Logs = Accountability
Logs as a Vehicle for Accountability, in IT and Beyond
  • It's good. In my industry I have to decide the retention period of logs and what type of logs I need to preserve from the banking industry perspective.
  1. Logs = Accountability. Dr Anton Chuvakin, Chief Logging Evangelist, LogLogic, Inc
  2. Outline
<ul>
<li>Introduction to Logs and Logging</li>
<li>Why Logging: From Bits to Governance</li>
<li>Logging is Hard! Log Challenges</li>
<li>Logging is Easy! Audit vs Control</li>
<li>How to Control the Logging Monster</li>
<li>Conclusions and Action Items</li>
</ul>
  3. “In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things up then you will have to pay.” Daniel Geer, Sc.D., Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, April 2008. http://geer.tinho.net/geer.housetestimony.070423.txt
  4. What is a Log? (Figure: examples of user and system activity that logs record, including user terminated, customer transaction, email BCC, failed logon, database access, file up/download, credit card data access, information leak, and privileges assigned/changed.)
  5. Overview of Logs and Logging
What logs?
<ul>
<li>Audit logs</li>
<li>Transaction logs</li>
<li>Intrusion logs</li>
<li>Connection logs</li>
<li>System performance records</li>
<li>User activity logs</li>
<li>Various alerts and other messages</li>
</ul>
From where?
<ul>
<li>Firewalls/intrusion prevention</li>
<li>Routers/switches</li>
<li>Intrusion detection</li>
<li>Servers, desktops, mainframes</li>
<li>Business applications</li>
<li>Databases</li>
<li>Anti-virus</li>
<li>VPNs</li>
</ul>
  6. Hierarchy of Logging Needs (Figure listing the drivers for logging: SOX, GLBA, FISMA, JPA, PCI, HIPAA, SLA validation, troubleshooting, investigations, forensics, log data warehouse, NIST, ITIL, CoBit, ISO, jCoBit; and the consequences of getting it wrong: lose customers, get fined, go to jail, lose job.)
  7. Corporate Accountability
Accountability
<ul>
<li>Accountability is answerability, enforcement, responsibility, blameworthiness, liability</li>
<li>“Accountability” should focus on people</li>
<li>“Surveillance” should focus on data</li>
</ul>
Log Management
<ul>
<li>Tremendously valuable data hidden away in log files</li>
<li>Challenge
<ul>
<li>Centralize log files</li>
<li>Understand what log messages mean</li>
<li>Track corporate behavior through activities reported in log files</li>
</ul>
</li>
<li>Log is the audit trail of a company</li>
</ul>
There is a strong link between accountability and logging. Big picture: IT is a key enabler of corporate accountability.
  8. Logging Challenges: Logging is Hard!
<ul>
<li>Not knowing what to log</li>
<li>Log volume</li>
<li>Log diversity</li>
<li>“Bad” logs</li>
<li>Getting the logs</li>
<li>Making sense of log data automatically</li>
</ul>
  9. Logs vs Controls: Logging is Easy!
<ul>
<li>Myth: Stringent access controls will stop all attacks!</li>
<li>What about those that have legitimate access? What about those who “break the rules”?</li>
</ul>
  10. Why Logs for Accountability
<ul>
<li>Everybody leaves traces in logs!
<ul>
<li>Potentially, every action could be logged!</li>
</ul>
</li>
<li>Control doesn’t scale, accountability (= logs!) does!
<ul>
<li>More controls -> more complexity -> less control!</li>
</ul>
</li>
<li>The only technology that makes IT users (legitimate and otherwise) accountable: logging!
<ul>
<li>Provided legit actions are logged…</li>
</ul>
</li>
</ul>
  11. Focus on Information Monitoring vs. Information Gate Keeping
Conventional Approach
<ul>
<li>Identity Management & Access Control</li>
<li>Limit who can access what</li>
<li>Perfect solution, except
<ul>
<li>Doesn’t scale
<ul>
<li>Business changing at the “speed of thought”</li>
<li>Too much new data introduced into the “controlled” environment</li>
</ul>
</li>
<li>Is complicated
<ul>
<li>Complication is the bane of security</li>
</ul>
</li>
</ul>
</li>
</ul>
Pragmatic Approach
<ul>
<li>Accountability</li>
<li>Track flow of information
<ul>
<li>Data in “motion” is critical for business success</li>
<li>Winning companies have the most information in motion</li>
</ul>
</li>
<li>Reconstruct how information is used and when it is used badly</li>
<li>Highly scalable</li>
</ul>
Best approach is a combination of the two.
  12. What Logs Are Most Useful?
<ul>
<li>#1 The ones that you actually have!</li>
<li>#2 Logs from systems where the “crown jewels” are</li>
<li>#3 Logs that are associated with user identity</li>
<li>#4 Logs that cover system and application activity</li>
</ul>
  13. Example: Firewall/Network Logs
<ul>
<li>Main: account of connectivity (in and out of the company)</li>
<li>Where did the data go?</li>
<li>What did the system connect to?</li>
<li>Who connected to the system and who didn’t?</li>
<li>How many bytes were transferred out?</li>
<li>Who was denied when trying to connect to the system?</li>
</ul>
  14. Firewall/Network Logs Action Items
<ul>
<li>Action items to make these logs more useful for instilling accountability:</li>
<li>Enable logging of allowed connections</li>
<li>Enable logging for outbound connections, successful and failed</li>
<li>Monitor unusual traffic from the inside out, e.g. successful and large data transfers to unusual sites</li>
</ul>
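The review that slides 13 and 14 call for, as an added Python example that is not part of the original deck: it parses constructed firewall log lines in an assumed key=value format, flags large outbound transfers to destinations outside an assumed allow-list, counts denied attempts per source, and counts "bad" lines that do not parse instead of silently dropping them.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (not from the original deck), in an assumed
# "action src dst dport bytes_out user" key=value format. The last line is deliberately
# malformed to exercise the "bad logs" path.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 fw1 ALLOW src=10.1.2.3 dst=93.184.216.34 dport=443 bytes_out=12000 user=alice
2024-05-01T09:05:12 fw1 ALLOW src=10.1.2.3 dst=203.0.113.77 dport=22 bytes_out=850000000 user=alice
2024-05-01T09:07:44 fw1 DENY src=198.51.100.9 dst=10.1.2.50 dport=3389 bytes_out=0 user=-
2024-05-01T09:08:10 fw1 ALLOW src=10.1.2.8 dst=93.184.216.34 dport=443 bytes_out=4000 user=bob
2024-05-01T09:09:00 fw1 DENY src=198.51.100.9 dst=10.1.2.50 dport=22 bytes_out=0 user=-
this line is corrupt and will not parse
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) bytes_out=(?P<bytes_out>\d+) user=(?P<user>\S+)$"
)

# Assumed allow-list of routine destinations and an assumed 100 MiB "large transfer" threshold.
KNOWN_GOOD_DESTS = {"93.184.216.34"}
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024


def review_firewall_logs(text):
    """Answer the deck's questions over allowed and denied connections: who moved a lot
    of data out to an unusual site, and which sources were denied, how often."""
    findings = {
        "large_unusual_outbound": [],          # (user, src, dst, bytes_out)
        "denied_by_source": defaultdict(int),  # src -> number of denied attempts
        "unparsed": 0,                         # "bad" log lines, counted rather than ignored
    }
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings["unparsed"] += 1
            continue
        rec = m.groupdict()
        if rec["action"] == "DENY":
            findings["denied_by_source"][rec["src"]] += 1
        elif (int(rec["bytes_out"]) >= LARGE_TRANSFER_BYTES
              and rec["dst"] not in KNOWN_GOOD_DESTS):
            findings["large_unusual_outbound"].append(
                (rec["user"], rec["src"], rec["dst"], int(rec["bytes_out"])))
    return findings


if __name__ == "__main__":
    for key, value in review_firewall_logs(SAMPLE_LOGS).items():
        print(key, dict(value) if isinstance(value, dict) else value)
```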
  15. Example: System Logs
<ul>
<li>Main: account for most activities on systems</li>
<li>Login success/failure</li>
<li>Account creation</li>
<li>Account deletion</li>
<li>Account settings and password changes</li>
<li>(On Windows) Various group policy and registry changes</li>
<li>File access (read/change/delete)</li>
</ul>
  16. Example: Database Audit
<ul>
<li>Main: database logs record access to crown jewels</li>
<li>Database data access</li>
<li>Data change</li>
<li>Database structures and configuration change</li>
<li>Database starts, stops, and other administration tasks</li>
</ul>
  17. What You MUST Do …
<ul>
<li>… to use logs for accountability.</li>
<li>Have logs</li>
<li>Centrally collect logs</li>
<li>Retain logs</li>
<li>Analyze and review logs</li>
<li>Protect logs</li>
</ul>
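The "protect logs" step on slide 17, as an added Python example that is not from the deck: a SHA-256 hash chain over collected system log records (constructed samples of the events slide 15 lists) that makes modification, insertion or deletion of any record detectable, assuming the chain head is stored off the logging host, e.g. at the central collector.

```python
import hashlib

GENESIS = "0" * 64  # assumed starting value of the chain


def _link(prev_hash, record):
    """Hash of the previous link and this record; binds each record to all before it."""
    return hashlib.sha256((prev_hash + "\n" + record).encode("utf-8")).hexdigest()


def chain_records(records, prev_hash=GENESIS):
    """Return [(record, hash)]. The last hash is the chain head, which must be
    shipped off-host so a local attacker cannot re-chain the whole file."""
    chained = []
    for rec in records:
        prev_hash = _link(prev_hash, rec)
        chained.append((rec, prev_hash))
    return chained


def verify_chain(chained, prev_hash=GENESIS, expected_head=None):
    """Return -1 if intact, otherwise the index of the first record whose link fails
    (a modified, inserted or deleted record breaks the link at that position).
    If expected_head (the hash kept off-host) is given, a file that was silently
    re-chained after editing is reported as len(chained): links verify, head does not."""
    for i, (rec, h) in enumerate(chained):
        if _link(prev_hash, rec) != h:
            return i
        prev_hash = h
    if expected_head is not None and prev_hash != expected_head:
        return len(chained)
    return -1


# Constructed sample system log records (not from the deck).
SAMPLE_RECORDS = [
    "2024-05-01T10:00:00 host1 sshd: Accepted password for alice from 10.1.2.3",
    "2024-05-01T10:02:30 host1 useradd: new user: name=svc_backup",
    "2024-05-01T10:03:10 host1 passwd: password changed for bob",
]

if __name__ == "__main__":
    chained = chain_records(SAMPLE_RECORDS)
    head = chained[-1][1]  # store this at the collector
    print("intact:", verify_chain(chained, expected_head=head))
    tampered = list(chained)
    tampered[1] = (tampered[1][0].replace("svc_backup", "svc_bkup"), tampered[1][1])
    print("first bad record:", verify_chain(tampered, expected_head=head))
```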
  18. Why Log Management?
<ul>
<li>Threat protection and discovery</li>
<li>Incident response</li>
<li>Forensics, “e-discovery” and litigation support</li>
<li>Regulatory compliance</li>
<li>Internal policies and procedure compliance</li>
<li>Internal and external audit support</li>
<li>IT system and network troubleshooting</li>
<li>IT performance management</li>
</ul>
  19. Conclusions and Takeaways
<ul>
<li>If you’re not serious about logs, you’re not serious about accountability</li>
<li>Ignoring logs
<ul>
<li>Is dumb: not utilizing that very important resource for troubleshooting and security</li>
<li>Is illegal: due to many, many regulations</li>
<li>Is unethical: corporate accountability</li>
</ul>
</li>
<li>So, START your log management program NOW!</li>
</ul>
  20. Thanks for Attending!
<ul>
<li>Dr Anton Chuvakin, GCIA, GCIH, GCFA</li>
<li>Chief Logging Evangelist</li>
<li>LogLogic, Inc</li>
<li>Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007)</li>
<li>See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com</li>
</ul>