Log management and compliance: What's the real story? by Dr. Anton Chuvakin
Log Management and Compliance: What's the Real Story?
Dr. Anton Chuvakin
2010
Outline
Introduction to Logs and Log management
Compliance Mandates Affecting IT – Compliance and ECM = Disaster Brewing!
Logging, an Ultimate Compliance Technology
Logging for Compliance Practices
Conclusions and Action Items
Security Warrior Consulting
Dr. Anton Chuvakin
Log Data Overview: What Logs? From Where?
What logs: audit logs, transaction logs, intrusion logs, connection logs, system performance records, user activity logs, various alerts and other messages
From where: firewalls/intrusion prevention, routers/switches, intrusion detection, servers, desktops, mainframes, business applications, databases, anti-virus, VPNs
Log Chaos: Login
<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ACHUVAKIN
<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:antonc] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User chuvakin has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
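The four records above all describe the same kind of event, a login, yet no two share a layout, which is the "log chaos" the slide is about. The example below is added here and is not part of the deck: it maps each of those four formats into one common schema and then runs a single review pass over the normalized fields. The four sample lines are the ones from the slide; the field names (source_type, user, outcome, src_ip, protocol) and the two review rules (flag failed logons and admin logons over Telnet) are this example's own choices, not a standard.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the four login records from the "Log Chaos" slide,
# each from a different product and each in its own format (syslog PRI "<nn>" included).
SAMPLE_LOGS = [
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ACHUVAKIN",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:antonc] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User chuvakin has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
]


@dataclass
class LoginEvent:
    """Common schema every source is mapped into, so one review pass covers them all."""
    source_type: str          # which product wrote the record
    user: str
    outcome: str              # "success" or "failure"
    src_ip: Optional[str]     # None when the record carries no source address
    protocol: Optional[str]   # "ssh", "telnet", ... or None when the record does not say
    raw: str                  # original line, kept untouched for forensics


# One pattern per source (hypothetical, written for these four formats only).
# Group names are shared so normalize() can treat every source the same way.
PATTERNS = [
    ("sshd", re.compile(
        r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")),
    ("windows", re.compile(
        r"(?P<outcome>Success Audit|Failure Audit) .*Logon account: (?P<user>\S+)")),
    ("cisco_ios", re.compile(
        r"%SEC_LOGIN-\d-LOGIN_(?P<outcome>SUCCESS|FAILED):.*\[user:(?P<user>[^\]]+)\] "
        r"\[Source:(?P<ip>[^\]]+)\](?: \[localport:(?P<port>\d+)\])?")),
    ("netscreen", re.compile(
        r"NetScreen .*Admin User (?P<user>\S+) has logged on via (?P<proto>\S+) from (?P<ip>[\d.]+)")),
]

SUCCESS_WORDS = {"Accepted", "Success Audit", "SUCCESS"}
PORT_TO_PROTOCOL = {"22": "ssh", "23": "telnet"}


def normalize(line: str) -> Optional[LoginEvent]:
    """Map one raw record to a LoginEvent, or None if no known source matches."""
    body = re.sub(r"^<\d+>\s*", "", line)  # drop the syslog PRI header
    for source_type, pattern in PATTERNS:
        m = pattern.search(body)
        if not m:
            continue
        g = m.groupdict()
        # The NetScreen pattern has no outcome group: that message text itself means success.
        outcome = "success" if g.get("outcome", "SUCCESS") in SUCCESS_WORDS else "failure"
        ip = g.get("ip")
        if ip and ip.startswith("::ffff:"):
            ip = ip[len("::ffff:"):]  # sshd reports IPv4 peers in IPv4-mapped IPv6 form
        if source_type == "sshd":
            protocol = "ssh"
        elif g.get("proto"):
            protocol = g["proto"].lower()
        else:
            protocol = PORT_TO_PROTOCOL.get(g.get("port") or "")
        return LoginEvent(source_type, g["user"], outcome, ip, protocol, line)
    return None


def review(events: List[LoginEvent]) -> List[str]:
    """Findings a daily review would raise, computed on the normalized fields only."""
    findings = []
    for e in events:
        if e.outcome == "failure":
            findings.append(f"failed logon for {e.user} ({e.source_type})")
        if e.protocol == "telnet":
            findings.append(f"cleartext admin logon for {e.user} from {e.src_ip} ({e.source_type})")
    return findings


if __name__ == "__main__":
    parsed = [normalize(l) for l in SAMPLE_LOGS]
    for ev in parsed:
        print(ev)
    for f in review([ev for ev in parsed if ev]):
        print("REVIEW:", f)
```

The point of the common schema is that the review rules never look at the raw text: a new log source costs one more pattern, not a rewrite of every rule. Keeping `raw` on each event preserves the original record for the forensic work the deck lists as a reason to manage logs in the first place.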
Why Manage Logs?
Threat protection and discovery
Incident response and forensics
Regulatory compliance and audit
Internal policies and procedure compliance
IT system and network troubleshooting
System performance management
Unfortunately …
“The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”
Compliance – Why is it Here?
1. Corporations stole
2. Got caught
3. Politicians wrote laws (Sarbanes-Oxley)
4. Bill gets passed
5. Now we have to obey them
At the Same Time…
Regulations Require Logs: SOX, GLBA, FISMA, JPA
NIST 800-53:
- Capture audit records
- Regularly review audit records for unusual activity and violations
- Automatically process audit records
- Protect audit information from unauthorized deletion
- Retain audit logs
Mandates Demand Logs: PCI, HIPAA
PCI: Requirement 10 and beyond
- Logging and user activity tracking are critical
- Automate and secure audit trails for event reconstruction
- Review logs daily
- Retain audit trail history for at least one year
Controls Include Logs: COBIT, ISO, ITIL
COBIT:
- Provide audit trail for root-cause analysis
- Use logging to detect unusual or abnormal activities
- Regularly review access, privileges, changes
- Verify backup completion
ISO 27002:
- Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
- Review the results of monitoring activities regularly and ensure the accuracy of logs
“Get fined, Get Sanctioned”
“Lose Customers, Reputation, Revenue or Job”
“Get fined, Go To Jail”
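Two of the requirements above recur across NIST 800-53, PCI DSS and ISO 27002: protect the audit trail from unauthorized deletion or alteration, and retain it for a defined period (at least one year under PCI DSS Requirement 10). The example below is added here and is not from the deck or any product: it keeps audit records in a hash chain so that an edited, reordered, inserted or deleted record is detected on verification, and it reports which records have aged out of the retention window. The record layout, the fixed reference clock NOW and the three sample events are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# PCI DSS Requirement 10 on the slide: retain audit trail history for at least one year.
RETENTION_DAYS = 365

# Constructed reference clock so the example behaves the same offline on any day.
NOW = datetime(2010, 6, 1, tzinfo=timezone.utc)


class AuditTrail:
    """Append-only audit trail where every record commits to the hash of the one before it."""

    GENESIS = "0" * 64  # "previous hash" of the first record

    def __init__(self) -> None:
        self.records: List[dict] = []

    @staticmethod
    def _digest(seq: int, ts: str, event: str, prev: str) -> str:
        # Canonical JSON so the same fields always hash to the same value.
        payload = json.dumps({"seq": seq, "ts": ts, "event": event, "prev": prev}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def append(self, ts: datetime, event: str) -> str:
        prev = self.records[-1]["hash"] if self.records else self.GENESIS
        rec = {"seq": len(self.records), "ts": ts.isoformat(), "event": event, "prev": prev}
        rec["hash"] = self._digest(rec["seq"], rec["ts"], rec["event"], rec["prev"])
        self.records.append(rec)
        return rec["hash"]

    def head(self) -> str:
        """Latest hash; anchoring it on a separate system is what makes tail deletion visible."""
        return self.records[-1]["hash"] if self.records else self.GENESIS

    def verify(self) -> Tuple[bool, Optional[int]]:
        """(True, None) if intact, else (False, seq of the first record that breaks the chain).
        Catches edited, reordered, inserted and deleted records anywhere except at the tail."""
        prev = self.GENESIS
        for expected_seq, rec in enumerate(self.records):
            if rec["seq"] != expected_seq or rec["prev"] != prev:
                return False, expected_seq
            if self._digest(rec["seq"], rec["ts"], rec["event"], rec["prev"]) != rec["hash"]:
                return False, expected_seq
            prev = rec["hash"]
        return True, None

    def expired_seqs(self, now: datetime = NOW, days: int = RETENTION_DAYS) -> List[int]:
        """Records old enough to leave the retention window (candidates for archiving, not deletion)."""
        cutoff = now - timedelta(days=days)
        return [r["seq"] for r in self.records if datetime.fromisoformat(r["ts"]) < cutoff]


def build_demo_trail() -> AuditTrail:
    """Constructed sample: three login records written 400, 200 and 1 days before NOW."""
    trail = AuditTrail()
    trail.append(NOW - timedelta(days=400), "sshd: Accepted password for anton from 192.168.138.35")
    trail.append(NOW - timedelta(days=200), "NetScreen: Admin User chuvakin has logged on via Telnet")
    trail.append(NOW - timedelta(days=1), "Windows 680 Failure Audit, Logon account: ACHUVAKIN")
    return trail


if __name__ == "__main__":
    t = build_demo_trail()
    print("intact:", t.verify(), "head:", t.head()[:16])
    print("past one-year retention:", t.expired_seqs())
    t.records[1]["event"] = "NetScreen: (edited after the fact)"
    print("after edit:", t.verify())
```

The chain alone cannot reveal that the newest record was removed, because nothing yet commits to it; the usual answer is to ship `head()` periodically to a system the log writers cannot modify (a separate log server, a signed checkpoint) and compare on review. Records past the retention window are returned for archiving rather than deleted in place, since deleting them would break the chain for everything that follows.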
More Laws! Privacy Laws
Mostly in Europe – thus affect transnational companies
Govern not what MUST be logged, but what MUST NOT be logged!
Logging is typically mentioned as something that might help violate privacy – e.g. Google query logging and retention
More Laws! Breach Laws Affect IR
Laws that control consumer notification in case of a security breach
Yesterday: CA 1386
Today: more than 45 US States
Tomorrow: the world
Who to notify is key – 200,000 vs. 40,000,000 notifications? Major $$$ in play!
What to do?
“In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things up then you will have to pay.”
Daniel Geer, Sc.D., Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, April 2008
http://geer.tinho.net/geer.housetestimony.070423.txt
Why Logs for Accountability
Everybody leaves traces in logs!
– Potentially, every action could be logged!
Control doesn’t scale, accountability (=logs!) does!
– More controls -> more complexity -> less control!
The only technology that makes IT users (legitimate and otherwise) accountable: logging!
Control vs Visibility
Myth: Stringent access controls will stop all attacks!
What about those that have legitimate access? What about those who “break the rules”?
The only control you can get is based on visibility and accountability!
Big Picture: Logs as Enabler of Corporate Accountability
Corporate Accountability – Accountability is answerability, enforcement, responsibility, blameworthiness, liability
Log Management – Log management is collecting, retaining and analyzing audit trails across the organization
There is a strong link between accountability and logging
[Chart] Use Cases for Log Data Continue to Expand. Survey question: “Does your organization use log management for any of the following?” (percentage of respondents, N = 123). Use cases surveyed: security detection and remediation; security analysis and forensics; monitoring IT controls for regulatory compliance; troubleshooting IT problems; monitoring end-user behavior; service level/performance management; configuration/change management; monitoring IT administrator behavior; capacity planning; business analysis. Responses: “Yes, we use SIM technologies for this today”; “No, we don’t use SIM technologies for this today, but plan or would like to do so in the future”; “No, we don’t use SIM technologies for this today and have no plans to do so”. Source: Enterprise Strategy Group, 2007.
Six Mistakes of Log Management
1. Not logging at all
2. Not looking at the logs
3. Storing logs for too short a time
4. Prioritizing the log records before collection
5. Ignoring the logs from applications
6. Only looking at what you know is bad
“Compliance+” Model At Work
You bought it for PCI DSS
You installed it
Your boss is happy
Your auditor is … gone
What are you going to do next?
Conclusions
In today’s complex IT, the only control comes from visibility and accountability
Logs and log management are what enable it across all systems
Start logging – then start collecting logs – then start reviewing and analyzing logs
Prepare for incidents by deploying a log management system!
Questions?
Dr. Anton Chuvakin
Security Warrior Consulting
Log management , SIEM, PCI DSS
Email: [email protected]
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
Twitter: @anton_chuvakin
Consulting: http://www.securitywarriorconsulting.com
More on Anton
Consultant: http://www.securitywarriorconsulting.com
Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
Standard developer: CEE, CVSS, OVAL, etc
Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others
Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager
Want a PCI DSS Book?
“PCI Compliance” by Anton Chuvakin and Branden Williams
Useful reference for merchants, vendors – and everybody else