Logs & The Law: What is Admissible in Court?
Transcript of Logs & The Law: What is Admissible in Court?
Tuesday, April 18, 2023
Automating Compliance. Mitigating Risk.1Confidential |
Logs & The Law: What is Admissible in Court?
Dominique Levin, VP Product Management
MGT-4, June 12, 2006
Agenda
• Introduction to logs
• Uses
• Logs & the Law: Best Practices
• Logs as Evidence
• Architecture & Solutions
Primary Sources of Data in the Enterprise
Systems produce both structured and unstructured log data, each in its own vendor-specific format. Sample records from a Check Point FireWall-1, a Cisco PIX, a Dragon NIDS, Snort and a network sensor:
10/09/200317:42:57,146.127.94.13,48352,146.127.97.14,909,,,accept,tcp,,,,909,146.127.93.29,,0,,4,3,,' 9Oct2003 17:42:57,accept,labcpngfp3,inbound,eth2c0,0,VPN-1 & FireWall-1,product=VPN-1 & FireWall-1[db_tag={0DE0E532-EEA0-11D7-BDFC-927F5D1DECEC};mgmt= labcpngfp3;date=1064415722;policy_name= Standard],labdragon,48352,146.127.97.14,909, tcp,146.127.93.145,',eth2c0,inbound
Oct 9 16:29:49 [146.127.94.4] Oct 09 2003 16:44:50: %PIX-6-302013: Built outbound TCP connection 2245701 for outside:146.127.98.67/1487 (146.127.98.67/1487) to inside:146.127.94.13/42562 (146.127.93.145/42562)
2003-10-20|15:25:52|dragonapp-nids|TCP-SCAN|146.127.94.10|146.127.94.13|0|0|X|------S-|0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52|
Oct 20 15:35:08 labsnort snort: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 146.127.94.10:43355 -> 146.127.94.13:705
SENSORDATAID="138715" SENSORNAME="146.127.94.23:network_sensor_1" ALERTID="QPQVIOAJKBNC6OONK6FTNLLESZ" LOCALTIMEZONEOFFSET="14400" ALERTNAME="pcAnywhere_Probe" ALERTDATETIME="2003-10-20 19:35:21.0" SRCADDRESSNAME="146.127.94.10" SOURCEPORT="42444" INTRUDERPORT="42444" DESTADDRESSNAME="146.127.94.13" VICTIMPORT="5631" ALERTCOUNT="1" ALERTPRIORITY="3" PRODUCTID="3" PROTOCOLID="6" REASON="RSTsent"
Log Data is 30% of all Data
• High volume
• Sensitive (customer, employee)
• Dispersed
• Inconsistent formats
• Heterogeneous
• Few clear policies or procedures
• ‘Handling’ at odds with other policies
• Little awareness or consistency
• More than search or forensics
• Now critical to mitigating risk and meeting compliance and legal requirements!
Logs are a Fingerprint
User and System Activity
Privileges Assigned/Changed
Customer Transaction
Email BCC
Failed Logon
Security Breach
File Up/Download
Credit Card Data Access
Information Leak
Logs Can Tell You Who Is Doing What …
Access Activity (Cisco ACS, MS IAS, RSA ACE)
• (Un)Successful Login
• Users Created & Deleted
Server Activity (Apple MacOS, HP-UX, IBM AIX, Microsoft, Novell, SuSE, RedHat Linux)
• Files & Program Access
• Privileges Changed
VPN Activity (Cisco 3000, Check Point VPN, Juniper SSL VPN, Nortel Contivity)
• Bytes Transferred
• # & Length of Connections
Proxy Activity (BlueCoat, NetApp NetCache, Microsoft ISA, Microsoft IIS, Squid)
• Web Apps Accessed
• Files Uploaded/Downloaded
E-Mail Activity (Microsoft Exchange)
• E-mails Sent & Bounced
• Information Transferred
Many Precedents For Using Logs
Martha Stewart: Logs prove digital phone messages had been altered and later restored
F100 Bank: Failed to furnish records – much of which was log data, resulting in $10m civil penalty
In re J.P. Morgan Securities, Inc. – failure to have adequate email preservation systems or procedures resulted in a $2,100,000 settlement and consent to establish procedures
In re Prudential Ins. Co. Sales Practices Litig. $1,000,000 fine by the court was imposed for document destruction
“Electronic data are the modern-day equivalent of the paper trail” – Judge Maass
Preparedness is the Best Defense
“Unfortunately, that [no log data being available] happens more often than I would like… If your home had been robbed, you would have to tell the police officer what was stolen and how the burglar got in. The same is also true for the network. If you simply tell us you have been broken into, and have no evidence to support it, we may be empathetic, but we can’t open a case.”
Shelagh Sayers, Special Agent, FBI, San Francisco
You have Legal Obligations
• Protect customer information
• Prevent information leakage
• Meet compliance requirements
• Satisfy regulations
• Establish controls and processes
• Employee misuse
Privacy and security are among the most active legislative areas impacting information technology; each day potential liability grows.
A Fortune 500 retailer paid $60 million to settle a case alleging inappropriate sharing of customer information.
By 2006, 20-30% of Global 1000 will suffer exposure due to privacy mismanagement, and costs to recover from privacy mistakes will range from $5-$20 million each.
Source: Gartner
Layers Of Compliance
Corporate governance and internal controls: COBIT 4.0, ISO 17799, NIST 800-53, PCI
Civil investigations and regulatory compliance: SOX, SEC, FTC, Comptroller of the Currency, HIPAA, GLBA
Private litigation: class action; interplay with regulatory investigations and compliance; Zubulake (destruction of records)
Best Practices Recommend Log Management
ISO 17799
• Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
• Review the results of monitoring activities regularly
• Ensure the accuracy of the logs
NIST 800-53
• Capture audit records
• Regularly review audit records for unusual activity and violations
• Automatically process audit records
• Protect audit information from unauthorized deletion
• Retain audit logs
PCI Requirement 10
• Logging and user activities tracking are critical
• Automate and secure audit trails for event reconstruction
• Review logs daily
• Retain audit trail history for at least one year
CobiT 4
• Provide adequate audit trail for root-cause analysis
• Use logging and monitoring to detect unusual or abnormal activities
• Regularly review access, privileges, changes
• Monitor performance
• Verify backup completion
Federal, State & Int’l Laws Impacting Log Data
• Electronic Communications Privacy Act
• Computer Fraud & Abuse Act of 1984
• Gramm-Leach-Bliley Act (finance – but not just finance)
• CALEA (communications)
• HIPAA (health care)
• Sarbanes-Oxley (Section 302 and 404)
• Telecommunications Act of 1996 (Section 222)
• FTC Enforcement (Petco and BJ’s scenario)
• More than 35 states have introduced legislation regarding consumer protection relating to security issues
• California and its notice of security breach law has been the model and key battleground
• EU Data Directive, Japan Data Directive, Canadian Data Protection Law
Log Lies, Myths & Rumor…
• There is no precedent for using log data…
• If I time stamp a log file it is inadmissible…
• I don’t need a clean set of my log data…
• I only need to worry about this when we get sued…
• I don’t need to capture all my log data…
• Homegrown solutions are just fine…
• Lawyers need to worry about this, not me…
Immutable Logs Matter
• Increase security, trust and accountability
• Increase admissibility
• Reduce and mitigate risk
“When audited logs are immutable and cannot be altered, there are additional advantages for deterrence and proof of policy or legal violations. With immutability, deterrence may be improved for all users of the system.”
Markle Foundation, Implementing a Trusted Information Sharing Environment, February 2006
Overcoming Admissibility Hurdles
Authentication: are the logs what you claim them to be?
– Document and prove each transaction between the collection of evidence and the appearance in court
Hearsay: are logs kept in the course of a regularly conducted business activity?
– What is the motive for logging?
– “Documents created solely at the author’s discretion create motivational concerns and lack reliability and trustworthiness.”
Best Evidence: use the original, or a duplicate
Ten Steps To Immutable Logs
1. Process & Controls: accurately document how evidence is created, stored and protected – improves admissibility
2. Retention (as long as business records)
   – 6 month minimum
   – Longer in an investigation
   – Start retaining on first indication of trouble
3. Defined collection (no log left behind)
   – 100% is possible
   – Unfiltered – some solutions (SIEM) process less than 5% of log data
4. Unaltered record
   – Separate collection, storage and future processing
5. Enhanced via processing (date & time stamp)
   – You can improve the raw log – much like you can improve a document being stored by adding a date stamp
Ten Steps To Immutable Logs (continued)
6. Secure storage and transport: prevent alteration or loss
   – You have a “due diligence” responsibility for “reasonable care” to protect and preserve electronic evidence – and to have a plan to address threats to those assets
7. Access control: establish chain of custody over log data
   – When did you know? What did you know? Who knew it?
8. Centralize core data set
   – Turn logs into an efficient and valuable resource
   – Ensure logs are complete, accurate and verifiable
9. Distributed processing & storage – FBI
10. Automate alerting and reporting
Promotes admissibility by reducing concerns related to authenticity, hearsay and best evidence
Things to Avoid
• Low redundancy – your processes and system should be high availability
• Shutdown of logging – automated alerting when logging declines or stops
• Minimal audit – audit the system and processes
• Programs that reduce log data – or – modify negatively the log data (e.g. access time of files)
• Conflicts with other corporate processes and controls – e.g. privacy, access, email retention
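Automated alerting when logging declines or stops, as an added example that is not from the original deck: it buckets syslog-style lines per source and minute and flags any minute whose volume falls well below that source's median, or reaches zero while other sources are still logging. The timestamp layout, host names and the 50% threshold are assumptions, and the feed is constructed.

```python
import re
from collections import Counter
from statistics import median

# Assumed line layout: "YYYY-MM-DD HH:MM:SS host message"; we keep the minute and the host.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} (\S+) ")


def minute_counts(lines):
    """Count events per (host, minute); lines that do not parse are ignored."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            counts[(m.group(2), m.group(1))] += 1
    return counts


def logging_alerts(lines, decline_ratio=0.5):
    """For every minute in the observed window, alert per host when its volume is zero
    ('stopped') or below decline_ratio x that host's median per-minute volume ('declined')."""
    counts = minute_counts(lines)
    minutes = sorted({minute for _, minute in counts})  # window = every minute anyone logged
    hosts = sorted({host for host, _ in counts})        # a host silent all window needs an inventory check
    alerts = []
    for host in hosts:
        series = [counts[(host, mn)] for mn in minutes]
        baseline = median(series)
        for mn, n in zip(minutes, series):
            if n == 0:
                alerts.append((host, mn, "stopped"))
            elif n < decline_ratio * baseline:
                alerts.append((host, mn, "declined"))
    return alerts


def gen_feed(host, per_minute):
    # Constructed feed: per_minute[i] one-line events for host in minute 10:4i.
    return [f"2006-06-12 10:4{i}:{s:02d} {host} event #{s}"
            for i, n in enumerate(per_minute) for s in range(n)]


# fw1 logs steadily, then falls off and goes silent; web1 stays steady the whole time.
SAMPLE_LINES = gen_feed("fw1", [5, 4, 6, 1, 0]) + gen_feed("web1", [2, 2, 2, 2, 2])

if __name__ == "__main__":
    for host, minute, kind in logging_alerts(SAMPLE_LINES):
        print(f"ALERT {kind}: {host} at {minute}")
```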
Clear Benefits
“With forensically sound logs, companies can reduce the potential of losing a lawsuit, diminish the costs associated with discovery and defense, increase the likelihood of forcing an opponent into settlement, and be a resource to defend against actions related to corporate governance.”
Erin Kenneally, FSA Times, The Institute of Internal Auditors
Reducing Costs of Compliance
[Chart: Compliance Costs (USD in Billions), 1998 to 2010, y-axis 0 to $400, split into Technology Costs and Administrative Costs; three phases are marked, Tactical Approach, Regulatory Onslaught and Automation, annotated with cost splits of 40%/60%, 84%/16% and 85%/15%.]
Source: TowerGroup, Guillermo Kopp, Vice President, Cross-Industry
Log Management & Intelligence
• Real-Time Analysis
• Historical Archives
• Complete Aggregation
• Automation of Collection, Processes & Controls
High-Performance Architecture for Global 2000
[Diagram: log sources (Backup Software, SAN/NAS Storage, Enterprise Apps, Mail Servers, Proxy Servers, Win/Linux Servers, Network Devices, Security Devices) feed the platform; Business Policies and IT Controls Definition on one side (IT Controls – Policy Statements Import), Best Practices Reports and Alerts on the other (Compliance Reports and Alerts Export); stakeholders: CEO, COO, CSO, CIO, HR, Customer, Legal, BOD, Operations, Network, Security, Datacenter, Audit.]
100% Message Collection. 100% Pure Storage.
Behavioral Alerts. Compliance Reports. Real-time Search.
What should be happening? – “Only the CEO should access this data”
What is happening? – “Who is actually accessing this data?”
Architecting to meet Legal Obligations
[Diagram: Main Data Center with ST 2000 (raw logs) and LX 2000 (meta logs) writing raw logs to existing networked storage; a Disaster Recovery Site; three Remote Offices with LX 500, LX 1000 and LX 2000 appliances producing metalogs; all synchronized to an NTP Server.]
NTP Server: microsecond accuracy, for example 30.123456 seconds
Securing Log Data Transport
[Diagram: same topology as the previous slide (Main Data Center, Disaster Recovery Site, existing networked storage, three Remote Offices, ST 2000 raw logs, LX 2000/LX 1000/LX 500 metalogs).]
Transport uses encryption, authentication, TCP and compression, and buffers in case of WAN failure.
Avoid Collusion with Distributed Log Storage
[Diagram: same topology as the previous slides.]
Off-site storage in 2 places: requires multi-party conspiracy to alter logs.
Perform Analysis on a Copy of the Log Data
[Diagram: same topology as the previous slides, plus a Management Station that issues SOAP requests and receives XML responses; log analysis runs on a copy of the raw logs, not on the stored originals.]
Make Archives Tamper Proof with Hashing
Each 1-minute file has its own hash file.
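To make the per-minute hash files concrete, here is an added example (not LogLogic's code) that writes a sidecar hash file beside each 1-minute archive, recording the digest, size and a UTC time stamp, and verifies the archive against it later. The file name, the JSON layout of the hash file and the sample log lines are constructed for the illustration.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_hash_file(log_path):
    """Write <log>.sha256 beside a 1-minute log file: digest, size and UTC time of hashing."""
    record = {
        "file": os.path.basename(log_path),
        "sha256": sha256_file(log_path),
        "size": os.path.getsize(log_path),
        "hashed_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }
    with open(log_path + ".sha256", "w", encoding="utf-8") as f:
        json.dump(record, f)
    return record


def verify_hash_file(log_path):
    """True only if the file's current size and digest match its stored hash file."""
    with open(log_path + ".sha256", encoding="utf-8") as f:
        record = json.load(f)
    return (os.path.getsize(log_path) == record["size"]
            and hmac.compare_digest(record["sha256"], sha256_file(log_path)))


def demo_tamper_detection():
    """Constructed scenario: hash an archive, verify, edit one event in place, verify again."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "2006-06-12-1042.log")  # one minute of raw logs (constructed)
        with open(log, "w", encoding="utf-8") as f:
            f.write("Jun 12 10:42:03 fw1 accept tcp 10.0.0.5:4432 -> 10.0.0.9:22\n")
            f.write("Jun 12 10:42:41 fw1 drop tcp 10.0.0.5:4433 -> 10.0.0.9:23\n")
        write_hash_file(log)
        intact = verify_hash_file(log)
        # After-the-fact edit: 'drop' -> 'pass' keeps the byte count, so only the digest catches it.
        with open(log, "r+", encoding="utf-8") as f:
            edited = f.read().replace("drop", "pass")
            f.seek(0)
            f.write(edited)
        return intact, verify_hash_file(log)
```

Keeping a second copy of the hash files at the off-site location described on the later slides means an alteration has to be reproduced at both sites to go unnoticed.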
No Human Intervention: Auto-Retention Settings
Logs get deleted by software automatically, not by users.
Store Logs on WORM or encrypted device
• EMC Centera: magnetic disk based WORM device
• NetApp Decru: encryption of log data at rest
[Diagram: ST 2000 raw logs and LX 2000 metalogs stored on NAS via NetApp Decru.]
Take Action!
• Turn on logging – it’s your responsibility!
• Assess role of systems data in meeting compliance requirements, mitigating security risks and improving availability
• Implement platform and architecture for systems data collection, storage and analysis as a first step on the path to compliance, availability and security mgmt
• Identify project and define success criteria for automation and vendor selection
• Request a trial
Thank You!
Join us for a demo! http://www.loglogic.com/resources/screencasts/
loglogic.com | blog.loglogic.com