Logs = Accountability Dr Anton Chuvakin Chief Logging Evangelist LogLogic, Inc

Outline Introduction to Logs and Logging Why Logging: From Bits to Governance Logging is Hard! Log Challenges Logging is Easy! Audit vs Control How to Control the Logging Monster Conclusions and Action Items

Introduction to Logs and Logging

Why Logging: From Bits to Governance

Logging is Hard! Log Challenges

Logging is Easy! Audit vs Control

How to Control the Logging Monster

Conclusions and Action Items

“ In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things then up you will have to pay.” http://geer.tinho.net/geer.housetestimony.070423.txt Daniel Geer, Sc.D. Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology April 2008

“ In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things then up you will have to pay.”

What is a Log? User and System Activity User Terminated Customer Transaction Email BCC Failed Logon Database Access File Up/Download Credit Card Data Access Information Leak Privileges Assigned/ Changed 30%

Overview of Logs and Logging Audit logs Transaction logs Intrusion logs Connection logs System performance records User activity logs Various alerts and other messages Firewalls/intrusion prevention Routers/switches Intrusion detection Servers, desktops, mainframes Business applications Databases Anti-virus VPNs What logs? From Where?

Audit logs

Transaction logs

Intrusion logs

Connection logs

System performance records

User activity logs

Various alerts and other messages

Firewalls/intrusion prevention

Routers/switches

Intrusion detection

Servers, desktops, mainframes

Business applications

Databases

Anti-virus

VPNs

Hierarchy of Logging Needs SOX GLBA FISMA JPA PCI HIPAA SLA Validation Troubleshooting Investigations Forensics Log Data Warehouse NIST ITIL CoBit ISO jCoBit Lose Customers Get Fined Go To Jail Lose Job

SOX

GLBA

FISMA

JPA

PCI

HIPAA

SLA Validation

Troubleshooting

Investigations

Forensics

Log Data Warehouse

NIST

ITIL

CoBit

ISO

jCoBit

Corporate Accountability Accountability Accountability is answerability, enforcement, responsibility, blameworthiness, liability “ Accountability” should focus on people “ Surveillance” should focus on data Log Management Tremendously valuable data hidden away in log files Challenge Centralize log file Understand, what log messages mean Track corporate behavior through activities reported in log files Log is the audit trail of a company There is a strong link between accountability and logging Big Picture: IT is a Key Enabler of Corporate Accountability

Accountability

Accountability is answerability, enforcement, responsibility, blameworthiness, liability

“ Accountability” should focus on people

“ Surveillance” should focus on data

Log Management

Tremendously valuable data hidden away in log files

Challenge

Centralize log file

Understand, what log messages mean

Track corporate behavior through activities reported in log files

Log is the audit trail of a company

Logging Challenges: Logging is Hard! Not knowing what to log Log volume Log diversity “Bad” logs Getting the logs Making sense of log data automatically

Not knowing what to log

Log volume

Log diversity

“Bad” logs

Getting the logs

Making sense of log data automatically

Logs vs Controls: Logging is Easy! Myth: Stringent access controls will stop all attacks! What about those that have legitimate access ? What about those who “ break the rules ”?

Myth: Stringent access controls will stop all attacks!

What about those that have legitimate access ? What about those who “ break the rules ”?

Why Logs for Accountability Everybody leaves traces in logs! Potentially, every action could be logged! Control doesn’t scale , accountability (=logs!) does! More controls -> more complexity -> less control ! The only technology that makes IT users (legitimate and otherwise) accountable : logging! Provided legit actions are logged…

Everybody leaves traces in logs!

Potentially, every action could be logged!

Control doesn’t scale , accountability (=logs!) does!

More controls -> more complexity -> less control !

The only technology that makes IT users (legitimate and otherwise) accountable : logging!

Provided legit actions are logged…

Focus on Information Monitoring vs. Information Gate Keeping Identify Management & Access Control Limit who can access what Perfect solution, except Doesn’t scale Business changing at the “Speed of thought” Too much new data introduced into the “controlled” environment Is complicated Complication is the bane of security Accountability Track flow of information Data in “motion” is critical for business success Winning companies have the most amount of information in motion Reconstruct how information is used and when it is used badly Highly scalable Conventional Approach Pragmatic Approach Best approach is a combination of the two

Identify Management & Access Control

Limit who can access what

Perfect solution, except

Doesn’t scale

Business changing at the “Speed of thought”

Too much new data introduced into the “controlled” environment

Is complicated

Complication is the bane of security

Accountability

Track flow of information

Data in “motion” is critical for business success

Winning companies have the most amount of information in motion

Reconstruct how information is used and when it is used badly

Highly scalable

What Logs Are Most Useful? #1 The ones that you actually have! #2 Logs from systems where the “crown jewels” are #3 Logs that are associated with user identity #4 Logs that cover system and application activity

#1 The ones that you actually have!

#2 Logs from systems where the “crown jewels” are

#3 Logs that are associated with user identity

#4 Logs that cover system and application activity

Example: Firewall/Network Logs Main : account of connectivity (in and out of the company) Where did the data go? What did the system connect to? Who connected to the system and who didn’t? How many bytes were transferred out? Who was denied when trying to connect to the system?

Main : account of connectivity (in and out of the company)

Where did the data go?

What did the system connect to?

Who connected to the system and who didn’t?

How many bytes were transferred out?

Who was denied when trying to connect to the system?

Firewall/Network Logs AIs Action items – to make these logs more useful for instilling accountability : Enable logging of allowed connections Enable logging for outbound connections , success and failed Monitor unusual traffic from the inside out, e.g. successful and large data transfers to unusual sites

Action items – to make these logs more useful for instilling accountability :

Enable logging of allowed connections

Enable logging for outbound connections , success and failed

Monitor unusual traffic from the inside out, e.g. successful and large data transfers to unusual sites

Example: System Logs Main : account for most activities on systems Login success/failure Account creation Account deletion Account settings and password changes (On Windows) Various group policy and registry changes File access (read/change/delete)

Main : account for most activities on systems

Login success/failure

Account creation

Account deletion

Account settings and password changes

(On Windows) Various group policy and registry changes

File access (read/change/delete)

Example: Database Audit Main : database logs record access to crown jewels Database data access Data change Database structures and configuration change Database starts, stops, and other administration tasks

Main : database logs record access to crown jewels

Database data access

Data change

Database structures and configuration change

Database starts, stops, and other administration tasks

What You MUST Do … … to use logs for accountability. Have logs Centrally collect logs Retain logs Analyze and review logs Protect logs

… to use logs for accountability.

Have logs

Centrally collect logs

Retain logs

Analyze and review logs

Protect logs

Why Log Management? Threat protection and discovery Incident response Forensics , “e-discovery” and litigation support Regulatory compliance Internal policies and procedure compliance Internal and external audit support IT system and network troubleshooting IT performance management

Threat protection and discovery

Incident response

Forensics , “e-discovery” and litigation support

Regulatory compliance

Internal policies and procedure compliance

Internal and external audit support

IT system and network troubleshooting

IT performance management

Conclusions and Takeaways If you’re not serious about logs, you’re not serious about accountability Ignoring logs Is dumb – not utilizing that very important resource for troubleshooting and security Is illegal – due to many, many regulations Is unethical – corporate accountability So, START your log management program NOW!

If you’re not serious about logs, you’re not serious about accountability

Ignoring logs

Is dumb – not utilizing that very important resource for troubleshooting and security

Is illegal – due to many, many regulations

Is unethical – corporate accountability

So, START your log management program NOW!

Thanks for Attending! Dr Anton Chuvakin, GCIA, GCIH, GCFA Chief Logging Evangelist LogLogic, Inc Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007) See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com

Dr Anton Chuvakin, GCIA, GCIH, GCFA

Chief Logging Evangelist

LogLogic, Inc

Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007)

See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com