zero visibility: criticality of centralized log management - v1
DESCRIPTION
Presentation I gave on the importance of budgeting for a central log management solution.
TRANSCRIPT
“Zero Visibility”: Criticality of Centralized Logging
Prepared by: Anthony Asher, CISSP, CEH
1. Quiz
2. Evolution of IT Attacks
3. Compliance Requirements
4. Potential Solutions
Quiz – #1: What is this device?
Quiz – #2: … and this device?
Quiz – Question 3: What do these things have in common? (Geiger counter, seismograph)
Answer: Used to detect and identify events, so that an action plan can be followed to lower risk.
Evolution of IT Attacks
> 1998
• Technical issue
• Unix
• Servers
• Attacks were nuisance
1998 - 2002
• Technical/Business issue
• Windows systems
• Servers
• Attacks were nuisance
2002 - Now
• Technical/Business/Legal
• Applications
• Windows
• Attacks for money
[Chart: MSRT disinfections by category, 2H05 – 2H07 (x-axis 0–20 millions); categories: PWS / Keyloggers, Viruses, Rootkits, Worms, Trojans, Downloaders / Droppers, Backdoors; periods 2H05, 1H06, 2H06, 1H07, 2H07]
Evolution of IT Attacks (cont.)
Compliance Requirements & Penalties
Regulation       Data Retention Requirements   Penalties
Sarbanes-Oxley   5 years                       Fines to $5M
PCI              Corporate Policy              Fines / Loss of CC
GLBA             6 years                       Fines
FISMA            3 years                       Fines
HIPAA            6 years                       $25,000
NERC             3 years                       TBD
Compliance Requirements & Penalties – ISO 27001, Section 10, 10.10.1-5
10.10.1 Audit Logging: “Audit logs recording user activities, exceptions, and information security events shall be produced and kept...”
10.10.2 Monitoring System Use: “Procedures for monitoring use of information processing facilities shall be established and results reviewed.”
10.10.3 Protection of log information: “Logging facilities and log information shall be protected against tampering and unauthorized access.”
10.10.4 Administrator and operator logs: “System administrator and system operator activities shall be logged.”
10.10.5 Fault Logging: “Faults shall be logged, analyzed, and appropriate action taken.”
Log Management Business Objectives
Security: Are security policies being followed?
Forensics: Can legally admissible proof be shown?
Compliance: Can compliance be substantiated and gaps identified?
IT Operations: Can IT operations be improved?
Current IT Infrastructure
Average Environment:
[Diagram: servers x 176, spread across x 17 client environments]
Current IT Infrastructure
Average Environment:
[Diagram: servers, domain, policy and logging per environment; a single logging point per logging domain]
“Bottom Line: Log analysis is increasing in importance for regulatory compliance and overall enterprise monitoring and security” – Paul Proctor, META Group
Future IT Infrastructure
[Diagram: servers and policy per environment feeding centralized logging, with analysis, reporting and alerting]
Individual environments become part of a larger, enterprise-wide system, with central analysis, alerting and reporting.
Solutions – Software Agent
[Diagram: an agent process (e.g. Lasso, Snare) on each server forwards to the primary site, which produces reports & alerts]
Solutions – Appliance
[Diagram: an appliance process collects events (Event 560, Event 680, Event 681) from servers and produces reports & alerts]
Research - Centralized Logging
Research: Reviewed over fifteen products, from open source to enterprise. Participated in vendor demonstrations. Research paper on portal.
Communications: Participated in security consortiums, initiated with Common Tools Team, interviewed NSS Security, and discussed with NOC.
Potential Solutions: Currently working to narrow solutions, and scope potential options based on Unisys requirements.
Goal: Implement a centralized logging solution to allow policy compliance, and prevent security violations by having higher visibility into security events.
Extended H@(|<5
“hackers managed to steal data from transactions that occurred between November 2003 and April 2004.”
“…install programs that gathered enormous quantities of personal financial data”
"I suspect that a lot of people are unaware that their identifying information has been compromised," – U.S. Attorney Michael Sullivan
Questions?
References
• Kevin Mandia – President & CEO, Mandiant
• Michael Suby – Director, Stratecast
• Microsoft Security Intelligence Report (July – December 2007)
• LogLogic – Best Practices for Log Management