Preventing The Next Data Breach Through Log Management
by Ben Goodman, Principal Strategist, Novell

TRANSCRIPT

Page 1: Preventing The Next Data Breach Through Log Management
Ben Goodman, Principal Strategist, Novell, Inc.
Page 2: Agenda
• Why Should You Care?
• The Bottom Line
• Solutions
• Next Steps
Page 3: Why Should You Care?
Page 4: Business/IT Trends, From Security's Perspective
• Economy
• Cloud/SAAS
• Virt. (virtualization)
• Mobile
• Social Networks
Page 5: Infosec Trends Collide
The business/IT trends from the previous slide (Economy, Cloud/SAAS, Virt., Mobile, Social Networks) collide with:
• Cybercrime
• APT
• G2B Hacking
Page 6: The Bottom Line
Page 7: The Bottom Line
• IT trends are exposing organizations to more risk
• Strong incentives for hackers
• An unsustainable and explosive situation
• Security organizations are underfunded
• It is hard for business leaders to understand the expenses
• The focus is on compliance, but compliance only protects your organization against fines
• In order to do your job, you must fight for mandate and budget like never before
Page 8: Start with a Few Assumptions
• No endpoint is secure
• Employees will get duped into doing bad things
• Not all employees have the best intentions
• You will be breached; the question is just how badly
• Business leaders must justify investments to a higher authority
• Criminals are lazy
Page 9: No Endpoint is Secure
• Too many threat vectors to guard against them all
– Social networking
– 0-day vulnerabilities
– Malware
– SQL injection
• Your employees will get duped
• Your employees could even be getting paid
Page 10: You Are Breached
• Research suggests that a large portion of botnets comes from corporate networks
– Can you guarantee every endpoint on your network is completely malware free?
• Start from the perspective that every endpoint on your network is already breached
• Trust must be earned before being granted
• Authentication only guarantees access
• Inspect every tr
Page 11
“IT administrators were responsible for more data compromises than any other insider role. [However,] many will note the rather small difference between breaches caused by other employees and IT administrators. These findings are a reminder that high levels of access are not necessary in order to compromise data.”
– Verizon Business, 2008 Data Breach Investigations Report
Page 12: Security Today
• Keep “bad guys” away from the network
• Build a gigantic wall around the enterprise
• Deploy point technologies to guard against specific threat vectors at the edge
Page 13: Today's Reality
• Data and workloads moving off-premise
• Threats from insiders and outsiders...
• Targeted attacks increasing
Page 14: Targeted Attacks Pose a Problem
• Blurs the lines between an insider and an outsider
• Hackers are incredibly good at covering their tracks
– Heartland Data Systems: it took nine weeks of intense scrutiny to discover something was wrong
• The evidence is there, but buried under a mountain of data!
The central challenge of security is filtering the noise and finding inconsistencies in the data.
Page 15
“Evidence of events leading up to 82 percent of data breaches was available to the organization prior to actual compromise. Regardless of the particular type of event monitoring in use, the result was the same: information regarding the attack was neither noticed nor acted upon.”
– Verizon Business, 2008 Data Breach Investigations Report
Page 16: Solutions
Page 17: The Next Generation Security Program
Layered diagram, from the base up:
• Basic blocking and tackling: Firewall, Anti-virus, Access Controls, IDS/IPS, Vuln Scan
• Security Intelligence: Log Management, SIEM + IAM
• User Activity Monitoring
Page 18: What is Log Management, anyway?
• A tool for collecting and storing large amounts of security logs, with the ability to search and report
• Typically deployed as a response to some sort of regulatory mandate
– PCI
– Sarbanes-Oxley
– HIPAA
• Often takes the place of a home-grown log aggregation system
Page 19: Silos of Data, Manual Processes and Little Insight
What's happening? Each silo produces its own data (syslogs, logs, tables):
• Network Infrastructure: Routers, Switches, VPN Concentrators
• Databases: Oracle, SQL Server, DB2
• Security Devices: Firewalls, IDSs, IPSs, A/V
• Workstations and Servers: Windows, Unix, Netware
• Mainframes: RACF, ACF2, TopSecret
• Applications: SAP, Oracle, Home Grown
Must translate disparate data to standard regulatory language.
Security requires: Collect, Consolidate, Understand, Analyze, Notify, Report. Not practical with manual processes.
Page 20: Basic Log Management Functions
• Collecting logs from various network devices, security applications, and business applications
• Storing these logs for some defined retention period – ideally at the lowest possible cost
• Searching through the stored logs on an ad-hoc basis for forensics, to find anomalies, etc.
• Sending reports to analysts, managers, etc. at periodic intervals to fulfill operational or regulatory requirements
Page 21: What's In a Log?
• Certain activities that take place on a system generate an event or log file
– Successful and failed login
– Ports open/close
– Privilege escalation
• Syslog is a standard for taking these log files and streaming them to a central location
– Wikipedia: “Syslog ... allows separation of the software that generates messages from the system that stores them and the software that reports and analyzes them. It also provides devices, which would otherwise be unable to communicate, a means to notify administrators of problems or performance.”
• If syslog is just a stream of information, how do you make it useful?
– Not much is provided by default
– You can save syslog to a file and grep through it – a completely manual effort
Page 22: Events Explained
• Source + Priority + Message = Syslog Event
• ftp + warning + failed login
• lpr + notice + low on ink
• auth + warning + privilege escalation failed
How do I know if something is wrong? Can I search through these events? Can I create a report to see all the failed logins last week?
Page 23: Using Log Management for Prevention
• Log management provides the transparency required to discover potential threats and vulnerabilities
– Requires a certain amount of diligence
• Use log management to discover
– If devices or software are misconfigured
– Who is accessing data or files
– Who is changing configurations
– Who has access to sensitive data and systems (and then go and limit those with access where possible)
– Whether administrators are sharing passwords or abusing privileged access
Page 24: Using Log Management for Detection
• Log management can help determine whether a breach event has occurred
– Knowing that you've been breached is often extremely difficult
• Diligent log management tells you
– If a new user was unexpectedly created
– Who has elevated permissions
– If the volume of attacks increases
– If a vulnerable system was targeted with an exploit
– Whether a configuration was tampered with
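The slides on events (page 22) and detection (page 24) describe the pipeline in words: decode source + priority + message from a syslog stream, search it, report on it, and watch for an unexpected new account or a rising volume of attacks. The Python below is an added example written for this transcript; it is not Novell code and not part of the original deck. It assumes BSD-style syslog lines of the shape `<PRI>Mon dd HH:MM:SS host tag[pid]: message` (PRI = facility × 8 + severity, per RFC 3164), the sample lines in `SAMPLE_LOG` are constructed, and the year is supplied by the caller because BSD syslog timestamps do not carry one. The functions `search`, `failed_login_report`, `unexpected_users` and `login_failure_spike` are illustrative names, not a product API.

```python
import re
from collections import Counter
from datetime import datetime

# Syslog facility and severity names in RFC 3164 numbering; PRI = facility * 8 + severity.
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

# Assumed line shape: "<PRI>Mon dd HH:MM:SS host tag[pid]: message" (pid optional).
LINE_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) "
                     r"(?P<host>\S+) (?P<tag>[^:\[\s]+)(?:\[\d+\])?: (?P<msg>.*)$")

# Constructed sample stream modelled on the slide's examples: ftp/warning, lpr/notice, auth/warning.
# <92> = ftp(11)*8 + warning(4); <53> = lpr(6)*8 + notice(5); <36> = auth(4)*8 + warning(4).
SAMPLE_LOG = """\
<92>Mar 10 08:01:12 ftp01 ftpd[412]: failed login for user alice from 10.0.0.9
<53>Mar 10 08:02:40 print01 lpd[77]: low on ink
<92>Mar 10 08:03:05 ftp01 ftpd[412]: failed login for user alice from 10.0.0.9
<36>Mar 10 09:15:30 web01 sudo[2001]: privilege escalation failed for www-data
<38>Mar 11 02:10:00 web01 useradd[2088]: new user: name=backup2, UID=1007
<92>Mar 11 02:11:15 ftp01 ftpd[412]: failed login for user root from 198.51.100.7
<92>Mar 11 02:11:16 ftp01 ftpd[412]: failed login for user root from 198.51.100.7
<92>Mar 11 02:11:17 ftp01 ftpd[412]: failed login for user admin from 198.51.100.7
<92>Mar 11 02:11:18 ftp01 ftpd[412]: failed login for user admin from 198.51.100.7
<54>Mar 11 02:12:00 print01 lpd[77]: job 42 printed
this line is not syslog at all and is dropped by the parser
"""

def parse_line(line, year=2024):
    """Split one line into source (facility), priority (severity) and message; None if malformed.
    A PRI above 191 is outside the defined facility range and is rejected rather than indexed."""
    m = LINE_RE.match(line)
    if not m or int(m.group("pri")) > 191:
        return None
    pri = int(m.group("pri"))
    return {
        "time": datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S"),
        "facility": FACILITIES[pri // 8],
        "severity": SEVERITIES[pri % 8],
        "host": m.group("host"),
        "tag": m.group("tag"),
        "msg": m.group("msg"),
    }

def parse_log(text, year=2024):
    """Parse a whole stream, silently skipping lines that do not match the expected shape."""
    return [e for e in (parse_line(l, year) for l in text.splitlines()) if e]

EVENTS = parse_log(SAMPLE_LOG)

def search(events, facility=None, severity=None, text=None):
    """Ad-hoc search over stored events: the 'can I search through these events?' question."""
    return [e for e in events
            if (facility is None or e["facility"] == facility)
            and (severity is None or e["severity"] == severity)
            and (text is None or text in e["msg"])]

def failed_login_report(events, start, end):
    """Report: failed logins per host within [start, end], e.g. 'all the failed logins last week'."""
    return dict(Counter(e["host"] for e in events
                        if "failed login" in e["msg"] and start <= e["time"] <= end))

USER_RE = re.compile(r"name=(\w+)")

def unexpected_users(events, approved):
    """Detection (page 24): accounts created by useradd that are not on the approved list."""
    found = []
    for e in events:
        m = USER_RE.search(e["msg"]) if e["tag"] == "useradd" else None
        if m and m.group(1) not in approved:
            found.append((e["time"], e["host"], m.group(1)))
    return found

def login_failure_spike(events, bucket_minutes=5, threshold=3):
    """Detection (page 24): hosts whose failed logins in one fixed time bucket reach the threshold,
    i.e. the volume of attacks increasing. Returns sorted (host, bucket start, count) tuples."""
    counts = Counter()
    for e in events:
        if "failed login" in e["msg"]:
            t = e["time"]
            start = t.replace(minute=t.minute - t.minute % bucket_minutes, second=0, microsecond=0)
            counts[(e["host"], start)] += 1
    return sorted((h, s, n) for (h, s), n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print(failed_login_report(EVENTS, EVENTS[0]["time"], EVENTS[-1]["time"]))
    print(unexpected_users(EVENTS, approved={"alice", "bob"}))
    print(login_failure_spike(EVENTS))
```

Two points the slide's questions hinge on: the same grep over a flat file answers only the query you already thought of, whereas once each event carries decoded facility, severity, host and time, the report and both detections are a few lines each; and the two failed logins at 08:01 and 08:03 stay below the threshold while the burst at 02:11 trips it, which is the difference between a typo and a credential-guessing run.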
Page 25: Using Log Management for Investigation
• Event logs are the most critical footprints within the enterprise for reconstructing an actual breach
– Log management provides visibility across all your IT infrastructure
– Allows root cause analysis
• Use log management to determine what happened and how it happened, in order to remediate or mitigate:
– Which systems and applications were compromised
– The attack vector that was used
– Which security systems failed
– If the attack was detected but not acted on
– If the attack was external or due to an insider (malicious or otherwise)
Page 26: Next Steps
Page 27: Building User Activity Monitoring
• UAM is the weapon against trustless computing
• Inject context into security events
– Identities
– Asset information
• Examine transactions with all available information
– Determine what happened, who did it, and whether you should care
• Mine the data for inconsistencies
• Where to start?
Page 28: The Maturity Model
Levels, from bottom to top (diagram labels: CISO; “Compliance is the Driver”):
• Log Management: Audit / Compliance Reporting; Collection, Storage, Analysis; Advanced Analytics
• Security Monitoring and Remediation: Real-time Monitoring; Historical Analysis; Automated Remediation
• User Activity Monitoring: Manage User Access Risk; Monitor Identity Fraud; Enterprise View
Page 29: Security Management Capabilities
• Security Monitoring and Remediation
– Detect and report on security anomalies to reduce risk
– Automate remediation to improve security
• Log Management
– Collect, archive, and report on log data
– Forward data for further analysis
Page 30: The Hacker
• Manually checking system logs is prone to error
Diagram (Intruder, Payment-processing System):
– The intruder hacks into the payment-processing system.
– The intruder steals customers’ credit and debit card numbers.
– The payment-processing system logs the malicious activity.
– With so many logs to monitor, administrators overlook the activity.
Page 31: Real-time Monitoring and Remediation
• Real-time monitoring and remediation stops malicious activity when it occurs
Diagram (Intruder, Payment-processing System, IT Security Team):
– The intruder hacks into the payment-processing system.
– The payment-processing system logs the malicious activity.
– Recognizing the activity as out of policy, the system takes immediate action…
– …like alerting the IT security team and locking down the payment-processing system.
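Page 27 asks for identity and asset context to be injected into each event so the questions "what happened, who did it, should I care?" can be answered, and page 31 has the system recognize an out-of-policy event and respond by alerting the security team and locking down the payment-processing system. The Python below is an added example written for this transcript; it is not Novell's Sentinel or any other product's code and not part of the original deck. The identity directory, asset inventory, policy rules and the five events are all constructed and assumed to have already been normalized by a log-management layer into user/host/action fields; `enrich`, `evaluate` and `run` are illustrative names.

```python
# Constructed identity directory and asset inventory (assumed shapes); in practice these are
# fed from the IAM system and the CMDB, which is the "inject context" step on page 27.
IDENTITIES = {
    "alice": {"role": "dba", "status": "active", "dept": "payments"},
    "bob": {"role": "developer", "status": "active", "dept": "web"},
    "carol": {"role": "contractor", "status": "terminated", "dept": "payments"},
}
ASSETS = {
    "pay-db01": {"criticality": "high", "data": "cardholder", "owner": "payments"},
    "web01": {"criticality": "medium", "data": "public", "owner": "web"},
}
UNKNOWN_ID = {"role": "unknown", "status": "unknown", "dept": "unknown"}
UNKNOWN_ASSET = {"criticality": "unknown", "data": "unknown", "owner": "unknown"}

# Constructed events, already normalized into fields by the log-management layer.
EVENTS = [
    {"time": "2024-03-11T02:10:00", "user": "alice", "host": "pay-db01",
     "action": "query", "detail": "SELECT count(*) FROM cards"},
    {"time": "2024-03-11T02:12:00", "user": "carol", "host": "pay-db01",
     "action": "login", "detail": "ssh from 203.0.113.5"},
    {"time": "2024-03-11T02:13:00", "user": "bob", "host": "pay-db01",
     "action": "config_change", "detail": "edited pg_hba.conf"},
    {"time": "2024-03-11T09:00:00", "user": "bob", "host": "web01",
     "action": "config_change", "detail": "deploy v2.3"},
    {"time": "2024-03-11T09:05:00", "user": "svc_tmp", "host": "web01",
     "action": "login", "detail": "ssh from 10.0.0.4"},
]

def enrich(event):
    """Attach identity and asset context to a raw event. A user or host missing from
    either source is not ignored: the 'unknown' placeholder is itself matched by a rule."""
    e = dict(event)
    e["identity"] = IDENTITIES.get(event["user"], UNKNOWN_ID)
    e["asset"] = ASSETS.get(event["host"], UNKNOWN_ASSET)
    return e

# Policy: (rule name, predicate over an enriched event, severity, response).
# Only the enriched fields make these expressible; the raw log line carries none of them.
RULES = [
    ("terminated-identity-active",
     lambda e: e["identity"]["status"] == "terminated", "critical", "lockdown"),
    ("config-change-on-critical-asset-by-non-owner",
     lambda e: e["action"] == "config_change" and e["asset"]["criticality"] == "high"
     and e["identity"]["dept"] != e["asset"]["owner"], "high", "alert"),
    ("cardholder-data-touched-by-non-owner",
     lambda e: e["asset"]["data"] == "cardholder"
     and e["identity"]["dept"] != e["asset"]["owner"], "high", "alert"),
    ("unknown-identity-or-asset",
     lambda e: e["identity"]["role"] == "unknown"
     or e["asset"]["criticality"] == "unknown", "medium", "alert"),
]

def evaluate(event):
    """Answer 'what happened, who did it, should I care' for one event: every rule it violates,
    with the identity and asset facts the answer rests on."""
    e = enrich(event)
    return [{"time": e["time"], "user": e["user"], "role": e["identity"]["role"],
             "host": e["host"], "action": e["action"], "rule": name,
             "severity": sev, "response": resp}
            for name, pred, sev, resp in RULES if pred(e)]

def run(events):
    """Stream events through the policy and take the page 31 response: an alert to the
    security team for every finding, plus a lockdown of the asset on a critical one."""
    state = {"findings": [], "alerts": [], "locked": set()}
    for ev in events:
        for f in evaluate(ev):
            state["findings"].append(f)
            state["alerts"].append(f"{f['severity'].upper()} {f['rule']}: {f['user']} "
                                   f"({f['role']}) {f['action']} on {f['host']} at {f['time']}")
            if f["response"] == "lockdown":
                state["locked"].add(f["host"])
    return state

if __name__ == "__main__":
    result = run(EVENTS)
    for line in result["alerts"]:
        print(line)
    print("locked down:", sorted(result["locked"]))
```

Note what the context changes: the DBA's query against the card table and the developer's deploy on the web server raise nothing, while the identical "login" and "config_change" actions become findings only because the identity feed says the contractor was terminated and the asset inventory says the developer does not own the cardholder system. A log viewed without that context shows four logins and two config changes and nothing else.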
Page 32: Apply
• Quantify the risks to the business
– Show cost and likelihood; estimate how security investments reduce each
• Survey the technology in place today
– Tie each investment to the risk it is reducing, or the agility it is enabling
• Build out metrics to capture the value of each piece
– Establish a baseline
– Compare to industry norms
– Show how specific investments will impact metrics
• Establish a weekly or monthly cadence with a cross-functional security team