5. Quiz – Question 3
What do these things have in common?
Geiger Counter, Seismograph
Answer: Both are used to detect and identify events, so that an action plan can be followed to lower risk.
6. Evolution of IT Attacks
• Before 1998
  • Technical Issue
  • Unix
  • Servers
  • Attacks were a Nuisance
• 1998 – 2002
  • Technical/Business Issue
  • Windows Systems
  • Servers
  • Attacks were a Nuisance
• 2002 – Now
  • Technical/Business/Legal Issue
  • Applications
  • Windows
  • Attacks for Money
7. MSRT disinfections by category, 2H05 – 2H07
[Figure: bar chart of Malicious Software Removal Tool disinfections per half-year (2H05, 1H06, 2H06, 1H07, 2H07), x-axis in millions (0–20), by category: Password Stealers/Keyloggers, Rootkits, Viruses, Trojans, Worms, Backdoors, Downloaders/Droppers]
9. Compliance Requirements & Penalties
Regulation        Data Retention Requirements   Penalties
Sarbanes-Oxley    5 years                       Fines to $5M
PCI               Corporate Policy              Fines / Loss of CC
GLBA              6 years                       Fines
FISMA             3 years                       Fines
HIPAA             6 years                       $25,000
NERC              3 years                       TBD
10. Compliance Requirements & Penalties – ISO 27001 Compliance, Section 10 (10.10.1-5)
10.10.1 Audit Logging: “Audit logs recording user activities, exceptions, and information security events shall be produced and kept...”
10.10.2 Monitoring System Use: “Procedures for monitoring use of information processing facilities shall be established and results reviewed.”
10.10.3 Protection of log information: “Logging facilities and log information shall be protected against tampering and unauthorized access.”
10.10.4 Administrator and operator logs: “System administrator and system operator activities shall be logged.”
10.10.5 Fault Logging: “Faults shall be logged, analyzed, and appropriate action taken.”
11. Log Management – Business Objectives
• Security: Are security policies being followed?
• Compliance: Can compliance be substantiated and gaps identified?
• IT Operations: Can IT operations be improved?
• Forensics: Can legally admissible proof be shown?
13. Current IT Infrastructure
Average Environment: x 176 Servers; x 17 Client Server Environments
[Figure: grid of server icons representing the server estate across the client/server environments]
14. Current IT Infrastructure
Average Environment: a Domain with its own Servers, Policy and Logging Point – a Single Logging Domain
“Bottom Line: Log analysis is increasing in importance for regulatory compliance and overall enterprise monitoring and security” – Paul Proctor, META Group
15. Future IT Infrastructure
[Figure: servers from each environment feeding Centralized Logging, with Policy, Analysis, Alerting and Reporting]
Individual environments become part of a larger, enterprise wide system, with central analysis, alerting and reporting.
16. Solutions – Software Agent
[Figure: an Agent process on each Server forwards events to the Primary Site, which produces Reports & Alerts]
Example agents: Snare, Lasso
17. Solutions – Appliance
[Figure: Servers send events (e.g. Event 560, Event 680, Event 681) to an Appliance, which processes them centrally]
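The appliance and "Future IT Infrastructure" slides only name the pieces (events from many servers, central analysis, alerting, reporting) and the ISO 27001 slide asks that log information be protected against tampering. The following Python is an added example, not code from the original deck, from Snare, or from any appliance vendor. It ingests constructed security events from three servers, stores them in a hash-chained append-only store so that editing or deleting an earlier record breaks every later link, produces a per-event-ID report, and raises an alert when one account accumulates repeated logon failures across hosts inside a short window. The pipe-delimited record layout, the event lines, the 3-failures-in-5-minutes threshold, and the meaning assigned to the event IDs (560 object open, 680 logon attempt, 681 logon failure, as on Windows 2000/2003 security logs) are all assumptions of the example; the deck itself does not define them.

```python
# Added example, not from the original deck or any vendor product.
# Assumptions: a constructed pipe-delimited record layout
# (timestamp|host|event id|account|detail) and constructed event lines.
from collections import defaultdict
from datetime import datetime, timedelta
import hashlib

# Constructed events from three servers. The event IDs are the ones the
# deck shows; the meaning used here (560 object open, 680 logon attempt,
# 681 logon failure) follows the Windows 2000/2003 security log.
SAMPLE_EVENTS = """\
2008-03-04 09:00:01|SRV01|680|jsmith|Logon attempt (NTLM)
2008-03-04 09:00:02|SRV01|681|jsmith|Logon failure: bad password
2008-03-04 09:00:09|SRV02|681|jsmith|Logon failure: bad password
2008-03-04 09:00:15|SRV03|681|jsmith|Logon failure: bad password
2008-03-04 09:00:20|SRV01|560|jsmith|Object open: payroll.xls
2008-03-04 09:05:00|SRV02|681|bjones|Logon failure: bad password
2008-03-04 09:30:00|SRV02|681|bjones|Logon failure: bad password
2008-03-04 09:55:00|SRV03|681|bjones|Logon failure: bad password
"""


def parse_events(text):
    """Turn raw record lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, eid, user, detail = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "host": host, "event_id": int(eid),
                       "user": user, "detail": detail})
    return events


class ChainedLogStore:
    """Append-only store: each record's digest covers the previous digest,
    so altering or removing an earlier record invalidates all later ones."""

    GENESIS = "0" * 64

    def __init__(self):
        self.records = []  # list of (raw line, sha256 hex digest)

    def append(self, line):
        prev = self.records[-1][1] if self.records else self.GENESIS
        digest = hashlib.sha256((prev + line).encode()).hexdigest()
        self.records.append((line, digest))
        return digest

    def verify(self):
        prev = self.GENESIS
        for line, digest in self.records:
            if hashlib.sha256((prev + line).encode()).hexdigest() != digest:
                return False
            prev = digest
        return True


def failed_logon_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert when an account has >= threshold event-681 failures within
    `window`, counted across all hosts (sliding window per account)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event_id"] == 681:
            by_user[e["user"]].append(e)
    alerts = []
    for user, fails in by_user.items():
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hosts = sorted({f["host"] for f in fails[start:end + 1]})
                alerts.append({"user": user, "count": end - start + 1,
                               "hosts": hosts, "first": fails[start]["ts"],
                               "last": fails[end]["ts"]})
                break  # one alert per account is enough here
    return alerts


def category_report(events):
    """Simple central report: number of events per event ID."""
    counts = defaultdict(int)
    for e in events:
        counts[e["event_id"]] += 1
    return dict(counts)


def run(text=SAMPLE_EVENTS):
    """Ingest, store tamper-evidently, then analyse and report."""
    store = ChainedLogStore()
    for line in text.splitlines():
        if line.strip():
            store.append(line)
    events = parse_events(text)
    return {"integrity_ok": store.verify(),
            "report": category_report(events),
            "alerts": failed_logon_alerts(events)}


if __name__ == "__main__":
    result = run()
    print("chain intact:", result["integrity_ok"])
    print("events per ID:", result["report"])
    for a in result["alerts"]:
        print(f"ALERT {a['user']}: {a['count']} failures on {a['hosts']} "
              f"between {a['first']} and {a['last']}")
```

The jsmith failures span three servers within 13 seconds, which no single server's log would flag at a threshold of three; the bjones failures are 25 minutes apart and stay below the threshold. The hash chain only proves that stored records were not altered after the fact; it does not protect the agent-to-collector transport, which still needs authentication and encryption.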
18. Research – Centralized Logging
Research: Reviewed over fifteen products, from open source to enterprise. Participated in vendor demonstrations. Research paper on portal.
Communications: Participated in security consortiums, initiated with Common Tools Team, interviewed NSS Security, and discussed with NOC.
Potential Solutions: Currently working to narrow solutions and scope potential options based on Unisys requirements.
Goal: Implement a centralized logging solution to allow policy compliance and prevent security violations by having higher visibility into security events.
19. Extended H@(|<5
“hackers managed to steal data from transactions that occurred between November 2003 and April 2004.”
“…install programs that gathered enormous quantities of personal financial data”
"I suspect that a lot of people are unaware that their identifying information has been compromised," – U.S. Attorney Michael Sullivan
21. References
• Kevin Mandia – President & CEO, Mandiant
• Michael Suby – Director, Stratecast
• Microsoft Security Intelligence Report (July – December 2007)
• LogLogic – Best Practices for Log Management