
Preventing The Next Data Breach Through Log Management


Preventing The Next Data Breach Through Log Management by Ben Goodman, Principal Strategist, Novell


  1. Preventing The Next Data Breach Through Log Management. Ben Goodman, Principal Strategist, Novell, Inc.
  2. Agenda
     • Why Should You Care?
     • The Bottom Line
     • Solutions
     • Next Steps
  3. Why Should You Care?
  4. Business/IT Trends, From Security's Perspective: Social Networks, Economy, Cloud/SaaS, Virt., Mobile
  5. Infosec Trends Collide: the same trends (Social Networks, Economy, Cloud/SaaS, Virt., Mobile) meet Cyber crime, APT and G2B Hacking
  6. The Bottom Line
  7. The Bottom Line
     • IT Trends exposing orgs to more risk
     • Strong incentives for hackers
     • Unsustainable and explosive situation
     • Security orgs are underfunded
     • Hard for business leaders to understand the expenses
     • Focus is on compliance, but compliance only protects your organization against fines
     • In order to do your job, must fight for mandate and budget like never before
  8. Start with a Few Assumptions
     • No endpoint is secure
     • Employees will get duped into doing bad things
     • Not all employees have the best intentions
     • You will be breached, the question is just how badly
     • Business leaders must justify investments to a higher authority
     • Criminals are lazy
  9. No Endpoint is Secure
     • Too many threat vectors to guard against them all
       – Social networking
       – 0-day vulnerabilities
       – Malware
       – SQL injection
     • Your employees will get duped
     • Your employees could even be getting paid
  10. You Are Breached
     • Research suggests that a large portion of botnets comes from corporate networks
       – Can you guarantee every endpoint on your network is completely malware free?
     • Start from the perspective that every endpoint on your network is already breached
     • Trust must be earned before being granted
     • Authentication only guarantees access
     • Inspect every tr
  11. “IT administrators were responsible for more data compromises than any other insider role. [However,] many will note the rather small difference between breaches caused by other employees and IT administrators. These findings are a reminder that high levels of access are not necessary in order to compromise data.” – Verizon Business, 2008 Data Breach Investigations Report
  12. Security Today
     • Keep “bad guys” away from the network
     • Build a gigantic wall around the enterprise
     • Deploy point technologies to guard against specific threat vectors at the edge
  13. Today's Reality
     • Data and workloads moving off-premise
     • Threats from insiders and outsiders...
     • Targeted attacks increasing
  14. Targeted Attacks Pose a Problem
     • Blurs the lines between an insider and outsider
     • Hackers are incredibly good at covering their tracks
       – Heartland Data Systems: takes nine weeks of intense scrutiny to discover something was wrong
     • The evidence is there, but buried under a mountain of data! The central challenge of security is filtering the noise and finding inconsistencies in the data.
  15. “Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: information regarding the attack was neither noticed nor acted upon.” – Verizon Business, 2008 Data Breach Investigations Report
  16. Solutions
  17. The Next Generation Security Program (layered, top to bottom)
     • User Activity Monitoring: SIEM + IAM
     • Security Intelligence: Log Management
     • IDS/IPS, Vuln Scan
     • Basic blocking and tackling: Firewall, Anti-virus, Access Controls
  18. What is Log Management, anyway?
     • A tool for collecting and storing large amounts of security logs, with the ability to search and report
     • Typically deployed as a response to some sort of regulatory mandate
       – PCI
       – Sarbanes Oxley
       – HIPAA
     • Often takes the place of a home grown log aggregation system
  19. Silos of Data, Manual Processes and Little Insight
     • Security requires: Collect, Consolidate, Understand, Analyze, Notify, Report
     • Log sources (each its own silo of logs):
       – Databases: Oracle, SQLServer, DB2
       – Network Infrastructure: Routers, Switches, VPN Concentrators
       – Security Devices: Firewalls, IDSs, IPSs, A/V
       – Applications: SAP, Oracle, Home Grown
       – Workstations and Servers: Windows, Unix, Netware
       – Mainframes: RACF, ACF2, TopSecret
     • Must translate disparate data to standard regulatory language
     • Not practical with manual processes: what's happening?
  20. Basic Log Management Functions
     • Collecting logs from various network devices, security applications, and business applications
     • Storing these logs for some defined retention period, ideally at the lowest possible cost
     • Searching through the stored logs on an ad-hoc basis for forensics, to find anomalies, etc.
     • Sending reports to analysts, managers, etc. at periodic intervals to fulfill operational or regulatory requirements
  21. What's In a Log?
     • Certain activities that take place on a system generate an event or log file
       – Successful and failed login
       – Ports open/close
       – Privilege escalation
     • Syslog is a standard for taking these log files and streaming them to a central location
       – Wikipedia: “Syslog ... allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate, a means to notify administrators of problems or performance.”
     • If syslog is just a stream of information, how to make it useful?
       – Not much provided by default
       – Can save syslog to a file and grep through it: a completely manual effort
  22. Events Explained
     • Source + Priority + Message = Syslog Event
       – ftp + warning + failed login
       – lpr + notice + low on ink
       – auth + warning + privilege escalation failed
     • How do I know if something is wrong? Can I search through these events? Can I create a report to see all the failed logins last week?
  23. Using Log Management for Prevention
     • Log management provides the transparency required to discover potential threats and vulnerabilities
       – Requires a certain amount of diligence
     • Use log management to discover
       – If devices or software are misconfigured
       – Who is accessing data or files
       – Who is changing configurations
       – Who has access to sensitive data and systems (and then go and limit those with access where possible)
       – Whether administrators are sharing passwords or abusing privileged access
  24. Using Log Management for Detection
     • Log management can help determine whether a breach event has occurred
       – Knowing that you've been breached is often extremely difficult
     • Diligent log management tells you
       – If a new user was unexpectedly created
       – Who has elevated permissions
       – If the volume of attacks increases
       – If a vulnerable system was targeted with an exploit
       – Whether a configuration was tampered with
  25. Using Log Management for Investigation
     • Event logs are the most critical footprints within the enterprise to reconstruct an actual breach
       – Log management provides visibility across all your IT infrastructure
       – Allows root cause analysis
     • Use log management to determine what happened and how it happened, in order to remediate or mitigate:
       – Which systems and applications were compromised
       – The attack vector that was used
       – Which security systems failed
       – If the attack was detected but not acted on
       – If the attack was external or due to an insider (malicious or otherwise)
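The slides on what is in a log (21), the Source + Priority + Message model of a syslog event (22) and the detection questions of slide 24 (a user unexpectedly created, elevated permissions, repeated failed logins) can be made concrete in a few dozen lines. The following is an added example, not code from the deck or from Novell: it parses RFC 3164-style syslog lines into source, facility and severity (the priority), answers slide 22's "failed logins" report question, and runs the slide 24 checks as simple rules. The log lines are constructed for the example, the host name `web01`, the brute-force threshold and the set of administrative groups are assumptions.

```python
"""Syslog events as Source + Priority + Message, plus a few detection rules.

Added example, not from the slides. The log lines below are constructed to look
like RFC 3164 messages from one Linux host ("web01"); thresholds and the list of
administrative groups are illustrative assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Facility and severity names derived from the PRI field (facility*8 + severity).
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + [f"local{i}" for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# <PRI>Mon dd hh:mm:ss host program[pid]: message   (the [pid] part is optional)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?(?P<msg>.*)$")

FAILED_LOGIN_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (\S+) from (\S+)")
NEW_USER_RE = re.compile(r"new user: name=([^,]+)")
GROUP_ADD_RE = re.compile(r"add '([^']+)' to group '([^']+)'")
ADMIN_GROUPS = {"wheel", "sudo", "root"}  # assumption: groups that grant admin rights

# Constructed sample log: three failed logins, then a success from the same address,
# a new account, a sudo refusal, a printer notice, and a group change. One line is
# deliberately not syslog-shaped to show that the parser skips it.
SAMPLE_LOG = [
    "<36>Mar  3 09:12:01 web01 sshd[2210]: Failed password for admin from 198.51.100.7 port 4410 ssh2",
    "<36>Mar  3 09:12:03 web01 sshd[2210]: Failed password for admin from 198.51.100.7 port 4412 ssh2",
    "<36>Mar  3 09:12:05 web01 sshd[2210]: Failed password for admin from 198.51.100.7 port 4413 ssh2",
    "<38>Mar  3 09:15:40 web01 sshd[2290]: Accepted password for admin from 198.51.100.7 port 4420 ssh2",
    "<86>Mar  3 09:16:02 web01 useradd[2301]: new user: name=svc_backup, UID=1007, GID=1007, home=/home/svc_backup, shell=/bin/bash",
    "<85>Mar  3 09:16:30 web01 sudo:  svc_backup : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/svc_backup ; USER=root ; COMMAND=/bin/bash",
    "<53>Mar  3 09:17:10 web01 lpd[410]: printer lp0: low on ink",
    "<86>Mar  3 09:18:00 web01 usermod[2330]: add 'svc_backup' to group 'wheel'",
    "this line is not a syslog message and is skipped",
]


@dataclass
class Event:
    timestamp: str
    host: str
    source: str     # program that wrote the line, e.g. sshd
    facility: str   # subsystem, decoded from PRI
    severity: str   # urgency, decoded from PRI
    message: str


def parse_line(line: str) -> Optional[Event]:
    """Split one line into the slide's Source + Priority + Message; None if malformed."""
    m = LINE_RE.match(line)
    if not m or int(m["pri"]) > 191:   # 23*8 + 7 is the largest valid PRI
        return None
    pri = int(m["pri"])
    return Event(m["ts"], m["host"], m["app"],
                 FACILITIES[pri >> 3], SEVERITIES[pri & 7], m["msg"].strip())


def parse_lines(lines) -> List[Event]:
    return [e for e in map(parse_line, lines) if e is not None]


def failed_login_report(events: List[Event]) -> Counter:
    """Slide 22's report question: failed logins counted per (user, source address)."""
    counts: Counter = Counter()
    for e in events:
        m = FAILED_LOGIN_RE.search(e.message) if e.source == "sshd" else None
        if m:
            counts[(m.group(1), m.group(2))] += 1
    return counts


def detect(events: List[Event], brute_force_threshold: int = 3) -> List[Tuple[str, str]]:
    """Slide 24's checks: repeated failed logins (and whether one then succeeded),
    unexpected new users, elevated permissions, refused privilege escalation."""
    findings = []
    accepted = set()
    for e in events:
        m = ACCEPTED_RE.search(e.message) if e.source == "sshd" else None
        if m:
            accepted.add((m.group(1), m.group(2)))
    for (user, ip), n in failed_login_report(events).items():
        if n >= brute_force_threshold:
            findings.append(("brute_force", f"{n} failed logins for {user} from {ip}"))
            if (user, ip) in accepted:
                findings.append(("brute_force_success", f"{user} later logged in from {ip}"))
    for e in events:
        m = NEW_USER_RE.search(e.message)
        if e.source == "useradd" and m:
            findings.append(("new_user", m.group(1)))
        m = GROUP_ADD_RE.search(e.message)
        if e.source == "usermod" and m and m.group(2) in ADMIN_GROUPS:
            findings.append(("elevated_permissions", f"{m.group(1)} added to {m.group(2)}"))
        if e.source == "sudo" and "NOT in sudoers" in e.message:
            findings.append(("privilege_escalation_attempt", e.message.split(":")[0].strip()))
    return findings


if __name__ == "__main__":
    evs = parse_lines(SAMPLE_LOG)
    for e in evs:
        print(f"{e.source:>8} + {e.facility}.{e.severity:<7} + {e.message[:50]}")
    for kind, detail in detect(evs):
        print(f"FINDING {kind}: {detail}")
```

The printer notice parses to `lpd + lpr.notice + low on ink` but produces no finding, which is the point of slide 22: the stream only becomes useful once rules are applied to it. The correlation between the failed logins and the later accepted login from the same address is what a manual grep (slide 21) tends to miss; each rule here is a few lines and runs over a day of a real auth log unchanged.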
  26. Next Steps
  27. Building User Activity Monitoring
     • UAM is the weapon against trustless computing
     • Inject context into security events
       – Identities
       – Asset information
     • Examine transactions with all available information
       – Determine what happened? who did it? should I care?
     • Mine the data for inconsistencies
     • Where to start?
  28. The Maturity Model (“Compliance is the Driver”): Log Management → Security Monitoring and Remediation → User Activity Monitoring (CISO)
     • Capabilities across the stages: Collection, Storage, Analysis; Audit / Compliance Reporting; Historical Analysis; Real-time Monitoring; Automated Remediation; Enterprise View; Manage User Access Risk; Monitor Identity Fraud; Advanced Analytics
  29. Security Management Capabilities
     • Security Monitoring and Remediation
       – Detect and report on security anomalies to reduce risk
       – Automate remediation to improve security
     • Log Management
       – Collect, archive, and report on log data
       – Forward data for further analysis
  30. The Hacker
     • Manually checking system logs is prone to error
     • Intruder → Payment-processing System: The intruder hacks into the payment-processing system. The payment-processing system logs the malicious activity. With so many logs to monitor, administrators overlook the activity. The intruder steals customers' credit and debit card numbers.
  31. Real-time Monitoring and Remediation
     • Real-time monitoring and remediation stops malicious activity when it occurs
     • Intruder → Payment-processing System → IT Security Team: The intruder hacks into the payment-processing system. The payment-processing system logs the malicious activity. Recognizing the activity as out of policy, the system takes immediate action… like alerting the IT security team and locking down the payment-processing system.
  32. Apply
     • Quantify the risks to the business
       – Show cost and likelihood, estimate how security investments reduce each
     • Survey the technology in place today
       – Tie each investment to the risk it is reducing, or the agility it is enabling
     • Build out metrics to capture the value of each piece
       – Establish a baseline
       – Compare to industry norms
       – Show how specific investments will impact metrics
     • Establish weekly or monthly cadence with cross-functional security team