Title: Enterprise Logging and Log Management: Hot Topics
Date & Time: Thursday, April 1, 2010, 11:00am Eastern
Capturing log information is critical to IT organizations for many reasons, including for security incident detection and response, and for compliance with numerous regulations and standards. Join one of the foremost experts on log management, Dr. Anton Chuvakin, as we discuss enterprise logging challenges and issues.
Enterprise Logging and Log Management: Hot Topics by Dr. Anton Chuvakin
1. Enterprise Logging and Log Management: Hot Topics Dr. Anton Chuvakin Security Warrior Consulting www.securitywarriorconsulting.com April 2010
2. Note Full recording with voice and Q&A session at the end can be found here. Q&A can also be found on my blog: http://chuvakin.blogspot.com (search for “open group log hot topics”)
3. Outline
- Logs and Logging Intro
- Log Management Intro
- Logging Questions – and Answers
- Log Management Mistakes
- Conclusions
- Quick Look at the Future of Logging!
11. Log Chaos - Login?
<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
<122> Mar 4 09:23:15 localhostsshd[27577]: Accepted password for anton from ::ffff:192.168.138.35 port 2895 ssh2
<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: POWERUSER
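The four lines on this slide all record the same thing, a login, in four unrelated formats. The "chaos" is what a log management tool has to undo before any cross-source review is possible. The following normalizer is an added example, not code from the slides or from Security Warrior Consulting; the sample lines are constructed to mirror the slide's NetScreen, Cisco IOS, OpenSSH and Windows event 680 messages (plus one constructed sshd failure so both outcomes appear), and the common schema, the `LoginEvent` field names and the IPv4-only source-address handling are assumptions.

```python
"""Normalize heterogeneous login messages into one schema (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines modelled on the "Log Chaos" slide. The sshd line is
# written "localhost sshd" as a real syslog line would be; the last line is a
# constructed sshd failure (198.51.100.7 is a documentation address).
SAMPLE_LINES = [
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: "
    "Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS:LoginSuccess [user:anton] [Source:10.4.2.11] "
    "[localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for anton "
    "from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Failure Audit ENTERPRISE Account Logon "
    "Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: POWERUSER",
    "<122> Mar 4 09:24:01 localhost sshd[27590]: Failed password for invalid user admin "
    "from 198.51.100.7 port 4410 ssh2",
]


@dataclass
class LoginEvent:
    """Assumed common schema: the minimum a cross-source login review needs."""
    source_type: str
    user: str
    src_ip: Optional[str]  # None when the format carries no address (the Windows line)
    outcome: str           # "success" or "failure"
    raw: str               # original line kept for forensics


# Vendor-specific outcome words mapped onto the common vocabulary.
OUTCOME = {
    "logged on": "success",                      # NetScreen admin login
    "SUCCESS": "success", "FAILED": "failure",   # Cisco IOS %SEC_LOGIN-*
    "Accepted": "success", "Failed": "failure",  # OpenSSH sshd
    "Success": "success", "Failure": "failure",  # Windows audit events
}

# One parser per format; each yields the groups user, outcome and (where present) ip.
PARSERS = [
    ("netscreen", re.compile(
        r"Admin User (?P<user>\S+) has (?P<outcome>logged on) via \S+ from (?P<ip>[\d.]+):\d+")),
    ("cisco_ios", re.compile(
        r"%SEC_LOGIN-\d-LOGIN_(?P<outcome>SUCCESS|FAILED):.*?"
        r"\[user: ?(?P<user>[^\]]+)\] \[Source: ?(?P<ip>[^\]]+)\]")),
    ("sshd", re.compile(
        r"sshd\[\d+\]: (?P<outcome>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
        r"from (?:::ffff:)?(?P<ip>[\d.]+) port \d+")),   # IPv4-mapped/IPv4 only (assumption)
    ("windows", re.compile(
        r"\b(?P<outcome>Success|Failure) Audit\b.*?Logon account: (?P<user>\S+)")),
]


def normalize(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for a recognised login line, or None for anything else."""
    for source_type, pattern in PARSERS:
        match = pattern.search(line)
        if match:
            fields = match.groupdict()
            return LoginEvent(source_type, fields["user"], fields.get("ip"),
                              OUTCOME[fields["outcome"]], line)
    return None


def normalize_all(lines):
    """Normalize a batch, silently skipping lines that are not logins."""
    return [event for event in (normalize(line) for line in lines) if event is not None]


def summarize(events):
    """Count events per (source_type, outcome): the first thing a reviewer looks at."""
    counts = {}
    for event in events:
        key = (event.source_type, event.outcome)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for event in normalize_all(SAMPLE_LINES):
        print(f"{event.source_type:10} {event.outcome:8} user={event.user} src={event.src_ip}")
    print(summarize(normalize_all(SAMPLE_LINES)))
```

Note what the Windows line cannot give the schema: event 680 as quoted carries no source address, so `src_ip` is `None` and any source-based review has to treat that field as absent rather than as a value. The raw line is retained on every event so that the normalized record never replaces the evidence it was derived from.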
27. Cloud to the Rescue? Question: do you think “cloud” will make logging better due to APIs, XML, structured data, etc? Answer: “If your security and trust models suck now, you'll be pleasantly surprised by the lack of change when you move to cloud” – Chris Hoff @ Cisco
28. Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology April 2008 http://geer.tinho.net/geer.housetestimony.070423.txt “In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things then up you will have to pay.” Daniel Geer, Sc.D.
29. Logs = Accountability
Accountability is answerability, enforcement, responsibility, blameworthiness, liability
Log management is collecting, retaining and analyzing audit trails across the organization
There is a strong link between accountability and logging
B-I-G Picture: Logs as Enabler of Corporate Accountability
30. Why Log Management?
- Threat protection and discovery
- Incident response
- Forensics, e-discovery and litigation
- Regulatory compliance
- Internal policies and procedure compliance
- Internal and external audit support
- IT system and network troubleshooting
- IT performance management
31. Comp-what?-liance?
- 70-80% of SIEM/log management projects are funded by compliance budgets today
- PCI DSS tops the charts! (see Requirement 10)
- “Buy for compliance, use for security + operations” is very common
- Logging is present in MOST, and is implied by ALL, regulations – perfect compliance technology
32. Use Cases for Log Data Continue to Expand (bar chart; percentage of respondents, N = 123; source: Enterprise Strategy Group, 2007)
Use cases charted: Security detection and remediation; Security analysis and forensics; Monitoring IT controls for regulatory compliance; Troubleshooting IT problems; Monitoring end-user behavior; Service level/performance management; Configuration/change management; Monitoring IT administrator behavior; Capacity planning; Business analysis
Legend: Yes, we use SIM technologies for this today / No, we don’t use SIM technologies for this today, but plan or would like to do so in the future / No, we don’t use SIM technologies for this today and have no plans to do so
Bar values as extracted, one three-value row per use case (the row-to-use-case mapping is not recoverable from the text): 7% 90% 2%; 11% 82% 8%; 14% 77% 9%; 17% 74% 9%; 15% 73% 12%; 15% 69% 16%; 19% 66% 15%; 17% 66% 17%; 24% 54% 22%; 22% 51% 28%
33. However… “The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”
34. Journey to Log Management
- What to log – and why? Logging policy. Note: BOTH operations + development! Note: sometimes based on ‘what to review?’
- What to centralize? Log collection
- What to save? Log retention
- What to look at? Periodic log review procedures. Ad hoc log review happens first
- What to alert on? Log monitoring
40. Logging Questions: How to Do Log Management and Review?
- What are your use cases for log management?
- What motivated you to review logs?
- What logs are looked at periodically?
- What logs are looked at only after an incident?
- What is automated?
- What tools are used for log review? Log management or SIEM? How are they architected?
- Who reviews logs?
41. Top Log Management Mistakes
- Not logging at all
- Approaching logs in a siloed fashion
- Storing logs for too short a time
- Prioritizing the log records before collection
- Ignoring the logs from applications
- Not looking at the logs
- Only looking at what you know is bad
- Thinking that compliance = log storage
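Two of these mistakes, "not looking at the logs" and "only looking at what you know is bad", together with the breach quote on slide 33 (a server that logged only failed logins), can be turned into a concrete periodic review. The code below is an added example, not from the slides or from Security Warrior Consulting. It assumes login events have already been normalized into records with `user`, `src_ip`, `source_type` and `outcome` fields (an assumed schema), and all events and addresses are constructed (the documentation range 203.0.113.0/24 is used for the unfamiliar source). Alongside the classic "known bad" check (repeated failures) it adds two checks that need no signature: successful logins from a user/source pair never seen in the baseline period, and log sources that report failures but never a success, which is the slide 33 gap showing up in the data rather than during the investigation.

```python
"""Periodic log review that looks past 'known bad' (added example)."""
from collections import defaultdict

# Constructed baseline: logins observed in an earlier, reviewed period.
BASELINE_EVENTS = [
    {"source_type": "cisco_ios", "user": "anton", "src_ip": "10.4.2.11", "outcome": "success"},
    {"source_type": "sshd", "user": "anton", "src_ip": "192.168.138.35", "outcome": "success"},
    {"source_type": "netscreen", "user": "netscreen", "src_ip": "10.14.98.55", "outcome": "success"},
    {"source_type": "sshd", "user": "anton", "src_ip": "192.168.138.35", "outcome": "failure"},
]

# Constructed review window: one familiar login, one from a never-seen address,
# and a Windows source that, like the server on slide 33, only ever reports failures.
REVIEW_EVENTS = [
    {"source_type": "cisco_ios", "user": "anton", "src_ip": "10.4.2.11", "outcome": "success"},
    {"source_type": "sshd", "user": "anton", "src_ip": "203.0.113.9", "outcome": "success"},
    {"source_type": "windows", "user": "POWERUSER", "src_ip": None, "outcome": "failure"},
    {"source_type": "windows", "user": "POWERUSER", "src_ip": None, "outcome": "failure"},
    {"source_type": "windows", "user": "backup", "src_ip": None, "outcome": "failure"},
]


def known_pairs(events):
    """(user, src_ip) pairs that logged in successfully during the baseline."""
    return {(e["user"], e["src_ip"]) for e in events if e["outcome"] == "success"}


def unexpected_logins(baseline, events):
    """Successful logins from a user/source pair absent from the baseline.

    No signature is involved: the question asked is 'is this new?', not
    'does this match something I already know is bad?'.
    """
    return [e for e in events
            if e["outcome"] == "success" and (e["user"], e["src_ip"]) not in baseline]


def failure_only_sources(events):
    """Log sources that reported failures but never a success in the window.

    A source that emits one outcome only is usually a logging-policy gap
    (success auditing switched off), not a quiet period.
    """
    outcomes_seen = defaultdict(set)
    for e in events:
        outcomes_seen[e["source_type"]].add(e["outcome"])
    return sorted(src for src, seen in outcomes_seen.items() if "success" not in seen)


def repeated_failures(events, threshold=2):
    """The classic 'known bad' check, kept for contrast: users with repeated failures."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure":
            counts[e["user"]] += 1
    return {user: n for user, n in counts.items() if n >= threshold}


def periodic_review(baseline_events, review_events):
    """Run all three checks and return the findings for the review meeting."""
    baseline = known_pairs(baseline_events)
    return {
        "unexpected_logins": unexpected_logins(baseline, review_events),
        "failure_only_sources": failure_only_sources(review_events),
        "repeated_failures": repeated_failures(review_events),
    }


if __name__ == "__main__":
    for finding, items in periodic_review(BASELINE_EVENTS, REVIEW_EVENTS).items():
        print(f"{finding}: {items}")
```

The baseline is the part that turns "looking at logs" into a routine rather than an incident-driven activity: it only exists if an earlier review happened and its results were kept, so the two mistakes reinforce each other in both directions.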
42. Conclusions
Today:
- The importance of logging will ONLY GROW
- Start logging – then start collecting logs – then start reviewing and analyzing logs
- Software architects and developers need to “get” logging; the security team will have to guide them
- Cloud won’t save us: application logging needs to be dealt with, here or in the cloud!
Quick Look at the Future:
- Logging standards are a MUST – and they will happen
- Pending a global standard, use your own, but make it standard across your application infrastructure
43. Questions?
Dr. Anton Chuvakin
Email: anton@chuvakin.org
Google Voice: +1-510-771-7106
Site: http://www.chuvakin.org
Blog: http://www.securitywarrior.org
LinkedIn: http://www.linkedin.com/in/chuvakin
Consulting: www.securitywarriorconsulting.com
Twitter: @anton_chuvakin
44. More on Anton
- Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc
- Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, Interop, many, many others worldwide
- Standard developer: CEE, CVSS, OVAL, etc
- Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, others
- Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager, etc
- Now: Consultant, http://www.securitywarriorconsulting.com
45. Security Warrior Consulting Services
Logging and log management policy
- Develop logging policies and processes, log review procedures, workflows and periodic tasks, and help architect them to solve organizational problems
- Plan and implement a log management architecture to support your business cases; develop specific components such as log data collection, filtering, aggregation, retention and log source configuration as well as reporting, review and validation
- Customize industry “best practices” related to logging and log review to fit your environment; help link these practices to business services and regulations
- Help integrate SIEM and logging tools and processes into IT and business operations
Content development
- Develop correlation rules, reports and other content to make your SIEM and log management product more useful and more applicable to your risk profile and compliance needs
- Create and refine policies, procedures and operational practices for logging and log management to satisfy the requirements of PCI DSS, HIPAA, NERC, FISMA and other regulations
More at www.SecurityWarriorConsulting.com