Log Management and Compliance: What's the Real Story? Dr. Anton Chuvakin 2010


Description

One of the problems in making an Enterprise Content Management (ECM) strategy work with compliance initiatives is that compliance needs accountability at a very granular level. Consequently, IT shops are turning to log management as a solution, with many of those solutions being deployed for the purposes of regulatory compliance. However, the language surrounding log management solutions can be vague, which leads to confusion. This session will lend some clarity to the regulations that affect log management. Topics will include:

Best practices for meshing ECM and compliance strategies with log management

Tips and suggestions for monitoring and auditing access to regulated content, with a focus on Microsoft SharePoint logging

An examination of a handful of the regulations affecting how organizations view log management and information security, including the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, the North American Electric Reliability Council (NERC), HIPAA and the HITECH Act


Page 1: Log management and compliance: What's the real story? by Dr. Anton Chuvakin

Log Management and Compliance: What's the Real Story?

Dr. Anton Chuvakin

2010

Page 2

Outline

Introduction to Logs and Log management

Compliance Mandates Affecting IT

– Compliance and ECM = Disaster Brewing!

Logging, an Ultimate Compliance Technology

Logging for Compliance Practices

Conclusions and Action Items

Page 3

Security Warrior Consulting, Dr. Anton Chuvakin

Log Data Overview

What Logs?

Audit logs, transaction logs, intrusion logs, connection logs, system performance records, user activity logs, various alerts and other messages

From Where?

Firewalls/intrusion prevention, routers/switches, intrusion detection, servers, desktops, mainframes, business applications, databases, anti-virus, VPNs

Page 4

Log Chaos: Login

<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2

<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    Logon account:  ACHUVAKIN   

<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:antonc] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006

<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User chuvakin has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
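The four records above all say the same thing (someone logged in, from somewhere, with some outcome) in four unrelated layouts. The following Python normalizer is an added example, not code from the presentation: it maps each record to one common schema. The regular expressions, the field names and the LoginEvent class are my own assumptions, written only for these four sample lines; a real collector needs a pattern per product and version.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the four login records shown on the slide, one per source type
# (trailing whitespace trimmed).
SAMPLE_LINES = [
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton "
    "from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE "
    "Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0    "
    "Logon account:  ACHUVAKIN",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:Login Success [user:antonc] "
    "[Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
    "Admin User chuvakin has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
]

@dataclass
class LoginEvent:
    source_type: str        # which log format produced the record (assumed labels)
    user: str
    src_ip: Optional[str]   # None when the format does not carry a source address
    outcome: str            # "success" or "failure"
    method: Optional[str]   # password / telnet / ... where the record says

# One hypothetical pattern per format, tuned to the four sample lines only.
_SSHD = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")
_WIN = re.compile(r"\b(Success|Failure) Audit\b.*?Logon account:\s+(\S+)")
_CISCO = re.compile(r"%SEC_LOGIN-\d-LOGIN_(SUCCESS|FAILED):.*?\[user:([^\]]+)\] \[Source:([^\]]+)\] \[localport:(\d+)\]")
_NETSCREEN = re.compile(r"Admin User (\S+) has logged on via (\w+) from ([\d.]+):\d+")

_PORT_NAMES = {"22": "ssh", "23": "telnet"}

def _strip_mapped_v6(addr: str) -> str:
    """Turn an IPv4-mapped IPv6 address (::ffff:a.b.c.d) into plain IPv4 so the same
    source host is matched whether it appears in an sshd or a router record."""
    return addr[7:] if addr.lower().startswith("::ffff:") else addr

def parse_login(line: str) -> Optional[LoginEvent]:
    """Map one raw record to the common schema, or None if no known format matches."""
    m = _SSHD.search(line)
    if m:
        return LoginEvent("sshd", m.group(3), _strip_mapped_v6(m.group(4)),
                          "success" if m.group(1) == "Accepted" else "failure", m.group(2))
    m = _WIN.search(line)
    if m:
        # This rendering of event 680 carries no source address: leave it empty, never guess.
        return LoginEvent("windows", m.group(2), None,
                          "success" if m.group(1) == "Success" else "failure", None)
    m = _CISCO.search(line)
    if m:
        return LoginEvent("cisco_ios", m.group(2), m.group(3),
                          "success" if m.group(1) == "SUCCESS" else "failure",
                          _PORT_NAMES.get(m.group(4), "port " + m.group(4)))
    m = _NETSCREEN.search(line)
    if m:
        return LoginEvent("netscreen", m.group(1), m.group(3), "success", m.group(2).lower())
    return None

def normalize(lines: List[str]) -> List[LoginEvent]:
    """Parse every line. Unparsed lines are dropped here; in production count them,
    because a silently failing parser looks exactly like an absence of logins."""
    return [ev for ev in (parse_login(line) for line in lines) if ev is not None]

if __name__ == "__main__":
    for ev in normalize(SAMPLE_LINES):
        print(ev)
```

Two details matter for accountability once the records are normalized: the sshd source address arrives as an IPv4-mapped IPv6 string and must be canonicalized before it can be correlated with the router and firewall records, and the Windows record in this form has no source address at all, so the field stays empty rather than being filled with a guess.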

Page 5

Why Manage Logs?

Threat protection and discovery

Incident response and forensics

Regulatory compliance and audit

Internal policies and procedure compliance

IT system and network troubleshooting

System performance management

Page 6

Unfortunately …

“The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”

Page 7

Compliance – Why is it Here?

1. Corporations stole

2. Got caught

3. Politicians wrote laws (Sarbanes-Oxley)

4. Bill gets passed

5. Now we have to obey them

Page 8

At the Same Time…

Regulations Require Logs: SOX, GLBA, FISMA, JPA, PCI, HIPAA

NIST 800-53
– Capture audit records
– Regularly review audit records for unusual activity and violations
– Automatically process audit records
– Protect audit information from unauthorized deletion
– Retain audit logs

Mandates Demand Logs

PCI: Requirement 10 and beyond
– Logging and user activities tracking are critical
– Automate and secure audit trails for event reconstruction
– Review logs daily
– Retain audit trail history for at least one year

Controls Include Logs: COBIT, ISO, ITIL

COBIT
– Provide audit trail for root-cause analysis
– Use logging to detect unusual or abnormal activities
– Regularly review access, privileges, changes
– Verify backup completion

ISO 27002
– Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
– Review the results of monitoring activities regularly and ensure the accuracy of logs

Consequences:

“Get fined, Get Sanctioned”

“Lose Customers, Reputation, Revenue or Job”

“Get fined, Go To Jail”
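Two requirements recur across the frameworks on this slide: keep the audit trail for at least a year, and protect it from unauthorized deletion or modification. The Python below is an added example (not from the talk and not any standard's reference material) showing one tamper-evident approach, a SHA-256 hash chain over records verified against an anchor stored out of band, next to a check that the retention window has no missing days. The record texts, the seed value and the dates are constructed.

```python
import hashlib
from datetime import date, timedelta
from typing import List, Optional, Sequence, Tuple

# Constructed seed. In practice this would be a published or separately stored anchor.
GENESIS = b"log-chain-genesis"

def chain_records(records: Sequence[str], seed: bytes = GENESIS) -> List[Tuple[str, str]]:
    """Attach a digest to every record: d_i = SHA-256(d_(i-1) || record_i).
    Each digest commits to the entire history before it, so a record cannot be
    altered, removed or inserted without breaking every link that follows."""
    prev = hashlib.sha256(seed).digest()
    chained: List[Tuple[str, str]] = []
    for rec in records:
        digest = hashlib.sha256(prev + rec.encode("utf-8")).hexdigest()
        chained.append((rec, digest))
        prev = bytes.fromhex(digest)
    return chained

def verify_chain(chained: Sequence[Tuple[str, str]], seed: bytes = GENESIS,
                 anchor: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad link.
    A modified, deleted or inserted record breaks the link at its position.
    Deleting records from the END leaves what remains perfectly valid, which is
    why the last digest must also be compared with an anchor kept on another
    system; an anchor mismatch is reported as index len(chained)."""
    prev = hashlib.sha256(seed).digest()
    for i, (rec, digest) in enumerate(chained):
        if hashlib.sha256(prev + rec.encode("utf-8")).hexdigest() != digest:
            return i
        prev = bytes.fromhex(digest)
    if anchor is not None and (not chained or chained[-1][1] != anchor):
        return len(chained)
    return None

def retention_gaps(archived_days: Sequence[date], today: date, min_days: int = 365) -> List[date]:
    """Days inside the retention window (yesterday back to min_days ago) with no
    archived log. min_days=365 matches the one-year minimum quoted for PCI DSS."""
    have = set(archived_days)
    window = (today - timedelta(days=n) for n in range(1, min_days + 1))
    return sorted(d for d in window if d not in have)

if __name__ == "__main__":
    chained = chain_records(["login anton ok", "login bob fail", "config change"])
    print("intact:", verify_chain(chained))                          # None
    print("middle deleted:", verify_chain([chained[0], chained[2]]))  # 1
    print("tail truncated:", verify_chain(chained[:2], anchor=chained[-1][1]))  # 2
    today = date(2010, 6, 1)
    print("gaps:", retention_gaps([today - timedelta(days=n) for n in range(1, 400)], today))  # []
```

The anchor is the part people forget: a chain alone proves nothing about records that were removed after the last surviving one, so the newest digest has to be copied somewhere the log server's administrator cannot reach before the check means anything.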

Page 9

More Laws! Privacy Laws

Mostly in Europe
– Thus affect transnational companies

Govern not what MUST be logged, but what MUST NOT be logged!

Logging is typically mentioned as something that might help violate privacy
– E.g. Google query logging and retention

Page 10

More Laws! Breach Laws Affected IR

Laws that control consumer notification in case of a security breach

Yesterday: CA 1386

Today: more than 45 US States

Tomorrow: the world

Who to notify is key:
– 200,000 vs. 40,000,000 notifications? Major $$$ in play!

Page 11

What to do?

Page 12

“In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things up then you will have to pay.”

Daniel Geer, Sc.D.

Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, April 2008

http://geer.tinho.net/geer.housetestimony.070423.txt

Page 13

Why Logs for Accountability

Everybody leaves traces in logs!
– Potentially, every action could be logged!

Control doesn’t scale, accountability (=logs!) does!
– More controls -> more complexity -> less control!

The only technology that makes IT users (legitimate and otherwise) accountable: logging!

Page 14

Control vs Visibility

Myth: Stringent access controls will stop all attacks!

What about those that have legitimate access? What about those who “break the rules”?

The only control you can get is based on visibility and accountability!

Page 15

Big Picture: Logs as Enabler of Corporate Accountability

Accountability

Accountability is answerability, enforcement, responsibility, blameworthiness, liability

Log Management

Log management is collecting, retaining and analyzing audit trails across the organization

There is a strong link between accountability and logging

Page 16

Use Cases for Log Data Continue to Expand

Does your organization use log management for any of the following? (Percentage of respondents, N = 123)

Response split per use case (three answer categories, see legend):

Security detection and remediation: 22% | 51% | 28%

Security analysis and forensics: 24% | 54% | 22%

Monitoring IT controls for regulatory compliance: 17% | 66% | 17%

Troubleshooting IT problems: 19% | 66% | 15%

Monitoring end-user behavior: 15% | 69% | 16%

Service level/performance management: 15% | 73% | 12%

Configuration/change management: 17% | 74% | 9%

Monitoring IT administrator behavior: 14% | 77% | 9%

Capacity planning: 11% | 82% | 8%

Business analysis: 7% | 90% | 2%

Legend: “Yes, we use SIM technologies for this today” / “No, we don’t use SIM technologies for this today, but plan or would like to do so in the future” / “No, we don’t use SIM technologies for this today and have no plans to do so” (the chart survives only as bare percentages; which column corresponds to which answer is not recoverable from the text)

Source: Enterprise Strategy Group, 2007

Page 17

Six Mistakes of Log Management

1. Not logging at all

2. Not looking at the logs

3. Storing logs for too short a time

4. Prioritizing the log records before collection

5. Ignoring the logs from applications

6. Only looking at what you know is bad
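Mistakes 2 and 6 above (not looking at the logs; only looking at what you know is bad) are the two a short script can make concrete. The Python below is an added example, not part of the presentation: it produces the minimal daily roll-up a review should at least glance at, learns which (user, source address) pairs log in successfully during a baseline week, and then reports both the “known bad” (failures) and the successful logins that match no bad pattern but have never been seen before. The events, dates and the dictionary schema are constructed assumptions.

```python
from collections import Counter
from datetime import date
from typing import Dict, List, Set, Tuple

Event = Dict[str, object]

# Constructed sample of already-normalized login events: one user logs in from the
# same address every day for a week, then on day 8 the same account appears from a
# new address while a second account fails to log in.
SAMPLE_EVENTS: List[Event] = [
    {"day": date(2010, 3, d), "user": "anton", "src_ip": "192.168.138.35", "outcome": "success"}
    for d in range(1, 8)
] + [
    {"day": date(2010, 3, 8), "user": "anton", "src_ip": "192.168.138.35", "outcome": "success"},
    {"day": date(2010, 3, 8), "user": "anton", "src_ip": "10.4.2.11", "outcome": "success"},
    {"day": date(2010, 3, 8), "user": "achuvakin", "src_ip": "10.14.98.55", "outcome": "failure"},
]

def daily_summary(events: List[Event], day: date) -> Counter:
    """Per-day (user, outcome) counts: the least a daily log review should look at."""
    return Counter((ev["user"], ev["outcome"]) for ev in events if ev["day"] == day)

def review_logins(events: List[Event], baseline_end: date) -> Tuple[List[Event], List[Event]]:
    """Split events into a learning window (up to and including baseline_end) and a
    review window. Returns (signature_hits, novel_successes):
      signature_hits  = review-window failures, the 'known bad' a rule-only review stops at;
      novel_successes = review-window successful logins whose (user, src_ip) pair never
                        occurred in the learning window. Nothing about them is known bad,
                        which is exactly why a review limited to known-bad patterns misses them."""
    baseline: Set[Tuple[str, str]] = set()
    for ev in events:
        if ev["day"] <= baseline_end and ev["outcome"] == "success":
            baseline.add((ev["user"], ev["src_ip"]))
    signature_hits: List[Event] = []
    novel: List[Event] = []
    for ev in events:
        if ev["day"] <= baseline_end:
            continue
        if ev["outcome"] == "failure":
            signature_hits.append(ev)
        elif (ev["user"], ev["src_ip"]) not in baseline:
            novel.append(ev)
    return signature_hits, novel

if __name__ == "__main__":
    hits, novel = review_logins(SAMPLE_EVENTS, date(2010, 3, 7))
    print("known bad:", hits)
    print("never seen before:", novel)
    print("day 8 summary:", daily_summary(SAMPLE_EVENTS, date(2010, 3, 8)))
```

The second list is the point: a successful login from an address the account has never used is invisible to a review that only matches failures or known attack signatures, yet it is the record an incident investigation will most want to have kept.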

Page 18

“Compliance+” Model At Work

You bought it for PCI DSS

You installed it

Your boss is happy

Your auditor is … gone

What are you going to do next?

Page 19

Conclusions

In today’s complex IT, the only control comes from visibility and accountability

Logs and log management are what enable it across all systems

Start logging – then start collecting logs – then start reviewing and analyzing logs

Prepare for incidents by deploying a log management system!

Page 20

Questions?

Dr. Anton Chuvakin

Security Warrior Consulting

Log management, SIEM, PCI DSS

Email: [email protected]

Site: http://www.chuvakin.org

Blog: http://www.securitywarrior.org

Twitter: @anton_chuvakin

Consulting: http://www.securitywarriorconsulting.com

Page 21

More on Anton

Consultant: http://www.securitywarriorconsulting.com

Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.

Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide

Standard developer: CEE, CVSS, OVAL, etc.

Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others

Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

Page 22

Want a PCI DSS Book?

“PCI Compliance” by Anton Chuvakin and Branden Williams

Useful reference for merchants, vendors – and everybody else