OWASP Logging Project

OWASP Logging Project Presentation by Marc Chisinevski

Transcript of OWASP Logging Project

Page 1: OWASP Logging Project

OWASP Logging Project

Presentation by Marc Chisinevski

Page 2: OWASP Logging Project

Objectives of this presentation

Explain the goals of the OWASP Logging Project

Discuss how to integrate application logs into a Security Information Management system (SIM). Live demo 1.

Discuss SIM common issues and present a multidimensional solution prototype. Live demo 2.

Page 3: OWASP Logging Project

Goals of the OWASP Logging Project

1) Provide tools for software developers in order to help them define and provide meaningful logs.

2) Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps).

3) Integrating application logs into a Security Information Management configuration.

4) Facilitate attack reconstruction.

5) Facilitate information sharing around security events.

Page 4: OWASP Logging Project

1) Provide tools for software developers in order to help them define and provide meaningful logs

IDE integration:

auto-completion

templates

logging policy definition support.

Page 5: OWASP Logging Project

IDE (Integrated Development Environment) templates can provide checks/hints/defaults.

Examples defined by the OWASP Enterprise Security API:

- hashed value of the session ID, identity of the user that caused the event, description of the event (supplied by the caller)

- whether the event succeeded or failed (indicated by the caller), severity level of the event (indicated by the caller)

- that this is a security relevant event (indicated by the caller)

- hostname or IP where the event occurred (and ideally the user's source IP as well), a time stamp

Page 6: OWASP Logging Project

2) Provide code audit tools to ensure that log messages are consistent and complete

Code audit tools such as OWASP Yasca can be easily adapted in order to ensure that:

- logging standards are respected

- and log messages are consistent and complete (content, format, timestamps).
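As an added illustration of the kind of check a code audit tool could run (this is example code written for this transcript, not Yasca's or the OWASP Logging Project's own code), the following walks the syntax tree of a Python source file, finds every call to a hypothetical `log_security_event` template function, and reports calls that omit one of the required fields from the previous slide, as well as free-form `logger.*` calls that bypass the template. The function name, the required field names and the sample source are assumptions chosen for the example.

```python
import ast

# Fields the ESAPI logging examples on the previous slide call for. The names
# are an assumption for the hypothetical log_security_event(...) template.
REQUIRED_FIELDS = {"session_id", "user", "description", "success", "severity"}

# Free-form logging calls that would produce messages a SIM plugin cannot parse.
FREE_FORM_CALLS = {"logger.info", "logger.warning", "logger.error",
                   "logging.info", "logging.warning", "logging.error"}

# Constructed sample source: one compliant call, one call missing fields, and
# one free-form logging call. Line 1 of the string is the blank line after '''.
SAMPLE_SOURCE = '''
def login(user, session_id):
    log_security_event(session_id=session_id, user=user,
                       description="login", success=True, severity="INFO")
    log_security_event(user=user, description="password changed")
    logger.info("user logged in")
'''


def _call_name(func):
    """Dotted name of a call target, e.g. 'logger.info'; '' if not a plain name."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return _call_name(func.value) + "." + func.attr
    return ""


def audit_logging_calls(source, required=REQUIRED_FIELDS):
    """Return (line number, problem) findings for logging calls in `source`
    that do not carry every required field as a keyword argument, or that
    log free-form text outside the agreed template."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        if name == "log_security_event":
            given = {kw.arg for kw in node.keywords if kw.arg}
            missing = sorted(required - given)
            if missing:
                findings.append((node.lineno, "missing fields: " + ", ".join(missing)))
        elif name in FREE_FORM_CALLS:
            findings.append((node.lineno,
                             "free-form logging call bypasses the security log template"))
    return findings


if __name__ == "__main__":
    for lineno, problem in audit_logging_calls(SAMPLE_SOURCE):
        print(f"line {lineno}: {problem}")
```

Run against the constructed sample, the audit reports line 5 (missing `session_id`, `severity`, `success`) and line 6 (free-form call); the compliant call on line 3 produces no finding. A real tool would also check the value types and the timestamp source, but the shape of the check is the same.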

Page 7: OWASP Logging Project

3) Integrating application logs into a Security Information Management configuration

OSSIM (http://www.ossim.net/)

has numerous plugins for parsing:

webserver, appserver, WAF, IPS, IDS logs

and generating/storing events in its standard format.

Page 8: OWASP Logging Project

Adding a plugin for parsing custom application logs is as easy as finding the correct regular expression, provided that:

- developers included all relevant information in the log message

- and that they have done so in a consistent way.
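To show both sides of that condition, here is an added, self-contained example (written for this transcript; it is not OSSIM plugin code and not the OWASP Logging Project's own tooling) of the round trip between slide 5 and this slide: an application-side emitter that writes the ESAPI fields in one fixed key=value layout, with the session ID hashed and control characters stripped, and a plugin-style regular expression that maps each line onto normalized event fields. A line written outside the template, as a developer might do without the IDE support described earlier, simply fails to match and is reported as rejected. The field names, the line layout, the sample feed and the IP addresses are constructed assumptions.

```python
import hashlib
import re
from datetime import datetime, timezone


def _token(value):
    """Single-token field: control characters and whitespace replaced so the line
    keeps its fixed key=value layout even with attacker-controlled input."""
    return "".join(ch if ch.isprintable() and not ch.isspace() else "_"
                   for ch in str(value))


def _text(value):
    """Free-text field: control characters dropped and double quotes replaced, so
    the message cannot close its quotes early or forge a second log line."""
    return "".join(ch for ch in str(value) if ch.isprintable()).replace('"', "'")


def format_security_event(session_id, user, description, success, severity,
                          host, client_ip, when=None):
    """Hypothetical application-side emitter: one security event per line,
    fields in a fixed order. The raw session ID never reaches the log; only its
    SHA-256 hash does, which is still enough to correlate one session's events."""
    when = when or datetime.now(timezone.utc)
    session_hash = hashlib.sha256(str(session_id).encode()).hexdigest()
    return (f'ts={when.strftime("%Y-%m-%dT%H:%M:%SZ")} sec=1 '
            f'sev={_token(severity)} result={"success" if success else "failure"} '
            f'user={_token(user)} session={session_hash} host={_token(host)} '
            f'src={_token(client_ip)} msg="{_text(description)}"')


# Plugin-style regular expression, written the way a SIM parser plugin is
# configured: one named group per normalized field.
EVENT_RE = re.compile(
    r'^ts=(?P<date>\S+) sec=1 sev=(?P<severity>\S+) '
    r'result=(?P<result>success|failure) user=(?P<username>\S+) '
    r'session=(?P<session>[0-9a-f]{64}) host=(?P<hostname>\S+) '
    r'src=(?P<src_ip>\S+) msg="(?P<message>[^"]*)"$')


def normalize(line):
    """Map one application log line onto normalized event fields, or return
    None when the line does not follow the agreed format."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["date"] = datetime.strptime(event["date"], "%Y-%m-%dT%H:%M:%SZ") \
                            .replace(tzinfo=timezone.utc)
    return event


def parse_feed(lines):
    """Split a feed into normalized events and the raw lines the plugin rejected.
    Rejected lines are the signal that a developer bypassed the template."""
    parsed, rejected = [], []
    for line in lines:
        event = normalize(line)
        if event is None:
            rejected.append(line)
        else:
            parsed.append(event)
    return parsed, rejected


# Constructed sample feed with a fixed timestamp so the output is reproducible:
# two template-conformant lines and one free-form line.
FIXED_TIME = datetime(2009, 1, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_FEED = [
    format_security_event("ABC123SESSION", "alice", "login", True, "INFO",
                          "app01", "192.0.2.10", when=FIXED_TIME),
    format_security_event("XYZ789SESSION", "bob", "login", False, "WARN",
                          "app01", "198.51.100.7", when=FIXED_TIME),
    "login failed for bob",
]

if __name__ == "__main__":
    parsed, rejected = parse_feed(SAMPLE_FEED)
    for event in parsed:
        print(event["date"], event["username"], event["result"], event["src_ip"])
    print("rejected:", rejected)
```

Two design points worth noting: the hash keeps the session correlatable without making the log a place to steal tokens from, and the anchored regular expression with `[0-9a-f]{64}` and `success|failure` doubles as a format check, so a message that carries the wrong fields is rejected rather than silently stored with empty columns.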

Page 9: OWASP Logging Project

Current problems

Difficult to obtain relevant views of consolidated data

Examples:

Alarms concerning Client1 in December

Alarms in Datacenter1 in January

Difficult to calculate indicators

Example:

Annual Loss Expectancy for Asset1

Page 10: OWASP Logging Project

Current problems

Difficult to compare with historical data

Performance issues

Page 11: OWASP Logging Project

Live Demo 1 - Ossim

A « click and play » virtual appliance containing a full OSSIM installation is provided

Page 12: OWASP Logging Project

OSSIM executive dashboard

Page 13: OWASP Logging Project

Current day details from the previous Executive Dashboard:

very technical information, clearly not useful for CFO/CEOs, with all due respect

Page 14: OWASP Logging Project

Functional benefits of a multidimensional solution

Presenting risk assessments and safeguard cost-effectiveness scenarios to CFO/CEO

Different views: Client, Asset, Data Center, Time

Indicators: Loss Expectancy, Risk …

Page 15: OWASP Logging Project

Functional benefits of the multidimensional solution

Aggregation levels are clearly defined:

Raw data: Event, Server

Consolidated data: Alarm, Asset, Client, Data Center, Time, Geography

Page 16: OWASP Logging Project

Technical benefits of the multidimensional solution

Reporting queries no longer run on the production SIM database

Drill-down, roll-up, slice without writing SQL

Integrate data from different sources
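The views and indicators named on slides 9, 14, 15 and 16 (alarms for Client1 in December, alarms in Datacenter1 in January, Annual Loss Expectancy for Asset1, roll-up and slice without SQL) can be illustrated with a small in-memory cube. The following is an added example written for this transcript, not the Essbase demo and not OSSIM code: the records are constructed consolidated "Alarm"-level rows with their dimension members, each dimension level is a key function so a roll-up from Day to Month or from Asset to Data Center is just a change of key, and a slice is a filter on members. ALE is computed as SLE × ARO; the single loss expectancy figure and the way ARO is estimated from alarm counts over an observation window are assumptions for the example, not a method the slides describe.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Alarm:
    """One consolidated alarm with its dimension members (constructed data)."""
    day: date
    client: str
    asset: str
    datacenter: str
    risk: int  # constructed alarm risk score


# Constructed sample at the "Alarm" aggregation level, December 2008 to January 2009.
ALARMS = [
    Alarm(date(2008, 12, 3), "Client1", "Asset1", "Datacenter1", 5),
    Alarm(date(2008, 12, 19), "Client1", "Asset2", "Datacenter2", 7),
    Alarm(date(2008, 12, 24), "Client2", "Asset1", "Datacenter1", 3),
    Alarm(date(2009, 1, 8), "Client1", "Asset1", "Datacenter1", 8),
    Alarm(date(2009, 1, 9), "Client2", "Asset3", "Datacenter1", 4),
    Alarm(date(2009, 1, 27), "Client3", "Asset2", "Datacenter2", 6),
]

# Dimension levels: each maps an alarm to its member at that level. Time has a
# Day -> Month -> Year hierarchy; Client, Asset and Data Center are flat here.
DIMENSIONS = {
    "day": lambda a: a.day.isoformat(),
    "month": lambda a: a.day.strftime("%Y-%m"),
    "year": lambda a: str(a.day.year),
    "client": lambda a: a.client,
    "asset": lambda a: a.asset,
    "datacenter": lambda a: a.datacenter,
}


def slice_cube(alarms, **members):
    """Slice: keep alarms whose members match, e.g. client="Client1", month="2008-12"."""
    return [a for a in alarms
            if all(DIMENSIONS[level](a) == member for level, member in members.items())]


def roll_up(alarms, *levels, measure=len):
    """Roll-up: aggregate alarms by the given levels; the measure defaults to
    the alarm count but can be any function of the group (max risk, sum, ...)."""
    groups = defaultdict(list)
    for a in alarms:
        groups[tuple(DIMENSIONS[level](a) for level in levels)].append(a)
    return {key: measure(group) for key, group in groups.items()}


def annual_loss_expectancy(alarms, asset, sle, window_days):
    """ALE = SLE x ARO. ARO is estimated here (an assumption for the example) by
    scaling the number of alarms seen on the asset during the window to one year."""
    incidents = len(slice_cube(alarms, asset=asset))
    aro = incidents * 365 / window_days
    return sle * aro


if __name__ == "__main__":
    print("Client1 alarms in December 2008:",
          len(slice_cube(ALARMS, client="Client1", month="2008-12")))
    print("Datacenter1 alarms in January 2009:",
          len(slice_cube(ALARMS, datacenter="Datacenter1", month="2009-01")))
    print("Alarms per data center and year:", roll_up(ALARMS, "datacenter", "year"))
    print("Highest risk per asset:",
          roll_up(ALARMS, "asset", measure=lambda g: max(a.risk for a in g)))
    print("ALE for Asset1 (SLE 10000, 73-day window):",
          annual_loss_expectancy(ALARMS, "Asset1", sle=10000, window_days=73))
```

The same two operations answer every question on slide 9: a slice on Client and Month gives "alarms concerning Client1 in December", a slice on Data Center and Month gives "alarms in Datacenter1 in January", and a roll-up over Data Center and Year is the comparison with historical data that slide 10 says is hard to get from the production SIM database. Because the cube holds consolidated rows rather than raw events, none of these queries touches the live event store.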

Page 17: OWASP Logging Project

Live Demo 2 - Multidimensional solution

Essbase example

Page 18: OWASP Logging Project

Essbase outlines

Page 19: OWASP Logging Project

Essbase outlines

Page 20: OWASP Logging Project

Demo data feed

Page 21: OWASP Logging Project

Asset view

Data Center view

Page 22: OWASP Logging Project

Client view

Page 23: OWASP Logging Project

Questions

Page 24: OWASP Logging Project

Acknowledgments

OSSIM team

Wojtek Janeczek, friend and multidimensional DB expert

Page 25: OWASP Logging Project

Thank you!