Choosing Your Log Management Approach: Buy, Build or Outsource

How Would You Do It? Selecting a Log Management Approach Anton Chuvakin, Ph.D., GCIH, GCFA Chief Logging Evangelist LogLogic, Inc Mitigating Risk. Automating Compliance.

Outline
Are you convinced: why log management?
Hey, why not just ignore the logs, as usual ! 
Choices, choices: build, buy, outsource, combine…
Build advantage and risks
Buy advantage and risks
Outsource advantage and risks
Combined strategies
Critical issues
Buy: questions to ask your vendor
Build: open-source tools available
Conclusions

Log Data Overview
Audit logs
Transaction logs
Intrusion logs
Connection logs
System performance records
User activity logs
Various alerts and other messages
Firewalls/intrusion prevention
Routers/switches
Intrusion detection
Servers, desktops, mainframes
Business applications
Databases
Anti-virus
VPNs
What logs? From Where?

Why Log Management?
Threat protection and discovery
Incident response
Forensics , “e-discovery” and litigation support
Regulatory compliance
Internal policies and procedure compliance
Internal and external audit support
IT system and network troubleshooting
IT performance management

Log Management Mandate and Regulations Regulations Require LMI
SOX
GLBA
FISMA
JPA
NIST 800-53
Capture audit records
Regularly review audit records for unusual activity and violations
Automatically process audit records
Protect audit information from unauthorized deletion
Retain audit logs
NIST 800-92 Log Management Guide!
PCI
HIPAA
SLAs
Mandates Demand It
PCI : Requirement 10 and beyond
Logging and user activities tracking are critical
Automate and secure audit trails for event reconstruction
Review logs daily
Retain audit trail history for at least one year
COBIT
ISO
ITIL
COBIT 4
Provide audit trail for root-cause analysis
Use logging to detect unusual or abnormal activities
Regularly review access, privileges, changes
Verify backup completion
ISO17799
Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
Review the results of monitoring activities regularly and ensure the accuracy of logs
Controls Require it “ Get fined, Get Sanctioned” “ Lose Customers, Reputation, Revenue or Job” “ Get fined, Go To Jail”

Log Management Process

How Do You Do It?
Now that you are convinced that log management is A MUST, your choices are:
Outsource
Built
Buy
Combined strategies are also possible – some offer unique advantages

Outsource
Risks
Somebody else will worry about your problems!
Requirements not met
SLA risks and lost control of data
Volume and log access challenges
Advantages
Somebody else will worry about your problems!
Likely, no need to run any equipment in house
Less staff needed
Management will like it 

Outsourcing LM: What to Be Aware Of?
Will all your logs be going to the MSSP? What will?
Likely not – no way to move all!
Does MSSP have skills to analyze your site-specific logs?
Probably not …
Can you still take a peek at your logs?
Do you need to call for that?
Can you just review, search, etc your raw logs?
BTW, SaaS is NOT MSSP – you need to do the work (oh, horror!  )

Build
Risks
Ongoing maintenance will kill you 
No support, apart from you
Does it pass the “ bus test ”?
Handling log volume
Will it scale with you?
Advantages
Likely will get exactly what you want
You can do things that no vendor has
Choose platform, tools, methods
No up front cost
Its fun to do! 

Open-Source Pieces That Help!
Log collection
Syslog-ng, kiwi, Snare, Project LASSO, Apache2syslog, logger, etc
Secure centralization
Stunnel, ssh/scp, free IPSec VPNs
Pre-processing
LogPP – from ugly logs to cute ones 
Storage
MySQL or design your own file-based storage
Analysis – a tough one! 
MS Excel – yes, still a top choice!
OSSEC and OSSIM for [ some ] intelligence
SEC for correlation
Swatch, logwatch, logsentry, other match-n-bug scripts (too many!)

Buy
Risks
“Cash and carry” – pay and get a tool you need to use now
Skilled staff needed to get value out of a purchased appliance
Requirements not met
Vendor longevity
Advantages
“ Cash and carry” – pay and get a “ solution ”
Support for log sources
Ongoing improvements, support and guidance
“ Have a face(s) to scream at!”

Questions to Discuss With Your Vendor
Are you collecting and aggregating 100% of all log data from all data sources on the network?
Are your logs transported and stored securely ?
Are there packaged reports that suit your needs? Can you create the needed reports to organize collected log data quickly?
Can you set alerts on anything in the logs?
Are you looking at log data on a daily basis? Can you prove that you are?
Can you perform fast, targeted searches for specific data?
Can you contextualize log data (comparing application, network and database logs) when undertaking forensics and other operational tasks?
Can you readily prove that security, change management, and access control policies are in use and up to date?
Can you securely share log data with other applications and users?

Combined Strategies: Often the Best…
… but you might need to pay twice 
Buy + Build : great idea – enhance vendor tools with internal custom development OR combine vendor tools with open-source tools (build, then buy or the opposite )
Buy + Outsource : split the work with an MSSP team and retain more control
Build + Outsource : combine your own with MSSP
Combined approaches mitigate some of the risks, but at a cost (see TANFL principle  )

Build + Buy: Surprisingly Effective!
Capture buy advantages:
Support
Ongoing improvements
Performance and scalability of the platform
Routine, boring log management tasks done by vendor!
Capture build advantages:
Build analysis you want on top of the vendor platform (e.g. via web API like LogLogic’s)
Present the data you want to the people that need it
Fun log management tasks done by you!

Finally, How to Choose?
Breadth/depth of project requirements
Just how unusual you are?
Unique needs or volumes
Size of organization
Available resources
Money
Development talent
Organization culture and management support
Deployed hardware and software
Run any Tandem? 

Take Action!
Turn ON logging!
Assess the role of log data in meeting compliance requirements , mitigating security risks , enabling audit and improving availability
Implement log management strategy as outlined above
Only “roll your own” after analyzing other options as well as pro/con arguments
Attend webcasts ( www.loglogic.com ) and read our blog at blog.loglogic.com

Thank You!
Anton Chuvakin, Ph.D., GCIH, GCFA www.chuvakin.org
Chief Logging Evangelist
LogLogic, Inc www.loglogic.com
See www.info-secure.org for my papers, books, reviews
and other security and logging resources.
Subscribe to my blog at www.securitywarrior.org

Choosing Your Log Management Approach: Buy, Build or Outsource

by Anton Chuvakin on Feb 01, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 9

Statistics

Choosing Your Log Management Approach: Buy, Build or Outsource — Presentation Transcript