What is the role of Log Data in legal cases, such as a database security breach? Learn how logs are used, best legal practices, logs as evidence, and what architecture and solutions can help.

1. Logs & The Law What is Admissible in Court? Dominique Levin, VP Product Management Logs & The Law: What’s Admissible in Court? MGT-4, June 12, 2006

3. Primary Sources Of Data in the Enterprise 10/09/200317:42:57,146.127.94.13,48352,146.127.97.14,909,,,accept,tcp,,,,909,146.127.93.29,,0,,4,3,,' 9Oct2003 17:42:57,accept,labcpngfp3,inbound,eth2c0,0,VPN-1 & FireWall-1,product=VPN-1 & FireWall-1[db_tag={0DE0E532-EEA0-11D7-BDFC-927F5D1DECEC};mgmt= labcpngfp3;date=1064415722;policy_name= Standard],labdragon,48352,146.127.97.14,909, tcp,146.127.93.145,',eth2c0,inbound Oct 9 16:29:49 [146.127.94.4] Oct 09 2003 16:44:50: %PIX-6-302013: Built outbound TCP connection 2245701 for outside:146.127.98.67/1487 (146.127.98.67/1487) to inside:146.127.94.13/42562 (146.127.93.145/42562) 2003-10-20|15:25:52|dragonapp-nids|TCP-SCAN|146.127.94.10|146.127.94.13|0|0|X|------S-|0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52| Oct 20 15:35:08 labsnort snort: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 146.127.94.10:43355 -> 146.127.94.13:705 SENSORDATAID="138715" SENSORNAME="146.127.94.23:network_sensor_1" ALERTID="QPQVIOAJKBNC6OONK6FTNLLESZ" LOCALTIMEZONEOFFSET="14400" ALERTNAME="pcAnywhere_Probe“ ALERTDATETIME="2003-10-20 19:35:21.0" SRCADDRESSNAME="146.127.94.10" SOURCEPORT="42444" INTRUDERPORT="42444" DESTADDRESSNAME="146.127.94.13" VICTIMPORT="5631" ALERTCOUNT="1" ALERTPRIORITY="3" PRODUCTID="3" PROTOCOLID="6" REASON="RSTsent" 2003-10-20|15:25:52|dragonapp-nids|TCP-SCAN|146.127.94.10|146.127.94.13|0|0|X|------S-|0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52| Oct 20 15:35:08 labsnort snort: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 146.127.94.10:43355 -> 146.127.94.13:705 Systems Structured Unstructured

5. Logs are a Fingerprint User and System Activity Privileges Assigned/Changed Customer Transaction Email BCC Failed Logon Security Breach File Up/Download Credit Card Data Access Information Leak

8. Preparedness is the Best Defense “ Unfortunately, that [no log data being available] happens more often than I would like… If your home had been robbed, you would have to tell the police office what was stolen and how the burglar got in. The same is also true for the network. If you simply tell us you have been broken into, and have no evidence to support it, we may be empathetic, but we can’t open a case.” Shelagh Sayers, special agent, FBI, San Francisco

19. Clear Benefits “ With forensically sounds logs, companies can reduce the potential of loosing a lawsuit, diminish the costs associated with discovery and defense, increase the likelihood of forcing an opponent into settlement, and be a resource to define against actions related to corporate governance.” Erin Kenneally FSA Times The Institute of Internal Auditors

20. Reducing Costs of Compliance Guillermo Kopp Vice President Cross-Industry Compliance Costs (USD in Billions) 40% 60% 84% 16% 85% 15% TACTICAL APPROACH REGULATORY ONSLAUGHT AUTOMATION Source: TowerGroup

21. Log Management & Intelligence Real-Time Analysis Historical Archives Complete Aggregation Automation Of Collection Processes & Controls

22. High-Performance Architecture for Global 2000 Best Practices Reports and Alerts Business Policies and IT Controls Definition IT Controls - Policy Statements Import Compliance Reports and Alerts Export 100% Message Collection. 100% Pure Storage. Behavioral Alerts. Compliance Reports. Real-time Search. Only the CEO should access this data What should be happening? Who is actually accessing this data? What is happening? Backup Software SAN/NAS Storage Enterprise Apps Mail Servers Proxy Servers Win/Linux Servers Network Devices Security Devices CEO COO CSO CIO HR Customer Legal BOD Operations Network Security Datacenter Audit

23. Architecting to meet Legal Obligations Disaster Recovery Site Main Data Center Existing Networked Storage Remote Office Remote Office Remote Office ST 2000 Raw Logs raw logs LX 2000 Meta Logs LX 500 metalogs LX 1000 metalogs LX 2000 metalogs NTP Server Microsecond accuracy: for example 30.123456 seconds

24. Securing Log Data Transport Disaster Recovery Site Main Data Center Existing Networked Storage Remote Office Remote Office Remote Office ST 2000 Raw Logs raw logs LX 2000 Meta Logs LX 500 metalogs LX 1000 metalogs LX 2000 metalogs Encryption, Authentication, TCP, Compression. Buffer in case of WAN Failure.

25. Avoid Collusion with Distributed Log Storage Disaster Recovery Site Main Data Center Existing Networked Storage Remote Office Remote Office Remote Office ST 2000 Raw Logs raw logs Off-site storage in 2 places: requires multi-party conspiracy to alter logs. LX 2000 Meta Logs LX 500 metalogs LX 1000 metalogs LX 2000 metalogs

26. Perform Analysis on a Copy of the Log Data Disaster Recovery Site Management Station SOAP Request XML Responses Main Data Center Existing Networked Storage raw logs ST 2000 Raw Logs Remote Office Remote Office Remote Office Raw Logs Log Analysis LX 2000 Meta Logs LX 500 metalogs LX 1000 metalogs LX 2000 metalogs

27. Make Archives Tamper Proof with Hashing Each 1 minute file has it’s own hash file.

28. No Human Intervention: Auto-Retention Settings Logs get deleted by software automatically, not by users.

31. Thank You! Join us for a demo! http://www.loglogic.com/resources/screencasts/ loglogic.com blog.loglogic.com Automating Compliance. Mitigating Risk.