
Logs vs Insiders

3,190 views


This presentation discusses using logs vs insider attacks (internal threat); it also goes into how to "insider-proof" your logging.

Published in: Technology, Business

Logs vs Insiders

  1. Log Data: The Weapon Of Choice To Thwart Insider Threats. Dr Anton Chuvakin, Chief Logging Evangelist, LogLogic. Santa Clara Convention Center, January 27 – 31, 2008 (“All The Technologies – One Great Place To Meet!”)
  2. Outline
     - Insider threat: what is it?
     - Separating hype from truth: why is it so hard?
     - Can you fight the insider threat? Should you?
     - Logs vs insiders: how to do it!
     - Examples and conclusions
  3. Insider Threat?
     - Everybody, everybody talks …
     - The famous 80%-20% threat direction MYTH
     - Occurrence vs damage from insider incidents?
     - Solved problem of “external” threats?
     - Stopping a dedicated insider: odds?
     - Insider “hacking” vs crime?
  4. Defining “Insider Threat”
     - Our definition of “insider threat” = any threat actor with a level of access to your organization’s resources beyond that of the general public.
     - Example: partner’s engineer, janitor, window cleaner, CEO, CEO’s kid, etc.
  5. Key Distinction
     - Malicious insider = one who aims at stealing, doing damage, or otherwise hurting your organization
     - Non-malicious insider = one who, through their position, helps those who aim at stealing, doing damage, or otherwise hurting your organization
  6. Why Fight?
     - The wooden horse
     - $7b loss at Societe Generale
     - Sysadmin rampage cases
     - Logic bomb stories
     - Hansen case and other espionage cases
  7. Why NOT Fight?
     - “We trust our employees”
     - “We have an open environment. We can’t clamp down”
     - “Insiders? Malware is ripping us to shreds!”
     - “It’s an IMPOSSIBLE task!”
     - “We use the principle of least privilege, separation of duty, and pray. A lot!”
  8. Choices, Choices
     - Tolerate?
     - Prevent
     - Block
     - Detect
     - Investigate
  9. Repeat After Me …
     - You cannot prevent insider attacks!
     - You cannot block many insider attacks!
     - You sometimes can detect insider attacks!
     - You must investigate insider attacks!
  10. What About Access Controls?
     - MYTH: Stringent access controls will stop insiders!
     - What about those insiders that have legitimate access?
  11. So, How Do You Fight!?
     - Administrative/legal: policy, awareness, inevitability of punishment, background checks, etc.
     - Psychological: profiling, behavioral monitoring, risky trait detection, etc.
     - Technical: access controls, IDS/IPS, logging, honeypots, encryption, etc.
  12. But will it work?
     - In general, NO!
  13. Overview of Logs and Logging
     - What logs?
       - Audit logs
       - Transaction logs
       - Intrusion logs
       - Connection logs
       - System performance records
       - User activity logs
       - Various alerts and other messages
     - From where?
       - Firewalls/intrusion prevention
       - Routers/switches
       - Intrusion detection
       - Servers, desktops, mainframes
       - Business applications
       - Databases
       - Anti-virus
       - VPNs
  14. Why Logs vs Insiders?
     - Everybody leaves traces in logs!
       - Potentially, every action could be logged!
     - Control doesn’t scale; accountability (= logs!) does!
       - More controls -> more complexity -> less control!
     - The only technology that helps vs an insider with legitimate access: logging!
       - Provided legitimate actions are logged…
  15. Assumptions!
     - Insider actually touches a computer system
     - Logging is present and logs are collected
     - Insider cannot modify the logs!
     - Incident loss might grow if the insider is not stopped
  16. What Logs Are Most Useful?
     - #1 The ones that you actually have!
     - #2 Logs from systems where the “crown jewels” are
     - #3 Logs that are associated with user identity
     - #4 Logs that cover system and application activity
  17. Example: Firewall/Network Logs
     - Main: proof of connectivity (in and out of the company)
     - Where did the data go?
     - What did the system connect to?
     - Who connected to the system and who didn’t?
     - How many bytes were transferred out?
     - Who was denied when trying to connect to the system?
  18. Firewall/Network Logs AIs
     - Action items to make these logs more useful against the insider threat:
       - Enable logging of allowed connections
       - Enable logging of outbound connections, successful and failed
       - Monitor unusual traffic from the inside out, especially successful connections with large data transfers to unusual sites
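The third action item on the firewall slide (watch successful inside-out traffic with large transfers to unusual sites) only works if allowed connections and their byte counts are actually logged, as the first two items require. The script below is an added example written for this page, not code from the presentation or from LogLogic: it parses a constructed, vendor-neutral firewall log format (an assumption), sums allowed outbound bytes per (source, destination) pair, and reports pairs that exceed a threshold and are not on a known-good destination list. The 10.20.0.0/16 internal range, the known-good range and the threshold are all constructed for the example.

```python
"""Added example (not from the slides): flag large outbound transfers to
destinations outside a known-good list, from constructed firewall log lines.

Assumed log format (constructed, not any vendor's real format):
  <ISO timestamp> action=<allow|deny> src=<ip> dst=<ip> dport=<n> bytes_out=<n>
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample data. 10.20.0.0/16 is the internal network; 198.51.100.0/24
# stands in for a known-good external range (e.g. the company's hosting provider)
# and 203.0.113.0/24 for "unusual" sites nobody in the company should be sending
# hundreds of megabytes to.
SAMPLE_LOG = """\
2008-01-28T09:01:02 action=allow src=10.20.1.15 dst=198.51.100.10 dport=443 bytes_out=18234
2008-01-28T09:02:10 action=allow src=10.20.1.15 dst=203.0.113.7 dport=443 bytes_out=734003200
2008-01-28T09:03:44 action=deny src=10.20.1.99 dst=203.0.113.9 dport=22 bytes_out=0
2008-01-28T09:05:01 action=allow src=10.20.1.15 dst=203.0.113.7 dport=443 bytes_out=512000000
2008-01-28T09:06:30 action=allow src=10.20.2.8 dst=198.51.100.10 dport=443 bytes_out=9000
2008-01-28T09:07:12 action=allow src=10.20.2.8 dst=203.0.113.40 dport=21 bytes_out=2048
"""

INTERNAL = ip_network("10.20.0.0/16")
KNOWN_GOOD = {ip_network("198.51.100.0/24")}   # destinations that are expected to see bulk traffic
THRESHOLD_BYTES = 500 * 1024 * 1024            # 500 MiB per (src, dst) over the analysed window


def parse_line(line):
    """Turn one log line into a dict; return None for lines that do not match the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    rec = {"ts": parts[0]}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    try:
        rec["src"] = ip_address(rec["src"])
        rec["dst"] = ip_address(rec["dst"])
        rec["dport"] = int(rec["dport"])
        rec["bytes_out"] = int(rec["bytes_out"])
    except (KeyError, ValueError):
        return None
    return rec


def is_outbound(rec):
    """Inside-out traffic: internal source talking to a non-internal destination."""
    return rec["src"] in INTERNAL and rec["dst"] not in INTERNAL


def is_known_good(dst):
    return any(dst in net for net in KNOWN_GOOD)


def find_large_outbound(log_text, threshold=THRESHOLD_BYTES):
    """Sum allowed outbound bytes per (src, dst) and return the pairs above the
    threshold whose destination is not on the known-good list."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec.get("action") != "allow" or not is_outbound(rec):
            continue
        if is_known_good(rec["dst"]):
            continue
        totals[(str(rec["src"]), str(rec["dst"]))] += rec["bytes_out"]
    return {pair: total for pair, total in totals.items() if total > threshold}


def denied_outbound(log_text):
    """Denied outbound attempts: who tried to reach what and failed (slide 17's
    'who was denied' question), as (src, dst, dport) tuples."""
    return [(str(r["src"]), str(r["dst"]), r["dport"])
            for r in map(parse_line, log_text.splitlines())
            if r is not None and r.get("action") == "deny" and is_outbound(r)]


if __name__ == "__main__":
    for (src, dst), total in find_large_outbound(SAMPLE_LOG).items():
        print(f"ALERT large outbound transfer {src} -> {dst}: {total} bytes")
    for src, dst, port in denied_outbound(SAMPLE_LOG):
        print(f"NOTE denied outbound {src} -> {dst}:{port}")
```

The per-pair sum is the point: the two transfers from 10.20.1.15 to 203.0.113.7 are each below the threshold, and only their total trips the alert, which is why the slide stresses logging allowed connections rather than only denials. Denied attempts are still kept, since a pattern of failed outbound connects to odd ports is part of the picture the investigation will want.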
  19. Example: VPN Logs
     - Main: evidence on insider threats via remote access
     - Network login success/failure
     - Network logout
     - Connection session length and the number of bytes moved
  20. VPN Logs AIs
     - Action items to make these logs more useful against the insider threat:
       - Retain these logs for longer
       - Retain DHCP server logs in combination with VPN logs
       - Watch for large data transfers from corporate to remote sites
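The reason the VPN action items pair VPN logs with DHCP logs is attribution: an address that shows up in a firewall, web or database log weeks later is only evidence against a person if you can still say who held that address at that moment. The script below is an added example written for this page, not the presentation's code: it joins constructed VPN session records and DHCP lease records (both formats are assumptions, not any vendor's real format) to answer "who had this IP at this time", and separately lists VPN sessions that moved more than a chosen amount of data.

```python
"""Added example (not from the slides): attribute an IP address to a user by
joining VPN session records with DHCP leases, and flag VPN sessions that moved
an unusual amount of data.  Both log formats are constructed for this example:

  VPN : <ISO start> <ISO end> user=<name> ip=<assigned ip> bytes=<n>
  DHCP: <ISO lease start> <ISO lease end> ip=<ip> mac=<mac> host=<hostname>
"""
from datetime import datetime

# Constructed sample data. Note that 10.200.0.5 is reused by two different VPN
# users on the same night, and 10.20.5.31 is leased to two different hosts.
VPN_LOG = """\
2008-01-27T22:00:00 2008-01-27T23:30:00 user=alice ip=10.200.0.5 bytes=48000000
2008-01-28T01:00:00 2008-01-28T05:45:00 user=bob ip=10.200.0.5 bytes=3200000000
2008-01-28T08:00:00 2008-01-28T08:20:00 user=carol ip=10.200.0.9 bytes=1200000
"""

DHCP_LOG = """\
2008-01-28T07:55:00 2008-01-28T11:55:00 ip=10.20.5.31 mac=00:11:22:33:44:55 host=carol-laptop
2008-01-27T12:00:00 2008-01-28T00:00:00 ip=10.20.5.31 mac=66:77:88:99:aa:bb host=shared-kiosk
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_interval_records(text):
    """Each line: start timestamp, end timestamp, then key=value fields."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        rec = {"start": _ts(parts[0]), "end": _ts(parts[1])}
        for kv in parts[2:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def who_had_ip(ip, when, vpn_text=VPN_LOG, dhcp_text=DHCP_LOG):
    """Return ("vpn-user", name) or ("dhcp-host", hostname) for whoever held `ip`
    at ISO time `when`, or None if neither log covers that moment.  VPN sessions
    are checked first because their addresses are tied to an authenticated login;
    a DHCP lease only tells you which machine, not which person."""
    when = _ts(when)
    for rec in parse_interval_records(vpn_text):
        if rec.get("ip") == ip and rec["start"] <= when <= rec["end"]:
            return ("vpn-user", rec["user"])
    for rec in parse_interval_records(dhcp_text):
        if rec.get("ip") == ip and rec["start"] <= when <= rec["end"]:
            return ("dhcp-host", rec["host"])
    return None


def large_vpn_sessions(threshold_bytes, vpn_text=VPN_LOG):
    """VPN sessions that moved more than threshold_bytes, as
    (user, ip, bytes, session_hours) tuples."""
    hits = []
    for rec in parse_interval_records(vpn_text):
        moved = int(rec.get("bytes", 0))
        if moved > threshold_bytes:
            hours = (rec["end"] - rec["start"]).total_seconds() / 3600
            hits.append((rec["user"], rec["ip"], moved, round(hours, 2)))
    return hits


if __name__ == "__main__":
    print(who_had_ip("10.200.0.5", "2008-01-28T03:00:00"))   # bob, not alice
    print(who_had_ip("10.20.5.31", "2008-01-27T15:00:00"))   # the kiosk, not carol's laptop
    print(large_vpn_sessions(1_000_000_000))
```

Both lookups hinge on retention: the address reuse in the sample is exactly why a VPN or DHCP log that has already rolled over turns a solid attribution into a guess, which is the slide's argument for keeping these logs longer than their operational value alone would justify.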
  21. Example: System Logs
     - Main: key logs on most activities
     - Login success/failure
     - Account creation
     - Account deletion
     - Account settings and password changes
     - (On Windows) Various group policy and registry changes
     - File access (read/change/delete)
  22. Example: Web Logs
     - Main: extrusion, data theft/loss records
     - Connection to a specific website
     - Data uploads
     - Webmail access
     - Some types of HTTP tunneling for data theft
     - Spyware activities
  23. Example: Database Audit
     - Main: database logs record access to crown jewels
     - Database data access
     - Data change
     - Database structure and configuration change
     - Database starts, stops, and other administration tasks
  24. Database Audit AIs
     - Action items to make these logs more useful against the insider threat:
       - Enable data access logging
       - Enable database change logging
       - Enable backup, export and other data-intensive procedure logging
       - Enable DBA action logging
       - Preserve logs from DBAs
  25. Example: Honeypot Logs
     - Main: evidence of actual insider threat activity
     - Active recon by malicious insiders
     - Records only malicious insider actions
     - Can provide a complete recording of “a crime” (such as data theft)
     - Needs other logs to build a case!
  26. What You MUST Do?!
     - Have logs
     - Collect logs
     - Retain logs
     - Review logs
     - Analyze logs
  27. Case Study
     - Honeytokens + lots of logging
     - Focus on CRM data
     - Honeytoken deployed into a database
     - Insane amount of logging: email, network IPS, server, application, database, etc.
     - How was the insider caught?
     - What happened next?
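The case study combines a honeytoken in the CRM database with logging from several sources, and the honeypot slide before it makes the point that honeypot evidence alone does not build a case. The script below is an added example written for this page and is not the case study's actual data or tooling: it plants a fictitious customer record as the honeytoken (a constructed value), looks in a constructed database audit log for whole-table reads that would have exposed it (the "data access logging" and "export logging" the database action items ask for), looks for the token itself in constructed application and outbound mail logs, and merges everything into one time-ordered timeline. All three log formats are assumptions made for the example.

```python
"""Added example (not from the slides): watch a honeytoken planted in a CRM
table across several constructed log sources and build one timeline.
Formats, user names and the token are constructed for this example.
"""
import re
from datetime import datetime

# The honeytoken: a customer that does not exist, so any appearance of it
# outside the database is a hit by definition.
HONEYTOKEN = "penelope.vance@example.net"

DB_AUDIT = """\
2008-01-28T10:02:11 db_user=app_svc client=10.20.3.4 stmt="SELECT name,email FROM crm.customers WHERE id=4412"
2008-01-28T10:15:40 db_user=jsmith client=10.20.7.22 stmt="SELECT * FROM crm.customers"
2008-01-28T10:16:05 db_user=jsmith client=10.20.7.22 stmt="SELECT COUNT(*) FROM crm.customers"
"""

APP_LOG = """\
2008-01-28T10:15:38 app=crm-web user=jsmith src=10.20.7.22 action=export table=customers rows=58210
"""

MAIL_LOG = """\
2008-01-28T11:40:09 from=jsmith@corp.example to=drop@mail.example attach=customers.csv size=7320011 body_match=penelope.vance@example.net
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def kv_fields(line):
    """Parse the timestamp and key=value pairs; a value may be double-quoted
    (as the SQL text in stmt="..." is) and then may contain spaces."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": _ts(ts)}
    for m in re.finditer(r'(\w+)=("([^"]*)"|\S+)', rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def bulk_reads(db_text, table="crm.customers"):
    """Audit records of SELECTs that read the whole table (no WHERE clause),
    i.e. the accesses that would have swept up the honeytoken row.  COUNT(*)
    queries are ignored since they return no row contents."""
    hits = []
    pattern = rf"\s*SELECT\s+(?!COUNT\()[^;]*\bFROM\s+{re.escape(table)}\b"
    for line in db_text.splitlines():
        f = kv_fields(line)
        stmt = f.get("stmt", "")
        if re.match(pattern, stmt, re.I) and not re.search(r"\bWHERE\b", stmt, re.I):
            hits.append((f["ts"], f.get("db_user"), f.get("client")))
    return hits


def token_sightings(token, *log_texts):
    """Parsed fields of every line, from any source, that carries the token."""
    return [kv_fields(line) for text in log_texts
            for line in text.splitlines() if token in line]


def build_timeline(db_text, app_text, mail_text, token=HONEYTOKEN):
    """Merge the evidence from all sources into a sorted list of
    (timestamp, source, summary) tuples: the shape an investigation needs."""
    events = []
    for ts, user, client in bulk_reads(db_text):
        events.append((ts, "db", f"{user}@{client} read the whole customers table"))
    for line in app_text.splitlines():
        f = kv_fields(line)
        if f.get("action") == "export":
            events.append((f["ts"], "app", f"{f['user']} exported {f['rows']} rows of {f['table']}"))
    for f in token_sightings(token, mail_text):
        events.append((f["ts"], "mail",
                       f"{f['from']} sent {f['attach']} to {f['to']} containing the honeytoken"))
    return sorted(events)


if __name__ == "__main__":
    for ts, source, summary in build_timeline(DB_AUDIT, APP_LOG, MAIL_LOG):
        print(f"{ts.isoformat()} [{source:4}] {summary}")
```

The database audit line on its own is ambiguous (a whole-table read may be a legitimate report), and the mail line on its own shows a token leaving but not how it was obtained; the timeline is what ties the export, the read and the outbound message to one account within about an hour and a half. That is the "many different types of logs in one place" argument from the conclusions slide applied to a single incident.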
  28. How to optimize logging?
     - Longer log retention: 1 year and more
       - The incident might not be discovered for a while
     - Broad range of log sources
       - Insiders can do anything!
     - Higher emphasis on log protection
       - If you get sued (or intend to sue)
     - More analysis of stored data
       - Real-time won’t cut it!
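"Higher emphasis on log protection" here, and "insider cannot modify the logs" on the assumptions slide, both need something more than file permissions, because the insiders of most concern (sysadmins, DBAs) hold the permissions. The script below is an added example written for this page, not code from the presentation: it stores log records as an HMAC chain, where each record's tag covers the previous tag and the record text, under a key that lives only on the collector and never on the logged host. Anyone who can edit the log file can still change, delete or insert records, but cannot produce tags that verify afterwards. The key and records are constructed for the example.

```python
"""Added example (not from the slides): a tamper-evident log store that makes
the "insider cannot modify the logs" assumption something you can check.
Each record is chained to its predecessor with HMAC-SHA256 over
(previous tag, record) under a key held only by the collector.
The key and the records below are constructed for this example.
"""
import hashlib
import hmac

COLLECTOR_KEY = b"example-only-key-keep-it-off-the-logged-host"


def _tag(key, prev_tag, record):
    return hmac.new(key, prev_tag + b"\n" + record.encode(), hashlib.sha256).hexdigest()


def chain_records(records, key=COLLECTOR_KEY):
    """Return a list of (record, tag) pairs where each tag also covers every
    earlier record through the previous tag."""
    out, prev = [], b""
    for rec in records:
        tag = _tag(key, prev, rec)
        out.append((rec, tag))
        prev = tag.encode()
    return out


def verify_chain(chained, key=COLLECTOR_KEY):
    """Recompute every tag; return (True, None) if the chain is intact, otherwise
    (False, index) of the first record whose tag does not verify."""
    prev = b""
    for i, (rec, tag) in enumerate(chained):
        if not hmac.compare_digest(tag, _tag(key, prev, rec)):
            return False, i
        prev = tag.encode()
    return True, None


# Constructed DBA activity, the kind of log slide 24 says must be preserved
# even from the DBAs themselves.
SAMPLE = [
    "2008-01-28T02:10:00 host=db01 user=dba2 action=login result=success",
    "2008-01-28T02:11:30 host=db01 user=dba2 action=export table=crm.customers",
    "2008-01-28T02:40:12 host=db01 user=dba2 action=logout",
]


def tampered_variants(chained):
    """Three edits someone with write access to the stored log could make:
    rewrite a record in place, drop a record, insert a record (reusing an
    existing tag).  Each one breaks verification at a predictable index."""
    modified = list(chained)
    rec, tag = modified[1]
    modified[1] = (rec.replace("action=export", "action=select"), tag)
    deleted = chained[:1] + chained[2:]
    inserted = (chained[:2]
                + [("2008-01-28T02:12:00 host=db01 user=dba2 action=noop", chained[1][1])]
                + chained[2:])
    return {"modified": modified, "deleted": deleted, "inserted": inserted}


if __name__ == "__main__":
    chained = chain_records(SAMPLE)
    print("intact:", verify_chain(chained))
    for name, variant in tampered_variants(chained).items():
        print(f"{name}:", verify_chain(variant))
```

One caveat a practitioner should know: a chain like this does not by itself detect truncation, since removing the last records leaves a shorter chain that still verifies. The collector therefore has to keep the latest tag (or the record count) somewhere the logged host cannot write, and compare it on verification; the key must likewise stay off the host whose logs it protects, or the DBA it is meant to constrain can simply re-sign.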
  29. Conclusions
     - You can’t stop insiders, but you can help yourself deal with the consequences
     - Logs are one technology that helps!
     - You need a broad platform approach to manage logs, not silos, since you need many different types of logs in one place to recreate what the attacker did
  30. Thanks for Attending the Presentation!
     - Dr Anton Chuvakin, GCIA, GCIH, GCFA
     - Chief Logging Evangelist
     - LogLogic, Inc
     - Coauthor of “Security Warrior” (O’Reilly, 2004) and “PCI Compliance” (Syngress, 2007) books
     - See http://www.info-secure.org for my papers, books, reviews and other resources related to logs. Also see my blog at http://chuvakin.blogspot.com
