Logs & The Law: What is Admissible in Court?


What is the role of Log Data in legal cases, such as a database security breach? Learn how logs are used, best legal practices, logs as evidence, and what architecture and solutions can help.

Published in: Technology, Education

    1. Logs & The Law: What is Admissible in Court?
       Dominique Levin, VP Product Management. Session MGT-4, June 12, 2006.
    2. Agenda
       • Introduction to logs
       • Uses
       • Logs & the Law: Best Practices
       • Logs as Evidence
       • Architecture & Solutions
    3. Primary Sources of Data in the Enterprise
       Sample records shown on the slide, illustrating the structured and unstructured formats produced by different systems:
       • Check Point VPN-1 & FireWall-1 (comma-separated): 10/09/2003 17:42:57,146.127.94.13,48352,146.127.97.14,909,,,accept,tcp,,,,909,146.127.93.29,,0,,4,3,,' 9Oct2003 17:42:57,accept,labcpngfp3,inbound,eth2c0,0,VPN-1 & FireWall-1,product=VPN-1 & FireWall-1[db_tag={0DE0E532-EEA0-11D7-BDFC-927F5D1DECEC};mgmt=labcpngfp3;date=1064415722;policy_name=Standard],labdragon,48352,146.127.97.14,909,tcp,146.127.93.145,',eth2c0,inbound
       • Cisco PIX (syslog): Oct 9 16:29:49 [146.127.94.4] Oct 09 2003 16:44:50: %PIX-6-302013: Built outbound TCP connection 2245701 for outside:146.127.98.67/1487 (146.127.98.67/1487) to inside:146.127.94.13/42562 (146.127.93.145/42562)
       • Dragon NIDS (pipe-delimited): 2003-10-20|15:25:52|dragonapp-nids|TCP-SCAN|146.127.94.10|146.127.94.13|0|0|X|------S-|0|total=484,min=1,max=1024,up=246,down=237,flags=------S-,Oct20-15:25:34,Oct20-15:25:52|
       • Snort (syslog): Oct 20 15:35:08 labsnort snort: [1:1421:2] SNMP AgentX/tcp request [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 146.127.94.10:43355 -> 146.127.94.13:705
       • IDS alert in attribute form: SENSORDATAID="138715" SENSORNAME="146.127.94.23:network_sensor_1" ALERTID="QPQVIOAJKBNC6OONK6FTNLLESZ" LOCALTIMEZONEOFFSET="14400" ALERTNAME="pcAnywhere_Probe" ALERTDATETIME="2003-10-20 19:35:21.0" SRCADDRESSNAME="146.127.94.10" SOURCEPORT="42444" INTRUDERPORT="42444" DESTADDRESSNAME="146.127.94.13" VICTIMPORT="5631" ALERTCOUNT="1" ALERTPRIORITY="3" PRODUCTID="3" PROTOCOLID="6" REASON="RSTsent"
       Diagram labels: Systems; Structured; Unstructured.
    4. Log Data is 30% of all Data
       • High volume
       • Sensitive (customer, employee)
       • Dispersed
       • Inconsistent formats
       • Heterogeneous
       • Few clear policies or procedures
       • 'Handling' at odds with other policies
       • Little awareness or consistency
       • More than search or forensics
       • Now critical to mitigating risk and meeting compliance and legal requirements!
    5. Logs are a Fingerprint of User and System Activity
       Diagram labels: Privileges Assigned/Changed; Customer Transaction; Email BCC; Failed Logon; Security Breach; File Up/Download; Credit Card Data Access; Information Leak.
    6. Logs Can Tell You Who Is Doing What…
       • Access Activity (Cisco ACS, MS IAS, RSA ACE)
         • (Un)Successful Login
         • Users Created & Deleted
       • Server Activity (Apple MacOS, HP UX, IBM AIX, Microsoft, Novell SuSe, RedHat Linux)
         • Files & Program Access
         • Privileges Changed
       • VPN Activity (Cisco 3000, Check Point VPN, Juniper SSL VPN, Nortel Contivity)
         • Bytes Transferred
         • # & Length of Connections
       • Proxy Activity (BlueCoat, NetApp NetCache, Microsoft ISA, Microsoft IIS, Squid)
         • Web Apps Accessed
         • Files Uploaded/Downloaded
       • E-Mail Activity (Microsoft Exchange)
         • E-mails sent & bounced
         • Information Transferred
    7. Many Precedents For Using Logs
       • Martha Stewart: Logs prove digital phone messages had been altered and later restored
       • F100 Bank: Failed to furnish records – much of which was log data – resulting in a $10m civil penalty
       • In re J.P. Morgan Securities, Inc. – failure to have adequate email preservation systems or procedures resulted in a $2,100,000 settlement and consent to establish procedures
       • In re Prudential Ins. Co. Sales Practices Litig. – a $1,000,000 fine was imposed by the court for document destruction
       • "Electronic data are the modern-day equivalent of the paper trail" – Judge Maass
    8. Preparedness is the Best Defense
       "Unfortunately, that [no log data being available] happens more often than I would like… If your home had been robbed, you would have to tell the police officer what was stolen and how the burglar got in. The same is also true for the network. If you simply tell us you have been broken into, and have no evidence to support it, we may be empathetic, but we can't open a case."
       Shelagh Sayers, special agent, FBI, San Francisco
    9. You have Legal Obligations
       • Protect customer information
       • Prevent information leakage
       • Meet compliance requirements
       • Satisfy regulations
       • Establish controls and processes
       • Address employee misuse
       • Privacy and security are among the most active legislative areas impacting information technology – each day potential liability grows
       • A Fortune 500 retailer paid $60 million to settle a case alleging inappropriate sharing of customer information.
       • By 2006, 20-30% of Global 1000 will suffer exposure due to privacy mismanagement, and costs to recover from privacy mistakes will range from $5-$20 million each (Source: Gartner)
    10. Layers Of Compliance
       • Corporate Governance and Internal controls
         • COBIT 4.0, ISO 17799, NIST 800-53, PCI
       • Civil investigations and regulatory compliance
         • SOX, SEC, FTC, Comptroller of the Currency, HIPAA, GLBA
       • Private litigation
         • Class Action
         • Interplay with regulatory investigations and compliance
         • Zubulake (destruction of records)
    11. Best Practices Recommend Log Management
       • ISO 17799
         • Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
         • Review the results of monitoring activities regularly
         • Ensure the accuracy of the logs
       • NIST 800-53
         • Capture audit records
         • Regularly review audit records for unusual activity and violations
         • Automatically process audit records
         • Protect audit information from unauthorized deletion
         • Retain audit logs
       • PCI Requirement 10
         • Logging and user activity tracking are critical
         • Automate and secure audit trails for event reconstruction
         • Review logs daily
         • Retain audit trail history for at least one year
       • CobiT 4
         • Provide adequate audit trail for root-cause analysis
         • Use logging and monitoring to detect unusual or abnormal activities
         • Regularly review access, privileges, changes
         • Monitor performance
         • Verify backup completion
    12. Federal, State & Int'l Laws Impacting Log Data
       • Electronic Communications Privacy Act
       • Computer Fraud & Abuse Act of 1984
       • Gramm-Leach-Bliley Act (finance – but not just finance)
       • CALEA (communications)
       • HIPAA (health care)
       • Sarbanes-Oxley (Section 302 and 404)
       • Telecommunications Act of 1996 (Section 222)
       • FTC Enforcement (Petco and BJ's scenario)
       • More than 35 states have introduced legislation regarding consumer protection relating to security issues
       • California and its notice of security breach law has been the model and key battleground
       • EU Data Directive
       • Canadian Data Protection Law
       • Japan Data Directive
    13. Log Lies, Myths & Rumor…
       • There is no precedent for using log data…
       • If I time stamp a log file it is inadmissible…
       • I don't need a clean set of my log data…
       • I only need to worry about this when we get sued…
       • I don't need to capture all my log data…
       • Homegrown solutions are just fine…
       • Lawyers need to worry about this, not me…
    14. Immutable Logs Matter
       • Increase security, trust and accountability
       • Increase admissibility
       • Reduce and mitigate risk
       "When audited logs are immutable and cannot be altered, there are additional advantages for deterrence and proof of policy or legal violations. With immutability, deterrence may be improved for all users of the system."
       Markle Foundation, Implementing a Trusted Information Sharing Environment, February 2006
    15. Overcoming Admissibility Hurdles
       • Authentication: are the logs what you claim them to be?
         • Document and prove each transaction between the collection of evidence and the appearance in court
       • Hearsay: are logs kept in the course of a regularly conducted business activity?
         • What is the motive for logging?
         • "Documents created solely at the author's discretion create motivational concerns and lack reliability and trustworthiness."
       • Best Evidence: use the original, or a duplicate
    16. Ten Steps To Immutable Logs
       • Process & Controls
         • Accurately document how evidence is created, stored and protected – improves admissibility
       • Retention (as long as business records)
         • 6 month minimum
         • Longer in an investigation
         • Start retaining on first indication of trouble
       • Defined collection (no log left behind)
         • 100% is possible
         • Unfiltered – some solutions (SIEM) process less than 5% of log data
       • Unaltered record
         • Separate collection, storage and future processing
       • Enhanced via processing (date & time stamp)
         • You can improve the raw log – much like you can improve a document being stored by adding a date stamp
    17. Ten Steps To Immutable Logs (continued)
       • Secure storage and transport
         • Prevent alteration or loss
         • You have a "due diligence" responsibility for "reasonable care" to protect and preserve electronic evidence – and to have a plan to address threats to those assets
       • Access control: establish chain of custody over log data
         • When did you know?
         • What did you know?
         • Who knew it?
       • Centralize core data set
         • Turn logs into an efficient and valuable resource
         • Ensure logs are complete, accurate and verifiable
       • Distributed processing & storage – FBI
       • Automate alerting and reporting
         • Promotes admissibility by reducing concerns related to authenticity, hearsay and best evidence
    18. Things to Avoid
       • Low redundancy – your processes and system should be high availability
       • Shutdown of logging – automate alerting when logging declines or stops
       • Minimal audit – audit the system and processes
       • Programs that reduce log data – or – negatively modify the log data (e.g. access time of files)
       • Conflicts with other corporate processes and controls – e.g. privacy, access, email retention
    19. Clear Benefits
       "With forensically sound logs, companies can reduce the potential of losing a lawsuit, diminish the costs associated with discovery and defense, increase the likelihood of forcing an opponent into settlement, and be a resource to defend against actions related to corporate governance."
       Erin Kenneally, FSA Times, The Institute of Internal Auditors
    20. Reducing Costs of Compliance
       Chart: Cross-Industry Compliance Costs (USD in Billions), by Guillermo Kopp, Vice President; source: TowerGroup. Segments compare a Tactical Approach, Regulatory Onslaught and Automation, with splits labelled 40%/60%, 84%/16% and 85%/15%.
    21. Log Management & Intelligence
       Diagram labels: Real-Time Analysis; Historical Archives; Complete Aggregation; Automation of Collection; Processes & Controls.
    22. High-Performance Architecture for Global 2000
       Architecture diagram. Inputs: Best Practices (import), Business Policies and IT Controls Definition, IT Controls – Policy Statements. Outputs: Reports and Alerts, Compliance Reports and Alerts (export). Core capabilities: 100% Message Collection; 100% Pure Storage; Behavioral Alerts; Compliance Reports; Real-time Search. Sources: Backup Software, SAN/NAS Storage, Enterprise Apps, Mail Servers, Proxy Servers, Win/Linux Servers, Network Devices, Security Devices. Consumers: CEO, COO, CSO, CIO, HR, Customer, Legal, BOD, Operations, Network, Security, Datacenter, Audit. Example questions: "Only the CEO should access this data" (what should be happening?) versus "Who is actually accessing this data?" (what is happening?).
    23. Architecting to meet Legal Obligations
       Topology diagram labels: Disaster Recovery Site; Main Data Center; Existing Networked Storage; Remote Office (×3); ST 2000 (raw logs); LX 2000 (meta logs); LX 500, LX 1000, LX 2000 (metalogs); NTP Server. Callout: microsecond accuracy, for example 30.123456 seconds.
    24. Securing Log Data Transport
       Same topology diagram as slide 23. Callout: encryption, authentication, TCP, compression; buffer in case of WAN failure.
    25. Avoid Collusion with Distributed Log Storage
       Same topology diagram as slide 23. Callout: off-site storage in 2 places requires a multi-party conspiracy to alter logs.
    26. Perform Analysis on a Copy of the Log Data
       Same topology diagram as slide 23, with a Management Station sending SOAP requests and receiving XML responses; Log Analysis runs against a copy of the raw logs rather than the stored originals.
    27. Make Archives Tamper Proof with Hashing
       Each 1-minute file has its own hash file.
    28. No Human Intervention: Auto-Retention Settings
       Logs get deleted by software automatically, not by users.
    29. Store Logs on WORM or Encrypted Device
       • EMC Centera: magnetic disk based WORM device
       • NetApp Decru: encryption of log data at rest
       Diagram labels: ST 2000 (raw logs); LX 2000 (metalogs); NAS; NetApp Decru.
    30. Take Action!
       • Turn on logging – it's your responsibility!
       • Assess the role of systems data in meeting compliance requirements, mitigating security risks and improving availability
       • Implement a platform and architecture for systems data collection, storage and analysis as a first step on the path to compliance, availability and security management
       • Identify a project and define success criteria for automation and vendor selection
       • Request a trial
    31. Thank You! Join us for a demo!
       http://www.loglogic.com/resources/screencasts/
       loglogic.com – blog.loglogic.com
       Automating Compliance. Mitigating Risk.
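The per-minute hash files of slide 27 and the two-site storage of slide 25, combined in an added example that is not LogLogic's code or part of the deck: the archive is modelled as a dict of file name to bytes, each sidecar is assumed to chain to the previous one with SHA-256, and the newest digest is assumed to be copied to the second site.

```python
"""Tamper-evident one-minute log archive with a .sha256 sidecar per file.
Constructed example, not LogLogic's own code. Archive = dict name -> bytes.
Sidecar = SHA-256(previous sidecar digest || file bytes); the newest digest
is copied off-site, so a file edit is caught even when every local sidecar
is rewritten too (the multi-party conspiracy of slide 25)."""
import hashlib
from collections import defaultdict
GENESIS = "0" * 64  # chain value before the first minute file
# Constructed sample records (timestamp, message), in arrival order.
SAMPLE_RECORDS = [
    ("2003-10-20T15:25:34", "sshd: Failed password for root from 146.127.94.10"),
    ("2003-10-20T15:26:03", "sshd: Failed password for root from 146.127.94.10"),
    ("2003-10-20T15:27:41", "sshd: Accepted password for root from 146.127.94.10"),
]

def chained_digest(prev_hex, data):
    return hashlib.sha256(prev_hex.encode() + data).hexdigest()

def minute_files(records):
    """One file per minute, named YYYYMMDDTHHMM.log -> bytes."""
    buckets = defaultdict(list)
    for ts, msg in records:
        buckets[ts[:16]].append(f"{ts} {msg}")
    return {m.replace("-", "").replace(":", "") + ".log":
            ("\n".join(lines) + "\n").encode() for m, lines in buckets.items()}

def log_names(archive):
    return sorted(n for n in archive if n.endswith(".log"))

def reseal(archive):
    """(Re)write every sidecar from current file bytes; return head digest."""
    prev = GENESIS
    for name in log_names(archive):
        prev = chained_digest(prev, archive[name])
        archive[name + ".sha256"] = (prev + "\n").encode()
    return prev

def verify(archive, anchor):
    """Names whose sidecar disagrees with the recomputed chain, plus 'HEAD'
    when the final digest differs from the off-site anchor."""
    prev, bad = GENESIS, []
    for name in log_names(archive):
        prev = chained_digest(prev, archive[name])
        if archive.get(name + ".sha256", b"").decode().strip() != prev:
            bad.append(name)
    return bad + (["HEAD"] if prev != anchor else [])

def demo():
    """Clean check, then a file edit, then the edit plus resealed sidecars."""
    archive = minute_files(SAMPLE_RECORDS)
    anchor = reseal(archive)  # head digest shipped to the second site
    out = {"clean": verify(archive, anchor)}
    first = log_names(archive)[0]
    archive[first] = archive[first].replace(b"Failed", b"Accepted")
    out["edited"] = verify(archive, anchor)
    reseal(archive)  # an insider also rewrites every local sidecar
    out["resealed"] = verify(archive, anchor)
    return out
```

Without the off-site anchor the resealed archive would verify clean, which is why the slide pairs hashing with storage in two places.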
