Six Mistakes of Log Management 2008

This is a full Six Mistakes of Log Management presentation.

Published in: Technology, Business

1. Six Mistakes of Security Log Management
   Dr Anton Chuvakin, GCIA, GCIH, GCFA
   Chief Logging Evangelist, LogLogic, Inc

2. Summary
   - System, Network and Security Logs
   - Why Look at Logs?
   - Brief Log Analysis Overview
   - From Log Analysis to Log Management
   - Log Mistakes: from 0 to 6

3. Log Data Overview
   What logs?
   - Audit logs
   - Transaction logs
   - Intrusion logs
   - Connection logs
   - System performance records
   - User activity logs
   - Various alerts and other messages
   From where?
   - Firewalls/intrusion prevention
   - Routers/switches
   - Intrusion detection
   - Servers, desktops, mainframes
   - Business applications
   - Databases
   - Anti-virus
   - VPNs

4. Login? Logon? Log in?
   Four products, four formats for the same kind of event:
   <122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2
   <13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Success Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: POWERUSER Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574
   <57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006
   <18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)
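As an added example, not part of the deck, here is a small normalizer that turns the four vendor formats above into one login-event record. The four sample lines are the ones on the slide (whitespace collapsed); the extra failed-sshd line, the `LoginEvent` field names and the `source` labels are assumptions made for illustration. One caveat the slide's own data shows: the Windows event 680 record is labelled "Success Audit" yet carries Error Code 0xC000006A (STATUS_WRONG_PASSWORD), so the parser takes the outcome from the error code, never from the audit-type label.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# The four slide lines, whitespace collapsed; the failed-sshd line is constructed.
SLIDE_LINES = [
    "<122> Mar 4 09:23:15 localhost sshd[27577]: Accepted password for kyle from ::ffff:192.168.138.35 port 2895 ssh2",
    "<13> Fri Mar 17 14:29:38 2006 680 Security SYSTEM User Success Audit ENTERPRISE Account Logon Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: POWERUSER Source Workstation: ENTERPRISE Error Code: 0xC000006A 4574",
    "<57> Dec 25 00:04:32:%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user:yellowdog] [Source:10.4.2.11] [localport:23] at 20:55:40 UTC Fri Feb 28 2006",
    "<18> Dec 17 15:45:57 10.14.93.7 ns5xp: NetScreen device_id=ns5xp system-warning-00515: Admin User netscreen has logged on via Telnet from 10.14.98.55:39073 (2002-12-17 15:50:53)",
]
FAILED_SSH = "Mar 5 10:00:00 web1 sshd[3001]: Failed password for invalid user admin from 203.0.113.7 port 4000 ssh2"


@dataclass(frozen=True)
class LoginEvent:
    """One schema for every vendor's idea of a login (field names are ours, not a standard)."""
    source: str            # which format matched
    user: str
    src_ip: Optional[str]  # None where the record carries no peer address
    success: bool
    raw: str


# One regex per format; each captures the user, the outcome and (where present) the peer address.
SSHD = re.compile(r"sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
WIN680 = re.compile(r"\b680\b.*?Logon account:\s+(?P<user>\S+).*?Error Code:\s+(?P<code>0x[0-9A-Fa-f]+)")
CISCO = re.compile(r"%SEC_LOGIN-\d-LOGIN_(?P<result>SUCCESS|FAILED):.*?\[user:(?P<user>[^\]]+)\].*?\[Source:(?P<ip>[^\]]+)\]")
NETSCREEN = re.compile(r"Admin User (?P<user>\S+) has logged on via \S+ from (?P<ip>[\d.]+)(?::\d+)?")


def normalize_ip(text: Optional[str]) -> Optional[str]:
    """Collapse IPv4-mapped IPv6 (::ffff:a.b.c.d, as sshd logs it) to plain IPv4."""
    if text is None:
        return None
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return text
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def parse_login(line: str) -> Optional[LoginEvent]:
    """Return a LoginEvent for a recognised login/logon record, else None."""
    m = SSHD.search(line)
    if m:
        return LoginEvent("sshd", m["user"], normalize_ip(m["ip"]), m["result"] == "Accepted", line)
    m = WIN680.search(line)
    if m:
        # Event 680's outcome is the NTSTATUS in "Error Code": 0x0 is success and
        # 0xC000006A is STATUS_WRONG_PASSWORD, whatever the audit-type label says.
        return LoginEvent("windows-680", m["user"], None, int(m["code"], 16) == 0, line)
    m = CISCO.search(line)
    if m:
        return LoginEvent("cisco-ios", m["user"], normalize_ip(m["ip"]), m["result"] == "SUCCESS", line)
    m = NETSCREEN.search(line)
    if m:
        # Only the success wording is known from the slide, so only that is matched.
        return LoginEvent("netscreen", m["user"], normalize_ip(m["ip"]), True, line)
    return None


def normalize(lines: List[str]) -> List[LoginEvent]:
    """Parse a batch of raw lines, dropping records no parser recognises."""
    return [ev for ev in map(parse_login, lines) if ev is not None]


if __name__ == "__main__":
    for ev in normalize(SLIDE_LINES + [FAILED_SSH]):
        print(f"{ev.source:12} user={ev.user:10} ip={ev.src_ip} ok={ev.success}")
```

Unrecognised lines come back as None rather than as a half-filled record, so a downstream "top failed logins" report never counts a record whose outcome the parser only guessed.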
5. "Arrgh! Why Don't We Just Ignore 'Em?"

6. Log Management Mandate and Regulations
   Regulations require LMI:
   - SOX
   - GLBA
   - FISMA
   - JPA
   - PCI
   - HIPAA
   - SLAs
   Mandates demand it:
   - NIST 800-53
     - Capture audit records
     - Regularly review audit records for unusual activity and violations
     - Automatically process audit records
     - Protect audit information from unauthorized deletion
     - Retain audit logs
   - PCI: Requirement 10 and beyond
     - Logging and user activity tracking are critical
     - Automate and secure audit trails for event reconstruction
     - Review logs daily
     - Retain audit trail history for at least one year
   Controls require it:
   - COBIT 4
     - Provide an audit trail for root-cause analysis
     - Use logging to detect unusual or abnormal activities
     - Regularly review access, privileges, changes
     - Verify backup completion
   - ISO 17799
     - Maintain audit logs for system access and use, changes, faults, corrections, capacity demands
     - Review the results of monitoring activities regularly and ensure the accuracy of logs
   - ITIL
   What is at stake: "Get fined, get sanctioned"; "Lose customers, reputation, revenue or job"; "Get fined, go to jail".

7. Also: NIST 800-92
   "This publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise."

8. So, How Do People Do It?

9. Log Analysis Basics
   - Manual
     - tail, more, grep, notepad, etc.
   - Filtering
     - Positive and negative ("artificial ignorance")
   - Summarization and reports
     - "Top X of Y"
   - Visualization
   - Log indexing and searching
   - Correlation
     - Rule-based and other
   - Log data mining
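An added example, not from the deck, of the two cheapest steps on this list run over a constructed syslog batch: negative filtering in the "artificial ignorance" style (enumerate what is known to be routine and look at whatever is left) followed by a "Top X of Y" summary of the survivors. The sample lines, the `KNOWN_BORING` list and the function names are all assumptions made for illustration.

```python
import re
from collections import Counter
from typing import Iterable, List, Tuple

# Constructed syslog batch (not from the deck): one morning on a host named web1.
SAMPLE_LOG = """\
Mar  4 09:23:15 web1 sshd[27577]: Accepted password for kyle from 192.168.138.35 port 2895 ssh2
Mar  4 09:23:20 web1 CRON[2811]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 09:24:01 web1 sshd[27600]: Failed password for root from 203.0.113.7 port 4011 ssh2
Mar  4 09:24:03 web1 sshd[27602]: Failed password for root from 203.0.113.7 port 4012 ssh2
Mar  4 09:24:05 web1 sshd[27604]: Failed password for admin from 203.0.113.7 port 4013 ssh2
Mar  4 09:25:00 web1 ntpd[911]: synchronized to 192.0.2.10, stratum 2
Mar  4 09:25:30 web1 sshd[27610]: Failed password for root from 198.51.100.9 port 5100 ssh2
Mar  4 10:23:20 web1 CRON[2990]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 10:30:00 web1 su[3001]: pam_unix(su:session): session opened for user root by kyle(uid=1000)
"""

# Negative filter ("artificial ignorance"): list what is known to be routine and
# keep everything else for a human.  The patterns are deliberately narrow and
# anchored: a cron job that is NOT the hourly run-parts still gets through.
KNOWN_BORING: List[re.Pattern] = [
    re.compile(r"CRON\[\d+\]: \(root\) CMD \(run-parts /etc/cron\.hourly\)$"),
    re.compile(r"ntpd\[\d+\]: synchronized to \S+, stratum \d+$"),
]

# Positive filter: a record the reviewer asks for by name.
FAILED_LOGIN = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")


def artificial_ignorance(lines: Iterable[str]) -> List[str]:
    """Drop lines matching any known-boring pattern; return the rest in order."""
    return [ln for ln in lines if not any(p.search(ln) for p in KNOWN_BORING)]


def top_n(lines: Iterable[str], pattern: re.Pattern, group: str, n: int = 5) -> List[Tuple[str, int]]:
    """'Top X of Y': count one captured field over the lines the pattern matches."""
    counts: Counter = Counter()
    for ln in lines:
        m = pattern.search(ln)
        if m:
            counts[m.group(group)] += 1
    return counts.most_common(n)


def review(raw: str) -> dict:
    """The two steps a manual reviewer would take: ignore the noise, then summarize."""
    lines = raw.splitlines()
    kept = artificial_ignorance(lines)
    return {
        "total": len(lines),
        "kept": kept,
        "top_failed_sources": top_n(kept, FAILED_LOGIN, "src"),
        "top_failed_users": top_n(kept, FAILED_LOGIN, "user"),
    }


if __name__ == "__main__":
    r = review(SAMPLE_LOG)
    print(f"{r['total']} lines, {len(r['kept'])} left after artificial ignorance")
    for src, n in r["top_failed_sources"]:
        print(f"{n:3} failed logins from {src}")
```

The ignore list is the part that needs discipline: every pattern should be tight enough that a variant of a routine message (a different command under cron, a different peer for ntpd) does not disappear along with the routine one.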
10. From Log Analysis to Log Management
   - Threat protection and discovery
   - Incident response
   - Forensics, "e-discovery" and litigation support
   - Regulatory compliance
   - Internal policies and procedure compliance
   - Internal and external audit support
   - IT system and network troubleshooting
   - IT performance management

11. Log Management Lifecycle (diagram)
   Collect (files, syslog, other) -> Store (secure, immutable logs) -> Alert (SNMP, email, etc.) -> Search, report and analytics -> Make conclusions and share, on an "as needed" basis

12. Looks Complicated?! No Wonder People Make Mistakes...

13. Six Mistakes of Log Analysis and Management
   0. Not logging at all
   1. Not looking at the logs
   2. Storing logs for too short a time
   3. Prioritizing the log records before collection
   4. Ignoring the logs from applications
   5. Approaching logs in a siloed fashion

14. Mistake 0: Not Logging AT ALL...
   - ... and its aggravated version: "... and not knowing that you don't"
   - No logging? Well, then: no logs for incident response, audits, compliance
   - Got logs?
   - If your answer is "NO", don't listen further: run and enable logging right now!

15. Example: Oracle
   - Defaults:
     - minimum system logging
     - minimum database server access logging
     - no data access logging
   - So, where is...
     - data access audit
     - schema and data change audit
     - configuration change audit

16. Mistake 1: Not looking at logs
   - Collection of logs has value!
   - But review boosts the value 10-fold (numbers are estimates)
   - More in-depth analysis boosts it a lot more!
   - Two choices here...
     - Review after an incident
     - Ongoing review

17. Example Log Review Priorities
   - DMZ NIDS
   - DMZ firewall
   - DMZ servers with applications
   - Critical internal servers
   - Other servers
   - Select critical applications
   - Desktops
   - Other applications

18. Mistake 2: Storing logs for too short a time
   - You are saying you HAD logs? And how is that useful?
   - The retention question is a hard one. Truly, nobody has the answer!
     - Seven years? A year? 90 days? A week? Until the disk runs out?
   - Common: 90 days online and up to 1-3 years "nearline" or offline

19. Also A Mistake: Storing Logs for TOO LONG?!
   - Retention = storage + destruction
   - Why DESTROY logs?
     - Privacy regulations
     - Litigation risk management
     - Due diligence and security policy
     - System resource utilization

20. Example Retention Strategy
   - Rule = log type + network + storage tier
   - IDS + DMZ + online = 90 days
   - Firewall + DMZ + online = 30 days
   - Servers + internal + online = 90 days
   - ALL + DMZ + archive = 3 years
   - Critical + internal + archive = 5 years
   - OTHER + internal + archive = 1 year
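Slides 18 to 20 together describe retention as a rule table plus a destruction step. As an added example, not from the deck, the six rules above are transcribed as data and evaluated for a log of a given age. The precedence (a rule naming the type beats an ALL/OTHER wildcard), the "migrate" outcome when the online limit is hit but an archive rule still wants the data, and the explicit "no-rule" result for anything the table does not cover are my assumptions, as are the function names.

```python
from dataclasses import dataclass
from typing import List, Optional

YEAR = 365  # rule periods are expressed in days


@dataclass(frozen=True)
class RetentionRule:
    log_type: str   # "IDS", "Firewall", "Servers", "Critical", or the wildcards "ALL"/"OTHER"
    network: str    # "DMZ" or "internal"
    tier: str       # "online" or "archive"
    days: int       # keep this long, then destroy (or move down a tier)


# The six rules from the slide, transcribed as data.
RULES: List[RetentionRule] = [
    RetentionRule("IDS", "DMZ", "online", 90),
    RetentionRule("Firewall", "DMZ", "online", 30),
    RetentionRule("Servers", "internal", "online", 90),
    RetentionRule("ALL", "DMZ", "archive", 3 * YEAR),
    RetentionRule("Critical", "internal", "archive", 5 * YEAR),
    RetentionRule("OTHER", "internal", "archive", 1 * YEAR),
]
WILDCARDS = ("ALL", "OTHER")


def find_rule(log_type: str, network: str, tier: str, rules=RULES) -> Optional[RetentionRule]:
    """Most specific match wins: a rule naming the type beats an ALL/OTHER rule."""
    candidates = [r for r in rules if r.network == network and r.tier == tier]
    for r in candidates:
        if r.log_type == log_type:
            return r
    for r in candidates:
        if r.log_type in WILDCARDS:
            return r
    return None


def disposition(log_type: str, network: str, tier: str, age_days: int, rules=RULES) -> str:
    """What to do with a log of this age on this tier: keep, migrate, destroy or no-rule."""
    rule = find_rule(log_type, network, tier, rules)
    if rule is None:
        return "no-rule"          # an unclassified log must not silently live forever
    if age_days <= rule.days:
        return "keep"
    if tier == "online":          # online limit reached: archive may still want it
        archive = find_rule(log_type, network, "archive", rules)
        if archive is not None and age_days <= archive.days:
            return "migrate"
    return "destroy"


if __name__ == "__main__":
    for args in [("IDS", "DMZ", "online", 45), ("IDS", "DMZ", "online", 120),
                 ("Firewall", "DMZ", "archive", 4 * YEAR), ("Critical", "internal", "archive", 4 * YEAR),
                 ("Firewall", "internal", "online", 1)]:
        print(*args, "->", disposition(*args))
```

Returning "no-rule" instead of defaulting to "keep" is the point of the "storing logs for too long" slide: a gap in the table becomes something the policy owner has to see and close, rather than an accidental indefinite-retention policy.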
21. Quiz: Name Which Are Security Relevant?
   - System or software startup, shutdown, restart, and abnormal termination (crash)
   - Various thresholds being exceeded or reaching dangerous levels, such as disk space full, memory exhausted, or processor load too high
   - Hardware health messages that the system can troubleshoot or at least detect and log
   - User access to the system, such as remote (telnet, ssh, etc.) and local login, and network access (FTP) initiated to and from the system, failed and successful
   - User access privilege changes, such as the su command, both failed and successful
   - User credential and access right changes, such as account updates, creation, and deletion, both failed and successful
   - System configuration changes and software updates, both failed and successful

22. Mistake 3: Deciding What's Relevant Before Collection
   - How would you know what is...
     - ... security-relevant
     - ... compliance-relevant
     - ... or will solve the problem you'll have TOMORROW!?
   - Also affects the "forensic quality" of logs
   - Prioritization challenge: got ESP?
   - Simple: just grab everything!

23. Example Common Logging Order
   - Log everything
   - Retain most everything
   - Analyze enough
   - Summarize and report on a subset
   - Look at some
   - Act in real time on a few

24. Mistake 4: Ignoring Logs from Applications
   - Firewall: yes. Linux: yes. Windows: yes. NIDS: yes.
   - but...
   - Oracle: ?
   - SAP: ?
   - Your Application X: no?
   - Log standards are coming: MITRE CEE!

25. Example: Jumbled Mess of SAP Logs
   |22:01:40|BTC| 7|000|DDIC | |LC2|Systemerror when executing external command DB6_DATA_COLLECTOR on gneisenau ()
   |22:02:32|BTC| 7|000|DDIC | |R49|Communication error, CPIC return code 020, SAP return code 456
   |22:02:32|BTC| 7|000|DDIC | |R5A|> Conversation ID: 38910614
   |22:02:32|BTC| 7|000|DDIC | |R64|> CPI-C function: CMSEND(SAP)
   |22:02:32|BTC| 7|000|DDIC | |LC2|Systemerror when executing external command DB6_DATA_COLLECTOR on gneisenau ()

26. Mistake 5: Siloed Approach to Log Management
   - Imagine...
     - Database logs -> database monitoring system
     - Syslog -> syslog server
     - Windows logs -> stay where they are
     - Firewall logs -> PIX logger
     - Application logs -> don't exist
   - What about forensics, incident response, audit?
   - How do you analyze activities across systems?
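An added example, not from the deck, of the question a silo cannot answer: once firewall, Windows, syslog and database records sit in one place under one schema, a user's activity can be followed across systems, an address can be pivoted from the VPN concentrator to the domain logon, and database activity with no preceding login anywhere can be flagged. The events, the action vocabulary and the function names are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class Event:
    ts: datetime
    silo: str     # where the record came from: firewall, windows, syslog, database
    user: str     # "-" where the source records no user (e.g. a firewall)
    src_ip: str
    action: str


# Constructed events (not from the deck), already normalised to one schema,
# which is the work a single log platform does when it collects from every silo.
T0 = datetime(2008, 3, 4, 9, 0, 0)
EVENTS: List[Event] = [
    Event(T0 + timedelta(minutes=0),  "firewall", "-",       "203.0.113.7", "vpn-connect"),
    Event(T0 + timedelta(minutes=1),  "windows",  "kyle",    "203.0.113.7", "logon-ok"),
    Event(T0 + timedelta(minutes=3),  "syslog",   "kyle",    "10.1.1.20",   "ssh-accepted"),
    Event(T0 + timedelta(minutes=5),  "database", "kyle",    "10.1.1.20",   "select hr.salaries"),
    Event(T0 + timedelta(minutes=40), "database", "dba_app", "10.1.1.50",   "select hr.salaries"),
    Event(T0 + timedelta(minutes=41), "database", "dba_app", "10.1.1.50",   "update hr.salaries"),
]

LOGIN_ACTIONS = {"logon-ok", "ssh-accepted"}   # the OS/domain silos' successful logins


def user_timeline(events: List[Event], user: str) -> List[Event]:
    """Every silo's records for one user, in time order."""
    return sorted((e for e in events if e.user == user), key=lambda e: e.ts)


def pivot_by_ip(events: List[Event], ip: str) -> List[Event]:
    """Follow an address across silos, e.g. from the firewall's VPN record to the domain logon."""
    return sorted((e for e in events if e.src_ip == ip), key=lambda e: e.ts)


def db_access_without_login(events: List[Event], window: timedelta) -> List[Event]:
    """Database activity by a user with no OS/domain login anywhere in the preceding window."""
    logins = [e for e in events if e.action in LOGIN_ACTIONS]
    flagged = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.silo != "database":
            continue
        covered = any(l.user == e.user and e.ts - window <= l.ts <= e.ts for l in logins)
        if not covered:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in user_timeline(EVENTS, "kyle"):
        print(f"{e.ts:%H:%M} {e.silo:9} {e.src_ip:13} {e.action}")
    for e in db_access_without_login(EVENTS, timedelta(minutes=30)):
        print(f"FLAG {e.ts:%H:%M} {e.user} {e.action} (no login in window)")
```

The flagged `dba_app` rows are only interesting because the database silo is being read next to the login silos; the database monitoring system on its own sees two ordinary queries from an account that is allowed to run them.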
27. Example: Platform vs Silos (diagram)
   Log sources: Network, Servers, Databases, Homegrown Applications. Consumers: Identity Management, IT & Network Operations, Operational Security, Governance & Compliance.
   Left: each source feeds its own log silo and log tool, a "log jam" drawn as a pile of question marks.
   Right: all sources feed one log platform that serves every consumer.

28. Conclusions
   - Now you know:
     - What the logs are
     - Where they come from
     - Why look at them
     - How people do it
     - What some of the relevant regulations are
     - How to deal with them
   - And how to AVOID MISTAKES in dealing with logs!

29. Seven Mistakes of Log Analysis and Management
   0. Not logging at all
   1. Not looking at the logs
   2. Storing logs for too short a time
   3. Prioritizing the log records before collection
   4. Ignoring the logs from applications
   5. Only looking at what you know is bad
   6. Approaching logs in a siloed fashion

30. Thanks for Attending the Presentation
   - Dr Anton Chuvakin, GCIA, GCIH, GCFA
   - Chief Logging Evangelist
   - http://www.chuvakin.org
   - Coauthor of "Security Warrior" (O'Reilly, 2004) and "PCI Compliance" (Syngress, 2007)
   - See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs. Book on logs is coming soon! Also see http://chuvakin.blogspot.com

31. Further Reading
   - Check out my longer paper "Mistakes of Log Management", published at http://www.infosecwriters.org
   - Other fun reading: the log management section of my blog, http://chuvakin.blogspot.com/search/label/log%20management/
   - My chapter on logging for PCI from the "PCI Compliance" book (posted on the Syngress web site)
