How to Gain Visibility and Control: Compliance Mandates, Security Threats and Data Leaks by Dr. Anton Chuvakin

1. How to Gain Visibility and Control:Compliance Mandates, Security Threats and Data Leaks Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com Nov 2009

2. Outline Threats: From Hackers to Auditors What’s in Common? Accountability! Log Management for Accountability, Visibility and Control “Compliance“+”: Many Uses for Logs When Incident Strikes Conclusions

3. “It Can’t Happen to Me!” It probably already did!

4. Moreover… “The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”

6. GLBA

7. FISMA

8. JPA

9. PCI

10. HIPAA

11. SLAs

12. COBIT

13. ISO

14. ITIL

15. PCI : Requirement 10 and beyond

16. Logging and user activities tracking are critical

17. Automate and secure audit trails for event reconstruction

18. Review logs daily

19. Retain audit trail history forat least one year

20. COBIT 4

21. Provide audit trailfor root-cause analysis

22. Use logging to detect unusual or abnormal activities

23. Regularly review access, privileges, changes

24. Verify backup completion

25. ISO17799

26. Maintain audit logs for system access and use, changes, faults, corrections, capacity demands

27. Review the results of monitoring activities regularly and ensure the accuracy of logs

28. NIST 800-53

29. Capture audit records

30. Regularly review audit records for unusual activity and violations

31. Automatically process audit records

32. Protect audit information from unauthorized deletion

33. Retain audit logs“Get fined, Get Sanctioned” “Lose Customers, Reputation, Revenue or Job” “Get fined, Go To Jail” At the Same Time…

34. Security and Compliance Today <- This is the enemy! This is NOT the enemy! -> However, BOTH want your attention!

35. What to do?

36. Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology April 2008 http://geer.tinho.net/geer.housetestimony.070423.txt “In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things then up you will have to pay.” Daniel Geer, Sc.D.

37. Why Logs for Accountability Everybody leaves traces in logs! Potentially, every action could be logged! Control doesn’t scale, accountability (=logs!) does! More controls -> more complexity -> less control! The only technology that makes IT users (legitimate and otherwise) accountable:logging!

38. Control vs Visibility Myth: Stringent access controls will stop all attacks! What about those that have legitimate access? What about those who “break the rules”? The only control you can get is based on visibility and accountability!

39. Corporate Accountability Accountability Accountability is answerability, enforcement, responsibility, blameworthiness, liability Log Management Log management is collecting, retaining and analyzing audit trails across the organization There is a strong link between accountability and logging Big Picture: Logs as Enabler of Corporate Accountability

41. Routers/switches

42. Intrusion detection

43. Servers, desktops, mainframes

44. Business applications

45. Databases

46. Anti-virus

47. VPNs

48. Audit logs

49. Transaction logs

50. Intrusion logs

51. Connection logs

52. System performance records

53. User activity logs

55. 11% 82% 8% 14% 77% 9% 17% 74% 9% 15% 73% 12% 15% 69% 16% 19% 66% 15% 17% 66% 17% 24% 54% 22% 22% 51% 28% Security detection and remediation Security analysis and forensics Monitoring IT controls for regulatory compliance Troubleshooting IT problems Monitoring end-user behavior Service level/performance management Configuration/change management Monitoring IT administrator behavior Capacity planning Business analysis 7% 90% 2% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% (Percentage of respondants, N = 123) Yes, we use SIM technologies for this today No, we don’t use SIM technologies for this today, but plan or would like to do so in the future No, we don’t use SIM technologies for this today and have no plans to do so Source: Enterprise Strategy Group, 2007 Use Cases for Log Data Continue to Expand Does your organization use log management for any of the following?

56. “Compliance+” Model At Work You bought it for PCI DSS You installed it Your boss is happy Your auditor is … gone What are you going to do next?

57. Get More Info! “PCI Compliance” by Anton Chuvakin and Branden Williams www.pcicompliancebook.info Useful reference for merchants, vendors – and everybody else Out in December 2009!

58. “Compliance+” Model At Work You bought it for PCI DSS You installed it Your boss is happy Your auditor is … gone What are you going to do next?

59. Frequent First Use of Logs Logs for Incident Response Priorities: Have response process! Have logging enabled Have logs centralized Have logs searchable Have logs “baselined”

60. Conclusions In today’s complex IT, the only control comes from visibility and accountability Logs and log management is what enables it across all systems Start logging – then start collecting logs – then start reviewing and analyzing logs Prepare for incidents by deploying log management system!

61. Questions Dr. Anton Chuvakin Email:anton@chuvakin.org Google Voice: 510-771-7106 Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org LinkedIn:http://www.linkedin.com/in/chuvakin Twitter:@anton_chuvakin Consulting: www.securitywarriorconsulting.com

62. More on Anton Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, Consultant

63. Security Warrior Consulting Services Logging and log management policy Develop logging policies and processes, log review procedures, workflows and periodic tasks as well as help architect those to solve organization problems Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention, log source configuration as well as reporting, review and validation Customize industry “best practices” related to logging and log review to fit your environment, help link these practices to business services and regulations Help integrate logging tools and processes into IT and business operations Content development Develop of correlation rules, reports and other content to make your SIEM and log management product more useful to you and more applicable to your risk profile and compliance needs Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations More at www.SecurityWarriorConsulting.com