Log Management For e-Discovery, Database Monitoring and Other Unusual Uses
Published in: Technology
  • Speaker notes: Here is a reminder of what you will be covering: e-discovery; troubleshooting the health of your database; database audit activities; user activity tracking via proxy logs.

    1. Beyond “Classic” Log Management Uses, Dr Anton Chuvakin
    2. Use Cases for Log Data Continue to Expand <ul><li>Does your organization use log management for any of the following? </li></ul><ul><li>Security detection and remediation </li></ul><ul><li>Security analysis and forensics </li></ul><ul><li>Monitoring IT controls for regulatory compliance </li></ul><ul><li>Troubleshooting IT problems </li></ul><ul><li>Monitoring end-user behavior </li></ul><ul><li>Service level/performance management </li></ul><ul><li>Configuration/change management </li></ul><ul><li>Monitoring IT administrator behavior </li></ul><ul><li>Capacity planning </li></ul><ul><li>Business analysis </li></ul>[Chart: for each use case, the percentage of respondents answering “Yes, we use SIM technologies for this today”, “No, we don’t use SIM technologies for this today, but plan or would like to do so in the future”, and “No, we don’t use SIM technologies for this today and have no plans to do so”. Source: Enterprise Strategy Group, 2007 (percentage of respondents, N = 123). Per-bar percentages are not legible in the extracted chart.]
    3. “Compliance+” Model At Work <ul><li>You bought it for PCI DSS </li></ul><ul><li>You installed it </li></ul><ul><li>Your boss is happy </li></ul><ul><li>Your auditor is … gone </li></ul><ul><li>What are you going to do next? </li></ul>
    4. Three Use Cases for Log Management <ul><li>Logging for e-discovery: respond faster to avoid fines </li></ul><ul><li>Audit database activities and monitor database access </li></ul><ul><li>User activity tracking and basic data leakage detection via proxy logs </li></ul>
    5. Log Management for e-Discovery <ul><li>What Is e-Discovery? </li></ul><ul><ul><li>A need to provide requested information based on an attorney’s request (if your company is involved in a suit) </li></ul></ul><ul><li>What Is It About? </li></ul><ul><ul><li>Find and present the information or pay the fines! </li></ul></ul><ul><li>Main Challenges? </li></ul><ul><ul><li>Find a needle in a haystack: satisfy a very specific request or face fines </li></ul></ul><ul><ul><li>Pick ALL needles from a haystack: satisfy or contest a general request for the information </li></ul></ul>
    6. How Log Management Helps <ul><li>Myth #1: E-Discovery is about email! </li></ul><ul><li>Truth: ALL types of information can be requested. </li></ul><ul><li>Yes, that includes logs! </li></ul><ul><li>How does one make logs “discoverable?” </li></ul><ul><li>What if you don’t? </li></ul>
    7. Log Management for e-Discovery <ul><li>Common requirements: </li></ul><ul><li>Raw, unmodified logs (as they come from the log sources!) </li></ul><ul><li>Log security and reliability (collection and storage) </li></ul><ul><li>Fast search for keywords (user, email, file name) </li></ul><ul><li>Which logs might you need to discover? </li></ul><ul><li>What did the user do? </li></ul><ul><li>Which files were accessed? </li></ul>
    8. What Will You Do About It? <ul><li>Deploy a log management system to take control of logs </li></ul><ul><li>Preserve original logs as they are generated </li></ul><ul><li>Take steps to protect them from accidental and malicious modification </li></ul><ul><li>Define and enforce a credible log retention policy </li></ul>
    9. If You Can Only Do One Thing… <ul><li>Save all raw logs. Just save them and keep them around for a documented time period. </li></ul>
    10. Log Management for Web Tracking and “DLP” <ul><li>A web proxy caches, passes, blocks, authenticates, and secures web traffic </li></ul><ul><li>Examples: Squid, Blue Coat, NetCache, ISA, etc. </li></ul><ul><li>What is in proxy logs </li></ul><ul><ul><li>Users’ activities on the web </li></ul></ul><ul><ul><li>Applications’ HTTP activity </li></ul></ul><ul><ul><li>Web-enabled malware traffic </li></ul></ul><ul><ul><li>Proxy performance metrics </li></ul></ul>
    11. What is in proxy logs: details <ul><li>Typical proxy log contains: </li></ul><ul><ul><li>Time stamp </li></ul></ul><ul><ul><li>Source IP and possibly user name </li></ul></ul><ul><ul><li>Browser type (“User-agent”) and OS (indirectly) </li></ul></ul><ul><ul><li>Destination URL and sometimes its category </li></ul></ul><ul><ul><li>HTTP method and response code </li></ul></ul><ul><ul><li>Proxy actions (blocked, proxied, passed, etc) </li></ul></ul><ul><li>Example (Blue Coat-style access log line): 2006-05-08 16:15:01 2 192.168.1.3 Mary - authentication_redirect_from_virtual_host DENIED "Search Engines/Portals" - 307 TCP_AUTH_REDIRECT GET - http www.comcast.net 80 /home.html - html "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)" 192.168.1.2 970 425 - - none - - </li></ul>
    12. What Are They Good For? <ul><li>Security, compliance, operations </li></ul><ul><li>Web access policy violations </li></ul><ul><li>User activity monitoring </li></ul><ul><li>Internal spyware and malware tracking </li></ul><ul><li>Web client attack detection </li></ul><ul><li>Server attacks by hackers from inside </li></ul><ul><li>Intellectual property (IP) theft and information leakage detection </li></ul><ul><li>Proxy performance measurement </li></ul>
    13. Proxy Logs for Basic “DLP” <ul><li>How? </li></ul><ul><li>Search for POST requests AND specific document content-types (e.g. msword, powerpoint, etc.) </li></ul><ul><li>What? </li></ul><ul><li>Look for uploads to unusual sites (especially ones with unresolved IPs), to web mail, or with sensitive document names </li></ul><ul><li>Especially, look for uploads to unusual ports </li></ul><ul><li>More details on LogBlog (Tip #12) </li></ul>
    14. If You Can Only Do One Thing… <ul><li>Search proxy logs for “sensitive” file names/types + POST request type </li></ul>
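The following is an added example, not code from the deck or from LogLogic, tying slides 11, 13 and 14 together: it reads W3C ELFF-style proxy records by their `#Fields:` header (the layout Blue Coat SG and similar proxies write) and applies the slide 13/14 heuristic to them. The field subset, the sample records, the hosts, the webmail list and the “sensitive” name words are all assumptions. One caveat the slide glosses over: a browser file upload is normally a multipart/form-data POST, so the document type shows up in the file extension and the request size rather than in the request Content-Type; the example checks all of these, and treats bare-IP destinations and non-standard ports as the “unusual site” signal.

```python
"""Basic "DLP" over proxy logs: flag POST uploads of documents to unusual
destinations (slides 11, 13 and 14). Added example; field names, sample
records and watch-lists below are assumptions, not data from the deck."""
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed sample in W3C ELFF layout (a "#Fields:" header, then one
# space-separated, quote-aware record per line), modelled loosely on the
# Blue Coat-style line on slide 11. Users, hosts and sizes are made up.
SAMPLE_LOG = """#Fields: date time c-ip cs-username sc-filter-result sc-status cs-method cs(Content-Type) cs-uri-scheme cs-host cs-uri-port cs-uri-path cs-uri-extension cs-bytes
2006-05-08 16:15:01 192.168.1.3 Mary DENIED 307 GET - http www.comcast.net 80 /home.html html 425
2006-05-08 16:20:44 192.168.1.7 Bob OBSERVED 200 POST application/msword http 203.0.113.45 8080 /upload.php php 2488321
2006-05-08 16:22:10 192.168.1.7 Bob OBSERVED 200 POST "multipart/form-data; boundary=----x" https mail.example-webmail.test 443 /attach/Q3_board_deck.pptx pptx 9822112
2006-05-08 16:25:03 192.168.1.9 Ann OBSERVED 200 POST application/x-www-form-urlencoded https www.example.test 443 /login - 312
2006-05-08 16:30:15 192.168.1.3 Mary OBSERVED 200 GET - http www.example.test 80 /report.doc doc 77
"""

# Watch-lists (assumptions; tune them to your environment).
DOCUMENT_CONTENT_TYPES = {
    "application/msword", "application/vnd.ms-excel", "application/vnd.ms-powerpoint",
    "application/pdf", "application/zip",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
}
DOCUMENT_EXTENSIONS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "zip", "csv"}
SENSITIVE_NAME_WORDS = ("board", "confidential", "salary", "customer")
WEBMAIL_HOSTS = {"mail.example-webmail.test"}
NORMAL_PORTS = {80, 443}


@dataclass
class Finding:
    user: str
    host: str
    path: str
    reasons: list


def parse_elff(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw.strip() or raw.startswith("#") or fields is None:
            continue
        values = shlex.split(raw)      # honours the quoted fields
        if len(values) != len(fields):
            continue                   # malformed record; count these in production
        yield dict(zip(fields, values))


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyze(record, min_bytes=1_000_000):
    """Return a Finding for a document-looking POST, else None."""
    if record["cs-method"].upper() != "POST":
        return None
    ctype = record["cs(Content-Type)"].split(";", 1)[0].strip().lower()
    ext = record["cs-uri-extension"].lower()
    host = record["cs-host"].lower()
    path = record["cs-uri-path"]
    port = int(record["cs-uri-port"]) if record["cs-uri-port"].isdigit() else None
    cs_bytes = int(record["cs-bytes"]) if record["cs-bytes"].isdigit() else 0

    reasons = []
    # Slides 13/14: what is being uploaded? A multipart upload carries
    # "multipart/form-data" as its Content-Type, so the file extension and
    # name are checked as well as the declared type.
    if ctype in DOCUMENT_CONTENT_TYPES:
        reasons.append(f"document content-type {ctype}")
    if ext in DOCUMENT_EXTENSIONS:
        reasons.append(f"document extension .{ext}")
    if any(w in path.lower() for w in SENSITIVE_NAME_WORDS):
        reasons.append("sensitive file name")
    if not reasons:
        return None   # ordinary form POST (login, search): not an upload
    # Slide 13: where is it going? These raise the priority of a finding.
    if is_bare_ip(host):
        reasons.append("destination is a bare IP")
    if port is not None and port not in NORMAL_PORTS:
        reasons.append(f"unusual port {port}")
    if host in WEBMAIL_HOSTS:
        reasons.append("webmail")
    if cs_bytes >= min_bytes:
        reasons.append(f"large request body ({cs_bytes} bytes)")
    return Finding(record["cs-username"], host, path, reasons)


def scan(text):
    return [f for f in (analyze(r) for r in parse_elff(text)) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.user, f.host, f.path, "; ".join(f.reasons))
```

On the constructed sample this yields two findings, both for Bob: a Word document POSTed to a bare IP on port 8080, and a multipart upload of Q3_board_deck.pptx to the webmail host (caught by extension and file name, since its request Content-Type is just multipart/form-data). Ann’s login form POST is ignored. Reading the field list from the header rather than hard-coding positions matters because proxies are reconfigured over time and a silent column shift would make the search return nothing.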
    15. Log Management for Database Audit <ul><li>Q: First, do databases (Oracle, MS SQL, IBM DB2) log at all? </li></ul><ul><li>A: Yes, they do! If you make them. </li></ul>
    16. Example: Oracle Logging <ul><li>Defaults: </li></ul><ul><ul><li>minimal system logging </li></ul></ul><ul><ul><li>minimal logging of database server access </li></ul></ul><ul><ul><li>no data access logging </li></ul></ul><ul><li>So, where is … </li></ul><ul><ul><li>data access audit </li></ul></ul><ul><ul><li>schema and data change audit </li></ul></ul><ul><ul><li>configuration change audit </li></ul></ul>
    17. Using Database Logs: “Hidden Gold” <ul><li>Database and Schema Modifications </li></ul><ul><li>Data and Object Modifications </li></ul><ul><li>User and Privileged User Access </li></ul><ul><li>Failed User Access </li></ul><ul><li>Failures, Crashes and Restarts </li></ul>LOOK AT LOGS!
    18. Types of Database Log Reporting: S + C + O (security + compliance + operations) <table><tr><th>Database Reports</th><th>Category</th></tr><tr><td>Database Server Access</td><td>Identity and Access</td></tr><tr><td>Database Data Access</td><td>User Activity</td></tr><tr><td>Database System Modifications; Database Privilege Modifications</td><td>Change Management</td></tr><tr><td>Suspicious Database Activity</td><td>Security and Threat Management</td></tr><tr><td>All Database Events</td><td>IT Infrastructure Monitoring</td></tr><tr><td>Database Start/Stop Events</td><td>Business Continuity</td></tr></table>
    19. If You Can Only Do One Thing… <ul><li>Watch database logs for table backups/data dumps at unusual times </li></ul>
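An added example for slide 19, not from the deck or from LogLogic: it walks a set of audit-trail rows and flags dump-like activity that falls outside a documented backup schedule, which is the only sound way to define “unusual”. The column names are modelled loosely on an Oracle-style audit view, but the action names, client programs, accounts, hosts, schedule and every row are assumptions. With the slide 16 defaults Oracle would record none of these rows; auditing has to be switched on first.

```python
"""Flag table backups / data dumps at unusual times in database audit
records (slide 19). Added example: the column names, action names,
accounts, schedule and every row below are assumptions, not Oracle's
exact audit-trail values or real audit data."""
import csv
import io
from datetime import datetime, time

# Constructed sample, loosely modelled on an audit-trail view
# (timestamp, database user, OS user, client host, client program,
# action, object). Nothing here is real data.
SAMPLE_AUDIT = """timestamp,db_user,os_user,client_host,client_program,action_name,object_name
2008-03-03 02:05:11,BACKUP_SVC,oracle,db01,expdp,EXPORT,CUSTOMERS
2008-03-03 14:12:40,APP_USER,appsrv,app02,JDBC Thin Client,SELECT,ORDERS
2008-03-03 23:41:07,JSMITH,jsmith,wks-117,sqlplus,CREATE TABLE AS SELECT,CUSTOMERS_COPY
2008-03-04 03:17:55,DBA_TEMP,oracle,db01,expdp,EXPORT,CARDS
2008-03-04 10:02:19,BACKUP_SVC,oracle,db01,expdp,EXPORT,CARDS
"""

# What looks like a dump (assumption): an explicit export, a copy-the-table
# statement, or a SELECT issued from a bulk-capable client rather than the
# application. An audit row for SELECT carries no row count, so the client
# program is the best available proxy for "this pulled a whole table".
DUMP_ACTIONS = {"EXPORT", "CREATE TABLE AS SELECT"}
DUMP_PROGRAMS = {"expdp", "exp", "sqlplus"}

# The documented backup schedule (assumption): which account, from which
# host, in which window. Anything dump-like outside it is unusual by definition.
EXPECTED_JOBS = [
    {"db_user": "BACKUP_SVC", "client_host": "db01", "start": time(1, 0), "end": time(4, 0)},
]


def is_dump_like(row):
    return row["action_name"] in DUMP_ACTIONS or (
        row["action_name"] == "SELECT" and row["client_program"] in DUMP_PROGRAMS)


def matches_expected(row, when):
    for job in EXPECTED_JOBS:
        if (row["db_user"] == job["db_user"]
                and row["client_host"] == job["client_host"]
                and job["start"] <= when.time() < job["end"]):
            return True
    return False


def find_unusual_dumps(text):
    """Return dump-like audit rows that do not fit the documented schedule."""
    scheduled_accounts = {job["db_user"] for job in EXPECTED_JOBS}
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if not is_dump_like(row):
            continue
        when = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        if matches_expected(row, when):
            continue
        reason = ("outside documented backup window"
                  if row["db_user"] in scheduled_accounts
                  else "not a documented backup account")
        findings.append({
            "timestamp": row["timestamp"], "db_user": row["db_user"],
            "client_host": row["client_host"], "action": row["action_name"],
            "object": row["object_name"], "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in find_unusual_dumps(SAMPLE_AUDIT):
        print(f)
```

On the sample this reports three rows: JSMITH copying CUSTOMERS late at night from a workstation, an undocumented DBA_TEMP account exporting CARDS at 03:17, and the legitimate backup account exporting CARDS at 10:02, outside its window. The scheduled 02:05 export and the application’s ordinary SELECT are left alone. The point is that the allowlist of expected jobs, not a fixed “business hours” rule, is what makes the “unusual times” check credible to an auditor.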
    20. Thanks for Attending! <ul><li>Dr Anton Chuvakin, GCIA, GCIH, GCFA </li></ul><ul><li>Chief Logging Evangelist </li></ul><ul><li>LogLogic, Inc </li></ul><ul><li>Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007) </li></ul><ul><li>See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com </li></ul>