Logs & The Law: What is Admissible in Court?

Saturday, June 18, 2022 | Automating Compliance. Mitigating Risk. | Confidential | Logs & The Law: What is Admissible in Court? | Dominique Levin, VP Product Management | Logs & The Law: What’s Admissible in Court? MGT-4, June 12, 2006

Transcript of Logs & The Law: What is Admissible in Court?

Page 1: Logs & The Law: What is Admissible in Court?

Tuesday, April 18, 2023

Automating Compliance. Mitigating Risk. | Confidential

Logs & The Law: What is Admissible in Court?

Dominique Levin, VP Product Management

Logs & The Law: What’s Admissible in Court?

MGT-4, June 12, 2006

Page 2: Logs & The Law: What is Admissible in Court?


Agenda

Introduction to logs
Uses
Logs & the Law: Best Practices
Logs as Evidence
Architecture & Solutions

Page 3: Logs & The Law: What is Admissible in Court?


10/09/200317:42:57,146.127.94.13,48352,146.127.97.14,909,,,accept,tcp,,,,909,146.127.93.29,,0,,4,3,,' 9Oct2003 17:42:57,accept,labcpngfp3,inbound,eth2c0,0,VPN-1 & FireWall-1,product=VPN-1 & FireWall-1[db_tag={0DE0E532-EEA0-11D7-BDFC-927F5D1DECEC};mgmt= labcpngfp3;date=1064415722;policy_name= Standard],labdragon,48352,146.127.97.14,909, tcp,146.127.93.145,',eth2c0,inbound

Oct 9 16:29:49 [146.127.94.4] Oct 09 2003 16:44:50: %PIX-6-302013: Built outbound TCP connection 2245701 for outside:146.127.98.67/1487 (146.127.98.67/1487) to inside:146.127.94.13/42562 (146.127.93.145/42562)

2003-10-20|15:25:52|dragonapp-nids|TCP-SCAN|146.127.94.10|146.127.94.13|0|0|X|------S-|0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52|

Oct 20 15:35:08 labsnort snort: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 146.127.94.10:43355 -> 146.127.94.13:705

SENSORDATAID="138715" SENSORNAME="146.127.94.23:network_sensor_1" ALERTID="QPQVIOAJKBNC6OONK6FTNLLESZ" LOCALTIMEZONEOFFSET="14400" ALERTNAME="pcAnywhere_Probe“ ALERTDATETIME="2003-10-20 19:35:21.0" SRCADDRESSNAME="146.127.94.10" SOURCEPORT="42444" INTRUDERPORT="42444" DESTADDRESSNAME="146.127.94.13" VICTIMPORT="5631" ALERTCOUNT="1" ALERTPRIORITY="3" PRODUCTID="3" PROTOCOLID="6" REASON="RSTsent"


Figure: Primary Sources of Data in the Enterprise (systems emitting structured and unstructured log data, as in the samples above)

Page 4: Logs & The Law: What is Admissible in Court?


Log Data is 30% of all Data

• High volume
• Sensitive (customer, employee)
• Dispersed
• Inconsistent formats
• Heterogeneous
• Few clear policies or procedures
• ‘Handling’ at odds with other policies
• Little awareness or consistency
• More than search or forensics
• Now critical to mitigating risk and meeting compliance and legal requirements!

Figure: systems data shown as 30% of all data

Page 5: Logs & The Law: What is Admissible in Court?


Logs are a Fingerprint

User and System Activity

Privileges Assigned/Changed

Customer Transaction

Email BCC

Failed Logon

Security Breach

File Up/Download

Credit Card Data Access

Information Leak

Page 6: Logs & The Law: What is Admissible in Court?


Logs Can Tell You Who Is Doing What …

Access Activity (Cisco ACS, MS IAS, RCS ACE)
• (Un)Successful Login
• Users Created & Deleted

Server Activity (Apple MacOS, HP UX, IBM AIX, Microsoft, Novell, SuSe, RedHat Linux)
• Files & Program Access
• Privileges Changed

VPN Activity (Cisco 3000, Check Point VPN, Juniper SSL VPN, Nortel Contivity)
• Bytes Transferred
• # & Length of Connections

Proxy Activity (BlueCoat, NetApp NetCache, Microsoft ISA, Microsoft IIS, Squid)
• Web Apps Accessed
• Files Uploaded & Downloaded

E-Mail Activity (Microsoft Exchange)
• E-mails sent & bounced
• Information Transferred

Page 7: Logs & The Law: What is Admissible in Court?


Many Precedents For Using Logs

Martha Stewart: Logs prove digital phone messages had been altered and later restored

F100 Bank: failed to furnish records, much of which was log data, resulting in a $10m civil penalty

In re J.P. Morgan Securities, Inc.: failure to have adequate email preservation systems or procedures resulted in a $2,100,000 settlement and consent to establish procedures

In re Prudential Ins. Co. Sales Practices Litig.: a $1,000,000 fine was imposed by the court for document destruction

“Electronic data are the modern-day equivalent of the paper trail” – Judge Maass

Page 8: Logs & The Law: What is Admissible in Court?


Preparedness is the Best Defense

“Unfortunately, that [no log data being available] happens more often than I would like… If your home had been robbed, you would have to tell the police officer what was stolen and how the burglar got in. The same is also true for the network. If you simply tell us you have been broken into, and have no evidence to support it, we may be empathetic, but we can’t open a case.”

Shelagh Sayers, special agent, FBI, San Francisco

Page 9: Logs & The Law: What is Admissible in Court?


You have Legal Obligations

Protect customer information
Prevent information leakage
Meet compliance requirements
Satisfy regulations
Establish controls and processes
Employee misuse

Privacy and security are among the most active legislative areas impacting information technology—each day potential liability grows

A Fortune 500 retailer paid $60 million to settle a case alleging inappropriate sharing of customer information.

By 2006, 20-30% of Global 1000 will suffer exposure due to privacy mismanagement, and costs to recover from privacy mistakes will range from $5-$20 million each

Source: Gartner

Page 10: Logs & The Law: What is Admissible in Court?


Layers Of Compliance

Corporate Governance and Internal controls
– COBIT 4.0, ISO 17799, NIST 800-53, PCI

Civil investigations and regulatory compliance
– SOX, SEC, FTC, Comptroller of the Currency, HIPAA, GLBA

Private litigation
– Class Action
– Interplay with regulatory investigations and compliance
– Zubulake (destruction of records)

Page 11: Logs & The Law: What is Admissible in Court?


Best Practices Recommend Log Management

ISO 17799
– Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
– Review the results of monitoring activities regularly
– Ensure the accuracy of the logs

NIST 800-53
– Capture audit records
– Regularly review audit records for unusual activity and violations
– Automatically process audit records
– Protect audit information from unauthorized deletion
– Retain audit logs

PCI Requirement 10
– Logging and user activities tracking are critical
– Automate and secure audit trails for event reconstruction
– Review logs daily
– Retain audit trail history for at least one year

CobiT 4
– Provide adequate audit trail for root-cause analysis
– Use logging and monitoring to detect unusual or abnormal activities
– Regularly review access, privileges, changes
– Monitor performance
– Verify backup completion

Page 12: Logs & The Law: What is Admissible in Court?


Federal, State & Int’l Laws Impacting Log Data

Electronic Communications Privacy Act
Computer Fraud & Abuse Act of 1984
Gramm-Leach-Bliley Act (finance – but not just finance)
CALEA (communications)
HIPAA (health care)
Sarbanes-Oxley (Section 302 and 404)
Telecommunications Act of 1996 (Section 222)
FTC Enforcement (Petco and BJ’s scenario)

More than 35 states have introduced legislation regarding consumer protection relating to security issues

California and its notice of security breach law has been the model and key battleground

EU Data Directive, Japan Data Directive, Canadian Data Protection Law

Page 13: Logs & The Law: What is Admissible in Court?


Log Lies, Myths & Rumor…

There is no precedent for using log data…
If I time stamp a log file it is inadmissible…
I don’t need a clean set of my log data…
I only need to worry about this when we get sued…
I don’t need to capture all my log data…
Homegrown solutions are just fine…
Lawyers need to worry about this, not me…

Page 14: Logs & The Law: What is Admissible in Court?


Immutable Logs Matter

Increase security, trust and accountability
Increase admissibility
Reduce and mitigate risk

“When audited logs are immutable and cannot be altered, there are additional advantages for deterrence and proof of policy or legal violations. With immutability, deterrence may be improved for all users of the system.”

Markle Foundation, Implementing a Trusted Information Sharing Environment, February 2006

Page 15: Logs & The Law: What is Admissible in Court?


Overcoming Admissibility Hurdles

Authentication: are the logs what you claim them to be?
– Document and prove each transaction between the collection of evidence and the appearance in court

Hearsay: are logs kept in the course of a regularly conducted business activity?
– What is the motive for logging?
– “Documents created solely at the author’s discretion create motivational concerns and lack reliability and trustworthiness.”

Best Evidence: use the original, or a duplicate

Page 16: Logs & The Law: What is Admissible in Court?


Ten Steps To Immutable Logs

1. Process & Controls: accurately document how evidence is created, stored and protected – improves admissibility

2. Retention (as long as business records)
– 6 month minimum
– Longer in an investigation
– Start retaining on first indication of trouble

3. Defined collection (no log left behind)
– 100% is possible
– Unfiltered – some solutions (SIEM) process less than 5% of log data

4. Unaltered record
– Separate collection, storage and future processing

5. Enhanced via processing (date & time stamp)
– You can improve the raw log – much like you can improve a document being stored by adding a date stamp

Page 17: Logs & The Law: What is Admissible in Court?


Ten Steps To Immutable Logs (continued)

6. Secure storage and transport
– Prevent alteration or loss
– You have a “due diligence” responsibility for “reasonable care” to protect and preserve electronic evidence – and to have a plan to address threats to those assets

7. Access control: establish chain of custody over log data
– When did you know? What did you know? Who knew it?

8. Centralize core data set
– Turn logs into an efficient and valuable resource
– Ensure logs are complete, accurate and verifiable

9. Distributed processing & storage – FBI

10. Automate alerting and reporting

Promotes admissibility by reducing concerns related to authenticity, hearsay and best evidence

Page 18: Logs & The Law: What is Admissible in Court?


Things to Avoid

Low redundancy – your processes and system should be high availability

Shutdown of logging – automated alerting when logging declines or stops

Minimal audit – audit the system and processes

Programs that reduce log data – or – modify negatively the log data (e.g. access time of files)

Conflicts with other corporate processes and controls – e.g. privacy, access, email retention
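For the "shutdown of logging" item, the detector below is an added example (not the presenter's code): it buckets syslog-style lines per host and per minute, then compares each host's current minute against the median of the previous four minutes and reports sources that have stopped or declined. The sample lines, the year assumed for syslog timestamps, and the 50% decline threshold are constructed for the example.

```python
"""Alert when a log source's volume declines or stops (added example, constructed data)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median

SYSLOG_YEAR = 2003   # syslog timestamps carry no year; assumed here, as a collector must do
LINE = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hm>\d{2}:\d{2}):\d{2} "
                  r"(?P<host>\S+) ")


def _lines(host, minute, per_minute):
    """Constructed syslog-style lines for one host in minute 15:MM, evenly spaced."""
    return [f"Oct 20 15:{minute:02d}:{s:02d} {host} event" for s in range(0, 60, 60 // per_minute)]


# web1 logs 4/min throughout; fw1 stops after 15:03; vpn1 drops from 4/min to 1/min.
SAMPLE = []
for m in range(6):
    SAMPLE += _lines("web1", m, 4)
    SAMPLE += _lines("fw1", m, 4) if m < 4 else []
    SAMPLE += _lines("vpn1", m, 4) if m < 4 else _lines("vpn1", m, 1)


def volume_by_minute(lines):
    """{host: Counter{minute_start: count}}; a minute with no line is simply absent."""
    vol = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if m:
            stamp = datetime.strptime(f"{m['mon']} {m['day']} {m['hm']} {SYSLOG_YEAR}",
                                      "%b %d %H:%M %Y")
            vol[m["host"]][stamp] += 1
    return vol


def check_sources(lines, now=None, baseline=4, decline_ratio=0.5):
    """Compare each host's volume in minute `now` with the median of the `baseline`
    minutes before it. Returns {host: 'stopped' | 'declined' | 'ok'}."""
    vol = volume_by_minute(lines)
    if now is None:  # demo convenience; in production pass the wall clock so that an
        now = max(t for counts in vol.values() for t in counts)  # outage of every source is seen
    history = [now - timedelta(minutes=i) for i in range(1, baseline + 1)]
    status = {}
    for host, counts in vol.items():
        base = median(counts.get(t, 0) for t in history)
        current = counts.get(now, 0)
        if base == 0:
            status[host] = "ok"          # nothing logged in the window: nothing to compare
        elif current == 0:
            status[host] = "stopped"
        elif current < decline_ratio * base:
            status[host] = "declined"
        else:
            status[host] = "ok"
    return status
```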

Page 19: Logs & The Law: What is Admissible in Court?


Clear Benefits

“With forensically sound logs, companies can reduce the potential of losing a lawsuit, diminish the costs associated with discovery and defense, increase the likelihood of forcing an opponent into settlement, and be a resource to defend against actions related to corporate governance.”

Erin Kenneally, FSA Times, The Institute of Internal Auditors

Page 20: Logs & The Law: What is Admissible in Court?


Reducing Costs of Compliance

Chart: Compliance Costs (USD in Billions), 1998 to 2010, $0 to $400, split into Technology Costs and Administrative Costs; phases labelled Tactical Approach, Regulatory Onslaught and Automation; percentage splits shown: 40%/60%, 84%/16%, 85%/15%.

Source: TowerGroup, Guillermo Kopp, Vice President, Cross-Industry

Page 21: Logs & The Law: What is Admissible in Court?


Log Management & Intelligence

Real-Time Analysis
Historical Archives
Complete Aggregation
Automation of Collection Processes & Controls

Page 22: Logs & The Law: What is Admissible in Court?


High-Performance Architecture for Global 2000

Diagram: log sources (Backup Software, SAN/NAS Storage, Enterprise Apps, Mail Servers, Proxy Servers, Win/Linux Servers, Network Devices, Security Devices) feed a platform labelled Best Practices Reports and Alerts; Business Policies and IT Controls Definition; IT Controls – Policy Statements Import; Compliance Reports and Alerts Export.

100% Message Collection. 100% Pure Storage.

Behavioral Alerts. Compliance Reports. Real-time Search.

What should be happening? Only the CEO should access this data.
What is happening? Who is actually accessing this data?

Stakeholders shown: CEO, COO, CSO, CIO, HR, Customer, Legal, BOD, Operations, Network, Security, Datacenter, Audit

Page 23: Logs & The Law: What is Admissible in Court?


Architecting to meet Legal Obligations

Diagram (labels): Disaster Recovery Site; Main Data Center; Existing Networked Storage; Remote Office (×3); ST 2000 Raw Logs; LX 2000 Meta Logs; raw logs; LX 500 metalogs; LX 1000 metalogs; LX 2000 metalogs; NTP Server.

Microsecond accuracy: for example 30.123456 seconds

Page 24: Logs & The Law: What is Admissible in Court?


Securing Log Data Transport

Diagram (labels): Disaster Recovery Site; Main Data Center; Existing Networked Storage; Remote Office (×3); ST 2000 Raw Logs; LX 2000 Meta Logs; raw logs; LX 500 metalogs; LX 1000 metalogs; LX 2000 metalogs.

Encryption, Authentication, TCP, Compression. Buffer in case of WAN failure.

Page 25: Logs & The Law: What is Admissible in Court?


Avoid Collusion with Distributed Log Storage

Diagram (labels): Disaster Recovery Site; Main Data Center; Existing Networked Storage; Remote Office (×3); ST 2000 Raw Logs; LX 2000 Meta Logs; raw logs; LX 500 metalogs; LX 1000 metalogs; LX 2000 metalogs.

Off-site storage in 2 places: requires a multi-party conspiracy to alter logs.

Page 26: Logs & The Law: What is Admissible in Court?


Perform Analysis on a Copy of the Log Data

Diagram (labels): Disaster Recovery Site; Management Station; SOAP Request / XML Responses; Main Data Center; Existing Networked Storage; LX 2000 Meta Logs; raw logs; ST 2000 Raw Logs; Remote Office (×3); LX 500 metalogs; LX 1000 metalogs; LX 2000 metalogs; Raw Logs; Log Analysis.

Page 27: Logs & The Law: What is Admissible in Court?


Make Archives Tamper Proof with Hashing

Each 1-minute file has its own hash file.
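The per-minute hash file on this slide, together with steps 4 to 6 of the ten steps (unaltered record, date/time stamp enhancement, secure storage), as an added example that is not LogLogic's implementation: each one-minute archive gets a sidecar SHA-256 digest, and the digest also covers the previous minute's digest so that a minute that is removed or quietly re-hashed breaks the next link. The file layout, the prev= chaining and the genesis value are this example's assumptions.

```python
"""Per-minute log archives with SHA-256 sidecar files and a verifier that detects tampering.
Added example; the layout, the prev= chaining and the genesis value are assumptions."""
import hashlib
import tempfile
from pathlib import Path

GENESIS = "0" * 64   # chain value before the first minute (assumption of this example)


def archive_minute(root, minute, lines, prev_digest):
    """Write <minute>.log and <minute>.log.sha256. The digest also covers the previous
    minute's digest, so a minute that is removed or re-hashed breaks the next link."""
    data = "".join(line + "\n" for line in lines).encode()
    (root / f"{minute}.log").write_bytes(data)
    digest = hashlib.sha256(prev_digest.encode() + data).hexdigest()
    (root / f"{minute}.log.sha256").write_text(f"{digest}  {minute}.log  prev={prev_digest}\n")
    return digest


def verify_archive(root):
    """Recompute each minute in order. Returns {file: ok|modified|missing-hash|chain-broken}."""
    result, prev = {}, GENESIS
    for log in sorted(root.glob("*.log")):
        side = log.parent / (log.name + ".sha256")
        if not side.exists():
            result[log.name] = "missing-hash"
            continue
        stored, _, prev_field = side.read_text().split()
        stored_prev = prev_field.removeprefix("prev=")
        if stored_prev != prev:
            result[log.name] = "chain-broken"
        elif hashlib.sha256(stored_prev.encode() + log.read_bytes()).hexdigest() != stored:
            result[log.name] = "modified"
        else:
            result[log.name] = "ok"
        prev = stored  # the next file must have been chained on this stored digest
    return result


def demo():
    """Archive three constructed minutes, then tamper in two ways; returns three verdicts."""
    root, prev, digests = Path(tempfile.mkdtemp()), GENESIS, []
    for i in range(3):
        minute = f"20031020152{5 + i}"
        prev = archive_minute(root, minute, [f"Oct 20 15:2{5 + i}:01 host sshd: accepted"], prev)
        digests.append(prev)
    clean = verify_archive(root)
    # 1) edit the second file in place, leaving its sidecar alone
    target = root / "200310201526.log"
    target.write_bytes(target.read_bytes().replace(b"accepted", b"denied  "))
    edited = verify_archive(root)
    # 2) rewrite the second minute and its sidecar consistently: the third minute's
    #    prev= field no longer matches, so the chain reports the break there
    archive_minute(root, "200310201526", ["Oct 20 15:26:01 host sshd: denied"], digests[0])
    return clean, edited, verify_archive(root)
```

A sidecar alone proves nothing against someone who can rewrite a file and every later sidecar; the separate off-site copies on the "Avoid Collusion" slide are what make that require more than one party.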

Page 28: Logs & The Law: What is Admissible in Court?


No Human Intervention: Auto-Retention Settings

Logs get deleted by software automatically, not by users.

Page 29: Logs & The Law: What is Admissible in Court?


Store Logs on WORM or encrypted device

EMC Centera: magnetic disk based WORM device
NetApp Decru: encryption of log data at rest

Diagram (labels): ST 2000 raw logs; LX 2000 metalogs; ST 2000 raw logs; LX 2000 metalogs; NAS; NetApp Decru.

Page 30: Logs & The Law: What is Admissible in Court?


Take Action!

Turn on logging – it’s your responsibility!

Assess the role of systems data in meeting compliance requirements, mitigating security risks and improving availability

Implement a platform and architecture for systems data collection, storage and analysis as a first step on the path to compliance, availability and security mgmt

Identify a project and define success criteria for automation and vendor selection

Request a trial

Page 31: Logs & The Law: What is Admissible in Court?

LogLogic Confidential

Thank You!

Join us for a demo! http://www.loglogic.com/resources/screencasts/

loglogic.com | blog.loglogic.com

Automating Compliance. Mitigating Risk.