SlideShare a Scribd company logo

Visa Security Logging Factsheet June 2012

Neira Jones
Neira Jones

A fact sheet form Visa Europe

1 of 8
Download to read offline
Life flows better with Visa Visa Europe Planning for and implementing security logging Introduction Most data security breaches have something in common; Any hacking activity, by its very nature, generates messages they are not overly technical, and in most cases they could that are logged by a wide variety of systems. Ideally these have been easily detected – far sooner than they are currently. logged events should act as a trigger for a response to limit The available evidence from forensic investigations has the likelihood of a successful attack and subsequent breach shown that over 40% of data breaches remain undetected of sensitive data, or at least to quickly detect a successful for months at a time. Our collective goal must be to work to attack to reduce the damage caused by the attack. detect data security breaches in order to reduce exposure Unfortunately, through investigation of many data breaches and harm to cardholders and card issuers. A successful log it has become clear that in many cases the organisation was management solution is no longer a recommendation but a operating completely unaware of a compromise because: must have element of any security strategy. • Logging had been either disabled due to perceived performance issues; • The logs were overwritten so frequently that trigger events were lost; • Logging had been enabled but it wasn’t been monitored • The compromised entity was unaware of what events were being logged. The available evidence from forensic investigations has shown that over 40% of data breaches remain undetected for months at a time
The goal of this guidance document is to assist businesses in developing a logging strategy and understanding how that information can be put to good use. Despite the general availability of information logged Background across an organisation, a robust logging solution catering for all relevant system components can require Logs are generated throughout an IT environment (by both a significant investment in time and resources, not to hardware and software) by recording any events taking place mention financial commitment. The issue facing many within these systems. However, in many cases these events small retailers is understanding what they should log, or are frequently not analysed, not acted upon or are deleted/ knowing what questions to ask when they are developing overwritten after a short period of time. a logging strategy. With so much information available one of the major issues The goal of this guidance document is to assist businesses identifying what log events your business may be interested in developing a logging strategy and understanding how in. For example, a single failed login on a particular system that information can be put to good use. In highlighting is not necessarily unusual or cause for concern, but multiple the availability of this information and the benefits of failed logins on a single system, or on multiple systems across a logging solution, both from a security and business the network, within a few seconds of each other should be operations point of view, we can work cooperatively to cause for concern and could indicate a potential attack. limit data security breaches. If the worst does happen we can reduce the window of exposure to both cardholders Before considering the many available solutions, be they in- and the business affected by self-detecting a potential data house or as part of logging solution provided by a third party, breaches at an early stage. it is important to spend time considering the data that you may need to log. This is especially true considering the wide range and cost of potential solutions available to you. For example, it may make little financial sense to invest funds in a solution that can generate hundreds of alerts per day and weekly reports if you do not have the staff to review and act upon these alerts and reports. Considering this, simply committing large financial sums into purchasing very expensive tools is not the most effective route to follow. Spending time up front to consider the overall objective, such as helping to reduce organisational risk, it becomes clear that it is important to understand your requirements. In highlighting the availability of this information and the benefits of a logging solution, both from a security and business operations point of view, we can work cooperatively to limit data security breaches.
Logging and PCI DSS Summary PCI DSS requires not only the creation and retention of log Implementing an event log analysis system is a complex information, but also that the logs are reviewed on a daily process, but by considering the points in this paper your basis. Depending on the nature of your environment, the organisation can ensure that your solution is fit for purpose daily reviews can be via log management tools or manually. and adding value to the organisation through careful By performing these daily reviews, it will provide you with an consideration and planning. important element of your security strategy by alerting you to any potential security issues within your infrastructure. It is important to highlight once more that there will always be an administrative workload associated with performing The logging requirements for PCI DSS are well defined and any effective log analysis, and it is for this reason that the tools/ logging solution developed should at a minimum include: solutions selected should be carefully screened and tested before committing to any investment. • establishing a logging policy for all system components Lastly, understanding your organisation’s event logs • logging events and relevant supporting information will, without a doubt, open a new dimension of business intelligence that can lead to enhanced security, increased • syncronising times across critical systems providing service uptime, and overall operational improvements. log information An efficient logging and event management program could • securing log data to prevent misuse actually be considered a business enabler, linking Marketing Information, Business Continuity, Incident Response and • reviewing logs daily Disaster Recovery with network and system health. • maintaining log information for at least one year. Additional Resources This paper is designed to assist in developing a logging PCI DSS solution that meets your requirements from both a business • The current PCI DSS requirements can be found here: and PCI DSS perspective. The following Appendix will www.pcisecuritystandards.org walk you through the process of designing, developing and implementing a logging solution that meets the needs Verizon Breach Report 2012 of your business. Depending on the nature and size of • A copy of the latest Verizon Breach report can be found your business, individual elements or all elements may be here: http://www.verizonbusiness.com/resources/reports/ appropriate for your needs. rp_data-breach-investigations-report-2012_en_xg.pdf Addition Information • Nist Guide for Security Log Management can be found here: www.csrc.nist.gov/publications/nistpubs/800-92/ SP800-92.pdf • Artec Group: How to do application logging right can be found here: http://arctecgroup.net/pdf/howtoapplogging.pdf By performing these daily reviews, it will provide you with an important element of your security strategy by alerting you to any potential security issues within your infrastructure.
Appendix Designing and deploying a logging solution Understanding the drivers Preparing for Log Analysis To properly prepare and implement a logging strategy there are many Items to consider. Time spent at this stage of the process will provide a greater understanding of your requirements and simplify the later steps in the process. Items to be considered include, but are not limited to: • daily reports of unique visitors’ to your website • operations-related alerts and reporting • compliance and security requirements, including PCI DSS • system utilisation and performance metrics • annual reports of hardware failures per vendor Depending on the size and nature of your business it may be necessary to select a group of people from different areas of the organisation and form a team to define your logging requirements. The benefit of this approach is that this team may be able to address multiple areas in which logging would assist. For example, Security / Operations / User Management / Supplier Management Considering the areas of interest that this exercise highlights will help provide your business with a plan for logging. This equally applies to in-house systems and systems operated by your suppliers. For example, if you have a contract with a webhost, you may want it reporting on how often the service was not available and for how long. Analyse Business Drivers and Compliance Requirements To get the maximum benefit from a logging solution it is important that the following information is understood: • Which systems provide log information • How available and accessible is this log information • How long is it necessary to keep these logs • How can log information from several systems be compared • How can findings from log events be reported. • Does the solution meet the requirements laid out in the PCI DSS It is important to include any in-house developed applications or applications that have been customised to your requirements at this stage of the process.
Policy and Process Development Solution Scoping and Logging Strategy Once this initial information has been gathered then it can be expanded upon to add details for the systems and applications within scope of the logging strategy. This should also consider the volume of log data that is generated by each of these systems and applications as that may influence your choice of solution. The following items should assist in building your strategy: • Scope: – List the systems and applications within scope of the solution. – Is the initial solution expected to be deployed throughout the business, or will it be initially deployed in one area and then additional systems brought on board. – Are certain systems excluded? What is the impact of excluding certain systems from the scope and is the effort justified if the solution does not provide full visibility? – Do any logs contain sensitive business data? – Ensure every system is time synchronised across your organisation. • Capacity / Volumes: – Estimate data volumes and processing requirements (live/daily/weekly/etc.) as accurately as possible. • Base Logging Configuration, per system: – Understand and document which events and conditions should be logged (logins/logouts, fails/ successes) – Wherever possible, define the relationships between important or significant events. • Define and document event categories for the system, application and security events that are expected to be handled by the solution. For example, application logs, system logs and where relevant other logs such as finance web application etc. • Standardisation: – Apply a standard naming convention for the different fields (set tags), so everybody in the organisation will identify fields uniformly; For example, username, application name, etc. – Systems within functional units are applied with the same level of logging detail to ensure maximum correlation for potentially significant events. • Relations & Correlation: – If possible, document the relation between the different systems’ naming conventions (e.g. a username on one system, may be referred to as account on another) – At the minimum define how the data is going to be processed, which interactions between systems are expected to take place and provide examples (e,g, VPN logs should be correlated with mainframe access logs). • Define roles and responsibilities with clear structures around what information would be accessible to which individuals or groups. • Establish integration with existing authentication and authorization systems. • Secure transport: How is the source log data transmitted to the logging system and how is it protected to make sure it is not altered?
Log Analysis Policy Development The next stage is to define your Log Analysis policy. This should describe: • What event information needs to be captured and from what system(s)? • How long the information will be maintained by the solution(s) (consider online and offline storage) • How and when the data should be archived • Who is allowed access to which parts of the information • Most importantly, which team is responsible of reviewing alerts, reports and escalations or responses. The following items are recommended as the minimum components of the event’s information. • Identification of the user account and/or system account involved • Definition of the event type • Result or action of the event • Origin and location of the event • Details of the data, system component or resource affected by the event • Accurate date and time of the event, including an awareness of the time zone involved • A contextual, event family or session ID of the event which would permit associated events to be linked or grouped. It is imperative that this policy is accepted by senior management and is consistently enforced across the IT organisation in order to deliver a successful log analysis solution. Solution Selection and Implementation Develop a Solution Evaluation Criteria Based on the criteria developed in the prior Requirements Analysis it should be possible to use these criteria to develop a well defined set of questions that can be used to evaluate any solution that is being considered. It is particularly useful to consider how solutions function under well-defined scenarios. For example, how would a series of unsuccessful logon attempts be reported by the solution? Consideration in selecting a solution should include: • The complexity of setting up a new source of events • How to define a new log format • Describing a complex correlation rule • How to integrate in- house applications To help evaluate any potential solutions a scoring matrix can assist in determining how a particular solution meets your requirements. This should include a weighting element for each set of logs. For example, a business may consider that support for a given mainframe system logs are critical and should therefore receive the highest weighting available whereas support for a particular proxy server logs, depending upon your environment, may be desirable but not vital and receive a lesser weighting. This upfront analysis can help eliminate solutions that may provide additional features that may seem initially useful, but are ultimately not required.
Evaluating your options It is important to set aside enough time at this stage to review your alternatives. This may be evaluating the cost of developing an in-house solution or going through an RFI/RFP process with a list of potential solution providers. There is a direct relationship between the amount of time dedicated to this stage of the process and time saved during proof of concept presentations. Thanks to the creation of the evaluation criteria, a balanced and clearly defined method is available to compare and contrast what may appear to be a disparate array of products and solutions. The solution category types available are broadly: • Open Source solutions • Fully in-sourced commercial products • Fully managed and hosted solution. One of the most important aspects of this is to evaluate the implications of using one solution against the other by balancing licence, hardware and operational costs along with a detailed understanding of the sensitivity of the business logs. Proof of Concept Once a list of potential candidates is selected, a proof of concept implementation to demonstrate that a solution can deliver what is described in the response is highly recommended. This proof of concept is critical since once selected and implemented, the costs associated with changing supplier or fixing gaps may prove to be very costly. For example, a proof of concept may show that a potential solution fails to detect a system breach or potential compromise. It is thus vitally important to verify that any feature that is deemed critical to your organisation, and a solution claims to support, is demonstrated at this stage. Deploying Log Analysis In general, logs will either be • Automatically forwarded by the application generating the information • Automatically forwarded by processes installed on each system that are designed to collect and forward log information • Periodically pulled from a log concentrator The preferred approach is undoubtedly real time feeds as the tool selected should be able to process events as they arrive and generate alerts as events take place. There are, however, some issues that must be considered such as • network-related factors including the volume of log traffic generated by the different devices, • the position of the log analyser in the network, • the usage of intermediate log collectors etc. Depending on your business needs one approach to add log sources to the log analysis solution in an incremental basis. • Add log sources based on their classification. • Once the logs are being captured, the solution’s administrator must ensure that all relevant log lines are being catered for (carefully analysed and correlated). • Confirm each source is correctly configured and reported before introducing the next source. • Review rules to create more effective filters and correlation rules, therefore raising the value of the overall solution. This can then be repeated for other log sources.
Maintaining and Utilising your Logging Solution Review and Refine Log Solution Deployment A common mistake is that most organisations expect the solution to auto-magically process logs as they arrive, from different platforms. However, the reality is that any solution will need some degree of human help and interaction to understand the context, the importance and value of the different assets, as well as other key aspects. This is especially true after any system changes. It should be emphasised that a correctly implemented log management solution will pay dividends in the efficiencies it creates in effectively managing and responding to the abundant log sources available. An organisation should consider at the minimum: • Revisit the implemented solution quarterly • Ensure it is kept updated with changes in the IT organisation, including new systems, • Ensure it is producing effective reporting and alerts • Ensure it is meeting any relevant compliance requirements. © Visa Europe 2012

Recommended

Stone gate ips
Stone gate ipsStone gate ips
Stone gate ipsMultibyte Consultoria
 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementSafeNet
 
Enterprise security incident management
Enterprise security incident managementEnterprise security incident management
Enterprise security incident managementzapp0
 
Privacy Impact Assessment Final
Privacy Impact Assessment FinalPrivacy Impact Assessment Final
Privacy Impact Assessment FinalBen Omoakin Oguntala, developingafrica(dot)net
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesJorge Sebastiao
 
Enterprise security management II
Enterprise security management IIEnterprise security management II
Enterprise security management IIzapp0
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
 
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstrationasundaram1
 

Recommended

Stone gate ips
Stone gate ipsStone gate ips
Stone gate ipsMultibyte Consultoria
 
Charting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementCharting Your Path to Enterprise Key Management
Charting Your Path to Enterprise Key ManagementSafeNet
 
Enterprise security incident management
Enterprise security incident managementEnterprise security incident management
Enterprise security incident managementzapp0
 
Privacy Impact Assessment Final
Privacy Impact Assessment FinalPrivacy Impact Assessment Final
Privacy Impact Assessment FinalBen Omoakin Oguntala, developingafrica(dot)net
 
Information Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesInformation Security Cost Effective Managed Services
Information Security Cost Effective Managed ServicesJorge Sebastiao
 
Enterprise security management II
Enterprise security management IIEnterprise security management II
Enterprise security management IIzapp0
 
10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and Reponse10 Tips to Improve Your Security Incident Readiness and Reponse
10 Tips to Improve Your Security Incident Readiness and ReponseEMC
 
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstration2008 Issa Journal Security Metrics Hype Reality And Value Demonstration
2008 Issa Journal Security Metrics Hype Reality And Value Demonstrationasundaram1
 
Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security ProgramSeccuris Inc.
 
Data Protection Top Ten Concerns
Data Protection Top Ten ConcernsData Protection Top Ten Concerns
Data Protection Top Ten Concernshealthcareisi
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017EQS Group
 
Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Stepsagiliancecommunity
 
Detection of Anomalous Behavior
Detection of Anomalous BehaviorDetection of Anomalous Behavior
Detection of Anomalous BehaviorCapgemini
 
NiTO Ebook
NiTO EbookNiTO Ebook
NiTO EbookNiTOROMInc
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
 
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...DFLABS SRL
 
Ca Additional Research Charts
Ca Additional Research ChartsCa Additional Research Charts
Ca Additional Research ChartsCA RMDM Latam
 
Auditing Distributed Preservation Networks
Auditing Distributed Preservation Networks Auditing Distributed Preservation Networks
Auditing Distributed Preservation Networks Micah Altman
 
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecXavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecLaura Tibbo
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...South Tyrol Free Software Conference
 
Troubleshooting The Troubleshootingsystem Kl480
Troubleshooting The Troubleshootingsystem Kl480Troubleshooting The Troubleshootingsystem Kl480
Troubleshooting The Troubleshootingsystem Kl480Jens Refflinghaus
 
Xero Risk Product Presentation V3.2
Xero Risk Product Presentation V3.2Xero Risk Product Presentation V3.2
Xero Risk Product Presentation V3.2Carl Booth
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseAnton Chuvakin
 
5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response PlanResilient Systems
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 
Expert letter kp is for security management
Expert letter kp is for security managementExpert letter kp is for security management
Expert letter kp is for security managementTiniey Cayang
 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFLABS SRL
 
Card Security Training
Card Security Training Card Security Training
Card Security Training Viarsen Rajah
 
Barclaycard Payment Security Newsletter Jan11
Barclaycard Payment Security Newsletter Jan11Barclaycard Payment Security Newsletter Jan11
Barclaycard Payment Security Newsletter Jan11Neira Jones
 

More Related Content

What's hot

Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security ProgramSeccuris Inc.
 
Data Protection Top Ten Concerns
Data Protection Top Ten ConcernsData Protection Top Ten Concerns
Data Protection Top Ten Concernshealthcareisi
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017EQS Group
 
Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec
 
Detection of Anomalous Behavior
Detection of Anomalous BehaviorDetection of Anomalous Behavior
Detection of Anomalous BehaviorCapgemini
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHEQS Group
 
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...DFLABS SRL
 
Ca Additional Research Charts
Ca Additional Research ChartsCa Additional Research Charts
Ca Additional Research ChartsCA RMDM Latam
 
Auditing Distributed Preservation Networks
Auditing Distributed Preservation Networks Auditing Distributed Preservation Networks
Auditing Distributed Preservation Networks Micah Altman
 
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecXavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecLaura Tibbo
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...South Tyrol Free Software Conference
 
Troubleshooting The Troubleshootingsystem Kl480
Troubleshooting The Troubleshootingsystem Kl480Troubleshooting The Troubleshootingsystem Kl480
Troubleshooting The Troubleshootingsystem Kl480Jens Refflinghaus
 
Xero Risk Product Presentation V3.2
Xero Risk Product Presentation V3.2Xero Risk Product Presentation V3.2
Xero Risk Product Presentation V3.2Carl Booth
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseAnton Chuvakin
 
5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response PlanResilient Systems
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016Ashley Deuble
 
Expert letter kp is for security management
Expert letter kp is for security managementExpert letter kp is for security management
Expert letter kp is for security managementTiniey Cayang
 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFLABS SRL
 

What's hot (20)

Improving Your Information Security Program
Improving Your Information Security ProgramImproving Your Information Security Program
Improving Your Information Security Program
 
Data Protection Top Ten Concerns
Data Protection Top Ten ConcernsData Protection Top Ten Concerns
Data Protection Top Ten Concerns
 
M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017M&A security - E-crime Congress 2017
M&A security - E-crime Congress 2017
 
Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012Symantec Control Compliance Suite 11, February 2012
Symantec Control Compliance Suite 11, February 2012
 
Agiliance Wp Key Steps
Agiliance Wp Key StepsAgiliance Wp Key Steps
Agiliance Wp Key Steps
 
Detection of Anomalous Behavior
Detection of Anomalous BehaviorDetection of Anomalous Behavior
Detection of Anomalous Behavior
 
NiTO Ebook
NiTO EbookNiTO Ebook
NiTO Ebook
 
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACHMergers & Acquisitions security - (ISC)2 Secure Summit DACH
Mergers & Acquisitions security - (ISC)2 Secure Summit DACH
 
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...
Cyber Crime Conference 2017 - DFLabs Supervised Active Intelligence - Andrea ...
 
Ca Additional Research Charts
Ca Additional Research ChartsCa Additional Research Charts
Ca Additional Research Charts
 
Auditing Distributed Preservation Networks
Auditing Distributed Preservation Networks Auditing Distributed Preservation Networks
Auditing Distributed Preservation Networks
 
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 DecXavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
Xavier Marguinaud in Corporate Livewire Cyber Security Expert Guide 2017 Dec
 
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
SFScon21 - Christian Notdurfter - Data Protection by Design and by Default fo...
 
Troubleshooting The Troubleshootingsystem Kl480
Troubleshooting The Troubleshootingsystem Kl480Troubleshooting The Troubleshootingsystem Kl480
Troubleshooting The Troubleshootingsystem Kl480
 
Xero Risk Product Presentation V3.2
Xero Risk Product Presentation V3.2Xero Risk Product Presentation V3.2
Xero Risk Product Presentation V3.2
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident Response
 
5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan5 Steps to Improve Your Incident Response Plan
5 Steps to Improve Your Incident Response Plan
 
The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016The Six Stages of Incident Response - Auscert 2016
The Six Stages of Incident Response - Auscert 2016
 
Expert letter kp is for security management
Expert letter kp is for security managementExpert letter kp is for security management
Expert letter kp is for security management
 
DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013DFlabs corporate profile 01-2013
DFlabs corporate profile 01-2013
 

Viewers also liked

Card Security Training
Card Security Training Card Security Training
Card Security Training Viarsen Rajah
 
Barclaycard Payment Security Newsletter Jan11
Barclaycard Payment Security Newsletter Jan11Barclaycard Payment Security Newsletter Jan11
Barclaycard Payment Security Newsletter Jan11Neira Jones
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIThiteshasnani94
 
EPA White Paper - Protecting us from the storm v1-0
EPA White Paper - Protecting us from the storm v1-0EPA White Paper - Protecting us from the storm v1-0
EPA White Paper - Protecting us from the storm v1-0Neira Jones
 
E security and payment 2013-1
E security and payment 2013-1E security and payment 2013-1
E security and payment 2013-1Abdelfatah hegazy
 
Point of Sale Merchant Procedures
Point of Sale Merchant ProceduresPoint of Sale Merchant Procedures
Point of Sale Merchant Procedures- Mark - Fullbright
 

Viewers also liked (6)

Card Security Training
Card Security Training Card Security Training
Card Security Training
 
Barclaycard Payment Security Newsletter Jan11
Barclaycard Payment Security Newsletter Jan11Barclaycard Payment Security Newsletter Jan11
Barclaycard Payment Security Newsletter Jan11
 
Payment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVITPayment card security By Hitesh Asnani SVIT
Payment card security By Hitesh Asnani SVIT
 
EPA White Paper - Protecting us from the storm v1-0
EPA White Paper - Protecting us from the storm v1-0EPA White Paper - Protecting us from the storm v1-0
EPA White Paper - Protecting us from the storm v1-0
 
E security and payment 2013-1
E security and payment 2013-1E security and payment 2013-1
E security and payment 2013-1
 
Point of Sale Merchant Procedures
Point of Sale Merchant ProceduresPoint of Sale Merchant Procedures
Point of Sale Merchant Procedures
 

Similar to Visa Security Logging Factsheet June 2012

Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...Anton Chuvakin
 
Enterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftEnterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftAppsian
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructureAnton Chuvakin
 
Five Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementFive Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementAnton Chuvakin
 
Business Continuity for Mission Critical Applications
Business Continuity for Mission Critical ApplicationsBusiness Continuity for Mission Critical Applications
Business Continuity for Mission Critical ApplicationsDataCore Software
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityTripwire
 
Getting Real About Security Management and “Big Data”
Getting Real About Security Management and “Big Data” Getting Real About Security Management and “Big Data”
Getting Real About Security Management and “Big Data” EMC
 
Business Intelligence Maturity
Business Intelligence MaturityBusiness Intelligence Maturity
Business Intelligence MaturityLouis Fernandes
 
It asset management_wp
It asset management_wpIt asset management_wp
It asset management_wpwardell henley
 
Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and ComplianceAnton Chuvakin
 
Kusnetzky Group: Maximizing the Benefits of Virtualization with Real-time Co...
Kusnetzky Group: Maximizing the Benefits of Virtualization with Real-time Co...Kusnetzky Group: Maximizing the Benefits of Virtualization with Real-time Co...
Kusnetzky Group: Maximizing the Benefits of Virtualization with Real-time Co...IBM India Smarter Computing
 
Data_Protection_WP - Jon Toigo
Data_Protection_WP - Jon ToigoData_Protection_WP - Jon Toigo
Data_Protection_WP - Jon ToigoEd Ahl
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptxPiyush Jain
 
The CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss PreventionThe CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss PreventionDigital Guardian
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability ManagementGFI Software
 
Maximizing the Benefits of Virtualization with Real-­time Compression
Maximizing the Benefits of Virtualization with Real-­time CompressionMaximizing the Benefits of Virtualization with Real-­time Compression
Maximizing the Benefits of Virtualization with Real-­time CompressionIBM India Smarter Computing
 

Similar to Visa Security Logging Factsheet June 2012 (20)

Leveraging Log Management to provide business value
Leveraging Log Management to provide business valueLeveraging Log Management to provide business value
Leveraging Log Management to provide business value
 
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
 
Enterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoftEnterprise GRC for PEoplesoft
Enterprise GRC for PEoplesoft
 
Take back your security infrastructure
Take back your security infrastructureTake back your security infrastructure
Take back your security infrastructure
 
Five Mistakes of Vulnerability Management
Five Mistakes of Vulnerability ManagementFive Mistakes of Vulnerability Management
Five Mistakes of Vulnerability Management
 
Business Continuity for Mission Critical Applications
Business Continuity for Mission Critical ApplicationsBusiness Continuity for Mission Critical Applications
Business Continuity for Mission Critical Applications
 
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for SecurityA Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
A Pragmatic Approach to SIEM: Buy for Compliance, Use for Security
 
It Budget Tips
It Budget TipsIt Budget Tips
It Budget Tips
 
Getting Real About Security Management and “Big Data”
Getting Real About Security Management and “Big Data” Getting Real About Security Management and “Big Data”
Getting Real About Security Management and “Big Data”
 
Business Intelligence Maturity
Business Intelligence MaturityBusiness Intelligence Maturity
Business Intelligence Maturity
 
It asset management_wp
It asset management_wpIt asset management_wp
It asset management_wp
 
Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
 
Kusnetzky Group: Maximizing the Benefits of Virtualization with Real-time Co...
Kusnetzky Group: Maximizing the Benefits of Virtualization with Real-time Co...Kusnetzky Group: Maximizing the Benefits of Virtualization with Real-time Co...
Kusnetzky Group: Maximizing the Benefits of Virtualization with Real-time Co...
 
IG-101
IG-101IG-101
IG-101
 
Data_Protection_WP - Jon Toigo
Data_Protection_WP - Jon ToigoData_Protection_WP - Jon Toigo
Data_Protection_WP - Jon Toigo
 
Prevent & Protect
Prevent & ProtectPrevent & Protect
Prevent & Protect
 
Understanding security operation.pptx
Understanding security operation.pptxUnderstanding security operation.pptx
Understanding security operation.pptx
 
The CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss PreventionThe CISO’s Guide to Data Loss Prevention
The CISO’s Guide to Data Loss Prevention
 
Vulnerability Management
Vulnerability ManagementVulnerability Management
Vulnerability Management
 
Maximizing the Benefits of Virtualization with Real-­time Compression
Maximizing the Benefits of Virtualization with Real-­time CompressionMaximizing the Benefits of Virtualization with Real-­time Compression
Maximizing the Benefits of Virtualization with Real-­time Compression
 

More from Neira Jones

Mobile Money For The Bottom of The Pyramid... Serving the unbanked...
Mobile Money For The Bottom of The Pyramid... Serving the unbanked...Mobile Money For The Bottom of The Pyramid... Serving the unbanked...
Mobile Money For The Bottom of The Pyramid... Serving the unbanked...Neira Jones
 
Accourt press release neira jones joins accourt
Accourt press release neira jones joins accourtAccourt press release neira jones joins accourt
Accourt press release neira jones joins accourtNeira Jones
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira Jones
 
The Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementThe Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementNeira Jones
 
EMV US whitepaper Bell ID
EMV US whitepaper Bell IDEMV US whitepaper Bell ID
EMV US whitepaper Bell IDNeira Jones
 
Mobile Practices European Release Final 27 04 11
Mobile Practices European Release Final 27 04 11Mobile Practices European Release Final 27 04 11
Mobile Practices European Release Final 27 04 11Neira Jones
 
Sc World Congress Econference March 2011
Sc World Congress Econference March 2011Sc World Congress Econference March 2011
Sc World Congress Econference March 2011Neira Jones
 

More from Neira Jones (7)

Mobile Money For The Bottom of The Pyramid... Serving the unbanked...
Mobile Money For The Bottom of The Pyramid... Serving the unbanked...Mobile Money For The Bottom of The Pyramid... Serving the unbanked...
Mobile Money For The Bottom of The Pyramid... Serving the unbanked...
 
Accourt press release neira jones joins accourt
Accourt press release neira jones joins accourtAccourt press release neira jones joins accourt
Accourt press release neira jones joins accourt
 
Neira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf readyNeira jones pci london january 2013 pdf ready
Neira jones pci london january 2013 pdf ready
 
The Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk ManagementThe Big Picture: Beyond Compliance To Risk Management
The Big Picture: Beyond Compliance To Risk Management
 
EMV US whitepaper Bell ID
EMV US whitepaper Bell IDEMV US whitepaper Bell ID
EMV US whitepaper Bell ID
 
Mobile Practices European Release Final 27 04 11
Mobile Practices European Release Final 27 04 11Mobile Practices European Release Final 27 04 11
Mobile Practices European Release Final 27 04 11
 
Sc World Congress Econference March 2011
Sc World Congress Econference March 2011Sc World Congress Econference March 2011
Sc World Congress Econference March 2011
 

Visa Security Logging Factsheet June 2012

  • 1. Life flows better with Visa Visa Europe Planning for and implementing security logging Introduction Most data security breaches have something in common; Any hacking activity, by its very nature, generates messages they are not overly technical, and in most cases they could that are logged by a wide variety of systems. Ideally these have been easily detected – far sooner than they are currently. logged events should act as a trigger for a response to limit The available evidence from forensic investigations has the likelihood of a successful attack and subsequent breach shown that over 40% of data breaches remain undetected of sensitive data, or at least to quickly detect a successful for months at a time. Our collective goal must be to work to attack to reduce the damage caused by the attack. detect data security breaches in order to reduce exposure Unfortunately, through investigation of many data breaches and harm to cardholders and card issuers. A successful log it has become clear that in many cases the organisation was management solution is no longer a recommendation but a operating completely unaware of a compromise because: must have element of any security strategy. • Logging had been either disabled due to perceived performance issues; • The logs were overwritten so frequently that trigger events were lost; • Logging had been enabled but it wasn’t been monitored • The compromised entity was unaware of what events were being logged. The available evidence from forensic investigations has shown that over 40% of data breaches remain undetected for months at a time
  • 2. The goal of this guidance document is to assist businesses in developing a logging strategy and understanding how that information can be put to good use. Despite the general availability of information logged Background across an organisation, a robust logging solution catering for all relevant system components can require Logs are generated throughout an IT environment (by both a significant investment in time and resources, not to hardware and software) by recording any events taking place mention financial commitment. The issue facing many within these systems. However, in many cases these events small retailers is understanding what they should log, or are frequently not analysed, not acted upon or are deleted/ knowing what questions to ask when they are developing overwritten after a short period of time. a logging strategy. With so much information available one of the major issues The goal of this guidance document is to assist businesses identifying what log events your business may be interested in developing a logging strategy and understanding how in. For example, a single failed login on a particular system that information can be put to good use. In highlighting is not necessarily unusual or cause for concern, but multiple the availability of this information and the benefits of failed logins on a single system, or on multiple systems across a logging solution, both from a security and business the network, within a few seconds of each other should be operations point of view, we can work cooperatively to cause for concern and could indicate a potential attack. limit data security breaches. If the worst does happen we can reduce the window of exposure to both cardholders Before considering the many available solutions, be they in- and the business affected by self-detecting a potential data house or as part of logging solution provided by a third party, breaches at an early stage. it is important to spend time considering the data that you may need to log. This is especially true considering the wide range and cost of potential solutions available to you. For example, it may make little financial sense to invest funds in a solution that can generate hundreds of alerts per day and weekly reports if you do not have the staff to review and act upon these alerts and reports. Considering this, simply committing large financial sums into purchasing very expensive tools is not the most effective route to follow. Spending time up front to consider the overall objective, such as helping to reduce organisational risk, it becomes clear that it is important to understand your requirements. In highlighting the availability of this information and the benefits of a logging solution, both from a security and business operations point of view, we can work cooperatively to limit data security breaches.
  • 3. Logging and PCI DSS Summary PCI DSS requires not only the creation and retention of log Implementing an event log analysis system is a complex information, but also that the logs are reviewed on a daily process, but by considering the points in this paper your basis. Depending on the nature of your environment, the organisation can ensure that your solution is fit for purpose daily reviews can be via log management tools or manually. and adding value to the organisation through careful By performing these daily reviews, it will provide you with an consideration and planning. important element of your security strategy by alerting you to any potential security issues within your infrastructure. It is important to highlight once more that there will always be an administrative workload associated with performing The logging requirements for PCI DSS are well defined and any effective log analysis, and it is for this reason that the tools/ logging solution developed should at a minimum include: solutions selected should be carefully screened and tested before committing to any investment. • establishing a logging policy for all system components Lastly, understanding your organisation’s event logs • logging events and relevant supporting information will, without a doubt, open a new dimension of business intelligence that can lead to enhanced security, increased • syncronising times across critical systems providing service uptime, and overall operational improvements. log information An efficient logging and event management program could • securing log data to prevent misuse actually be considered a business enabler, linking Marketing Information, Business Continuity, Incident Response and • reviewing logs daily Disaster Recovery with network and system health. • maintaining log information for at least one year. Additional Resources This paper is designed to assist in developing a logging PCI DSS solution that meets your requirements from both a business • The current PCI DSS requirements can be found here: and PCI DSS perspective. The following Appendix will www.pcisecuritystandards.org walk you through the process of designing, developing and implementing a logging solution that meets the needs Verizon Breach Report 2012 of your business. Depending on the nature and size of • A copy of the latest Verizon Breach report can be found your business, individual elements or all elements may be here: http://www.verizonbusiness.com/resources/reports/ appropriate for your needs. rp_data-breach-investigations-report-2012_en_xg.pdf Addition Information • Nist Guide for Security Log Management can be found here: www.csrc.nist.gov/publications/nistpubs/800-92/ SP800-92.pdf • Artec Group: How to do application logging right can be found here: http://arctecgroup.net/pdf/howtoapplogging.pdf By performing these daily reviews, it will provide you with an important element of your security strategy by alerting you to any potential security issues within your infrastructure.
  • 4. Appendix Designing and deploying a logging solution Understanding the drivers Preparing for Log Analysis To properly prepare and implement a logging strategy there are many Items to consider. Time spent at this stage of the process will provide a greater understanding of your requirements and simplify the later steps in the process. Items to be considered include, but are not limited to: • daily reports of unique visitors’ to your website • operations-related alerts and reporting • compliance and security requirements, including PCI DSS • system utilisation and performance metrics • annual reports of hardware failures per vendor Depending on the size and nature of your business it may be necessary to select a group of people from different areas of the organisation and form a team to define your logging requirements. The benefit of this approach is that this team may be able to address multiple areas in which logging would assist. For example, Security / Operations / User Management / Supplier Management Considering the areas of interest that this exercise highlights will help provide your business with a plan for logging. This equally applies to in-house systems and systems operated by your suppliers. For example, if you have a contract with a webhost, you may want it reporting on how often the service was not available and for how long. Analyse Business Drivers and Compliance Requirements To get the maximum benefit from a logging solution it is important that the following information is understood: • Which systems provide log information • How available and accessible is this log information • How long is it necessary to keep these logs • How can log information from several systems be compared • How can findings from log events be reported. • Does the solution meet the requirements laid out in the PCI DSS It is important to include any in-house developed applications or applications that have been customised to your requirements at this stage of the process.
  • 5. Policy and Process Development Solution Scoping and Logging Strategy Once this initial information has been gathered then it can be expanded upon to add details for the systems and applications within scope of the logging strategy. This should also consider the volume of log data that is generated by each of these systems and applications as that may influence your choice of solution. The following items should assist in building your strategy: • Scope: – List the systems and applications within scope of the solution. – Is the initial solution expected to be deployed throughout the business, or will it be initially deployed in one area and then additional systems brought on board. – Are certain systems excluded? What is the impact of excluding certain systems from the scope and is the effort justified if the solution does not provide full visibility? – Do any logs contain sensitive business data? – Ensure every system is time synchronised across your organisation. • Capacity / Volumes: – Estimate data volumes and processing requirements (live/daily/weekly/etc.) as accurately as possible. • Base Logging Configuration, per system: – Understand and document which events and conditions should be logged (logins/logouts, fails/ successes) – Wherever possible, define the relationships between important or significant events. • Define and document event categories for the system, application and security events that are expected to be handled by the solution. For example, application logs, system logs and where relevant other logs such as finance web application etc. • Standardisation: – Apply a standard naming convention for the different fields (set tags), so everybody in the organisation will identify fields uniformly; For example, username, application name, etc. – Systems within functional units are applied with the same level of logging detail to ensure maximum correlation for potentially significant events. • Relations & Correlation: – If possible, document the relation between the different systems’ naming conventions (e.g. a username on one system, may be referred to as account on another) – At the minimum define how the data is going to be processed, which interactions between systems are expected to take place and provide examples (e,g, VPN logs should be correlated with mainframe access logs). • Define roles and responsibilities with clear structures around what information would be accessible to which individuals or groups. • Establish integration with existing authentication and authorization systems. • Secure transport: How is the source log data transmitted to the logging system and how is it protected to make sure it is not altered?
  • 6. Log Analysis Policy Development The next stage is to define your Log Analysis policy. This should describe: • What event information needs to be captured and from what system(s)? • How long the information will be maintained by the solution(s) (consider online and offline storage) • How and when the data should be archived • Who is allowed access to which parts of the information • Most importantly, which team is responsible of reviewing alerts, reports and escalations or responses. The following items are recommended as the minimum components of the event’s information. • Identification of the user account and/or system account involved • Definition of the event type • Result or action of the event • Origin and location of the event • Details of the data, system component or resource affected by the event • Accurate date and time of the event, including an awareness of the time zone involved • A contextual, event family or session ID of the event which would permit associated events to be linked or grouped. It is imperative that this policy is accepted by senior management and is consistently enforced across the IT organisation in order to deliver a successful log analysis solution. Solution Selection and Implementation Develop a Solution Evaluation Criteria Based on the criteria developed in the prior Requirements Analysis it should be possible to use these criteria to develop a well defined set of questions that can be used to evaluate any solution that is being considered. It is particularly useful to consider how solutions function under well-defined scenarios. For example, how would a series of unsuccessful logon attempts be reported by the solution? Consideration in selecting a solution should include: • The complexity of setting up a new source of events • How to define a new log format • Describing a complex correlation rule • How to integrate in- house applications To help evaluate any potential solutions a scoring matrix can assist in determining how a particular solution meets your requirements. This should include a weighting element for each set of logs. For example, a business may consider that support for a given mainframe system logs are critical and should therefore receive the highest weighting available whereas support for a particular proxy server logs, depending upon your environment, may be desirable but not vital and receive a lesser weighting. This upfront analysis can help eliminate solutions that may provide additional features that may seem initially useful, but are ultimately not required.
  • 7. Evaluating your options It is important to set aside enough time at this stage to review your alternatives. This may be evaluating the cost of developing an in-house solution or going through an RFI/RFP process with a list of potential solution providers. There is a direct relationship between the amount of time dedicated to this stage of the process and time saved during proof of concept presentations. Thanks to the creation of the evaluation criteria, a balanced and clearly defined method is available to compare and contrast what may appear to be a disparate array of products and solutions. The solution category types available are broadly: • Open Source solutions • Fully in-sourced commercial products • Fully managed and hosted solution. One of the most important aspects of this is to evaluate the implications of using one solution against the other by balancing licence, hardware and operational costs along with a detailed understanding of the sensitivity of the business logs. Proof of Concept Once a list of potential candidates is selected, a proof of concept implementation to demonstrate that a solution can deliver what is described in the response is highly recommended. This proof of concept is critical since once selected and implemented, the costs associated with changing supplier or fixing gaps may prove to be very costly. For example, a proof of concept may show that a potential solution fails to detect a system breach or potential compromise. It is thus vitally important to verify that any feature that is deemed critical to your organisation, and a solution claims to support, is demonstrated at this stage. Deploying Log Analysis In general, logs will either be • Automatically forwarded by the application generating the information • Automatically forwarded by processes installed on each system that are designed to collect and forward log information • Periodically pulled from a log concentrator The preferred approach is undoubtedly real time feeds as the tool selected should be able to process events as they arrive and generate alerts as events take place. There are, however, some issues that must be considered such as • network-related factors including the volume of log traffic generated by the different devices, • the position of the log analyser in the network, • the usage of intermediate log collectors etc. Depending on your business needs one approach to add log sources to the log analysis solution in an incremental basis. • Add log sources based on their classification. • Once the logs are being captured, the solution’s administrator must ensure that all relevant log lines are being catered for (carefully analysed and correlated). • Confirm each source is correctly configured and reported before introducing the next source. • Review rules to create more effective filters and correlation rules, therefore raising the value of the overall solution. This can then be repeated for other log sources.
  • 8. Maintaining and Utilising your Logging Solution Review and Refine Log Solution Deployment A common mistake is that most organisations expect the solution to auto-magically process logs as they arrive, from different platforms. However, the reality is that any solution will need some degree of human help and interaction to understand the context, the importance and value of the different assets, as well as other key aspects. This is especially true after any system changes. It should be emphasised that a correctly implemented log management solution will pay dividends in the efficiencies it creates in effectively managing and responding to the abundant log sources available. An organisation should consider at the minimum: • Revisit the implemented solution quarterly • Ensure it is kept updated with changes in the IT organisation, including new systems, • Ensure it is producing effective reporting and alerts • Ensure it is meeting any relevant compliance requirements. © Visa Europe 2012