“Zero Visibility”
Criticality of Centralized Logging
Prepared by: Anthony Asher, CISSP, CEH
Zero Visibility: Criticality of Centralized Log Management - v1

Presentation I gave on the importance of budgeting for a central log management solution.
  1. “Zero Visibility” – Criticality of Centralized Logging. Prepared by: Anthony Asher, CISSP, CEH
  2. “Zero Visibility” – Criticality of Centralized Logging. Agenda: 1 Quiz; 2 Evolution of IT Attacks; 3 Compliance Requirements; 4 Potential Solutions
  3. Quiz – #1: What is this device?
  4. Quiz – #2: … and this device?
  5. Quiz – Question 3: What do these things have in common? Geiger Counter; Seismograph. Answer: Used to detect and identify events, so that an action plan can be followed to lower risk.
  6. Evolution of IT Attacks
     • > 1998: Technical Issue; Unix; Servers; Attacks were Nuisance
     • 1998 - 2002: Technical/Business Issue; Windows Systems; Servers; Attacks were Nuisance
     • 2002 - Now: Technical/Business/Legal; Applications; Windows; Attacks for Money
  7. MSRT disinfections by category, 2H05 – 2H07 (bar chart; x-axis in millions, 0 to 20). Categories: PWS / Keyloggers, Rootkits, Viruses, Trojans, Worms, Backdoors, Downloaders / Droppers. Periods: 2H05, 1H06, 2H06, 1H07, 2H07.
  8. Evolution of IT Attacks (cont.)
  9. Compliance Requirements & Penalties
     Regulation       Data Retention Requirements   Penalties
     Sarbanes-Oxley   5 years                       Fines to $5M
     PCI              Corporate Policy              Fines / Loss of CC
     GLBA             6 years                       Fines
     FISMA            3 years                       Fines
     HIPAA            6 years                       $25,000
     NERC             3 years                       TBD
  10. Compliance Requirements & Penalties – ISO 27001 Compliance, Section 10 (10.10.1-5)
      10.10.1 Audit Logging: “Audit logs recording user activities, exceptions, and information security events shall be produced and kept...”
      10.10.2 Monitoring System Use: “Procedures for monitoring use of information processing facilities shall be established and results reviewed.”
      10.10.3 Protection of log information: “Logging facilities and log information shall be protected against tampering and unauthorized access.”
      10.10.4 Administrator and operator logs: “System administrator and system operator activities shall be logged.”
      10.10.5 Fault Logging: “Faults shall be logged, analyzed, and appropriate action taken.”
  11. Log Management Business Objectives
      • Security Operations: Are security policies being followed?
      • Forensics: Can legally admissible proof be shown?
      • Compliance: Can compliance be substantiated and gaps identified?
      • IT Operations: Can IT operations be improved?
  12. Current IT Infrastructure – Average Environment: x 176 (diagram)
  13. Current IT Infrastructure – Average Environment: Server x 176; Client Environments x 17 (diagram of server icons)
  14. Current IT Infrastructure – Average Environment: Domain, Policy, Servers, Logging Point, Single Logging Domain (diagram). “Bottom Line: Log analysis is increasing in importance for regulatory compliance and overall enterprise monitoring and security” – Paul Proctor, META Group
  15. Future IT Infrastructure: Servers feed Centralized Logging, with Policy, Analysis, Alerting and Reporting at the center (diagram). Individual environments become part of a larger, enterprise-wide system, with central analysis, alerting and reporting.
  16. Solutions – Software Agent: an Agent Process on each Server forwards to a Primary Site, which produces Reports & Alerts (diagram). Agents shown: Snare, Lasso.
  17. Solutions – Appliance: Servers forward events (Event 560, Event 680, Event 681) to an Appliance, which runs the Process (diagram).
  18. Research - Centralized Logging
      Research: Reviewed over fifteen products from open source to enterprise. Participated in vendor demonstrations. Research paper on portal.
      Communications: Participated in security consortiums, initiated with Common Tools Team, interviewed NSS Security, and discussed with NOC.
      Potential Solutions: Currently working to narrow solutions, and scope potential options based on Unisys requirements.
      Goal: Implement a centralized logging solution to allow policy compliance, and prevent security violations by having higher visibility into security events.
  19. Extended H@(|<5
      “hackers managed to steal data from transactions that occurred between November 2003 and April 2004.”
      “…install programs that gathered enormous quantities of personal financial data”
      "I suspect that a lot of people are unaware that their identifying information has been compromised," U.S. Attorney Michael Sullivan
  20. Questions?
  21. References
      • Kevin Mandia – President & CEO, Mandiant
      • Michael Suby – Director, Stratecast
      • Microsoft Security Intelligence Report (July – December 2007)
      • LogLogic – Best Practices for Log Management
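As an added example (not from the deck, and not the code of Snare, Lasso or any other product it names), the Python below sketches what slides 15 to 17 draw and what two of the ISO 27001 controls on slide 10 ask for: agents on many servers forward events to one store; the store is made tamper-evident with a hash chain (10.10.3); the retention periods from the slide 9 table are applied to each event; and one correlation rule runs centrally that no single server could fire on its own, which is the "zero visibility" point of the deck. The "<time> <host> key=value ..." line format, the host names, users and addresses are constructed for the example; reading EventID 681 as a logon failure is an assumption taken from Windows 2000/2003 security log numbering.

```python
import hashlib
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Retention periods in years, copied from the deck's compliance table (slide 9).
RETENTION_YEARS = {"Sarbanes-Oxley": 5, "GLBA": 6, "FISMA": 3, "HIPAA": 6, "NERC": 3}

# Constructed sample input: one line per event as a forwarding agent might send
# it. The "<time> <host> key=value ..." layout is an assumption for this
# example, not any product's format; hosts, users and addresses are made up.
SAMPLE_LINES = [
    "2008-03-01T09:00:01 srv01 EventID=681 user=jsmith src=10.1.1.5",
    "2008-03-01T09:00:07 srv02 EventID=681 user=jsmith src=10.1.1.5",
    "2008-03-01T09:00:12 srv03 EventID=681 user=admin src=10.1.1.5",
    "2008-03-01T09:01:00 srv01 EventID=560 user=svc_backup obj=C:\\payroll.xls",
    "2008-03-01T09:02:30 srv02 EventID=680 user=mjones src=10.1.2.9",
    "2008-03-01T09:03:00 srv02 EventID=681 user=mjones src=10.1.2.9",
    "2008-03-01T09:03:05 srv02 EventID=681 user=mjones src=10.1.2.9",
]


def parse_line(line):
    """Normalize one forwarded line into an event dict."""
    time, host, *fields = line.split()
    event = {"time": time, "host": host}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


class CentralLogStore:
    """Append-only central store. Each entry's hash also covers the previous
    entry's hash, so editing or deleting a stored event is caught by verify()
    (the protection against tampering that ISO 27001 10.10.3 asks for)."""

    GENESIS = "0" * 64  # stands in for the hash of the empty chain

    def __init__(self):
        self.entries = []  # list of (event, hash_hex)
        self.head = self.GENESIS

    @staticmethod
    def _digest(prev_hash, event):
        payload = json.dumps(event, sort_keys=True).encode()
        return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

    def append(self, event):
        self.head = self._digest(self.head, event)
        self.entries.append((event, self.head))
        return self.head

    def verify(self):
        """(True, None) if the chain is intact, else (False, index of first bad entry)."""
        prev = self.GENESIS
        for i, (event, stored) in enumerate(self.entries):
            if self._digest(prev, event) != stored:
                return False, i
            prev = stored
        return True, None

    def events(self):
        return [event for event, _ in self.entries]


def retention_deadline(regulation, iso_time):
    """Earliest time an event may be purged under the named regulation (ISO string)."""
    t = datetime.fromisoformat(iso_time)
    years = RETENTION_YEARS[regulation]
    try:
        return t.replace(year=t.year + years).isoformat()
    except ValueError:  # 29 February in a non-leap target year: roll forward to 1 March
        return t.replace(year=t.year + years, month=3, day=1).isoformat()


def multi_host_logon_failure_alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Central correlation rule: one source address with logon failures
    (EventID 681, read here as a logon failure) on several different servers
    inside the window. Each server alone sees a single failure and has nothing
    to alert on; only the central view can join them."""
    failures = defaultdict(list)  # src -> [(time, host)]
    for e in events:
        if e.get("EventID") == "681" and "src" in e:
            failures[e["src"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for src, hits in failures.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = sorted({h for t, h in hits[i:] if t - t0 <= window})
            if len(hosts) >= min_hosts:
                alerts.append({"src": src, "hosts": hosts, "first_seen": t0.isoformat()})
                break
    return alerts


def run_pipeline(lines=SAMPLE_LINES):
    """Collect every forwarded line into the central store, then run the rule over it."""
    store = CentralLogStore()
    for line in lines:
        store.append(parse_line(line))
    return store, multi_host_logon_failure_alerts(store.events())


if __name__ == "__main__":
    store, alerts = run_pipeline()
    print("chain intact:", store.verify())
    for alert in alerts:
        print("ALERT", alert)
    store.entries[2][0]["user"] = "nobody"  # simulate a silent edit of a stored event
    print("after edit:", store.verify())
```

On the sample input, each of srv01, srv02 and srv03 logs exactly one failure from 10.1.1.5, so a per-server view stays quiet, while the central rule raises one alert naming all three hosts; the two failures from 10.1.2.9 stay on one host and do not meet the threshold. Editing a stored event afterwards makes verify() report the index of the first entry whose hash no longer matches, which is the property an auditor checking 10.10.3 would want to see demonstrated.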