Log management and compliance: What's the real story? by Dr. Anton Chuvakin

One of the problems in making an Enterprise Content Management (ECM) strategy work with compliance initiatives is that compliance needs accountability at a very granular level. Consequently, IT shops are turning to log management as a solution, with many of those deployments driven by regulatory compliance. The language around log management solutions, however, is sometimes vague, which leads to confusion. This session lends some clarity to the regulations that affect log management. Topics include:

Best practices for meshing ECM and compliance strategies with log management
Tips and suggestions for monitoring and auditing access to regulated content, with a focus on Microsoft SharePoint logging
An examination of a handful of the regulations affecting how organizations view log management and information security, including the Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, the North American Electric Reliability Corporation (NERC) standards, HIPAA and the HITECH Act

Notes
  • ECM and compliance: what is the problem? Compliance needs accountability at a granular level. A lot of content has direct regulatory relevance: custodian data and content (SSNs, health records, etc.). Logging is a key vehicle for IT accountability.
  • Logging and compliance
  • Logging practices and tools
  • ECM + Compliance + Logging: how it all works together
  • Tips and suggestions for monitoring and auditing access to regulated content
  • Example: SharePoint logging
  • Conclusions
  • Trends in logging and compliance
  • Title: How to Gain Visibility and Control over Compliance Mandates, Security Threats and Data Leaks

    Data integrity and confidentiality are critical. 62% of fraud is committed by insiders. Downtime is measured in millions of dollars per minute. Constant security threats and intense scrutiny by regulators and auditors require complete visibility and accountability, both in real time and historically. Organizations face significant risks and exciting rewards during this period of economic and regulatory change. To meet the growing demands, you need to make a shift from worrying about the unknown to gaining visibility and control over your operational threats. Top organizations are effectively managing their security threats and compliance requirements by building a foundation for internal investigations, forensics, and compliance that allows them to correlate information and detect real-time threats and fraud. By building pre-defined response plans they are able to significantly reduce the costs of managing network security and firewall policies. During this session we will cover how you can leverage the logs that you are already collecting to achieve regulatory compliance, protect valuable customer information and improve the efficiency of your IT operations team. This webcast will also feature a real-world case study.
    (*) How to easily and cost-effectively automate your log management
    (*) How log management can be used to achieve compliance
    (*) How to protect valuable customer data
    (*) Best practices and tips for simplifying your life
    ----
    I would like you to focus on the problem:
    (*) Data integrity and confidentiality are critical.
    (*) Constant security threats and intense scrutiny by regulators and auditors require complete visibility and accountability, both in real time and historically.
    What organizations need to do:
    (*) To meet the growing demands, you need to make a shift from worrying about the unknown to gaining visibility and control over your operational threats.
    (*) Effectively managing security threats and compliance requirements by building a foundation for internal investigations, forensics, and compliance that allows them to correlate information and detect real-time threats and fraud.
    (*) By building pre-defined response plans they are able to significantly reduce the costs of managing network security and firewall policies.
    =====
    We are trying to highlight all we do. This is an infosec US audience.
    ====
    I'll be looking for a PPT presentation of between 12 and 20 slides, plus a spoken-word preso of about 20 minutes from you, for submission one week ahead of the event itself, so can I suggest close of business on 01 December please?

    1. Log Management and Compliance: What's the Real Story?
       • Dr. Anton Chuvakin
       • 2010

    2. Outline
       • Introduction to Logs and Log Management
       • Compliance Mandates Affecting IT
       • Compliance and ECM = Disaster Brewing!
       • Logging, an Ultimate Compliance Technology
       • Logging for Compliance Practices
       • Conclusions and Action Items
    3. Log Data Overview
       From where?
       • Firewalls/intrusion prevention
       • Routers/switches
       • Intrusion detection
       • Servers, desktops, mainframes
       • Business applications
       • Databases
       • Anti-virus
       • VPNs
       What logs?
       • Audit logs
       • Transaction logs
       • Intrusion logs
       • Connection logs
       • System performance records
       • User activity logs
       • Various alerts and other messages

    4. Log Chaos: Login
       <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User chuvakin has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
       <57> Dec 25 00:04:32: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: antonc] [Source: 10.4.2.11] [localport: 23] at 20:55:40 UTC Fri Feb 28 2006
       <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
       <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ACHUVAKIN
    5. Why Manage Logs?
       • Threat protection and discovery
       • Incident response and forensics
       • Regulatory compliance and audit
       • Internal policies and procedure compliance
       • IT system and network troubleshooting
       • System performance management

    6. Unfortunately …
       “The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”
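As an added example (not the presentation's own code), the Python below normalises the four login records from the "Log Chaos: Login" slide into one schema, and then checks for the gap the "Unfortunately …" quote describes: a source that recorded failed log-ins but never a successful one. The four sample lines are copied from the slide; the source names, field names, regular expressions and the port-to-protocol mapping are assumptions of this example and cover only the formats shown.

```python
"""Normalise heterogeneous login records (NetScreen, Cisco IOS, OpenSSH,
Windows event 680) into one LoginEvent schema and flag sources that log
failures only.  Added example; patterns are this example's assumptions."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample records copied from the slide (syslog <PRI> prefix kept).
SAMPLE_LOGS = [
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
    "Admin User chuvakin has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: antonc] "
    "[Source: 10.4.2.11] [localport: 23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton "
    "from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE "
    "Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: ACHUVAKIN",
]


@dataclass(frozen=True)
class LoginEvent:
    source: str              # which format matched (names are this example's own)
    user: str
    src_ip: Optional[str]    # None when the format carries none (Windows event 680)
    protocol: Optional[str]  # e.g. "telnet", "ssh2", or None
    outcome: str             # "success" or "failure"


# Assumption: the service behind a Cisco "localport" value.
_PORT_TO_PROTO = {"22": "ssh", "23": "telnet"}

# (source name, regex, outcome derived from the match).  Each regex covers the
# slide's line plus its obvious failure counterpart; real feeds need more cases.
PATTERNS = [
    ("netscreen",
     re.compile(r"Admin [Uu]ser (?P<user>\S+) has logged on via (?P<proto>\w+) "
                r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"),
     lambda m: "success"),
    ("cisco_ios",
     re.compile(r"%SEC_LOGIN-\d-LOGIN_(?P<res>SUCCESS|FAILED):.*?\[user:\s*(?P<user>[^\]]+)\]"
                r"\s*\[Source:\s*(?P<ip>[^\]]+)\]\s*\[localport:\s*(?P<port>\d+)\]"),
     lambda m: "success" if m["res"] == "SUCCESS" else "failure"),
    ("openssh",
     re.compile(r"sshd\[\d+\]: (?P<res>Accepted|Failed) \S+ for (?:invalid user )?"
                r"(?P<user>\S+) from (?P<ip>\S+) port \d+ (?P<proto>ssh\d)"),
     lambda m: "success" if m["res"] == "Accepted" else "failure"),
    ("windows_680",
     re.compile(r"\b680\b.*?(?P<res>Success|Failure) Audit.*?Logon account:\s*(?P<user>\S+)"),
     lambda m: "success" if m["res"] == "Success" else "failure"),
]


def _clean_ip(ip: Optional[str]) -> Optional[str]:
    """Strip the IPv4-mapped IPv6 prefix OpenSSH emits (::ffff:a.b.c.d -> a.b.c.d)."""
    if ip and ip.startswith("::ffff:"):
        return ip[len("::ffff:"):]
    return ip


def parse_login(line: str) -> Optional[LoginEvent]:
    """Return a normalised event for a recognised login record, else None."""
    for source, rx, outcome_of in PATTERNS:
        m = rx.search(line)
        if m is None:
            continue
        g = m.groupdict()
        proto = g.get("proto") or _PORT_TO_PROTO.get(g.get("port", ""))
        return LoginEvent(source=source, user=g["user"].strip(),
                          src_ip=_clean_ip(g.get("ip")),
                          protocol=proto.lower() if proto else None,
                          outcome=outcome_of(m))
    return None


def parse_all(lines: List[str]) -> List[LoginEvent]:
    """Parse every line, dropping those no pattern recognises."""
    return [e for e in (parse_login(ln) for ln in lines) if e is not None]


def outcome_counts(events: List[LoginEvent]) -> Dict[str, int]:
    return dict(Counter(e.outcome for e in events))


def sources_missing_successes(events: List[LoginEvent]) -> List[str]:
    """Sources that recorded failures but never a success: the visibility gap
    from the slide above, where only unsuccessful log-ins were kept."""
    seen: Dict[str, set] = {}
    for e in events:
        seen.setdefault(e.source, set()).add(e.outcome)
    return sorted(s for s, outcomes in seen.items()
                  if "failure" in outcomes and "success" not in outcomes)


if __name__ == "__main__":
    evs = parse_all(SAMPLE_LOGS)
    for ev in evs:
        print(ev)
    print("outcomes:", outcome_counts(evs), "failure-only sources:", sources_missing_successes(evs))
```

With only the slide's four lines, the Windows source shows up as failure-only, which is exactly the condition the quoted analysis ran into; on a real feed that check should run per host and per time window, and a source that never records successes is a logging-configuration finding, not evidence that no one logged in. The Windows 680 record carries no source address, so the normalised event keeps `src_ip` as None rather than inventing one.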
    7. Compliance – Why is it Here?
       1. Corporations stole
       2. Got caught
       3. Politicians wrote laws (Sarbanes-Oxley)
       4. Bill gets passed
       5. Now we have to obey them
    8. Regulations Require Logs / Mandates Demand Logs / Controls Include Logs
       • SOX, GLBA, FISMA, JPA, PCI, HIPAA, COBIT, ISO, ITIL
       PCI DSS: Requirement 10 and beyond
       • Logging and user activity tracking are critical
       • Automate and secure audit trails for event reconstruction
       • Review logs daily
       • Retain audit trail history for at least one year
       COBIT
       • Provide audit trail for root-cause analysis
       • Use logging to detect unusual or abnormal activities
       • Regularly review access, privileges, changes
       • Verify backup completion
       ISO 27002
       • Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
       • Review the results of monitoring activities regularly and ensure the accuracy of logs
       NIST SP 800-53
       • Capture audit records
       • Regularly review audit records for unusual activity and violations
       • Automatically process audit records
       • Protect audit information from unauthorized deletion
       • Retain audit logs
       At the same time… “Get fined, get sanctioned”; “Lose customers, reputation, revenue or job”; “Get fined, go to jail”
    9. More Laws! Privacy Laws
       • Mostly in Europe, thus affect transnational companies
       • Govern not what MUST be logged, but what MUST NOT be logged!
       • Logging is typically mentioned as something that might help violate privacy
       • E.g. Google query logging and retention

    10. More Laws! Breach Laws Affect IR
       • Laws that control consumer notification in case of a security breach
       • Yesterday: California SB 1386; today: more than 45 US states; tomorrow: the world
       • Who to notify is key: 200,000 vs. 40,000,000 notifications? Major $$$ in play!
    11. What to do?

    12. Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology
       April 2007 (http://geer.tinho.net/geer.housetestimony.070423.txt)
       “In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things up then you will have to pay.”
       Daniel Geer, Sc.D.
    13. Why Logs for Accountability
       • Everybody leaves traces in logs!
       • Potentially, every action could be logged!
       • Control doesn’t scale; accountability (= logs!) does!
       • More controls -> more complexity -> less control!
       • The only technology that makes IT users (legitimate and otherwise) accountable: logging!

    14. Control vs Visibility
       • Myth: stringent access controls will stop all attacks!
       • What about those that have legitimate access? What about those who “break the rules”?
       • The only control you can get is based on visibility and accountability!

    15. Corporate Accountability
       • Accountability is answerability, enforcement, responsibility, blameworthiness, liability
       • Log management is collecting, retaining and analyzing audit trails across the organization
       • There is a strong link between accountability and logging
       • Big picture: logs as enabler of corporate accountability
    16. Use Cases for Log Data Continue to Expand
       [Chart: “Does your organization use log management for any of the following?” Stacked bar per use case with three responses: “Yes, we use SIM technologies for this today”; “No, we don’t use SIM technologies for this today, but plan or would like to do so in the future”; “No, we don’t use SIM technologies for this today and have no plans to do so”. Percentage of respondents, N = 123. Source: Enterprise Strategy Group, 2007.]
       Use cases, in the order shown: security detection and remediation; security analysis and forensics; monitoring IT controls for regulatory compliance; troubleshooting IT problems; monitoring end-user behavior; service level/performance management; configuration/change management; monitoring IT administrator behavior; capacity planning; business analysis.
    17. Six Mistakes of Log Management
       1. Not logging at all
       2. Not looking at the logs
       3. Storing logs for too short a time
       4. Prioritizing the log records before collection
       5. Ignoring the logs from applications
       6. Only looking at what you know is bad

    18. “Compliance+” Model At Work
       • You bought it for PCI DSS
       • You installed it
       • Your boss is happy
       • Your auditor is … gone
       • What are you going to do next?

    19. Conclusions
       • In today’s complex IT, the only control comes from visibility and accountability
       • Logs and log management are what enable it across all systems
       • Start logging, then start collecting logs, then start reviewing and analyzing logs
       • Prepare for incidents by deploying a log management system!

    20. Questions?
       Dr. Anton Chuvakin, Security Warrior Consulting: log management, SIEM, PCI DSS
       Email: anton@chuvakin.org
       Site: http://www.chuvakin.org
       Blog: http://www.securitywarrior.org
       Twitter: @anton_chuvakin
       Consulting: http://www.securitywarriorconsulting.com

    21. More on Anton
       • Consultant: http://www.securitywarriorconsulting.com
       • Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc.
       • Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide
       • Standards developer: CEE, CVSS, OVAL, etc.
       • Community roles: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
       • Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

    22. Want a PCI DSS Book?
       • “PCI Compliance” by Anton Chuvakin and Branden Williams
       • Useful reference for merchants, vendors – and everybody else
