Slideshare.net (beta)

Home My Slidespace Upload Community Tags Widgets

Latest | Most Viewed | Most Embedded | Featured | Most Favorited | Most Downloaded | Slidecasts

 
Post: 
Myspace Hi5 Friendster Xanga LiveJournal Facebook Blogger Tagged Typepad Freewebs BlackPlanet gigya icons

Download not available Question_markThe user has chosen not to allow download of this file. If you need it badly, send a request on his/her slidespace.




All comments

Add a comment on Slide 1

If you have a SlideShare account, login to comment; else you can comment as a guest


Showing 1-50 of 0 (more)

Choosing Your Log Management Approach: Buy, Build or Outsource

From anton_chuvakin, 5 months ago

Presentation from Anton Chuvakin on Choosing Your Log Management A more

1107 views  |  0 comments  |  0 favorites
Share this slideshow
 

Tags

chuvakin logging security logs management log

 
 

Groups/Events

Not added to any group/event

 
 

Privacy InfoNew!

This slideshow is Public

 
Embed in your blog
Embed (wordpress.com)
custom

Slideshow Statistics
Total Views: 1107
on Slideshare: 1107
from embeds: 0* * Views from embeds since 21 Aug, 07

Slideshow transcript

Slide 1: Anton Chuvakin, Ph.D., GCIH, GCFA Chief Logging Evangelist LogLogic, Inc How Would You Do It? Selecting a Log Management Approach Mitigating Risk. Automating Compliance. LogLogic Confidential Friday, February 1, 2008 1

Slide 2: Outline  Are you convinced: why log management? – Hey, why not just ignore the logs, as usual!   Choices, choices: build, buy, outsource, combine… – Build advantage and risks – Buy advantage and risks – Outsource advantage and risks – Combined strategies  Critical issues – Buy: questions to ask your vendor – Build: open-source tools available  Conclusions Mitigating Risk. Automating Compliance. Friday, February 1, 2008 2

Slide 3: Log Data Overview What logs? From Where?  Audit logs  Firewalls/intrusion prevention  Transaction logs  Routers/switches  Intrusion logs  Intrusion detection  Connection logs  Servers, desktops, mainframes  System performance records  Business applications  User activity logs  Databases  Various alerts and other  Anti-virus messages  VPNs Mitigating Risk. Automating Compliance. Friday, February 1, 2008 3

Slide 4: Why Log Management?  Threat protection and discovery  Incident response  Forensics, “e-discovery” and litigation support  Regulatory compliance  Internal policies and procedure compliance  Internal and external audit support  IT system and network troubleshooting  IT performance management Mitigating Risk. Automating Compliance. Friday, February 1, 2008 4

Slide 5: Log Management Mandate and Regulations Regulations Mandates Controls Require LMI Demand It Require it  SOX  FISMA  PCI  SLAs  COBIT  ITIL  GLBA  JPA  HIPAA  ISO  NIST  PCI: Requirement 10  COBIT 4 800-53  Capture audit records and beyond  Provide audit trail for root-cause analysis  Regularly review audit records  Logging and user activities for unusual activity and tracking are critical  Use logging to detect unusual or violations abnormal activities  Automate and secure audit trails  Automatically process audit for event reconstruction  Regularly review access, privileges, records changes  Review logs daily  Protect audit information from  Verify backup completion  Retain audit trail history for unauthorized deletion at least one year  ISO17799  Retain audit logs  Maintain audit logs for system  NIST 800-92 Log access and use, changes, faults, corrections, capacity demands Management Guide!  Review the results of monitoring activities regularly and ensure the accuracy of logs “Get fined, Get “Lose Customers, “Get fined, Go To Jail” Sanctioned” Reputation, Revenue or Job” Mitigating Risk. Automating Compliance. Friday, February 1, 2008 5

Slide 6: Log Management Process Mitigating Risk. Automating Compliance. Friday, February 1, 2008 6

Slide 7: How Do You Do It?  Now that you are convinced that log management is A MUST, your choices are: – Outsource – Built – Buy  Combined strategies are also possible – some offer unique advantages Mitigating Risk. Automating Compliance. Friday, February 1, 2008 7

Slide 8: Outsource Advantages Risks  Somebody else will worry  Somebody else will about your problems! worry about your problems!  Likely, no need to run any equipment in house  Requirements not met  Less staff needed  SLA risks and lost control of data  Management will like it   Volume and log access challenges Mitigating Risk. Automating Compliance. Friday, February 1, 2008 8

Slide 9: Outsourcing LM: What to Be Aware Of?  Will all your logs be going to the MSSP? What will? – Likely not – no way to move all!  Does MSSP have skills to analyze your site-specific logs? – Probably not …  Can you still take a peek at your logs? – Do you need to call for that? – Can you just review, search, etc your raw logs?  BTW, SaaS is NOT MSSP – you need to do the work (oh, horror! ) Mitigating Risk. Automating Compliance. Friday, February 1, 2008 9

Slide 10: Build Advantages Risks  Likely will get exactly  Ongoing maintenance what you want will kill you   You can do things that  No support, apart from no vendor has you  Choose platform, tools,  Does it pass the “bus methods test”?  No up front cost  Handling log volume  Its fun to do!   Will it scale with you? Mitigating Risk. Automating Compliance. Friday, February 1, 2008 10

Slide 11: Open-Source Pieces That Help!  Log collection – Syslog-ng, kiwi, Snare, Project LASSO, Apache2syslog, logger, etc  Secure centralization – Stunnel, ssh/scp, free IPSec VPNs  Pre-processing – LogPP – from ugly logs to cute ones   Storage – MySQL or design your own file-based storage  Analysis – a tough one!  – MS Excel – yes, still a top choice! – OSSEC and OSSIM for [some] intelligence – SEC for correlation – Swatch, logwatch, logsentry, other match-n-bug scripts (too many!) Mitigating Risk. Automating Compliance. Friday, February 1, 2008 11

Slide 12: Buy Advantages Risks  “Cash and carry” – pay  “Cash and carry” – and get a “solution” pay and get a tool you  Support for log sources need to use now  Ongoing  Skilled staff needed to improvements, support get value out of a and guidance purchased appliance  “Have a face(s) to  Requirements not met scream at!”  Vendor longevity Mitigating Risk. Automating Compliance. Friday, February 1, 2008 12

Slide 13: Questions to Discuss With Your Vendor 1. Are you collecting and aggregating 100% of all log data from all data sources on the network? 2. Are your logs transported and stored securely? 3. Are there packaged reports that suit your needs? Can you create the needed reports to organize collected log data quickly? 4. Can you set alerts on anything in the logs? 5. Are you looking at log data on a daily basis? Can you prove that you are? 6. Can you perform fast, targeted searches for specific data? 7. Can you contextualize log data (comparing application, network and database logs) when undertaking forensics and other operational tasks? 8. Can you readily prove that security, change management, and access control policies are in use and up to date? 9. Can you securely share log data with other applications and users? Mitigating Risk. Automating Compliance. Friday, February 1, 2008 13

Slide 14: Combined Strategies: Often the Best…  … but you might need to pay twice   Buy + Build: great idea – enhance vendor tools with internal custom development OR combine vendor tools with open-source tools (build, then buy or the opposite)  Buy + Outsource: split the work with an MSSP team and retain more control  Build + Outsource: combine your own with MSSP  Combined approaches mitigate some of the risks, but at a cost (see TANFL principle ) Mitigating Risk. Automating Compliance. Friday, February 1, 2008 14

Slide 15: Build + Buy: Surprisingly Effective!  Capture buy advantages: – Support – Ongoing improvements – Performance and scalability of the platform – Routine, boring log management tasks done by vendor!  Capture build advantages: – Build analysis you want on top of the vendor platform (e.g. via web API like LogLogic’s) – Present the data you want to the people that need it – Fun log management tasks done by you! Mitigating Risk. Automating Compliance. Friday, February 1, 2008 15

Slide 16: Finally, How to Choose?  Breadth/depth of project requirements – Just how unusual you are? – Unique needs or volumes  Size of organization  Available resources – Money – Development talent  Organization culture and management support  Deployed hardware and software – Run any Tandem?  Mitigating Risk. Automating Compliance. Friday, February 1, 2008 16

Slide 17: Take Action!  Turn ON logging!  Assess the role of log data in meeting compliance requirements, mitigating security risks, enabling audit and improving availability  Implement log management strategy as outlined above  Only “roll your own” after analyzing other options as well as pro/con arguments  Attend webcasts (www.loglogic.com) and read our blog at blog.loglogic.com Mitigating Risk. Automating Compliance. Friday, February 1, 2008 17

Slide 18: Thank You! Anton Chuvakin, Ph.D., GCIH, GCFA www.chuvakin.org Chief Logging Evangelist LogLogic, Inc www.loglogic.com See www.info-secure.org for my papers, books, reviews and other security and logging resources. Subscribe to my blog at www.securitywarrior.org Mitigating Risk. Automating Compliance. Friday, February 1, 2008 18

© 2008 SlideShare Inc. All Rights Reserved.
App06 is serving you.