Logs vs Insiders


Published on

This presentation discusses using logs vs insider attacks (internal threat); it also goes into how to "insider-proof" your logging.

Published in: Technology, Business
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide
  • Title: Log Data: The Weapon Of Choice to Thwart Insider Threats Description: Insider threats are always of concern to organizations. There is a way to track insider activity to provide a continuous fingerprint of everything that happens within the security perimeter. All users, whether trusted and non-malicious or malicious, leave traces of their activity in logs. As Anton Chuvakin will discuss, by analyzing these logs, organizations can gain insight into insider behavior and activity and can help investigate, detect, or even predict and prevent insider attacks. Outline: Basics on “insider threats” Types, research, past work (sheer amount of it!), etc Why “insider problem” is hard Can’t be solved by technology alone Also, hard to assess the scale Block vs log: control vs accountability Logs vs insiders Types of logs Case study Conclusion TRACK, not FIGHT insiders with technology Fight them with non-technology means, after you “got them”
  • Logs vs Insiders

    1. 1. Santa Clara Convention Center January 27 – 31, 2008 All The Technologies – One Great Place To Meet! Dr Anton Chuvakin Chief Logging Evangelist LogLogic Log Data: The Weapon Of Choice To Thwart Insider Threats
    2. 2. Outline <ul><li>Insider threat: what is it? </li></ul><ul><li>Separating hype from truth: why is it so hard? </li></ul><ul><li>Can you fight the insider threat? Should you? </li></ul><ul><li>Logs vs insiders: how to do it! </li></ul><ul><li>Examples and conclusions </li></ul>
    3. 3. Insider Threat? <ul><li>Everybody, everybody talks … </li></ul><ul><li>The famous 80%-20% threat direction MYTH </li></ul><ul><li>Occurrence vs damage from insider incidents? </li></ul><ul><li>Solved problem of “external” threats? </li></ul><ul><li>Stopping a dedicated insider: odds? </li></ul><ul><li>Insider “hacking” vs crime? </li></ul>
    4. 4. Defining “Insider Threat” <ul><li>Our definition of “insider threat” = any threat actor with level of access to your organization’s resources beyond that of the general public. </li></ul><ul><li>Example : partner’s engineer, janitor, window cleaner, CEO, CEO’s kid, etc </li></ul>
    5. 5. Key Distinction <ul><li>Malicious insider = one that aims at stealing, doing damage, etc or otherwise hurting your organization </li></ul><ul><li>Non-malicious insider = one that via its position helps those who aims at stealing, doing damage, etc or otherwise hurting your organization </li></ul>
    6. 6. Why Fight? <ul><li>The wooden horse </li></ul><ul><li>$7b loss at Societe Generale </li></ul><ul><li>Sysadmin rampage cases </li></ul><ul><li>Logic bomb stories </li></ul><ul><li>Hansen case and other espionage cases </li></ul>
    7. 7. Why NOT Fight? <ul><li>“We trust our employees” </li></ul><ul><li>“We have an open environment. We can’t clamp down” </li></ul><ul><li>“Insiders? Malware is ripping us to shreds!” </li></ul><ul><li>“Its an IMPOSSIBLE task!” </li></ul><ul><li>“We use principle of least privilege, separation of duty and pray. A lot!”  </li></ul>
    8. 8. Choices, Choices <ul><li>Tolerate? </li></ul><ul><li>Prevent </li></ul><ul><li>Block </li></ul><ul><li>Detect </li></ul><ul><li>Investigate </li></ul>
    9. 9. Repeat After Me … <ul><li>You cannot prevent insider attacks! </li></ul><ul><li>You cannot block many insider attacks! </li></ul><ul><li>You sometimes can detect insider attacks! </li></ul><ul><li>You must investigate insider attacks! </li></ul>
    10. 10. What About Access Controls? <ul><li>MYTH: Stringent access controls will stop insiders! </li></ul><ul><li>What about those insiders that have legitimate access ? </li></ul>
    11. 11. So, How Do You Fight!? <ul><li>Administrative/legal : policy, awareness, inevitability of punishment, background check, etc </li></ul><ul><li>Psychological : profiling, behavioral monitoring, risky trait detection, etc </li></ul><ul><li>Technical : access controls, IDS/IPS, logging, honeypots, encryption, etc </li></ul>
    12. 12. But will it work? <ul><li>In general, NO! </li></ul>
    13. 13. Overview of Logs and Logging <ul><li>Audit logs </li></ul><ul><li>Transaction logs </li></ul><ul><li>Intrusion logs </li></ul><ul><li>Connection logs </li></ul><ul><li>System performance records </li></ul><ul><li>User activity logs </li></ul><ul><li>Various alerts and other messages </li></ul><ul><li>Firewalls/intrusion prevention </li></ul><ul><li>Routers/switches </li></ul><ul><li>Intrusion detection </li></ul><ul><li>Servers, desktops, mainframes </li></ul><ul><li>Business applications </li></ul><ul><li>Databases </li></ul><ul><li>Anti-virus </li></ul><ul><li>VPNs </li></ul>What logs? From Where?
    14. 14. Why Logs vs Insiders? <ul><li>Everybody leaves traces in logs! </li></ul><ul><ul><li>Potentially, every action could be logged! </li></ul></ul><ul><li>Control doesn’t scale , accountability (=logs!) does! </li></ul><ul><ul><li>More controls -> more complexity -> less control ! </li></ul></ul><ul><li>The only technology that helps vs insider with legitimate access: logging! </li></ul><ul><ul><li>Provided legit actions are logged… </li></ul></ul>
    15. 15. Assumptions! <ul><li>Insider actually touches a computer system </li></ul><ul><li>Logging is present and logs are collected </li></ul><ul><li>Insider cannot modify the logs! </li></ul><ul><li>Incident loss might grow if the insider is not stopped </li></ul>
    16. 16. What Logs Are Most Useful? <ul><li>#1 The ones that you actually have! </li></ul><ul><li>#2 Logs from systems where the “crown jewels” are </li></ul><ul><li>#3 Logs that are associated with user identity </li></ul><ul><li>#4 Logs that cover system and application activity </li></ul>
    17. 17. Example: Firewall/Network Logs <ul><li>Main : proof of connectivity (in and out of the company) </li></ul><ul><li>Where did the data go? </li></ul><ul><li>What did the system connect to? </li></ul><ul><li>Who connected to the system and who didn’t? </li></ul><ul><li>How many bytes were transferred out? </li></ul><ul><li>Who was denied when trying to connect to the system? </li></ul>
    18. 18. Firewall/Network Logs AIs <ul><li>Action items – to make these logs more useful for insider threat: </li></ul><ul><li>Enable logging of allowed connections </li></ul><ul><li>Enable logging for outbound connections, success and failed </li></ul><ul><li>Monitor unusual traffic from the inside out, especially successful and with large data transfers to unusual sites </li></ul>
    19. 19. Example: VPN Logs <ul><li>Main : evidence on insider threats via remote access </li></ul><ul><li>Network login success/failure </li></ul><ul><li>Network logout </li></ul><ul><li>Connection session length and the number of bytes moved </li></ul>
    20. 20. VPN Logs AIs <ul><li>Action items – to make these logs more useful for insider threat: </li></ul><ul><li>Retain these logs for longer </li></ul><ul><li>Retain DHCP server logs in combination with VPN logs </li></ul><ul><li>Watch for large data transfers from corporate to remote sites </li></ul>
    21. 21. Example: System Logs <ul><li>Main : key logs on most activities </li></ul><ul><li>Login success/failure </li></ul><ul><li>Account creation </li></ul><ul><li>Account deletion </li></ul><ul><li>Account settings and password changes </li></ul><ul><li>(On Windows) Various group policy and registry changes </li></ul><ul><li>File access (read/change/delete) </li></ul>
    22. 22. Example: Web Logs <ul><li>Main : extrusion, data theft/loss records </li></ul><ul><li>Connection to a specific website </li></ul><ul><li>Data uploads </li></ul><ul><li>Webmail access </li></ul><ul><li>Some types of HTTP tunneling for data theft </li></ul><ul><li>Spyware activities </li></ul>
    23. 23. Example: Database Audit <ul><li>Main : database logs record access to crown jewels </li></ul><ul><li>Database data access </li></ul><ul><li>Data change </li></ul><ul><li>Database structures and configuration change </li></ul><ul><li>Database starts, stops, and other administration tasks </li></ul>
    24. 24. Database Audit AIs <ul><li>Action items – to make these logs more useful for insider threat: </li></ul><ul><li>Enable data access logging </li></ul><ul><li>Enable database change logging </li></ul><ul><li>Enable backup, export and other data-intensive procedure logging </li></ul><ul><li>Enable DBA action logging </li></ul><ul><li>Preserve logs from DBAs </li></ul>
    25. 25. Example: Honeypot Logs <ul><li>Main : evidence of actual insider threat activity </li></ul><ul><li>Active recon by malicious insiders </li></ul><ul><li>Record only malicious insider actions </li></ul><ul><li>Can provide a complete recording of “a crime” (such as data theft) </li></ul><ul><li>Needs other logs to build a case! </li></ul>
    26. 26. What You MUST Do?! <ul><li>Have logs </li></ul><ul><li>Collect logs </li></ul><ul><li>Retain logs </li></ul><ul><li>Review logs </li></ul><ul><li>Analyze logs </li></ul>
    27. 27. Case Study <ul><li>Honeytokens + lots of logging </li></ul><ul><li>Focus on CRM data </li></ul><ul><li>Honeytoken deployed into a database </li></ul><ul><li>Insane amount of logging: email, network IPS, server, application, database, etc </li></ul><ul><li>How the insider was caught? </li></ul><ul><li>What happened next? </li></ul>
    28. 28. How to optimize logging? <ul><li>Longer log retention : 1 year and more </li></ul><ul><ul><li>Might not be discovered for a while </li></ul></ul><ul><li>Broad range of log sources </li></ul><ul><ul><li>Insiders can do anything! </li></ul></ul><ul><li>Higher emphasis on log protection </li></ul><ul><ul><li>If you get sued (or intend to sue) </li></ul></ul><ul><li>More analysis of stored data </li></ul><ul><ul><li>Real-time won’t cut it! </li></ul></ul>
    29. 29. Conclusions <ul><li>You can’t stop insiders – but you can help yourself deal with the consequences </li></ul><ul><li>Logs is one technology that helps! </li></ul><ul><li>You need a broad platform approach to manage logs, not siloes, since you need many different types of logs in one place to recreate what the attacker did </li></ul>
    30. 30. Thanks for Attending the Presentation! <ul><li>Dr Anton Chuvakin, GCIA, GCIH, GCFA </li></ul><ul><li>Chief Logging Evangelist </li></ul><ul><li>LogLogic, Inc </li></ul><ul><li>Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007) books </li></ul><ul><li>See http://www.info-secure.org for my papers, books, reviews and other resources related to logs. Also see my blog at http://chuvakin.blogspot.com </li></ul>