Logs = Accountability
Logs as a Vehicle for Accountability, in IT and Beyond


  • It's good. In my industry I have to decide the retention period of logs and what type of logs I need to preserve, from the banking industry perspective.
Speaker notes:

TODO: Evolution of logging (grab from new corp preso, on eHD). Get full Jay Leek preso (maybe). Grab from Tao: too many controls -> less control. Grab "future log challenges" blog post. Add log taxonomy: guide to using logs for accountability. DRAFT, 35-40 minutes.

This presentation will focus on logs as a vehicle for accountability in an organization's IT and even beyond. There are many other mechanisms of accountability in an organization, but logs are the one that pervades all IT. And if your IT is not accountable, your business is not either. Thus, if you tend not to be serious about logs, be aware that you are not serious about accountability. Is that the message your organization wants to be sending? Ignoring logs is not just dangerous (you lose an important resource for troubleshooting and security), it is not only illegal (under various regulations), it is also unethical!

The presentation will cover how logs can be used organization-wide to establish accountability of users, power users and other IT staff, as well as partners and others accessing systems and using your information. How do you make sure your users are accountable for their actions? How can you track their activities, if needed? How can auditors review the audit trails of various activities? Broad, organization-wide log collection and analysis is the way to solve these and other problems related to accountability.

NOTES: Strategic: CSO, etc. LE, auditors, board, technical (users), case of breach, e-discovery, forensics, etc. Accountability: from users/employees to the board. FISMA? Tools? Frameworks? Action items?

RAW: I was thinking about logs the other day :-) And the following thought occurred to me: Logs = accountability. So, what is accountability, really? Wikipedia (http://en.wikipedia.org/wiki/Accountability) defines it as: "Accountability is a concept in ethics with several meanings. It is often used synonymously with such concepts as answerability, enforcement, responsibility, blameworthiness, liability and other terms associated with the expectation of account-giving." Yes, there are many other mechanisms of accountability in an organization, but logs are the one that pervades all IT. And if your IT is not accountable, your business is not either. Thus, if you tend not to be serious about logs, be aware that you are not serious about accountability. Is that the message your organization wants to be sending? Ignoring logs is not just stupid (due to losing that important resource for troubleshooting and security), it is not only illegal (due to various regulations), but it is also unethical! :-)

Logs = Accountability Presentation Transcript

  • 1. Logs = Accountability
    • Dr Anton Chuvakin, Chief Logging Evangelist, LogLogic, Inc
  • 2. Outline
    • Introduction to Logs and Logging
    • Why Logging: From Bits to Governance
    • Logging is Hard! Log Challenges
    • Logging is Easy! Audit vs Control
    • How to Control the Logging Monster
    • Conclusions and Action Items
  • 3.
    • “In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things up then you will have to pay.”
    • Daniel Geer, Sc.D., Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, April 2007. http://geer.tinho.net/geer.housetestimony.070423.txt
  • 4. What is a Log? A record of user and system activity, for example:
    • User terminated
    • Customer transaction
    • Email BCC
    • Failed logon
    • Database access
    • File upload/download
    • Credit card data access
    • Information leak
    • Privileges assigned/changed
  • 5. Overview of Logs and Logging
    • What logs?
      • Audit logs
      • Transaction logs
      • Intrusion logs
      • Connection logs
      • System performance records
      • User activity logs
      • Various alerts and other messages
    • From where?
      • Firewalls/intrusion prevention
      • Routers/switches
      • Intrusion detection
      • Servers, desktops, mainframes
      • Business applications
      • Databases
      • Anti-virus
      • VPNs
  • 6. Hierarchy of Logging Needs
    • Regulations
      • SOX
      • GLBA
      • FISMA
      • JPA
      • PCI
      • HIPAA
    • Operational needs
      • SLA validation
      • Troubleshooting
      • Investigations
      • Forensics
      • Log data warehouse
    • Frameworks
      • NIST
      • ITIL
      • CoBIT
      • ISO
      • jCoBit
    • What is at stake: lose customers, get fined, go to jail, lose job
  • 7. Corporate Accountability
    • Accountability
      • Accountability is answerability, enforcement, responsibility, blameworthiness, liability
      • “Accountability” should focus on people
      • “Surveillance” should focus on data
    • Log Management
      • Tremendously valuable data hidden away in log files
      • Challenge:
        • Centralize log files
        • Understand what log messages mean
        • Track corporate behavior through activities reported in log files
      • Log is the audit trail of a company
    • There is a strong link between accountability and logging. Big picture: IT is a key enabler of corporate accountability
  • 8. Logging Challenges: Logging is Hard!
    • Not knowing what to log
    • Log volume
    • Log diversity
    • “Bad” logs
    • Getting the logs
    • Making sense of log data automatically
  • 9. Logs vs Controls: Logging is Easy!
    • Myth: Stringent access controls will stop all attacks!
    • What about those that have legitimate access? What about those who “break the rules”?
  • 10. Why Logs for Accountability
    • Everybody leaves traces in logs!
      • Potentially, every action could be logged!
    • Control doesn’t scale; accountability (= logs!) does!
      • More controls -> more complexity -> less control!
    • The only technology that makes IT users (legitimate and otherwise) accountable: logging!
      • Provided legitimate actions are logged too…
  • 11. Focus on Information Monitoring vs. Information Gate Keeping
    • Conventional approach: Identity Management & Access Control
      • Limit who can access what
      • Perfect solution, except
        • Doesn’t scale
          • Business changing at the “speed of thought”
          • Too much new data introduced into the “controlled” environment
        • Is complicated
          • Complication is the bane of security
    • Pragmatic approach: Accountability
      • Track flow of information
        • Data in “motion” is critical for business success
        • Winning companies have the most information in motion
      • Reconstruct how information is used and when it is used badly
      • Highly scalable
    • Best approach is a combination of the two
  • 12. What Logs Are Most Useful?
    • #1 The ones that you actually have!
    • #2 Logs from systems where the “crown jewels” are
    • #3 Logs that are associated with user identity
    • #4 Logs that cover system and application activity
  • 13. Example: Firewall/Network Logs
    • Main: account of connectivity (in and out of the company)
    • Where did the data go?
    • What did the system connect to?
    • Who connected to the system and who didn’t?
    • How many bytes were transferred out?
    • Who was denied when trying to connect to the system?
  • 14. Firewall/Network Logs Action Items
    • Action items, to make these logs more useful for instilling accountability:
    • Enable logging of allowed connections
    • Enable logging for outbound connections, successful and failed
    • Monitor unusual traffic from the inside out, e.g. successful and large data transfers to unusual sites
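The last action item, "monitor unusual traffic from the inside out", as an added example that is not part of the presentation or any LogLogic product: the script below parses constructed firewall log lines (the `key=value` layout, field names, the 100 MiB threshold and the "known sites" list are all assumptions of this example, not a real product format) and flags source/destination pairs that moved a large volume outbound to a destination outside the baseline. It also lists denied outbound attempts, which the slide asks to be logged in the first place.

```python
"""Flag large outbound transfers to unusual destinations in firewall logs.

Added example; the log format below is constructed for this demo and is not
taken from any firewall vendor. Each line is: <timestamp> then key=value pairs.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = """\
2024-03-01T09:12:01Z action=ALLOW dir=out src=10.0.5.21 dst=203.0.113.10 dport=443 bytes=18400 user=alice
2024-03-01T09:12:05Z action=ALLOW dir=out src=10.0.5.21 dst=203.0.113.10 dport=443 bytes=22100 user=alice
2024-03-01T09:20:44Z action=DENY dir=in src=198.51.100.7 dst=10.0.5.30 dport=22 bytes=0 user=-
2024-03-01T10:02:13Z action=ALLOW dir=out src=10.0.5.44 dst=198.51.100.99 dport=443 bytes=734003200 user=bob
2024-03-01T10:05:13Z action=ALLOW dir=out src=10.0.5.44 dst=198.51.100.99 dport=443 bytes=512000000 user=bob
2024-03-01T10:30:00Z action=ALLOW dir=out src=10.0.5.50 dst=203.0.113.10 dport=443 bytes=9000 user=carol
2024-03-01T11:00:00Z action=DENY dir=out src=10.0.5.44 dst=192.0.2.8 dport=6667 bytes=0 user=bob
"""

# Assumed baseline: destinations the organisation is known to use (e.g. its SaaS providers).
KNOWN_SITES = {"203.0.113.10"}
# Assumed threshold: total bytes per (src, dst, user) above which a transfer is "large".
LARGE_BYTES = 100 * 1024 * 1024

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        rec[key] = value
    rec["bytes"] = int(rec.get("bytes", 0))
    return rec


def parse_logs(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def outbound_bytes(records):
    """Sum allowed outbound bytes per (source host, destination, user)."""
    totals = defaultdict(int)
    for r in records:
        if r.get("action") == "ALLOW" and r.get("dir") == "out":
            totals[(r["src"], r["dst"], r["user"])] += r["bytes"]
    return dict(totals)


def find_suspicious_transfers(records, known_sites=KNOWN_SITES, threshold=LARGE_BYTES):
    """Large outbound volume to a destination that is not in the baseline."""
    alerts = []
    for (src, dst, user), total in sorted(outbound_bytes(records).items()):
        if dst not in known_sites and total >= threshold:
            alerts.append({"src": src, "dst": dst, "user": user, "bytes": total})
    return alerts


def denied_outbound(records):
    """Outbound connections the firewall blocked: who tried to reach what."""
    return [r for r in records if r.get("action") == "DENY" and r.get("dir") == "out"]


if __name__ == "__main__":
    recs = parse_logs(SAMPLE_LOGS)
    for a in find_suspicious_transfers(recs):
        print(f"ALERT {a['user']}@{a['src']} sent {a['bytes']} bytes to {a['dst']} (not a known site)")
    for d in denied_outbound(recs):
        print(f"DENIED outbound {d['user']}@{d['src']} -> {d['dst']}:{d['dport']} at {d['ts']}")
```

Aggregating per (source, destination, user) rather than per line is what makes the two 500 MB-class transfers by bob show up as one 1.2 GB event; a per-line threshold would be trivially evaded by splitting a transfer into smaller connections.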
  • 15. Example: System Logs
    • Main: account for most activities on systems
    • Login success/failure
    • Account creation
    • Account deletion
    • Account settings and password changes
    • (On Windows) Various group policy and registry changes
    • File access (read/change/delete)
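The system-log events listed above (login success/failure, account creation and deletion, password changes), as an added example not taken from the presentation: the script parses constructed Linux auth.log-style lines, turns them into events with an actor, an action and a target, and attributes root-level account changes back to the human who ran them through sudo, which is the "logs associated with user identity" point from slide 12. The sample lines are constructed for this demo; the message layouts follow common sshd, sudo, useradd, userdel and pam_unix output, but exact wording varies between distributions, so the regexes are assumptions to be checked against your own systems.

```python
"""Build a per-user accountability timeline from Linux auth.log-style lines.

Added example with constructed sample data; not code from the presentation.
"""
import re
from collections import Counter

# Constructed sample (syslog layout, Debian-style auth.log); not real data.
SAMPLE_AUTH_LOG = """\
Mar  1 09:01:02 srv1 sshd[1200]: Accepted publickey for alice from 10.0.5.21 port 50112 ssh2
Mar  1 09:03:10 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -m svc_backup
Mar  1 09:03:10 srv1 useradd[1301]: new user: name=svc_backup, UID=1005, GID=1005, home=/home/svc_backup, shell=/bin/bash
Mar  1 09:04:00 srv1 passwd[1310]: pam_unix(passwd:chauthtok): password changed for svc_backup
Mar  1 12:15:00 srv1 sshd[1400]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Mar  1 12:15:03 srv1 sshd[1400]: Failed password for invalid user admin from 198.51.100.7 port 41000 ssh2
Mar  1 12:15:06 srv1 sshd[1401]: Failed password for root from 198.51.100.7 port 41002 ssh2
Mar  1 17:45:00 srv1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/userdel svc_backup
Mar  1 17:45:00 srv1 userdel[1500]: delete user 'svc_backup'
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[\d+\])?: (?P<msg>.*)$")
ACCEPTED_RE = re.compile(r"^Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)")
FAILED_RE = re.compile(r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<actor>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
USERADD_RE = re.compile(r"^new user: name=(?P<name>[^,]+)")
USERDEL_RE = re.compile(r"^delete user '(?P<name>[^']+)'")
PASSWD_RE = re.compile(r"password changed for (?P<name>\S+)")


def parse_auth_log(text):
    """Return a list of event dicts: ts, actor, action, target, src, detail."""
    events, last_sudo = [], None
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # in production, count unparsed lines: silence is also a finding
        prog, msg = m["prog"], m["msg"].strip()
        ev = {"ts": m["ts"], "actor": None, "action": None, "target": None, "src": None, "detail": msg}
        if prog == "sshd" and (a := ACCEPTED_RE.match(msg)):
            ev.update(action="login_success", actor=a["user"], src=a["src"])
        elif prog == "sshd" and (f := FAILED_RE.match(msg)):
            ev.update(action="login_failure", actor=f["user"], src=f["src"])
        elif prog == "sudo" and (s := SUDO_RE.match(msg)):
            ev.update(action="privileged_command", actor=s["actor"], target=s["target"], detail=s["cmd"])
            last_sudo = ev
        elif prog in ("useradd", "userdel"):
            n = (USERADD_RE if prog == "useradd" else USERDEL_RE).match(msg)
            if n:
                ev.update(action="account_created" if prog == "useradd" else "account_deleted",
                          target=n["name"])
                # useradd/userdel log as root; attribute the change to the person whose
                # sudo command invoked the tool on that account (simple adjacency heuristic).
                if last_sudo and prog in last_sudo["detail"] and n["name"] in last_sudo["detail"]:
                    ev["actor"] = last_sudo["actor"]
        elif prog == "passwd" and (p := PASSWD_RE.search(msg)):
            ev.update(action="password_changed", target=p["name"])  # pam_unix does not say who
        if ev["action"]:
            events.append(ev)
    return events


def account_timeline(events, name):
    """Everything that happened to one account, in log order."""
    return [e for e in events if e["target"] == name]


def failed_logins_by_source(events):
    return Counter(e["src"] for e in events if e["action"] == "login_failure")


def unattributed(events):
    """Events the log could not tie to a human: the gap in your accountability."""
    return [e for e in events if e["actor"] is None]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_AUTH_LOG)
    for e in account_timeline(evs, "svc_backup"):
        print(f"{e['ts']} {e['action']:18} by {e['actor'] or '<unknown>'}")
    print("failed logins:", dict(failed_logins_by_source(evs)))
    print("unattributed events:", len(unattributed(evs)))
```

The `unattributed` list is the practical output here: the password change is recorded by pam_unix without the identity of who made it, so the log alone cannot hold anyone to account for that step, and that is exactly the kind of gap a log review should surface.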
  • 16. Example: Database Audit
    • Main: database logs record access to crown jewels
    • Database data access
    • Data change
    • Database structures and configuration change
    • Database starts, stops, and other administration tasks
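The four kinds of database audit record listed above, as an added example that is not from the presentation: using Python's `sqlite3` module on a constructed in-memory database, triggers write every data change (with actor, old row and new row) into an `audit_trail` table, while a statement trace captures the reads and structure changes that triggers cannot see. The `cards` table, the column names and the single-row `session_ctx` table that carries the application user are assumptions of this demo.

```python
"""Trigger-based audit trail plus statement trace for a sensitive table.

Added example on SQLite; table layout and actor handling are assumptions.
"""
import sqlite3


def open_audited_db(actor):
    """Return (connection, statement_log) for a fresh in-memory database.

    Every INSERT/UPDATE/DELETE on `cards` is recorded in `audit_trail` with the
    actor and old/new values; every statement the connection runs (SELECTs,
    DDL, admin) is appended to statement_log via sqlite3's trace callback.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, limit_usd INTEGER);
        CREATE TABLE audit_trail (
            seq INTEGER PRIMARY KEY, at TEXT DEFAULT CURRENT_TIMESTAMP,
            actor TEXT, op TEXT, row_id INTEGER, old_row TEXT, new_row TEXT);
        -- Single-row table holding the application user for this connection.
        -- A private in-memory database is assumed; on a shared database the
        -- context would have to be per-session.
        CREATE TABLE session_ctx (actor TEXT NOT NULL);
        CREATE TRIGGER cards_ai AFTER INSERT ON cards BEGIN
            INSERT INTO audit_trail (actor, op, row_id, old_row, new_row)
            SELECT actor, 'INSERT', NEW.id, NULL,
                   'holder=' || NEW.holder || ';limit_usd=' || NEW.limit_usd FROM session_ctx;
        END;
        CREATE TRIGGER cards_au AFTER UPDATE ON cards BEGIN
            INSERT INTO audit_trail (actor, op, row_id, old_row, new_row)
            SELECT actor, 'UPDATE', NEW.id,
                   'holder=' || OLD.holder || ';limit_usd=' || OLD.limit_usd,
                   'holder=' || NEW.holder || ';limit_usd=' || NEW.limit_usd FROM session_ctx;
        END;
        CREATE TRIGGER cards_ad AFTER DELETE ON cards BEGIN
            INSERT INTO audit_trail (actor, op, row_id, old_row, new_row)
            SELECT actor, 'DELETE', OLD.id,
                   'holder=' || OLD.holder || ';limit_usd=' || OLD.limit_usd, NULL FROM session_ctx;
        END;
    """)
    conn.execute("INSERT INTO session_ctx VALUES (?)", (actor,))
    statement_log = []
    # Fires once per executed statement; trigger firings show up as '-- TRIGGER ...' comments.
    conn.set_trace_callback(lambda sql: statement_log.append((actor, sql)))
    return conn, statement_log


def audit_rows(conn):
    return conn.execute(
        "SELECT actor, op, row_id, old_row, new_row FROM audit_trail ORDER BY seq").fetchall()


def traced_statements(statement_log, keyword):
    """Statements from the trace (case-insensitive match), excluding trigger markers."""
    return [sql for _, sql in statement_log
            if keyword.upper() in sql.upper() and not sql.startswith("--")]


def demo():
    conn, log = open_audited_db("dba_alice")
    conn.execute("INSERT INTO cards (id, holder, limit_usd) VALUES (1, 'J. Doe', 5000)")
    conn.execute("UPDATE cards SET limit_usd = 50000 WHERE id = 1")  # data change: old/new captured
    conn.execute("SELECT holder, limit_usd FROM cards").fetchall()    # data access: trace only
    conn.execute("ALTER TABLE cards ADD COLUMN notes TEXT")           # structure change: trace only
    conn.execute("DELETE FROM cards WHERE id = 1")
    return audit_rows(conn), log


if __name__ == "__main__":
    rows, log = demo()
    for r in rows:
        print(r)
    print("reads seen in trace:", traced_statements(log, "SELECT holder"))
    print("DDL seen in trace:", traced_statements(log, "ALTER TABLE"))
```

Note what each mechanism does and does not give you: triggers are authoritative for changes and carry before/after values, but they never fire on SELECT or DDL, so "who looked at the crown jewels" and "who altered the schema" only exist if the engine's statement-level audit (here the trace callback; in a real RDBMS its native audit facility) is switched on and shipped off the database host.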
  • 17. What You MUST Do …
    • … to use logs for accountability.
    • Have logs
    • Centrally collect logs
    • Retain logs
    • Analyze and review logs
    • Protect logs
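The last item, "protect logs", as an added example that is not from the presentation: a log is only evidence of accountability if it cannot be quietly edited by the people it holds to account. The class below keeps an HMAC-chained log (each entry's tag covers its sequence number, the previous tag and the message, under a key that is assumed to live on the log server rather than on the source host). Editing, reordering or deleting an entry breaks the chain; the example also shows the standard caveat that a hash chain alone cannot detect truncation of the tail, which needs an externally trusted entry count or periodic anchor.

```python
"""Tamper-evident (HMAC-chained) log with a verifier.

Added example; the key and the sample messages are constructed for this demo.
"""
import copy
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-tag value for the first entry


class TamperEvidentLog:
    def __init__(self, key: bytes):
        self._key = key
        self.entries = []  # each: {"seq", "prev", "msg", "tag"}

    def _tag(self, seq, prev, msg):
        # Canonical encoding so the same (seq, prev, msg) always yields the same tag.
        data = json.dumps([seq, prev, msg], separators=(",", ":")).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def append(self, msg):
        seq = len(self.entries)
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        self.entries.append({"seq": seq, "prev": prev, "msg": msg, "tag": self._tag(seq, prev, msg)})

    def verify(self, expected_len=None):
        """Return (ok, first_bad_seq).

        Detects modified, reordered or deleted entries anywhere in the chain.
        Truncation at the tail is only detected when expected_len (obtained
        from a trusted source, e.g. the collector's last acknowledged count)
        is supplied.
        """
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if (e["seq"] != i or e["prev"] != prev
                    or not hmac.compare_digest(e["tag"], self._tag(i, prev, e["msg"]))):
                return False, i
            prev = e["tag"]
        if expected_len is not None and len(self.entries) != expected_len:
            return False, len(self.entries)
        return True, None


def demo():
    # Constructed key: in practice, generated on and held by the log collector.
    log = TamperEvidentLog(b"constructed-demo-key-held-by-the-log-server")
    for m in ["alice login ok", "alice: useradd svc_backup",
              "bob: 1.2GB outbound to 198.51.100.99", "bob logout"]:
        log.append(m)
    results = {"clean": log.verify()[0]}

    edited = copy.deepcopy(log)  # an insider rewrites the incriminating entry
    edited.entries[2]["msg"] = "bob: 12KB outbound to 198.51.100.99"
    results["edited"] = edited.verify()

    deleted = copy.deepcopy(log)  # ...or removes it outright
    del deleted.entries[2]
    results["deleted"] = deleted.verify()

    truncated = copy.deepcopy(log)  # ...or drops the tail
    truncated.entries.pop()
    results["truncated_no_count"] = truncated.verify()
    results["truncated_with_count"] = truncated.verify(expected_len=4)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22} -> {outcome}")
```

The verifier uses `hmac.compare_digest` for the tag comparison and a keyed MAC rather than a plain hash chain: with an unkeyed SHA-256 chain an attacker with write access to the log file can simply recompute every hash after the edit, whereas here they would also need the key held on the collector.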
  • 18. Why Log Management?
    • Threat protection and discovery
    • Incident response
    • Forensics , “e-discovery” and litigation support
    • Regulatory compliance
    • Internal policies and procedure compliance
    • Internal and external audit support
    • IT system and network troubleshooting
    • IT performance management
  • 19. Conclusions and Takeaways
    • If you’re not serious about logs, you’re not serious about accountability
    • Ignoring logs
      • Is dumb – not utilizing that very important resource for troubleshooting and security
      • Is illegal – due to many, many regulations
      • Is unethical – corporate accountability
    • So, START your log management program NOW!
  • 20. Thanks for Attending!
    • Dr Anton Chuvakin, GCIA, GCIH, GCFA
    • Chief Logging Evangelist
    • LogLogic, Inc
    • Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007)
    • See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com