Upload
dr-anton-chuvakin
View
219
Download
0
Embed Size (px)
Citation preview
8/14/2019 Log Management in the Age of Compliance by Dr. Anton Chuvakin
1/3
Log Management in the Age of Compliance
Dr. Anton Chuvakin
WRITTEN: 2007
DISCLAIMER:Security is a rapidly changing field of human endeavor. Threats we face literallychange every day; moreover, many security professionals consider the rate ofchange to be accelerating. On top of that, to be able to stay in touch with suchever-changing reality, one has to evolve with the space as well. Thus, eventhough I hope that this document will be useful for to my readers, please keep inmind that is was possibly written years ago. Also, keep in mind that some of theURL might have gone 404, please Google around.
With each publicized data breach (TJ Maxx, U.S. Department of Agriculture) or new regulationsecurity emphasis seems to shift away from the traditional keep bad guys out mentality and
towards the whats going on in here? layered, in-depth look at IT activity.
As such, organizations are turning to logs to provide a continuous fingerprint of everything that
happens with their IT systems and, more importantly, with their data. Logs of different types are
generated from different sources at an astounding rate, allowing for a detailed if sometimescloudy - picture of IT activity. If a disgruntled employee accesses a database containing
confidential information with the intent to steal the data, there would likely be a log of that
activity that someone could review to determine the whos, whats, and whens. Logs providethe bread crumbs that organizations can use to follow the paths of all of their users, mal-
intentioned or not.
It follows that managing these logs can benefit an organization in many ways. They offer
situational awareness, help organizations pinpoint new threats as well as allow their effective
investigation. Routine log reviews and more in-depth analysis of stored logs are beneficial foridentifying security incidents, policy violations, fraudulent activity, and operational problems
shortly after they have occurred, and for providing information useful for resolving such
problems.
Given the inherent benefits of log management, it is not surprising that log data collection and
analysis is generally considered a security industry best practice. However, a number of
regulations also explicitly call for the collection, storage, maintenance, and review of logs inorder for companies to be compliant, turning log management from a should do to a must
do. Some of these regulations rely on National Institute of Standards and Technology
Computer Security Special Publications (NIST SP) in order to delineate the detailed loggingrequirements.
In my last article (link), I described the way in which 3 regulations (FISMA, HIPAA, and PCI-DSS) affect incident response processes. This triumvirate also affects log management, as they
call for enabling logging as well as for log review.
8/14/2019 Log Management in the Age of Compliance by Dr. Anton Chuvakin
2/3
The Federal Information Security Management Act of 2002 (FISMA)
While many criticize FISMA for being all documentation and no action, the law simply
emphasizes the need for each Federal agency to develop, document, and implement an
organization-wide program to secure the information systems that support its operations andassets. NIST SP 800-53,Recommended Security Controls for Federal Information Systems,
describes log management controls including the generation, review, protection, and retention of
audit records, and steps to take in the event of audit failure. NIST 800-92, Guide to Computer
Security Log Management, also is created to simplify FISMA compliance, is fully devoted to log
management, and describes a broad the need for log management in federal agencies and ways to
establish and maintain successful and efficient log management infrastructures (including log
generation, analysis, storage, and monitoring). NIST 800-92 discusses the importance ofanalyzing different kinds of logs from different sources and of clearly defining specific roles and
responsibilities of those teams and individuals involved in log management. Importantly, section
4.2 highlights the need for organization to clearly define its policy requirements (based on theappropriate regulations) for performing logging and monitoring logs, including log generation,
transmission, storage, and disposal as well as explicit protections for these logs.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant
security standards for health information. NIST SP 800-66,An Introductory Resource Guide for
Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,
details HIPAA-related log management needs in the context of securing electronic protected
health information. Section 4.1 of NIST 800-66 describes the need for regular review of
information system activity, such as audit logs, access reports, and security incident trackingreports. Also, Section 4.22 specifies that documentation of actions and activities need to be
retained for at least six years. While the debate about whether logs can be considered documents
is not finished, some organizations did choose to store logs for as long as other businessdocuments. In addition, Appendix A of this document encourages organizations to ask a variety
of log-related questions, including whether or not system performance monitoring is used t o
analyze system performance logs in real time in order to spot availability problems like activeattacks.
PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS), which applies to organizations
that handle credit card transactions, mandates logging specific details and log review procedures
to prevent credit card fraud, hacking, and other related security issues in companies that store,
process, or transmit credit card data. Even though logging is present in all PCI requirements,PCI DSS also contains Requirement 10, which is dedicated to logging and log management.
Under this requirement, logs for all system components must be reviewed at least daily, and
these log reviews must include servers that perform security functions (e.g. intrusion detectionsystem and authentication, authorization, and accounting protocol servers. Further, PCI DSS
states that the organization must ensure the integrity of their logs by implementing file integrity
monitoring and change detection software on logs to insure that existing log data can not be
8/14/2019 Log Management in the Age of Compliance by Dr. Anton Chuvakin
3/3
changed without generating alerts. It also prescribes that logs from in-scope systems are stored
for at least one year.
There are also a variety of other regulations that call for log management capabilities, although
less explicitly than the aforementioned three. California Bill 1386 and its upcoming federalequivalent, for example, requires a state agency, person, or business that owns or licenses
computerized data that includes personal information, to disclose any breach of the security of
the data to any California resident whose unencrypted personal information was acquired by anunauthorized person. Logs, by nature of allowing for tracking IT infrastructure activity, are the
best way to assess if, how, when, and where a data breach has occurred, so management of these
logs would be the best way to assess what data has been accessed/stolen and, thus, who needs to
be notified.
The major effect the age of compliance has had on log management is to turn it into arequirement rather than just a recommendation, and this change is certainly to the advantage of
any enterprise subject to one of those regulations. It is easy to see why log collection and
management is important, and the explicit inclusion of log management activities in major
regulations like FISMA, HIPAA, and PCI DSS highlights how key it truly is to enterprisesecurity as well as broader risk management needs.
ABOUT THE AUTHOR:
This is an updated author bio, added to the paper at the time of reposting in2009.
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert inthe field of log management and PCI DSS compliance. He is an author of books"Security Warrior" and "PCI Compliance" and a contributor to "Know Your EnemyII", "Information Security Management Handbook" and others. Anton haspublished dozens of papers on log management, correlation, data analysis, PCIDSS, security management (see list www.info-secure.org) . His bloghttp://www.securitywarrior.org is one of the most popular in the industry.
In addition, Anton teaches classes and presents at many security conferencesacross the world; he recently addressed audiences in United States, UK,Singapore, Spain, Russia and other countries. He works on emerging securitystandards and serves on the advisory boards of several security start-ups.
Currently, Anton is developing his security consulting practice, focusing onlogging and PCI DSS compliance for security vendors and Fortune 500organizations. Dr. Anton Chuvakin was formerly a Director of PCI ComplianceSolutions at Qualys. Previously, Anton worked at LogLogic as a Chief LoggingEvangelist, tasked with educating the world about the importance of logging forsecurity, compliance and operations. Before LogLogic, Anton was employed by asecurity vendor in a strategic product management role. Anton earned his Ph.D.degree from Stony Brook University.
http://www.chuvakin.org/http://www.info-secure.org/http://www.securitywarrior.org/http://www.chuvakin.org/http://www.info-secure.org/http://www.securitywarrior.org/