How to Gain Visibility and Control: Compliance Mandates, Security Threats and Data Leaks by Dr. Anton Chuvakin

  • Title: How to Gain Visibility and Control over Compliance Mandates, Security Threats and Data Leaks

    Data integrity and confidentiality are critical. 62% of fraud is committed by insiders. Downtime is measured in millions of dollars per minute. Constant security threats and intense scrutiny by regulators and auditors require complete visibility and accountability, both in real time and historically. Organizations face significant risks and exciting rewards during this period of economic and regulatory change. To meet the growing demands, you need to make a shift from worrying about the unknown to gaining visibility and control over your operational threats. Top organizations are effectively managing their security threats and compliance requirements by building a foundation for internal investigations, forensics, and compliance that allows them to correlate information and detect real-time threats and fraud. By building pre-defined response plans they are able to significantly reduce the costs of managing network security and firewall policies. During this session we will cover how you can leverage the logs that you are already collecting to achieve regulatory compliance, protect valuable customer information and improve the efficiency of your IT operations team.

    This webcast will also feature a real-world case study.
    (*) How to easily and cost-effectively automate your log management
    (*) How log management can be used to achieve compliance
    (*) How to protect valuable customer data
    (*) Best practices and tips for simplifying your life

    ----

    I would like you to focus on the problem:
    (*) Data integrity and confidentiality are critical.
    (*) Constant security threats and intense scrutiny by regulators and auditors require complete visibility and accountability, both in real time and historically.

    What organizations need to do:
    (*) To meet the growing demands, you need to make a shift from worrying about the unknown to gaining visibility and control over your operational threats.
    (*) Effectively manage the security threats and compliance requirements by building a foundation for internal investigations, forensics, and compliance that allows them to correlate information and detect real-time threats and fraud.
    (*) By building pre-defined response plans they are able to significantly reduce the costs of managing network security and firewall policies.

    =====

    We are trying to highlight all we do. This is an infosec US audience.

    ====

    I'll be looking for a PPT presentation of between 12 and 20 slides, plus a spoken-word preso of about 20 minutes from you - for submission one week ahead of the event itself - so can I suggest close of business on 01 December please?

How to Gain Visibility and Control: Compliance Mandates, Security Threats and Data Leaks
Dr. Anton Chuvakin
Security Warrior Consulting
www.securitywarriorconsulting.com
Nov 2009

Outline
- Threats: From Hackers to Auditors
- What’s in Common? Accountability!
- Log Management for Accountability, Visibility and Control
- “Compliance+”: Many Uses for Logs
- When Incident Strikes
- Conclusions

“It Can’t Happen to Me!”
- It probably already did!

Moreover…
- “The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”
Regulations Require Logs
Mandates Demand Logs
Controls Include Logs
- SOX
- GLBA
- FISMA
- JPA
- PCI
- HIPAA
- SLAs
- COBIT
- ISO
- ITIL

PCI: Requirement 10 and beyond
- Logging and user activity tracking are critical
- Automate and secure audit trails for event reconstruction
- Review logs daily
- Retain audit trail history for at least one year

COBIT 4
- Provide audit trail for root-cause analysis
- Use logging to detect unusual or abnormal activities
- Regularly review access, privileges, changes
- Verify backup completion

ISO 17799
- Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
- Review the results of monitoring activities regularly and ensure the accuracy of logs

NIST 800-53
- Capture audit records
- Regularly review audit records for unusual activity and violations
- Automatically process audit records
- Protect audit information from unauthorized deletion
- Retain audit logs

“Get fined, Get Sanctioned”
“Lose Customers, Reputation, Revenue or Job”
“Get fined, Go To Jail”
At the Same Time…
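Several of the mandates above converge on one technical control: the audit trail itself must be protected from deletion and alteration (PCI DSS “automate and secure audit trails for event reconstruction”, NIST 800-53 “protect audit information from unauthorized deletion”). The following is an added example, not code from the presentation, of one way to make a trail tamper-evident: each record carries a keyed hash that also covers the previous record’s hash, so a deleted, reordered or edited entry breaks the chain at a verifiable point. The key, hosts, users and records are constructed for the demo.

```python
"""Tamper-evident audit trail: a keyed hash chain over log records.

Added example (not from the presentation). Each record stores the digest
of the previous record, so deleting, reordering or editing an entry breaks
the chain and verify_chain() reports the first bad index. The key and all
records below are constructed for the demo.
"""
import copy
import hashlib
import hmac
import json

# Hypothetical key held by the log collector, not by the log source.
# It must live off the monitored host (HSM, or at least the collector).
CHAIN_KEY = b"demo-only-key-do-not-use"

# Fixed "previous hash" for the first record in the chain.
GENESIS = "0" * 64


def _digest(prev_hash: str, record: dict) -> str:
    """HMAC-SHA256 over (previous hash || canonical JSON of the record)."""
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(CHAIN_KEY, payload, hashlib.sha256).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    """Append an audit record linked to the previous entry's digest."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"prev": prev_hash, "record": record, "hash": _digest(prev_hash, record)}
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Return (ok, index): index of the first broken link, or -1 if intact."""
    expected_prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != expected_prev:
            return False, i  # link points at something other than its predecessor
        if not hmac.compare_digest(entry["hash"], _digest(entry["prev"], entry["record"])):
            return False, i  # record or its link was altered after hashing
        expected_prev = entry["hash"]
    return True, -1


def build_demo_chain() -> list:
    """Constructed sample audit events (invented host, user and actions)."""
    chain = []
    events = [
        {"ts": "2009-11-03T09:12:01Z", "host": "db01", "user": "alice", "event": "login_ok"},
        {"ts": "2009-11-03T09:15:44Z", "host": "db01", "user": "alice", "event": "select cardholder"},
        {"ts": "2009-11-03T09:16:10Z", "host": "db01", "user": "alice", "event": "logout"},
    ]
    for e in events:
        append_record(chain, e)
    return chain


def tampered_delete(chain: list) -> list:
    """Attacker removes the middle record (the incriminating query)."""
    return [chain[0], chain[2]]


def tampered_edit(chain: list) -> list:
    """Attacker rewrites the user name in place, keeping the entry count."""
    c = copy.deepcopy(chain)
    c[1]["record"]["user"] = "bob"
    return c


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:", verify_chain(chain))
    print("after delete:", verify_chain(tampered_delete(chain)))
    print("after edit:", verify_chain(tampered_edit(chain)))
```

verify_chain() returns the index of the first broken link, which is what an investigator needs when reconstructing events. Two caveats a practitioner should keep in mind: the key must not sit on the host whose logs it protects (an attacker with root there can simply re-chain), which is one more reason to forward logs to a separate collector; and the chain alone cannot show that the newest records were truncated, so the latest hash or record count has to be anchored periodically somewhere else, for example in the collector’s own log or a signed checkpoint.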
Security and Compliance Today
<- This is the enemy!
This is NOT the enemy! ->
However, BOTH want your attention!

What to do?
Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology
April 2007
http://geer.tinho.net/geer.housetestimony.070423.txt
“In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things up then you will have to pay.”
Daniel Geer, Sc.D.
Why Logs for Accountability
- Everybody leaves traces in logs!
- Potentially, every action could be logged!
- Control doesn’t scale, accountability (= logs!) does!
- More controls -> more complexity -> less control!
- The only technology that makes IT users (legitimate and otherwise) accountable: logging!

Control vs Visibility
- Myth: Stringent access controls will stop all attacks!
- What about those that have legitimate access? What about those who “break the rules”?
- The only control you can get is based on visibility and accountability!

Corporate Accountability
- Accountability: accountability is answerability, enforcement, responsibility, blameworthiness, liability
- Log management: log management is collecting, retaining and analyzing audit trails across the organization
- There is a strong link between accountability and logging
- Big picture: logs as enabler of corporate accountability
What Logs? From Where?
From where?
- Firewalls/intrusion prevention
- Routers/switches
- Intrusion detection
- Servers, desktops, mainframes
- Business applications
- Databases
- Anti-virus
- VPNs
What logs?
- Audit logs
- Transaction logs
- Intrusion logs
- Connection logs
- System performance records
- User activity logs
- Various alerts and other messages

Why Log Management and SIEM?
- Threat protection and discovery
- Incident response
- Forensics, “e-discovery” and litigation support
- Regulatory compliance
- Internal policies and procedure compliance
- Internal and external audit support
- IT system and network troubleshooting
- IT performance management
Use Cases for Log Data Continue to Expand
Does your organization use log management for any of the following?
(Chart: one stacked bar per use case, percentage of respondents, N = 123. Source: Enterprise Strategy Group, 2007. Responses: “Yes, we use SIM technologies for this today” / “No, we don’t use SIM technologies for this today, but plan or would like to do so in the future” / “No, we don’t use SIM technologies for this today and have no plans to do so”.)
Use cases in the order shown, with the “yes, we use it today” share as recovered from the chart labels; how the remainder splits between “plan to” and “no plans” is not recoverable from the extraction:
- Security detection and remediation: 90%
- Security analysis and forensics: 82%
- Monitoring IT controls for regulatory compliance: 77%
- Troubleshooting IT problems: 74%
- Monitoring end-user behavior: 73%
- Service level/performance management: 69%
- Configuration/change management: 66%
- Monitoring IT administrator behavior: 66%
- Capacity planning: 54%
- Business analysis: 51%
“Compliance+” Model At Work
- You bought it for PCI DSS
- You installed it
- Your boss is happy
- Your auditor is … gone
- What are you going to do next?

Get More Info!
- “PCI Compliance” by Anton Chuvakin and Branden Williams
- www.pcicompliancebook.info
- Useful reference for merchants, vendors – and everybody else
- Out in December 2009!
Frequent First Use of Logs
Logs for incident response. Priorities:
- Have a response process!
- Have logging enabled
- Have logs centralized
- Have logs searchable
- Have logs “baselined”
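As an added example (not code from the presentation) of the last two priorities, searchable and baselined logs: a short review script that builds a per-user baseline of source addresses and login hours from one window of sshd authentication lines, then reports deviations in the next window together with a burst of failures from a single source. The log lines, host, users and addresses are constructed for the demo. It also shows why the case on the “Moreover…” slide mattered: the baseline and the “new source” alert depend entirely on successful logins being logged, not just failures.

```python
"""Baseline-then-review over sshd authentication logs.

Added example (not from the presentation). A window of "known good" lines
builds a per-user baseline; the review window is then searched for logins
that deviate from it and for failed-login bursts. All log lines, hosts,
users and addresses are constructed for the demo.
"""
import re
from collections import defaultdict

# Syslog-style sshd lines. Both outcomes are logged: a trail that records
# only failures cannot show who actually got in.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<hh>\d{2}):\d{2}:\d{2} (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)

# Constructed "normal" window used to learn the baseline.
BASELINE_LOGS = """\
Nov  2 08:55:10 web01 sshd[4101]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Nov  2 09:10:33 web01 sshd[4188]: Accepted publickey for alice from 10.0.0.5 port 50130 ssh2
Nov  2 17:42:08 web01 sshd[5210]: Accepted publickey for alice from 10.0.0.5 port 51802 ssh2
Nov  3 08:58:41 web01 sshd[6001]: Accepted password for bob from 10.0.0.9 port 40211 ssh2
Nov  3 13:21:15 web01 sshd[6420]: Accepted password for bob from 10.0.0.9 port 40377 ssh2
"""

# Constructed review window: one routine login, one suspicious one,
# a password-guessing burst, and another routine login.
NEW_LOGS = """\
Nov  4 09:01:02 web01 sshd[7010]: Accepted publickey for alice from 10.0.0.5 port 52001 ssh2
Nov  4 03:12:44 web01 sshd[7102]: Accepted password for alice from 203.0.113.77 port 33120 ssh2
Nov  4 03:13:01 web01 sshd[7104]: Failed password for invalid user admin from 203.0.113.77 port 33121 ssh2
Nov  4 03:13:02 web01 sshd[7105]: Failed password for invalid user admin from 203.0.113.77 port 33122 ssh2
Nov  4 03:13:03 web01 sshd[7106]: Failed password for root from 203.0.113.77 port 33123 ssh2
Nov  4 03:13:04 web01 sshd[7107]: Failed password for root from 203.0.113.77 port 33124 ssh2
Nov  4 03:13:05 web01 sshd[7108]: Failed password for root from 203.0.113.77 port 33125 ssh2
Nov  4 13:05:19 web01 sshd[7900]: Accepted password for bob from 10.0.0.9 port 41001 ssh2
"""

FAILED_BURST_THRESHOLD = 5  # failures from one source within the review window


def parse(text: str):
    """Yield a dict per line the regex understands; lines it does not are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["hour"] = int(ev["hh"])
            yield ev


def build_baseline(text: str):
    """Per user: the source IPs and hours of day seen on successful logins."""
    base = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in parse(text):
        if ev["result"] == "Accepted":
            base[ev["user"]]["ips"].add(ev["ip"])
            base[ev["user"]]["hours"].add(ev["hour"])
    return base


def review(text: str, baseline) -> list:
    """Return alert strings for events that deviate from the baseline."""
    alerts = []
    failures = defaultdict(int)
    for ev in parse(text):
        if ev["result"] == "Failed":
            failures[ev["ip"]] += 1
            if failures[ev["ip"]] == FAILED_BURST_THRESHOLD:  # alert once per source
                alerts.append(f"failed-login burst from {ev['ip']}")
            continue
        user, ip, hour = ev["user"], ev["ip"], ev["hour"]
        if user not in baseline:
            alerts.append(f"first-ever login for {user} from {ip}")
            continue
        known = baseline[user]
        if ip not in known["ips"]:
            alerts.append(f"{user} logged in from new source {ip}")
        if hour not in known["hours"]:
            alerts.append(f"{user} logged in at unusual hour {hour:02d}:00 from {ip}")
    return alerts


def run_demo() -> list:
    """Learn from the baseline window, then review the new window."""
    return review(NEW_LOGS, build_baseline(BASELINE_LOGS))


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The baseline here is deliberately crude (exact hours and addresses from a handful of lines); in production the learning window is longer and the comparison is usually by address range and time band, but the shape is the same: collect, centralise, make searchable, learn what normal looks like, then review what differs. Note that the suspicious login for alice is visible only because the “Accepted” line exists; with failure-only logging the reviewer would see the burst and nothing else.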
Conclusions
- In today’s complex IT, the only control comes from visibility and accountability
- Logs and log management are what enable it across all systems
- Start logging, then start collecting logs, then start reviewing and analyzing logs
- Prepare for incidents by deploying a log management system!
Questions
Dr. Anton Chuvakin
Email: anton@chuvakin.org
Google Voice: 510-771-7106
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Twitter: @anton_chuvakin
Consulting: www.securitywarriorconsulting.com

More on Anton
- Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
- Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
- Standard developer: CEE, CVSS, OVAL, etc.
- Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
- Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant

Security Warrior Consulting Services
Logging and log management policy
- Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect those to solve organization problems
- Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration as well as reporting, review and validation
- Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
- Help integrate logging tools and processes into IT and business operations
Content development
- Develop correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs
- Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com
