CSI NetSec 2007: Six Mistakes of Log Management by Anton Chuvakin
Slide 1: Six Mistakes of Log Management
Dr Anton Chuvakin, GCIA, GCIH, GCFA

Slide 2: Summary
<ul>
<li>The World of System, Network and Security Logs</li>
<li>Why Look at Logs?</li>
<li>Brief Log Analysis Overview</li>
<li>From Log Analysis to Log Management</li>
<li>Log Management Mistakes: from 0 to 5</li>
<li>Conclusions</li>
</ul>

Slide 3: Log Data Overview
What logs?
<ul>
<li>Audit records</li>
<li>Transaction logs</li>
<li>Intrusion alerts</li>
<li>Connection logs</li>
<li>System performance records</li>
<li>User activity logs</li>
<li>Various alerts and other messages</li>
</ul>
From where?
<ul>
<li>Firewalls/NIPS</li>
<li>Routers/switches</li>
<li>Intrusion detection</li>
<li>Servers, desktops, mainframes</li>
<li>Business applications</li>
<li>Databases</li>
<li>Anti-virus</li>
<li>VPNs</li>
</ul>

Slide 4: What Commonly “Gets Logged”?
<ul>
<li>System or software startup, shutdown, restart, and abnormal termination (crash)</li>
<li>Various thresholds being exceeded or reaching dangerous levels, such as disk space full, memory exhausted, or processor load too high</li>
<li>Hardware health messages that the system can troubleshoot or at least detect and log</li>
<li>Access to resources and authentication decisions</li>
<li>Network connections, failed and successful</li>
<li>User access privilege changes such as the su command, both failed and successful</li>
<li>User credentials and access right changes, such as account updates, creation, and deletion, both failed and successful</li>
<li>System configuration changes and software updates, both failed and successful</li>
</ul>

Slide 5: “Arrgh! Why Don’t We Just Ignore ’Em?”

Slide 6: Regulations Mandate Logging and Log Review
<ul>
<li>ISO 17799
<ul>
<li>Maintain audit logs for system access and use, changes, faults, corrections, capacity demands</li>
<li>Review the results of monitoring activities regularly</li>
<li>Ensure the accuracy of the logs</li>
</ul>
</li>
<li>NIST 800-53
<ul>
<li>Capture audit records</li>
<li>Regularly review audit records for unusual activity and violations</li>
<li>Automatically process audit records</li>
<li>Protect audit information from unauthorized deletion</li>
<li>Retain audit logs</li>
</ul>
</li>
<li>PCI
<ul>
<li>Requirement 10, etc.</li>
<li>Logging and user activity tracking are critical</li>
<li>Automate and secure audit trails for event reconstruction</li>
<li>Review logs daily</li>
<li>Retain audit trail history for at least one year</li>
</ul>
</li>
<li>COBIT
<ul>
<li>Provide adequate audit trail for root-cause analysis</li>
<li>Use logging and monitoring to detect unusual or abnormal activities</li>
<li>Regularly review access, privileges, changes</li>
<li>Monitor performance</li>
<li>Verify backup completion</li>
</ul>
</li>
</ul>
... and NIST 800-92, “Guide to Security Log Management”!

Slide 7: NIST 800-92 “Guide to Computer Security Log Management”
<ul>
<li>The first ever official guidance on solving logging challenges</li>
<li>Logging configurations</li>
<li>Logging policies and procedures</li>
<li>Log analysis tools and resources</li>
</ul>

Slide 8: So, How Do People Do It?

Slide 9: Log Analysis Basics
<ul>
<li>Manual
<ul>
<li>‘tail’, ‘more’, ‘grep’, ‘notepad’, etc.</li>
</ul>
</li>
<li>Filtering
<ul>
<li>Positive and negative (“artificial ignorance”)</li>
</ul>
</li>
<li>Summarization and reports
<ul>
<li>“Top X of Y”</li>
</ul>
</li>
<li>Simple visualization
<ul>
<li>“… worth a thousand words?”</li>
</ul>
</li>
<li>Correlation
<ul>
<li>Rule-based and other</li>
</ul>
</li>
<li>Log data mining</li>
</ul>

Slide 10: Looks Complicated?! No Wonder People Make Mistakes …

Slide 11: Six Mistakes of Log Management
<ul>
<li>0. Not logging at all</li>
<li>1. Not looking at the logs</li>
<li>2. Storing logs for too short a time</li>
<li>3. Prioritizing the log records before collection</li>
<li>4. Ignoring the logs from applications</li>
<li>5. Only looking at what you know is bad</li>
</ul>

Slide 12: Conclusions
<ul>
<li>Now you know:
<ul>
<li>What are the logs?</li>
<li>Where do they come from?</li>
<li>Why look at them?</li>
<li>How do people do it?</li>
<li>What are some of the relevant regulations?</li>
<li>How to deal with them?</li>
</ul>
</li>
<li>And how to AVOID MISTAKES in log management!</li>
</ul>

Slide 13: Thanks for Attending!!!
<ul>
<li>Dr Anton Chuvakin, GCIA, GCIH, GCFA</li>
<li>Chief Logging Evangelist</li>
<li>http://www.chuvakin.org</li>
<li>Author of “Security Warrior” (O’Reilly, 2004) – http://www.securitywarrior.org</li>
<li>See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon!</li>
</ul>
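The negative filtering (“artificial ignorance”) and “Top X of Y” summarization named on slide 9, applied to constructed syslog-style lines, as an added example that is not part of the deck; it also illustrates the alternative to mistake 5 on slide 11, since the residue after removing known-good lines is reviewed instead of only searching for known-bad. The sample lines, the known-benign patterns and the helper names are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample log lines in syslog style; not data from the deck.
SAMPLE_LOGS = """\
Mar  3 10:01:02 host1 sshd[2011]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 10:01:10 host1 CRON[2020]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:02:15 host1 sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Mar  3 10:02:16 host1 sshd[2031]: Failed password for invalid user admin from 203.0.113.7 port 4412 ssh2
Mar  3 10:02:18 host1 sshd[2033]: Failed password for root from 203.0.113.7 port 4413 ssh2
Mar  3 10:03:00 host1 CRON[2040]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 10:03:30 host1 kernel: [12345.6] usb 1-1: new high-speed USB device number 4
Mar  3 10:04:01 host1 sshd[2050]: Accepted password for bob from 10.0.0.9 port 51240 ssh2
Mar  3 10:05:00 host1 sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""
LINES = SAMPLE_LOGS.splitlines()

# Assumed "known benign" patterns for the negative filter ("artificial
# ignorance"): whatever matches none of these is what the analyst reads.
KNOWN_BENIGN = [
    re.compile(r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)"),
    re.compile(r"sshd\[\d+\]: Accepted publickey for \w+ from 10\.0\.0\.\d+"),
]

# Minimal syslog line parser: timestamp, host, program (PID dropped), message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$")

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def artificial_ignorance(lines, benign=KNOWN_BENIGN):
    """Negative filter: keep only lines that match no known-benign pattern."""
    return [ln for ln in lines if not any(p.search(ln) for p in benign)]

def top_x(lines, field, x=3):
    """'Top X of Y' summary: most frequent values of one parsed field."""
    counts = Counter(rec[field] for rec in map(parse, lines) if rec)
    return counts.most_common(x)

def top_source_ips(lines, x=3):
    """Top X source addresses mentioned as 'from a.b.c.d' in messages."""
    ips = re.findall(r"\bfrom (\d+\.\d+\.\d+\.\d+)\b", "\n".join(lines))
    return Counter(ips).most_common(x)

if __name__ == "__main__":
    for ln in artificial_ignorance(LINES): print(ln)   # the residue to review
    print(top_x(LINES, "prog"), top_source_ips(LINES))
```

Adding a benign pattern for every line an analyst has explained shrinks the residue over time; the Top X summaries show where volume concentrates.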