-
8/14/2019 Log Management in the Age of Compliance by Dr. Anton
Chuvakin
1/3
Log Management in the Age of Compliance
Dr. Anton Chuvakin
WRITTEN: 2007
DISCLAIMER:Security is a rapidly changing field of human
endeavor. Threats we face literallychange every day; moreover, many
security professionals consider the rate ofchange to be
accelerating. On top of that, to be able to stay in touch with
suchever-changing reality, one has to evolve with the space as
well. Thus, eventhough I hope that this document will be useful for
to my readers, please keep inmind that is was possibly written
years ago. Also, keep in mind that some of theURL might have gone
404, please Google around.
With each publicized data breach (TJ Maxx, U.S. Department of
Agriculture) or new regulationsecurity emphasis seems to shift away
from the traditional keep bad guys out mentality and
towards the whats going on in here? layered, in-depth look at IT
activity.
As such, organizations are turning to logs to provide a
continuous fingerprint of everything that
happens with their IT systems and, more importantly, with their
data. Logs of different types are
generated from different sources at an astounding rate, allowing
for a detailed if sometimescloudy - picture of IT activity. If a
disgruntled employee accesses a database containing
confidential information with the intent to steal the data,
there would likely be a log of that
activity that someone could review to determine the whos, whats,
and whens. Logs providethe bread crumbs that organizations can use
to follow the paths of all of their users, mal-
intentioned or not.
It follows that managing these logs can benefit an organization
in many ways. They offer
situational awareness, help organizations pinpoint new threats
as well as allow their effective
investigation. Routine log reviews and more in-depth analysis of
stored logs are beneficial foridentifying security incidents,
policy violations, fraudulent activity, and operational
problems
shortly after they have occurred, and for providing information
useful for resolving such
problems.
Given the inherent benefits of log management, it is not
surprising that log data collection and
analysis is generally considered a security industry best
practice. However, a number of
regulations also explicitly call for the collection, storage,
maintenance, and review of logs inorder for companies to be
compliant, turning log management from a should do to a must
do. Some of these regulations rely on National Institute of
Standards and Technology
Computer Security Special Publications (NIST SP) in order to
delineate the detailed loggingrequirements.
In my last article (link), I described the way in which 3
regulations (FISMA, HIPAA, and PCI-DSS) affect incident response
processes. This triumvirate also affects log management, as
they
call for enabling logging as well as for log review.
-
8/14/2019 Log Management in the Age of Compliance by Dr. Anton
Chuvakin
2/3
The Federal Information Security Management Act of 2002
(FISMA)
While many criticize FISMA for being all documentation and no
action, the law simply
emphasizes the need for each Federal agency to develop,
document, and implement an
organization-wide program to secure the information systems that
support its operations andassets. NIST SP 800-53,Recommended
Security Controls for Federal Information Systems,
describes log management controls including the generation,
review, protection, and retention of
audit records, and steps to take in the event of audit failure.
NIST 800-92, Guide to Computer
Security Log Management, also is created to simplify FISMA
compliance, is fully devoted to log
management, and describes a broad the need for log management in
federal agencies and ways to
establish and maintain successful and efficient log management
infrastructures (including log
generation, analysis, storage, and monitoring). NIST 800-92
discusses the importance ofanalyzing different kinds of logs from
different sources and of clearly defining specific roles and
responsibilities of those teams and individuals involved in log
management. Importantly, section
4.2 highlights the need for organization to clearly define its
policy requirements (based on theappropriate regulations) for
performing logging and monitoring logs, including log
generation,
transmission, storage, and disposal as well as explicit
protections for these logs.
HIPAA
The Health Insurance Portability and Accountability Act of 1996
(HIPAA) outlines relevant
security standards for health information. NIST SP 800-66,An
Introductory Resource Guide for
Implementing the Health Insurance Portability and Accountability
Act (HIPAA) Security Rule,
details HIPAA-related log management needs in the context of
securing electronic protected
health information. Section 4.1 of NIST 800-66 describes the
need for regular review of
information system activity, such as audit logs, access reports,
and security incident trackingreports. Also, Section 4.22 specifies
that documentation of actions and activities need to be
retained for at least six years. While the debate about whether
logs can be considered documents
is not finished, some organizations did choose to store logs for
as long as other businessdocuments. In addition, Appendix A of this
document encourages organizations to ask a variety
of log-related questions, including whether or not system
performance monitoring is used t o
analyze system performance logs in real time in order to spot
availability problems like activeattacks.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS),
which applies to organizations
that handle credit card transactions, mandates logging specific
details and log review procedures
to prevent credit card fraud, hacking, and other related
security issues in companies that store,
process, or transmit credit card data. Even though logging is
present in all PCI requirements,PCI DSS also contains Requirement
10, which is dedicated to logging and log management.
Under this requirement, logs for all system components must be
reviewed at least daily, and
these log reviews must include servers that perform security
functions (e.g. intrusion detectionsystem and authentication,
authorization, and accounting protocol servers. Further, PCI
DSS
states that the organization must ensure the integrity of their
logs by implementing file integrity
monitoring and change detection software on logs to insure that
existing log data can not be
-
8/14/2019 Log Management in the Age of Compliance by Dr. Anton
Chuvakin
3/3
changed without generating alerts. It also prescribes that logs
from in-scope systems are stored
for at least one year.
There are also a variety of other regulations that call for log
management capabilities, although
less explicitly than the aforementioned three. California Bill
1386 and its upcoming federalequivalent, for example, requires a
state agency, person, or business that owns or licenses
computerized data that includes personal information, to
disclose any breach of the security of
the data to any California resident whose unencrypted personal
information was acquired by anunauthorized person. Logs, by nature
of allowing for tracking IT infrastructure activity, are the
best way to assess if, how, when, and where a data breach has
occurred, so management of these
logs would be the best way to assess what data has been
accessed/stolen and, thus, who needs to
be notified.
The major effect the age of compliance has had on log management
is to turn it into arequirement rather than just a recommendation,
and this change is certainly to the advantage of
any enterprise subject to one of those regulations. It is easy
to see why log collection and
management is important, and the explicit inclusion of log
management activities in major
regulations like FISMA, HIPAA, and PCI DSS highlights how key it
truly is to enterprisesecurity as well as broader risk management
needs.
ABOUT THE AUTHOR:
This is an updated author bio, added to the paper at the time of
reposting in2009.
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized
security expert inthe field of log management and PCI DSS
compliance. He is an author of books"Security Warrior" and "PCI
Compliance" and a contributor to "Know Your EnemyII", "Information
Security Management Handbook" and others. Anton haspublished dozens
of papers on log management, correlation, data analysis, PCIDSS,
security management (see list www.info-secure.org) . His
bloghttp://www.securitywarrior.org is one of the most popular in
the industry.
In addition, Anton teaches classes and presents at many security
conferencesacross the world; he recently addressed audiences in
United States, UK,Singapore, Spain, Russia and other countries. He
works on emerging securitystandards and serves on the advisory
boards of several security start-ups.
Currently, Anton is developing his security consulting practice,
focusing onlogging and PCI DSS compliance for security vendors and
Fortune 500organizations. Dr. Anton Chuvakin was formerly a
Director of PCI ComplianceSolutions at Qualys. Previously, Anton
worked at LogLogic as a Chief LoggingEvangelist, tasked with
educating the world about the importance of logging forsecurity,
compliance and operations. Before LogLogic, Anton was employed by
asecurity vendor in a strategic product management role. Anton
earned his Ph.D.degree from Stony Brook University.
http://www.chuvakin.org/http://www.info-secure.org/http://www.securitywarrior.org/http://www.chuvakin.org/http://www.info-secure.org/http://www.securitywarrior.org/
