Title: Enterprise Logging and Log Management: Hot Topics
Date & Time: Thursday, April 1, 2010, 11:00am Eastern
Capturing log information is critical to IT organizations for many reasons, including for security incident detection and response, and for compliance with numerous regulations and standards. Join one of the foremost experts on log management, Dr. Anton Chuvakin, as we discuss enterprise logging challenges and issues.
No logging guidance for developers
…but you MUST do it!
Log Chaos - Login?
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
<122> Mar 4 09:23:15 localhost sshd: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: POWERUSER
Log Data Overview
From Where? What logs?
Firewalls/intrusion prevention
Various alerts and other messages

BTW, Do Your Logs Look Like This?
%PIX|ASA-3-713185 Error: Username too long - connection aborted
userenv[error] 1030 RCI-CORPwsupx No description available
ERROR: transport error 202: send failed: Success
Aug 11 09:11:19 xx null pif ? exit! 0
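The two slides above make one point: the same event (an administrator login) arrives in four unrelated formats, and a good share of what else arrives carries no usable information at all. The added example below (not part of the original deck, and not Dr. Chuvakin's code) shows the normalization step a log management pipeline has to perform before any review or alerting is possible: each known login format is mapped by its own pattern onto a common schema (source type, user, source address, outcome), and anything that matches no pattern is kept in an "unparsed" bucket rather than silently dropped. The sample lines are the ones from the slides, re-typed as constructed input; the source-type names and the schema fields are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the four "login" messages from the slide plus
# three of the low-information messages, as they might arrive over syslog.
SAMPLE_LINES = [
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
    "Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] "
    "[localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon "
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: POWERUSER",
    "%PIX|ASA-3-713185 Error: Username too long - connection aborted",
    "ERROR: transport error 202: send failed: Success",
    "Aug 11 09:11:19 xx null pif ? exit! 0",
]


@dataclass
class LoginEvent:
    """Common schema every login message is mapped onto (field names are assumptions)."""
    source_type: str
    user: str
    src_ip: Optional[str]   # None when the source format does not carry an address
    outcome: str            # "success" or "failure"
    raw: str                # original line, kept for forensics


# One (source type, pattern, outcome) entry per known format. Each pattern
# captures the user and, where the message has it, the source address.
PATTERNS = [
    ("netscreen", re.compile(
        r"Admin User (?P<user>\S+) has logged on via \S+ from (?P<ip>[\d.]+):\d+"), "success"),
    ("cisco_ios", re.compile(
        r"%SEC_LOGIN-\d-LOGIN_SUCCESS:.*\[user:(?P<user>[^\]]+)\] \[Source:(?P<ip>[^\]]+)\]"), "success"),
    ("sshd", re.compile(
        r"sshd(?:\[\d+\])?: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+"), "success"),
    # Windows event 680 ("Failure Audit") names the account but not the peer address.
    ("windows_680", re.compile(
        r"\b680\b.*Failure Audit.*Logon account: (?P<user>\S+)"), "failure"),
]


def normalize(line: str) -> Optional[LoginEvent]:
    """Map one raw line onto the common schema, or return None if no format matches."""
    for source_type, pattern, outcome in PATTERNS:
        m = pattern.search(line)
        if m:
            groups = m.groupdict()
            return LoginEvent(source_type, groups["user"], groups.get("ip"), outcome, line)
    return None


def normalize_all(lines: List[str]) -> Tuple[List[LoginEvent], List[str]]:
    """Split input into normalized login events and lines nothing could parse."""
    events, unparsed = [], []
    for line in lines:
        ev = normalize(line)
        (events.append(ev) if ev else unparsed.append(line))
    return events, unparsed


if __name__ == "__main__":
    parsed, leftovers = normalize_all(SAMPLE_LINES)
    for ev in parsed:
        print(f"{ev.source_type:12} user={ev.user:10} src={ev.src_ip} outcome={ev.outcome}")
    print(f"{len(leftovers)} line(s) matched no known format and were set aside for review")
```

The unparsed bucket is the important design choice: a pipeline that drops what it cannot parse hides exactly the "null pif ? exit!" class of message that a developer needs to be shown, and a count of unparsed lines per source is itself a cheap health metric for the collection tier.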
Cloud to the Rescue?
Question: do you think “cloud” will make logging better due to APIs, XML, structured data, etc.?
Answer:
“If your security and trust models suck now, you'll be pleasantly surprised by the lack of change when you move to cloud”
Chris Hoff @ Cisco
Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology
April 2008
http://geer.tinho.net/geer.housetestimony.070423.txt
“In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things up then you will have to pay.”
Daniel Geer, Sc.D.
Logs = Accountability
Accountability: accountability is answerability, enforcement, responsibility, blameworthiness, liability
Log Management: log management is collecting, retaining and analyzing audit trails across the organization
There is a strong link between accountability and logging
B-I-G Picture: Logs as Enabler of Corporate Accountability
Why Log Management?
Threat protection and discovery
Incident response
Forensics, e-discovery and litigation
Regulatory compliance
Internal policies and procedure compliance
Internal and external audit support
IT system and network troubleshooting
IT performance management
Comp-what?-liance?
70-80% of SIEM/log management projects are funded by compliance budgets today
PCI DSS tops the charts! (see Requirement 10)
“Buy for compliance, use for security + operations” is very common
Logging is present in MOST, and is implied by ALL, regulations – perfect compliance technology
[Chart: Use Cases for Log Data Continue to Expand. Percentage of respondents, N = 123; source: Enterprise Strategy Group, 2007. Use cases, in the order shown: Security detection and remediation; Security analysis and forensics; Monitoring IT controls for regulatory compliance; Troubleshooting IT problems; Monitoring end-user behavior; Service level/performance management; Configuration/change management; Monitoring IT administrator behavior; Capacity planning; Business analysis. Response options: “Yes, we use SIM technologies for this today”; “No, we don’t use SIM technologies for this today, but plan or would like to do so in the future”; “No, we don’t use SIM technologies for this today and have no plans to do so”.]
However…
“The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”
Journey to Log Management
What to log – and why? Logging policy
Note: BOTH operations + development!
Note: sometimes based on ‘what to review?’
What to centralize? Log collection
What to save? Log retention
What to look at? Periodic log review procedures
Ad hoc log review happens first
What to alert on? Log monitoring
Follow the maturity curve!

Logging Questions: What to Log?
Devices? Systems? Applications?
What approach was taken to determine ‘what to log?’
What data are you logging and why are you logging it?
How do you deal with custom log formats, e.g. from custom applications?
Retention policy: why? How? What? For how long?
Logging Questions: How to Do Log Management and Review?
What are your use cases for log management?
What motivated you to review logs?
What logs are looked at periodically?
What logs are looked at only after an incident?
What is automated?
What tools are used for log review? Log management or SIEM?
How are they architected?
Who reviews logs?
Top Log Management Mistakes
Not logging at all
Approaching logs in silo’ed fashion
Storing logs for too short a time
Prioritizing the log records before collection
Ignoring the logs from applications
Not looking at the logs
Only looking at what you know is bad
Thinking that compliance = log storage
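The mistake "only looking at what you know is bad" is usually fixed by a periodic review that baselines which message types a source normally produces and then surfaces anything it has never produced before, without needing a signature for it. The added example below (not from the deck, and not Dr. Chuvakin's code) does that for a small constructed set of sshd lines: variable fields (timestamp, PID, IP address, port) are replaced with placeholders so lines collapse into message types, a baseline is built from the already-reviewed period, and the new period is checked for types outside the baseline. The placeholder tokens and the choice of which fields to mask are this example's own assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample data (not real logs): messages from an already-reviewed
# period, then a new period containing one message type never seen before.
BASELINE_LINES = [
    "Mar 4 09:23:15 localhost sshd[2001]: Accepted password for anton from 192.168.138.35 port 2895 ssh2",
    "Mar 4 09:25:02 localhost sshd[2002]: Accepted password for anton from 192.168.138.35 port 2901 ssh2",
    "Mar 4 10:01:44 localhost sshd[2003]: Failed password for anton from 192.168.138.35 port 2910 ssh2",
    "Mar 5 08:15:30 localhost sshd[2104]: Accepted publickey for backup from 10.0.0.12 port 41022 ssh2",
]
NEW_LINES = [
    "Mar 6 09:02:11 localhost sshd[2201]: Accepted password for anton from 192.168.138.35 port 3012 ssh2",
    "Mar 6 09:02:40 localhost sshd[2202]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Mar 6 09:03:05 localhost sshd[2203]: Accepted publickey for backup from 10.0.0.12 port 41100 ssh2",
]

# Masking rules, applied in order: the syslog timestamp is removed, then the
# high-cardinality fields are replaced with placeholders. Usernames are
# deliberately left in place so a never-seen account also shows up as new.
_TOKEN_RULES = [
    (re.compile(r"^\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} "), ""),
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"\[\d+\]"), "[<pid>]"),
    (re.compile(r"\b\d+\b"), "<n>"),
]


def message_type(line: str) -> str:
    """Collapse one raw line into its message type by masking variable fields."""
    t = line
    for pattern, replacement in _TOKEN_RULES:
        t = pattern.sub(replacement, t)
    return t


def build_baseline(lines: List[str]) -> Dict[str, int]:
    """Count how often each message type occurred in the reviewed period."""
    return Counter(message_type(line) for line in lines)


def find_new_types(baseline: Dict[str, int], lines: List[str]) -> List[Tuple[str, str]]:
    """Return (message type, first raw line) for each type absent from the baseline."""
    seen = set(baseline)
    found: Dict[str, str] = {}
    for line in lines:
        t = message_type(line)
        if t not in seen and t not in found:
            found[t] = line
    return list(found.items())


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LINES)
    print(f"baseline: {len(baseline)} message types")
    for mtype, example in find_new_types(baseline, NEW_LINES):
        print(f"NEW TYPE: {mtype}\n  first seen as: {example}")
```

Reviewing only the "new types" list scales far better than reading every line, and it is exactly the check that the failure-audit-only server in the earlier quote would have failed: a source that has stopped emitting a type it used to emit (successful logins) is as worth a question as one that has started emitting something new.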
Conclusions
Today:
The importance of logging will ONLY GROW
Start logging – then start collecting logs – then start reviewing and analyzing logs
Software architects and developers need to “get” logging; security team will have to guide them
Cloud won’t save us: application logging needs to be dealt with, here or in the cloud!
Quick Look at the Future:
Logging standards are a MUST – and they will happen
Pending a global standard - use your own, but standard across your application infrastructure
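"Use your own standard, but standard across your application infrastructure" is concrete enough to turn into a small library that every application calls instead of formatting its own strings. The added example below (not from the deck, and not Dr. Chuvakin's or any vendor's code) defines one hypothetical in-house audit record schema: a fixed set of required fields, a UTC ISO 8601 timestamp, a closed outcome vocabulary, and one JSON object per line. The writer strips control characters from caller-supplied values so that a user-controlled string such as a username cannot split one record into two, and the reader refuses records that miss required fields, so a deployment that has drifted from the standard fails at parse time rather than at review time. The field names and outcome values are this example's own assumptions.

```python
import json
from datetime import datetime, timezone
from typing import Dict, Optional

# Hypothetical in-house audit-record standard (an assumption; the slide only
# says to use a standard of your own across the application infrastructure).
REQUIRED_FIELDS = ("ts", "app", "event", "user", "outcome")
OUTCOMES = {"success", "failure", "error"}


def _clean(value: object) -> str:
    """Drop CR/LF and other control characters so one record stays on one line."""
    return "".join(ch for ch in str(value) if ch >= " " and ch != "\x7f")


def audit_record(app: str, event: str, user: str, outcome: str,
                 source_ip: Optional[str] = None,
                 details: Optional[Dict[str, object]] = None,
                 now: Optional[datetime] = None) -> str:
    """Build one audit record as a single JSON line in the common schema."""
    if outcome not in OUTCOMES:
        raise ValueError(f"outcome must be one of {sorted(OUTCOMES)}")
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    record = {
        "ts": stamp,
        "app": _clean(app),
        "event": _clean(event),
        "user": _clean(user),
        "outcome": outcome,
    }
    if source_ip is not None:
        record["src_ip"] = _clean(source_ip)
    if details:
        # Free-form context is allowed, but every value is cleaned the same way.
        record["details"] = {str(k): _clean(v) for k, v in details.items()}
    return json.dumps(record, sort_keys=True, ensure_ascii=True)


def parse_audit_record(line: str) -> Dict[str, object]:
    """Read one record back and reject anything that violates the schema."""
    record = json.loads(line)
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    if missing:
        raise ValueError(f"audit record missing required fields: {missing}")
    if record["outcome"] not in OUTCOMES:
        raise ValueError(f"unknown outcome {record['outcome']!r}")
    return record


if __name__ == "__main__":
    # Constructed sample: an application login, with a username that tries to
    # smuggle a line break into the log.
    line = audit_record("webshop", "login", "anton\r\nforged line", "success",
                        source_ip="192.168.138.35", details={"method": "password"})
    print(line)
    print(parse_audit_record(line)["user"])
```

Writing the record as JSON is not the point; the point is that the same five fields exist in every application's log, so the normalization step shown for network devices earlier becomes unnecessary for in-house software.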
Security Warrior Consulting Services
Logging and log management policy
Develop logging policies and processes, log review procedures, workflows and periodic tasks, as well as help architect those to solve organization problems
Plan and implement log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration, as well as reporting, review and validation
Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
Help integrate SIEM and logging tools and processes into IT and business operations
Content development
Develop correlation rules, reports and other content to make your SIEM and log management product more useful and more applicable to your risk profile and compliance needs
Create and refine policies, procedures and operational practices for logging and log management to satisfy requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com