How Would You Do It? Selecting a Log Management Approach Anton Chuvakin, Ph.D., GCIH, GCFA Chief Logging Evangelist LogLogic, Inc Mitigating Risk. Automating Compliance.

Outline Are you convinced: why log management? Hey, why not just ignore the logs, as usual !  Choices, choices: build, buy, outsource, combine… Build advantage and risks Buy advantage and risks Outsource advantage and risks Combined strategies Critical issues Buy: questions to ask your vendor Build: open-source tools available Conclusions

Are you convinced: why log management?

Hey, why not just ignore the logs, as usual ! 

Choices, choices: build, buy, outsource, combine…

Build advantage and risks

Buy advantage and risks

Outsource advantage and risks

Combined strategies

Critical issues

Buy: questions to ask your vendor

Build: open-source tools available

Conclusions

Log Data Overview Audit logs Transaction logs Intrusion logs Connection logs System performance records User activity logs Various alerts and other messages Firewalls/intrusion prevention Routers/switches Intrusion detection Servers, desktops, mainframes Business applications Databases Anti-virus VPNs What logs? From Where?

Audit logs

Transaction logs

Intrusion logs

Connection logs

System performance records

User activity logs

Various alerts and other messages

Firewalls/intrusion prevention

Routers/switches

Intrusion detection

Servers, desktops, mainframes

Business applications

Databases

Anti-virus

VPNs

Why Log Management? Threat protection and discovery Incident response Forensics , “e-discovery” and litigation support Regulatory compliance Internal policies and procedure compliance Internal and external audit support IT system and network troubleshooting IT performance management

Threat protection and discovery

Incident response

Forensics , “e-discovery” and litigation support

Regulatory compliance

Internal policies and procedure compliance

Internal and external audit support

IT system and network troubleshooting

IT performance management

Log Management Mandate and Regulations Regulations Require LMI SOX GLBA FISMA JPA NIST 800-53 Capture audit records Regularly review audit records for unusual activity and violations Automatically process audit records Protect audit information from unauthorized deletion Retain audit logs NIST 800-92 Log Management Guide! PCI HIPAA SLAs Mandates Demand It PCI : Requirement 10 and beyond Logging and user activities tracking are critical Automate and secure audit trails for event reconstruction Review logs daily Retain audit trail history for at least one year COBIT ISO ITIL COBIT 4 Provide audit trail for root-cause analysis Use logging to detect unusual or abnormal activities Regularly review access, privileges, changes Verify backup completion ISO17799 Maintain audit logs for system access and use, changes, faults, corrections, capacity demands Review the results of monitoring activities regularly and ensure the accuracy of logs Controls Require it “ Get fined, Get Sanctioned” “ Lose Customers, Reputation, Revenue or Job” “ Get fined, Go To Jail”

SOX

GLBA

FISMA

JPA

NIST 800-53

Capture audit records

Regularly review audit records for unusual activity and violations

Automatically process audit records

Protect audit information from unauthorized deletion

Retain audit logs

NIST 800-92 Log Management Guide!

PCI

HIPAA

SLAs

PCI : Requirement 10 and beyond

Logging and user activities tracking are critical

Automate and secure audit trails for event reconstruction

Review logs daily

Retain audit trail history for at least one year

COBIT

ISO

ITIL

COBIT 4

Provide audit trail for root-cause analysis

Use logging to detect unusual or abnormal activities

Regularly review access, privileges, changes

Verify backup completion

ISO17799

Maintain audit logs for system access and use, changes, faults, corrections, capacity demands

Review the results of monitoring activities regularly and ensure the accuracy of logs

Log Management Process

How Do You Do It? Now that you are convinced that log management is A MUST, your choices are: Outsource Built Buy Combined strategies are also possible – some offer unique advantages

Now that you are convinced that log management is A MUST, your choices are:

Outsource

Built

Buy

Combined strategies are also possible – some offer unique advantages

Outsource Risks Somebody else will worry about your problems! Requirements not met SLA risks and lost control of data Volume and log access challenges Advantages Somebody else will worry about your problems! Likely, no need to run any equipment in house Less staff needed Management will like it 

Risks

Somebody else will worry about your problems!

Requirements not met

SLA risks and lost control of data

Volume and log access challenges

Advantages

Somebody else will worry about your problems!

Likely, no need to run any equipment in house

Less staff needed

Management will like it 

Outsourcing LM: What to Be Aware Of? Will all your logs be going to the MSSP? What will? Likely not – no way to move all! Does MSSP have skills to analyze your site-specific logs? Probably not … Can you still take a peek at your logs? Do you need to call for that? Can you just review, search, etc your raw logs? BTW, SaaS is NOT MSSP – you need to do the work (oh, horror!  )

Will all your logs be going to the MSSP? What will?

Likely not – no way to move all!

Does MSSP have skills to analyze your site-specific logs?

Probably not …

Can you still take a peek at your logs?

Do you need to call for that?

Can you just review, search, etc your raw logs?

BTW, SaaS is NOT MSSP – you need to do the work (oh, horror!  )

Build Risks Ongoing maintenance will kill you  No support, apart from you Does it pass the “ bus test ”? Handling log volume Will it scale with you? Advantages Likely will get exactly what you want You can do things that no vendor has Choose platform, tools, methods No up front cost Its fun to do! 

Risks

Ongoing maintenance will kill you 

No support, apart from you

Does it pass the “ bus test ”?

Handling log volume

Will it scale with you?

Advantages

Likely will get exactly what you want

You can do things that no vendor has

Choose platform, tools, methods

No up front cost

Its fun to do! 

Open-Source Pieces That Help! Log collection Syslog-ng, kiwi, Snare, Project LASSO, Apache2syslog, logger, etc Secure centralization Stunnel, ssh/scp, free IPSec VPNs Pre-processing LogPP – from ugly logs to cute ones  Storage MySQL or design your own file-based storage Analysis – a tough one!  MS Excel – yes, still a top choice! OSSEC and OSSIM for [ some ] intelligence SEC for correlation Swatch, logwatch, logsentry, other match-n-bug scripts (too many!)

Log collection

Syslog-ng, kiwi, Snare, Project LASSO, Apache2syslog, logger, etc

Secure centralization

Stunnel, ssh/scp, free IPSec VPNs

Pre-processing

LogPP – from ugly logs to cute ones 

Storage

MySQL or design your own file-based storage

Analysis – a tough one! 

MS Excel – yes, still a top choice!

OSSEC and OSSIM for [ some ] intelligence

SEC for correlation

Swatch, logwatch, logsentry, other match-n-bug scripts (too many!)

Buy Risks “Cash and carry” – pay and get a tool you need to use now Skilled staff needed to get value out of a purchased appliance Requirements not met Vendor longevity Advantages “ Cash and carry” – pay and get a “ solution ” Support for log sources Ongoing improvements, support and guidance “ Have a face(s) to scream at!”

Risks

“Cash and carry” – pay and get a tool you need to use now

Skilled staff needed to get value out of a purchased appliance

Requirements not met

Vendor longevity

Advantages

“ Cash and carry” – pay and get a “ solution ”

Support for log sources

Ongoing improvements, support and guidance

“ Have a face(s) to scream at!”

Questions to Discuss With Your Vendor Are you collecting and aggregating 100% of all log data from all data sources on the network? Are your logs transported and stored securely ? Are there packaged reports that suit your needs? Can you create the needed reports to organize collected log data quickly? Can you set alerts on anything in the logs? Are you looking at log data on a daily basis? Can you prove that you are? Can you perform fast, targeted searches for specific data? Can you contextualize log data (comparing application, network and database logs) when undertaking forensics and other operational tasks? Can you readily prove that security, change management, and access control policies are in use and up to date? Can you securely share log data with other applications and users?

Are you collecting and aggregating 100% of all log data from all data sources on the network?

Are your logs transported and stored securely ?

Are there packaged reports that suit your needs? Can you create the needed reports to organize collected log data quickly?

Can you set alerts on anything in the logs?

Are you looking at log data on a daily basis? Can you prove that you are?

Can you perform fast, targeted searches for specific data?

Can you contextualize log data (comparing application, network and database logs) when undertaking forensics and other operational tasks?

Can you readily prove that security, change management, and access control policies are in use and up to date?

Can you securely share log data with other applications and users?

Combined Strategies: Often the Best… … but you might need to pay twice  Buy + Build : great idea – enhance vendor tools with internal custom development OR combine vendor tools with open-source tools (build, then buy or the opposite ) Buy + Outsource : split the work with an MSSP team and retain more control Build + Outsource : combine your own with MSSP Combined approaches mitigate some of the risks, but at a cost (see TANFL principle  )

… but you might need to pay twice 

Buy + Build : great idea – enhance vendor tools with internal custom development OR combine vendor tools with open-source tools (build, then buy or the opposite )

Buy + Outsource : split the work with an MSSP team and retain more control

Build + Outsource : combine your own with MSSP

Combined approaches mitigate some of the risks, but at a cost (see TANFL principle  )

Build + Buy: Surprisingly Effective! Capture buy advantages: Support Ongoing improvements Performance and scalability of the platform Routine, boring log management tasks done by vendor! Capture build advantages: Build analysis you want on top of the vendor platform (e.g. via web API like LogLogic’s) Present the data you want to the people that need it Fun log management tasks done by you!

Capture buy advantages:

Support

Ongoing improvements

Performance and scalability of the platform

Routine, boring log management tasks done by vendor!

Capture build advantages:

Build analysis you want on top of the vendor platform (e.g. via web API like LogLogic’s)

Present the data you want to the people that need it

Fun log management tasks done by you!

Finally, How to Choose? Breadth/depth of project requirements Just how unusual you are? Unique needs or volumes Size of organization Available resources Money Development talent Organization culture and management support Deployed hardware and software Run any Tandem? 

Breadth/depth of project requirements

Just how unusual you are?

Unique needs or volumes

Size of organization

Available resources

Money

Development talent

Organization culture and management support

Deployed hardware and software

Run any Tandem? 

Take Action! Turn ON logging! Assess the role of log data in meeting compliance requirements , mitigating security risks , enabling audit and improving availability Implement log management strategy as outlined above Only “roll your own” after analyzing other options as well as pro/con arguments Attend webcasts ( www.loglogic.com ) and read our blog at blog.loglogic.com

Turn ON logging!

Assess the role of log data in meeting compliance requirements , mitigating security risks , enabling audit and improving availability

Implement log management strategy as outlined above

Only “roll your own” after analyzing other options as well as pro/con arguments

Attend webcasts ( www.loglogic.com ) and read our blog at blog.loglogic.com

Thank You! Anton Chuvakin, Ph.D., GCIH, GCFA www.chuvakin.org Chief Logging Evangelist LogLogic, Inc www.loglogic.com See www.info-secure.org for my papers, books, reviews and other security and logging resources. Subscribe to my blog at www.securitywarrior.org

Anton Chuvakin, Ph.D., GCIH, GCFA www.chuvakin.org

Chief Logging Evangelist

LogLogic, Inc www.loglogic.com

See www.info-secure.org for my papers, books, reviews

and other security and logging resources.

Subscribe to my blog at www.securitywarrior.org