SlideShare una empresa de Scribd logo

Log Analysis Across System Boundaries for Security, Compliance, and Operations

Anton Chuvakin
Anton Chuvakin

This article covers the importance of utilizing a cross-platform log management approach rather than a siloed approach to aggregating and reviewing logs for easier security and compliance initiatives.

Tecnología
1 de 4
Log Analysis Across System Boundaries for Security, Compliance, and Operations Dr. Anton Chuvakin WRITTEN: 2007 DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around. This article covers the importance of utilizing a cross-platform log management approach rather than a siloed approach to aggregating and reviewing logs for easier security and compliance initiatives. All IT users, whether malicious or not, leave traces of their activity in various logs, generated by IT components, such as firewalls, routers, server and client operating systems, databases and even business applications. Such logs accumulate, creating mountains of log data. At the same time, more organizations are starting to become aware of the value of collecting and analyzing such data: it helps them keep an eye on the goings-on within the IT infrastructure-- the who’s, what’s when’s, and where’s of everything that happens. This also makes sense given the growing emphasis on data security (all companies want to avoid becoming the next TJ Maxx) and evolving regulatory compliance mandates such as PCI DSS and SOX. Of course, simply generating and collecting the logs is only half the battle. Being able to quickly search and report on log data in order to detect, manage, or even predict, security threats and to stay on top of compliance requirements is the other half. Logs have traditionally been handled by reviewing them on their individual points of origin and usually only after a major incident. Such approach is simply not working in this age of data breaches and stringent compliance requirements. It is not only inefficient and complex, but it also can cost a Fortune 1000–sized company millions of dollars and take weeks, thus destroying or severely reducing the positive effects of such “log review.” Today the call to action is shifting from merely having log data to centralized data collection, real-time analysis and in-depth reporting and searching to address IT security and regulatory compliance issues. Thus, the main log-related goals of a company should be both to enable log creation and centralized collection and then to find a way to search and review log data from disparate points of origin across the system boundaries, across the IT infrastructure. Let’s first look at what these logs are.
First, because logs contain information about IT activity, all logs generated within an organization could have relevance to computer security and regulatory compliance. Some logs are directly related to computer security: for example, intrusion detection alerts are aimed at notifying users that known malicious or suspicious activity is taking place. Other logs, such as server and network device logs, are certainly useful to information security, but in less direct ways. Server logs, such as those from Unix, Linux, or Windows servers, are automatically created and maintained by a server of activity performed on it; they represent activity on a single machine. Server logs are especially useful in cases of insider incidents; given that an insider attack or abuse might not involve any network access as well as not trigger intrusion detection systems and happen purely on the same system (with attackers using the console to use the system), server logs shed the most light on the situation. Relevant logged activities on a server include login success/failure, account creation and deletion, account settings and password changes, and file access, altering, or deletions and usually contain the information on the user who performed the actions. Network logs, on the other hand, describe data being sent and received over the network, so it makes sense that these are best-suited assist in detecting and monitoring abnormal network activity. Unlike server logs, which are limited to one machine and indicate only activity, network logs indicate a connection on the network, a source, and a destination. Relevant information found in network logs include the time a message was sent or received, the direction of the message, which network protocol was used to transmit the message, the total message length, and the first few bytes of the message. On the other hand, such logs typically do not provide the information on the actual user who attempted the connection. All logs (security, server, network, and others) make up one piece of the puzzle of IT infrastructure activity, so it makes sense that all log data is crucial to enterprise security, to regulatory compliance, and to IT operations. However, given the number of sources of logs and the varying information the logs contain, there are many different pieces of the IT infrastructure puzzle. While one can try to look at logs in siloed fashion, the logs will then fail to form the “big picture” of enterprise activity. Let us provide a few compelling reasons in favor of centralized log collection and cross- device analysis. First, logs from disparate sources reviewed in the context of other logs offer situational awareness which is key not only to managing security incidents but also to a company’s day-to- day IT operations. Routine log reviews and more in-depth analysis of stored logs from all sources simultaneously are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems and for providing information useful for resolving such problems. Moreover, when responding to an incident, one needs to review all possible evidence, which means all the logs from all the affected and suspect systems. One query across all logs saves
time, and incident response, whether to internal and external security threats, requires quick access to all logs to figure out the details of the breach, especially if it involves more than one part of the IT infrastructure. For example, searching for a user or an IP address across 4000 servers might take days if one has to login to each server, find the logs and perform the searches. If logs are centralized and optimized for searching, it will literally take seconds or less. And we can’t ignore the high degree of operational efficiency that accompanies having all logs in one place. Further, troubleshooting issues across all systems becomes a one-click process, as does running high-level trend reports across all systems in a business unit. To seek out log data from individual sources, administrators have to consider too many things and spend too much time piecing together information to be efficient. But a single point of control means that with the click of a button, all relevant information can be at their fingertips and with a tweak of one knob, all logging configurations can be updated as security policies and compliance mandates evolve. What is no less relevant is a current onslaught of compliance mandates. Further pushing IT professionals towards a cross-device approach to log analysis, many compliance mandates put forth a broad call to action to examine and review logs, not specifically database logs, not only server logs, not just network logs…logs generally. For example, the Federal Information and Security Management Act (FISMA, via NIST SP 800-53 and NIST SP 800-92) describes the broad need for log management in federal agencies and how to establish log management controls including the generation, review, protection, and retention of audit records, and steps to take in the event of audit failure. The Health Insurance Portability and Accountability Act of 1996 (HIPAA, via NIST SP 800-66) describes the need for regular evaluation of information system activity by reviewing a variety of logs (including audit logs and access reports). The Payment Card Industry Data Security Standard (PCI DSS) mandates logging specific details and log review procedures to prevent credit card fraud, hacking, and other related security issues in companies that store, process, or transmit credit card data. Requirement 10 requires that logs for all system components be reviewed at least daily and those from in-scope systems be stored for at least one year as well as protected. Thus, the above regulations call for central control over all log retention, stringent access control and other log protection for evidentiary purposes and even logging access to all logs. All of these are only possible when logs are centralized. Another critical benefit of centralized log collection and cross-domain log analysis is that it enables privileged user monitoring by removing the logs from the control of the privileged IT users such as system and network administrators. Abuse of system and data access or even data theft by trusted users is unfortunately all too common and logging is one way to curtail that. Log data integrity of log data in a centralized repository can also be guaranteed by the access control rules based on the “need to know” basis, logging all access and the use of cryptographic technologies, such as hashing and encryption. In essence, the need to paint a total picture of IT infrastructure activity and the broad requirement of key regulatory compliance mandates to review logs generally means that IT professionals need to find a way to execute cross-boundary log analysis. Of course, this approach requiring centralized retention of logs from disparate sources has benefits.
The key point to remember is that any information that can be gleaned from log data is always present in enterprise logs. However, the limiting factor to how well that information can be put to good use is how quickly and efficiently the log data that contain it can be retrieved, searched, and reported on. If a company’s IT staff can not access the appropriate logs in time and as a result must spend all of its time fire-fighting security breaches rather than proactively preventing such breaches before they become major problems, this does not maximize efficiency and it leaves the company open to even more security threats as the team struggles to catch up. Log data storage in a centralized repository and cross-device analysis allows those seeking information to bypass the time- and- resource-consuming process of combing through each individual source of log data and piecing the information together afterwards. Instead of spending their time either searching for information, administrators have the data they need at their fingertips and also can proactively review any log data that might indicate abnormal activity and address security, compliance and operational issues before they become major company blunders. In order to maintain efficiency and effectiveness, enterprises must be able to break down log silos and allow the intelligent analysis of log data from disparate sources. ABOUT THE AUTHOR: This is an updated author bio, added to the paper at the time of reposting in 2009. Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management (see list www.info-secure.org) . His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.

Recomendados

A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage Detection
IJERA Editor
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production Environments
LindaWatson19
 
Search Inform DLP
Search Inform DLPSearch Inform DLP
Search Inform DLP
Sergei Yavchenko
 
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox
 
Executive Summary_2016
Executive Summary_2016Executive Summary_2016
Executive Summary_2016
Annie Cute
 
Rapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7 CAG Compliance Guide
Rapid7 CAG Compliance Guide
Rapid7
 
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
csandit
 
IBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter MostIBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter Most
Precisely
 

Recomendados

A Survey On Data Leakage Detection
A Survey On Data Leakage DetectionA Survey On Data Leakage Detection
A Survey On Data Leakage Detection
IJERA Editor
 
Extending Information Security to Non-Production Environments
Extending Information Security to Non-Production EnvironmentsExtending Information Security to Non-Production Environments
Extending Information Security to Non-Production Environments
LindaWatson19
 
Search Inform DLP
Search Inform DLPSearch Inform DLP
Search Inform DLP
Sergei Yavchenko
 
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox, Machine Learning, the Insider Threat and how UEBA protects the user ...
ZoneFox
 
Executive Summary_2016
Executive Summary_2016Executive Summary_2016
Executive Summary_2016
Annie Cute
 
Rapid7 CAG Compliance Guide
Rapid7 CAG Compliance GuideRapid7 CAG Compliance Guide
Rapid7 CAG Compliance Guide
Rapid7
 
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
C RITICAL A SSESSMENT OF A UDITING C ONTRIBUTIONS T O E FFECTIVE AND E FF...
csandit
 
IBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter MostIBM i Security: Identifying the Events That Matter Most
IBM i Security: Identifying the Events That Matter Most
Precisely
 
File Auditing in the Enterprise
File Auditing in the EnterpriseFile Auditing in the Enterprise
File Auditing in the Enterprise
Netwrix Corporation
 
Aspects of data security
Aspects of data securityAspects of data security
Aspects of data security
SaranSwathi1
 
LogRhythm E Phi Use Case
LogRhythm E Phi Use CaseLogRhythm E Phi Use Case
LogRhythm E Phi Use Case
jordagro
 
SecureWorks
SecureWorksSecureWorks
SecureWorks
jduhaime
 
Logs = Accountability
Logs = AccountabilityLogs = Accountability
Logs = Accountability
Anton Chuvakin
 
How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External Attacks
Emmanuel Oshogwe Akpeokhai
 
GDPR & IBM i Security
GDPR & IBM i SecurityGDPR & IBM i Security
GDPR & IBM i Security
Precisely
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
Zara Nawaz
 
Security management and tools
Security management and toolsSecurity management and tools
Security management and tools
Vibhor Raut
 
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
Christian Buckley
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident Response
Anton Chuvakin
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
Actian Corporation
 
Security Management Strategies and Defense and their uses.
Security Management Strategies and Defense and their uses.Security Management Strategies and Defense and their uses.
Security Management Strategies and Defense and their uses.
Computer engineering company
 
Soc security-analytics
Soc security-analyticsSoc security-analytics
Soc security-analytics
bharti singhal
 
Soc security-analyticsof leotechnosoft
Soc security-analyticsof leotechnosoftSoc security-analyticsof leotechnosoft
Soc security-analyticsof leotechnosoft
hardik soni
 
SharePoint Security Playbook [eBook]
SharePoint Security Playbook [eBook]SharePoint Security Playbook [eBook]
SharePoint Security Playbook [eBook]
Imperva
 
information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...
Zara Nawaz
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
Chapter247 Infotech
 
Security Management | System Administration
Security Management | System AdministrationSecurity Management | System Administration
Security Management | System Administration
Lisa Dowdell, MSISTM
 
What To Do If Compromised - Fraud Control and Investigations Procedures
What To Do If Compromised - Fraud Control and Investigations ProceduresWhat To Do If Compromised - Fraud Control and Investigations Procedures
What To Do If Compromised - Fraud Control and Investigations Procedures
- Mark - Fullbright
 
Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
Anton Chuvakin
 
Log Management in the Age of Compliance
Log Management in the Age of ComplianceLog Management in the Age of Compliance
Log Management in the Age of Compliance
Anton Chuvakin
 

Más contenido relacionado

La actualidad más candente

LogRhythm E Phi Use Case
LogRhythm E Phi Use CaseLogRhythm E Phi Use Case
LogRhythm E Phi Use Case
jordagro
 
Security management and tools
Security management and toolsSecurity management and tools
Security management and tools
Vibhor Raut
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
Chapter247 Infotech
 

La actualidad más candente (20)

File Auditing in the Enterprise
File Auditing in the EnterpriseFile Auditing in the Enterprise
File Auditing in the Enterprise
 
Aspects of data security
Aspects of data securityAspects of data security
Aspects of data security
 
LogRhythm E Phi Use Case
LogRhythm E Phi Use CaseLogRhythm E Phi Use Case
LogRhythm E Phi Use Case
 
SecureWorks
SecureWorksSecureWorks
SecureWorks
 
Logs = Accountability
Logs = AccountabilityLogs = Accountability
Logs = Accountability
 
How Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External AttacksHow Organizations can Secure Their Database From External Attacks
How Organizations can Secure Their Database From External Attacks
 
GDPR & IBM i Security
GDPR & IBM i SecurityGDPR & IBM i Security
GDPR & IBM i Security
 
information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...information security (Audit mechanism, intrusion detection, password manageme...
information security (Audit mechanism, intrusion detection, password manageme...
 
Security management and tools
Security management and toolsSecurity management and tools
Security management and tools
 
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
Securing SharePoint -- 5 SharePoint Security Essentials You Cannot Afford to ...
 
FIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident ResponseFIRST 2006 Full-day Tutorial on Logs for Incident Response
FIRST 2006 Full-day Tutorial on Logs for Incident Response
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
 
Security Management Strategies and Defense and their uses.
Security Management Strategies and Defense and their uses.Security Management Strategies and Defense and their uses.
Security Management Strategies and Defense and their uses.
 
Soc security-analytics
Soc security-analyticsSoc security-analytics
Soc security-analytics
 
Soc security-analyticsof leotechnosoft
Soc security-analyticsof leotechnosoftSoc security-analyticsof leotechnosoft
Soc security-analyticsof leotechnosoft
 
SharePoint Security Playbook [eBook]
SharePoint Security Playbook [eBook]SharePoint Security Playbook [eBook]
SharePoint Security Playbook [eBook]
 
information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...information security(authentication application, Authentication and Access Co...
information security(authentication application, Authentication and Access Co...
 
The ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expertThe ultimate guide to cloud computing security-Hire cloud expert
The ultimate guide to cloud computing security-Hire cloud expert
 
Security Management | System Administration
Security Management | System AdministrationSecurity Management | System Administration
Security Management | System Administration
 
What To Do If Compromised - Fraud Control and Investigations Procedures
What To Do If Compromised - Fraud Control and Investigations ProceduresWhat To Do If Compromised - Fraud Control and Investigations Procedures
What To Do If Compromised - Fraud Control and Investigations Procedures
 

Similar a Log Analysis Across System Boundaries for Security, Compliance, and Operations

Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
Sridhar Karnam
 
Events Classification in Log Audit
Events Classification in Log Audit Events Classification in Log Audit
Events Classification in Log Audit
IJNSA Journal
 

Similar a Log Analysis Across System Boundaries for Security, Compliance, and Operations (20)

Audit logs for Security and Compliance
Audit logs for Security and ComplianceAudit logs for Security and Compliance
Audit logs for Security and Compliance
 
Log Management in the Age of Compliance
Log Management in the Age of ComplianceLog Management in the Age of Compliance
Log Management in the Age of Compliance
 
Leveraging Log Management to provide business value
Leveraging Log Management to provide business valueLeveraging Log Management to provide business value
Leveraging Log Management to provide business value
 
Logging "BrainBox" Short Article
Logging "BrainBox" Short ArticleLogging "BrainBox" Short Article
Logging "BrainBox" Short Article
 
Securing your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWPSecuring your IT infrastructure with SOC-NOC collaboration TWP
Securing your IT infrastructure with SOC-NOC collaboration TWP
 
Events Classification in Log Audit
Events Classification in Log Audit Events Classification in Log Audit
Events Classification in Log Audit
 
Computer Forensics in the Age of Compliance
Computer Forensics in the Age of ComplianceComputer Forensics in the Age of Compliance
Computer Forensics in the Age of Compliance
 
A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...
 
A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...A self adaptive learning approach for optimum path evaluation of process for ...
A self adaptive learning approach for optimum path evaluation of process for ...
 
13 essential log_col_infog
13 essential log_col_infog13 essential log_col_infog
13 essential log_col_infog
 
What Every Organization Should Log And Monitor
What Every Organization Should Log And MonitorWhat Every Organization Should Log And Monitor
What Every Organization Should Log And Monitor
 
Logging, monitoring and auditing
Logging, monitoring and auditingLogging, monitoring and auditing
Logging, monitoring and auditing
 
Use Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiencyUse Exabeam Smart Timelines to improve your SOC efficiency
Use Exabeam Smart Timelines to improve your SOC efficiency
 
Security Event Analysis Through Correlation
Security Event Analysis Through CorrelationSecurity Event Analysis Through Correlation
Security Event Analysis Through Correlation
 
Where Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized EnvironmentsWhere Logs Hide: Logs in Virtualized Environments
Where Logs Hide: Logs in Virtualized Environments
 
Maceo Wattley Contributor Infosec
Maceo Wattley Contributor InfosecMaceo Wattley Contributor Infosec
Maceo Wattley Contributor Infosec
 
Product description shell control box 4 lts
Product description shell control box 4 ltsProduct description shell control box 4 lts
Product description shell control box 4 lts
 
IDS Research
IDS ResearchIDS Research
IDS Research
 
Log maintenance network securiy
Log maintenance network securiyLog maintenance network securiy
Log maintenance network securiy
 
NIST 800-92 Log Management Guide in the Real World
NIST 800-92 Log Management Guide in the Real WorldNIST 800-92 Log Management Guide in the Real World
NIST 800-92 Log Management Guide in the Real World
 

Más de Anton Chuvakin

SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
Anton Chuvakin
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
Anton Chuvakin
 

Más de Anton Chuvakin (20)

Future of SOC: More Security, Less Operations
Future of SOC: More Security, Less OperationsFuture of SOC: More Security, Less Operations
Future of SOC: More Security, Less Operations
 
SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?SOC Meets Cloud: What Breaks, What Changes, What to Do?
SOC Meets Cloud: What Breaks, What Changes, What to Do?
 
Meet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton ChuvakinMeet the Ghost of SecOps Future by Anton Chuvakin
Meet the Ghost of SecOps Future by Anton Chuvakin
 
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
SANS Webinar: The Future of Log Centralization for SIEMs and DFIR – Is the En...
 
SOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton ChuvakinSOC Lessons from DevOps and SRE by Anton Chuvakin
SOC Lessons from DevOps and SRE by Anton Chuvakin
 
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 BoothHey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
Hey SOC, Look LEFT! by Anton Chuvakin RSA 2023 Booth
 
20 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 202220 Years of SIEM - SANS Webinar 2022
20 Years of SIEM - SANS Webinar 2022
 
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
10X SOC - SANS Blue Summit Keynote 2021 - Anton Chuvakin
 
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC TrendsSOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
SOCstock 2020 Groovy SOC Tunes aka Modern SOC Trends
 
SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC SOCstock 2021 The Cloud-native SOC
SOCstock 2021 The Cloud-native SOC
 
Modern SOC Trends 2020
Modern SOC Trends 2020Modern SOC Trends 2020
Modern SOC Trends 2020
 
Anton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in BriefAnton's 2020 SIEM Best and Worst Practices - in Brief
Anton's 2020 SIEM Best and Worst Practices - in Brief
 
Generic siem how_2017
Generic siem how_2017Generic siem how_2017
Generic siem how_2017
 
Tips on SIEM Ops 2015
Tips on SIEM Ops 2015Tips on SIEM Ops 2015
Tips on SIEM Ops 2015
 
Five SIEM Futures (2012)
Five SIEM Futures (2012)Five SIEM Futures (2012)
Five SIEM Futures (2012)
 
RSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics PresentationRSA 2016 Security Analytics Presentation
RSA 2016 Security Analytics Presentation
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton ChuvakinFive Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin
 
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton ChuvakinPractical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
Practical Strategies to Compliance and Security with SIEM by Dr. Anton Chuvakin
 
SIEM Primer:
SIEM Primer:SIEM Primer:
SIEM Primer:
 

Último

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 

Último (20)

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024Manulife - Insurer Transformation Award 2024
Manulife - Insurer Transformation Award 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 

Log Analysis Across System Boundaries for Security, Compliance, and Operations

  • 1. Log Analysis Across System Boundaries for Security, Compliance, and Operations Dr. Anton Chuvakin WRITTEN: 2007 DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful for to my readers, please keep in mind that is was possibly written years ago. Also, keep in mind that some of the URL might have gone 404, please Google around. This article covers the importance of utilizing a cross-platform log management approach rather than a siloed approach to aggregating and reviewing logs for easier security and compliance initiatives. All IT users, whether malicious or not, leave traces of their activity in various logs, generated by IT components, such as firewalls, routers, server and client operating systems, databases and even business applications. Such logs accumulate, creating mountains of log data. At the same time, more organizations are starting to become aware of the value of collecting and analyzing such data: it helps them keep an eye on the goings-on within the IT infrastructure-- the who’s, what’s when’s, and where’s of everything that happens. This also makes sense given the growing emphasis on data security (all companies want to avoid becoming the next TJ Maxx) and evolving regulatory compliance mandates such as PCI DSS and SOX. Of course, simply generating and collecting the logs is only half the battle. Being able to quickly search and report on log data in order to detect, manage, or even predict, security threats and to stay on top of compliance requirements is the other half. Logs have traditionally been handled by reviewing them on their individual points of origin and usually only after a major incident. Such approach is simply not working in this age of data breaches and stringent compliance requirements. It is not only inefficient and complex, but it also can cost a Fortune 1000–sized company millions of dollars and take weeks, thus destroying or severely reducing the positive effects of such “log review.” Today the call to action is shifting from merely having log data to centralized data collection, real-time analysis and in-depth reporting and searching to address IT security and regulatory compliance issues. Thus, the main log-related goals of a company should be both to enable log creation and centralized collection and then to find a way to search and review log data from disparate points of origin across the system boundaries, across the IT infrastructure. Let’s first look at what these logs are.
  • 2. First, because logs contain information about IT activity, all logs generated within an organization could have relevance to computer security and regulatory compliance. Some logs are directly related to computer security: for example, intrusion detection alerts are aimed at notifying users that known malicious or suspicious activity is taking place. Other logs, such as server and network device logs, are certainly useful to information security, but in less direct ways. Server logs, such as those from Unix, Linux, or Windows servers, are automatically created and maintained by a server of activity performed on it; they represent activity on a single machine. Server logs are especially useful in cases of insider incidents; given that an insider attack or abuse might not involve any network access as well as not trigger intrusion detection systems and happen purely on the same system (with attackers using the console to use the system), server logs shed the most light on the situation. Relevant logged activities on a server include login success/failure, account creation and deletion, account settings and password changes, and file access, altering, or deletions and usually contain the information on the user who performed the actions. Network logs, on the other hand, describe data being sent and received over the network, so it makes sense that these are best-suited assist in detecting and monitoring abnormal network activity. Unlike server logs, which are limited to one machine and indicate only activity, network logs indicate a connection on the network, a source, and a destination. Relevant information found in network logs include the time a message was sent or received, the direction of the message, which network protocol was used to transmit the message, the total message length, and the first few bytes of the message. On the other hand, such logs typically do not provide the information on the actual user who attempted the connection. All logs (security, server, network, and others) make up one piece of the puzzle of IT infrastructure activity, so it makes sense that all log data is crucial to enterprise security, to regulatory compliance, and to IT operations. However, given the number of sources of logs and the varying information the logs contain, there are many different pieces of the IT infrastructure puzzle. While one can try to look at logs in siloed fashion, the logs will then fail to form the “big picture” of enterprise activity. Let us provide a few compelling reasons in favor of centralized log collection and cross- device analysis. First, logs from disparate sources reviewed in the context of other logs offer situational awareness which is key not only to managing security incidents but also to a company’s day-to- day IT operations. Routine log reviews and more in-depth analysis of stored logs from all sources simultaneously are beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems and for providing information useful for resolving such problems. Moreover, when responding to an incident, one needs to review all possible evidence, which means all the logs from all the affected and suspect systems. One query across all logs saves
  • 3. time, and incident response, whether to internal and external security threats, requires quick access to all logs to figure out the details of the breach, especially if it involves more than one part of the IT infrastructure. For example, searching for a user or an IP address across 4000 servers might take days if one has to login to each server, find the logs and perform the searches. If logs are centralized and optimized for searching, it will literally take seconds or less. And we can’t ignore the high degree of operational efficiency that accompanies having all logs in one place. Further, troubleshooting issues across all systems becomes a one-click process, as does running high-level trend reports across all systems in a business unit. To seek out log data from individual sources, administrators have to consider too many things and spend too much time piecing together information to be efficient. But a single point of control means that with the click of a button, all relevant information can be at their fingertips and with a tweak of one knob, all logging configurations can be updated as security policies and compliance mandates evolve. What is no less relevant is a current onslaught of compliance mandates. Further pushing IT professionals towards a cross-device approach to log analysis, many compliance mandates put forth a broad call to action to examine and review logs, not specifically database logs, not only server logs, not just network logs…logs generally. For example, the Federal Information and Security Management Act (FISMA, via NIST SP 800-53 and NIST SP 800-92) describes the broad need for log management in federal agencies and how to establish log management controls including the generation, review, protection, and retention of audit records, and steps to take in the event of audit failure. The Health Insurance Portability and Accountability Act of 1996 (HIPAA, via NIST SP 800-66) describes the need for regular evaluation of information system activity by reviewing a variety of logs (including audit logs and access reports). The Payment Card Industry Data Security Standard (PCI DSS) mandates logging specific details and log review procedures to prevent credit card fraud, hacking, and other related security issues in companies that store, process, or transmit credit card data. Requirement 10 requires that logs for all system components be reviewed at least daily and those from in-scope systems be stored for at least one year as well as protected. Thus, the above regulations call for central control over all log retention, stringent access control and other log protection for evidentiary purposes and even logging access to all logs. All of these are only possible when logs are centralized. Another critical benefit of centralized log collection and cross-domain log analysis is that it enables privileged user monitoring by removing the logs from the control of the privileged IT users such as system and network administrators. Abuse of system and data access or even data theft by trusted users is unfortunately all too common and logging is one way to curtail that. Log data integrity of log data in a centralized repository can also be guaranteed by the access control rules based on the “need to know” basis, logging all access and the use of cryptographic technologies, such as hashing and encryption. In essence, the need to paint a total picture of IT infrastructure activity and the broad requirement of key regulatory compliance mandates to review logs generally means that IT professionals need to find a way to execute cross-boundary log analysis. Of course, this approach requiring centralized retention of logs from disparate sources has benefits.
  • 4. The key point to remember is that any information that can be gleaned from log data is always present in enterprise logs. However, the limiting factor to how well that information can be put to good use is how quickly and efficiently the log data that contain it can be retrieved, searched, and reported on. If a company’s IT staff can not access the appropriate logs in time and as a result must spend all of its time fire-fighting security breaches rather than proactively preventing such breaches before they become major problems, this does not maximize efficiency and it leaves the company open to even more security threats as the team struggles to catch up. Log data storage in a centralized repository and cross-device analysis allows those seeking information to bypass the time- and- resource-consuming process of combing through each individual source of log data and piecing the information together afterwards. Instead of spending their time either searching for information, administrators have the data they need at their fingertips and also can proactively review any log data that might indicate abnormal activity and address security, compliance and operational issues before they become major company blunders. In order to maintain efficiency and effectiveness, enterprises must be able to break down log silos and allow the intelligent analysis of log data from disparate sources. ABOUT THE AUTHOR: This is an updated author bio, added to the paper at the time of reposting in 2009. Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the field of log management and PCI DSS compliance. He is an author of books "Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information Security Management Handbook" and others. Anton has published dozens of papers on log management, correlation, data analysis, PCI DSS, security management (see list www.info-secure.org) . His blog http://www.securitywarrior.org is one of the most popular in the industry. In addition, Anton teaches classes and presents at many security conferences across the world; he recently addressed audiences in United States, UK, Singapore, Spain, Russia and other countries. He works on emerging security standards and serves on the advisory boards of several security start-ups. Currently, Anton is developing his security consulting practice, focusing on logging and PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the world about the importance of logging for security, compliance and operations. Before LogLogic, Anton was employed by a security vendor in a strategic product management role. Anton earned his Ph.D. degree from Stony Brook University.