Logs = Accountability

Logs = Accountability Dr Anton Chuvakin Chief Logging Evangelist LogLogic, Inc

Outline
Introduction to Logs and Logging
Why Logging: From Bits to Governance
Logging is Hard! Log Challenges
Logging is Easy! Audit vs Control
How to Control the Logging Monster
Conclusions and Action Items

“ In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things then up you will have to pay.”
http://geer.tinho.net/geer.housetestimony.070423.txt Daniel Geer, Sc.D. Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology April 2008

What is a Log? User and System Activity User Terminated Customer Transaction Email BCC Failed Logon Database Access File Up/Download Credit Card Data Access Information Leak Privileges Assigned/ Changed 30%

Overview of Logs and Logging
Audit logs
Transaction logs
Intrusion logs
Connection logs
System performance records
User activity logs
Various alerts and other messages
Firewalls/intrusion prevention
Routers/switches
Intrusion detection
Servers, desktops, mainframes
Business applications
Databases
Anti-virus
VPNs
What logs? From Where?

Hierarchy of Logging Needs
SOX
GLBA
FISMA
JPA
PCI
HIPAA
SLA Validation
Troubleshooting
Investigations
Forensics
Log Data Warehouse
NIST
ITIL
CoBit
ISO
jCoBit
Lose Customers Get Fined Go To Jail Lose Job

Corporate Accountability
Accountability
Accountability is answerability, enforcement, responsibility, blameworthiness, liability
“ Accountability” should focus on people
“ Surveillance” should focus on data
Log Management
Tremendously valuable data hidden away in log files
Challenge
Centralize log file
Understand, what log messages mean
Track corporate behavior through activities reported in log files
Log is the audit trail of a company
There is a strong link between accountability and logging Big Picture: IT is a Key Enabler of Corporate Accountability

Logging Challenges: Logging is Hard!
Not knowing what to log
Log volume
Log diversity
“Bad” logs
Getting the logs
Making sense of log data automatically

Logs vs Controls: Logging is Easy!
Myth: Stringent access controls will stop all attacks!
What about those that have legitimate access ? What about those who “ break the rules ”?

Why Logs for Accountability
Everybody leaves traces in logs!
Potentially, every action could be logged!
Control doesn’t scale , accountability (=logs!) does!
More controls -> more complexity -> less control !
The only technology that makes IT users (legitimate and otherwise) accountable : logging!
Provided legit actions are logged…

Focus on Information Monitoring vs. Information Gate Keeping
Identify Management & Access Control
Limit who can access what
Perfect solution, except
Doesn’t scale
Business changing at the “Speed of thought”
Too much new data introduced into the “controlled” environment
Is complicated
Complication is the bane of security
Accountability
Track flow of information
Data in “motion” is critical for business success
Winning companies have the most amount of information in motion
Reconstruct how information is used and when it is used badly
Highly scalable
Conventional Approach Pragmatic Approach Best approach is a combination of the two

What Logs Are Most Useful?
#1 The ones that you actually have!
#2 Logs from systems where the “crown jewels” are
#3 Logs that are associated with user identity
#4 Logs that cover system and application activity

Example: Firewall/Network Logs
Main : account of connectivity (in and out of the company)
Where did the data go?
What did the system connect to?
Who connected to the system and who didn’t?
How many bytes were transferred out?
Who was denied when trying to connect to the system?

Firewall/Network Logs AIs
Action items – to make these logs more useful for instilling accountability :
Enable logging of allowed connections
Enable logging for outbound connections , success and failed
Monitor unusual traffic from the inside out, e.g. successful and large data transfers to unusual sites

Example: System Logs
Main : account for most activities on systems
Login success/failure
Account creation
Account deletion
Account settings and password changes
(On Windows) Various group policy and registry changes
File access (read/change/delete)

Example: Database Audit
Main : database logs record access to crown jewels
Database data access
Data change
Database structures and configuration change
Database starts, stops, and other administration tasks

What You MUST Do …
… to use logs for accountability.
Have logs
Centrally collect logs
Retain logs
Analyze and review logs
Protect logs

Why Log Management?
Threat protection and discovery
Incident response
Forensics , “e-discovery” and litigation support
Regulatory compliance
Internal policies and procedure compliance
Internal and external audit support
IT system and network troubleshooting
IT performance management

Conclusions and Takeaways
If you’re not serious about logs, you’re not serious about accountability
Ignoring logs
Is dumb – not utilizing that very important resource for troubleshooting and security
Is illegal – due to many, many regulations
Is unethical – corporate accountability
So, START your log management program NOW!

Thanks for Attending!
Dr Anton Chuvakin, GCIA, GCIH, GCFA
Chief Logging Evangelist
LogLogic, Inc
Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007)
See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com

http://chuvakin.blogspot.com	55
http://www.gustavobittencourt.com	43
http://www.mcmillengroup.com	4
http://www.slideshare.net	2
file://	1
http://feeds.feedburner.com	1

Logs = Accountability

by Anton Chuvakin on Sep 26, 2008

Accessibility

Categories

Tags

Upload Details

Usage Rights

6 Embeds 106

Statistics

Logs = Accountability — Presentation Transcript