white paper

Consul risk management, Inc
Suite 250, 2121 Cooperative Way, Herndon, VA 20171, USA
Tel: +1 703 547 3577  Fax: +1 703 547 3587

Consul risk management
Olof Palmestraat 10, 2616 LR Delft, The Netherlands
Tel: +31 15 251 3333  Fax: +31 15 262 8070

Consul risk management Deutschland GmbH
Stadttor 1, 40219 Düsseldorf, Germany
Tel: +49 211 3003 330  Fax: +49 211 3003 130

[email protected]  www.consul.com

Log Management: The Security Audit and Compliance Foundation · 2007-09-05 · white paper



Contents

1. Introduction
2. Why Log Management
   2.1. What Are the Security Risks?
   2.2. Why Automate Compliance?
3. Characteristics of an Effective Log Management System
   3.1. Automated Log Management
   3.2. Configurable Audit Settings
   3.3. Reliable and Verifiable Process
   3.4. InSight’s Log Management Dashboard
   3.5. Original Log Storage
   3.6. Efficient Query and Retrieval
4. Beyond Basic Log Management
   4.1. Normalization and Consolidation
   4.2. Security Policy
   4.3. Behavioral Alerts
   4.4. Key Reports
   4.5. Sample Reports
5. Summary

1. Introduction

Many regulations require that you have a way to review the effectiveness of your organization’s information system security controls. Security officers need to investigate suspicious incidents, which means you need access to collected event data on both a real-time and a historical basis. And best practices call for enforcing accountability for behavior throughout the organization, which is impossible if you don’t know what is happening on your systems and data. To meet this diverse set of demands, system and device logs have become the standard supporting “documentation” for actions on systems and data assets.

You can’t know what you don’t know, and without the right log management tool to collect, store, investigate, and report, it is difficult to ensure the complete, accurate and valid collection of logs needed to meet regulatory and business requirements. While enabling logging on most systems and devices is fairly straightforward and well covered by the native platform vendors (although caveats apply as to what to collect), there are a number of issues involved in actually managing and making use of the data effectively, including:

• Reliably collecting large volumes of log data
• Ensuring varied formats and log types are collectable
• Enabling query and incident investigation
• Streamlining administration of the log management process
• Providing evidence to meet the needs of auditors and regulators

A robust log management system can lead the business to higher levels of compliance, helping to reduce operational and regulatory risk exposures and improving overall system reliability and availability. Without an automated, reliable log collection mechanism, compliance with current data security and privacy regulations is practically impossible.
It is important to note that collecting the right events is as important as enabling audit logging. Recent guidance from NIST recommends that organizations “define…requirements and goals for performing logging and monitoring logs to include applicable laws, regulations, and existing organizational policies.”[1] Not all log content is of the same value in detecting potential security breaches, supporting demonstration of strong security controls or enabling operational issue analysis, so planning what logs you need to collect and retain is a key first step.

Along with defining the requirements to ensure appropriate logs are included as part of your log management process, the process you employ should be capable of supporting the full set of operational and compliance needs of the organization. The selected solution must be able to collect (and make sense of) many different log formats, most of which are cryptic, detailed and platform specific. Do you have the capacity and/or capability within the department to manually parse and review the varying log formats your systems and devices generate? Even if you are fortunate enough to have this level of resources, such activity is not viewed as a high-value activity by security or system administrators, so automation of routine tasks should be a strong consideration.

With most organizations comprising widely, often globally, distributed systems and devices with different owners and administrators, reliability and speed are paramount to a successful log management effort. But administrators usually can’t afford the time to perform multiple daily actions to initiate log collection from these numerous sources. And there needs to be a way to easily determine when potential problems have occurred, to reduce the risk of logs being permanently lost because they recycled before they were collected. Finally, the organization must be able to provide evidence to auditors and regulators that the process employed is reliable and verifiable, providing a complete, continuous set of logs. But it usually can’t become someone’s full-time job to provide the reports and evidentiary proof in response to auditors’ requests.

[1] National Institute of Standards and Technology, Special Publication 800-92 (Draft), “Guide to Security Log Management”, available at http://www.csrc.nist.gov/publications/nistpubs/index.html
Consul risk management is an authority in security audit and compliance, and in this white paper we draw on our 20 years of experience to help you understand what components a log management solution should contain to meet your auditors’ and regulators’ requirements without negatively impacting the business. Moreover, we’ll help you understand the benefits of a complete, log-based audit and compliance solution and introduce you to our flagship solution, Consul InSight™ Security Manager (InSight). InSight is an automated solution that provides reliable, verifiable log management, streamlines your compliance efforts, and provides extensive reporting for you and for your auditors.

2. Why Log Management

There are two primary calls to action in today’s information technology environment:

The first is operationally driven – organizations need to audit, monitor, and alert appropriate personnel to address and reduce fundamental security risks.

The second is regulatory compliance – in the face of a landslide of commercial and regulatory dictates, organizations are striving to reduce the pain and expense of their compliance efforts through automation of log collection, monitoring, and reporting.

NIST SP 800-92 (Draft) describes the inherent value of log management to organizations in supporting diverse requirements, including “identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful in performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. Organizations also may store and analyze certain logs to comply with Federal legislation and regulations…”

2.1. What Are the Security Risks?

Recent studies confirm that 87% of internal security incidents are perpetrated by a company’s most privileged users, namely: administrators, outsourcers, third party consultants, and other power users. Today these internal incidents cost the average business almost 6% of its gross annual revenue. The short list of potential incidents perpetrated by this group includes:

• Sabotage of information by privileged users
• Theft of information assets such as credit card information, customer lists, etc.
• Installation of unauthorized software or hardware that may lead to time bombs, logic bombs, Trojans or back doors
• Manipulation of weaknesses in protocols like TCP/IP with techniques such as DNS spoofing and TCP SYN flooding
• Manipulation of design flaws in applications

Today, companies protect themselves against these risks using a delicate balance of policy, process, authentication and access control technology. The first two in the list, policy and process, which define how data and systems should be managed and used, are effective to the extent that one can monitor and enforce them. The last two, authentication and access control technology, are effective in controlling those employees who have limited access to critical assets, but largely ineffective when it comes to the privileged user, the more threatening group. Practically, privileged users (administrators, IT outsourcers, power users, etc.) need full and unfettered access to do their jobs. Too much logical or physical control will result in reduced performance.

The Consul InSight™ Suite (InSight) was purpose-built to address the market need for a solution which reduces the security risks posed by administrators, outsourcers, consultants, and other powerful users without impeding the free flow of business. Through Consul InSight, your organization can achieve the following goals:

• Audit and monitor changes made to information and systems, and assure that these changes are made according to your official change process.
• Monitor access to and modification of sensitive information assets, and ensure their use is consistent with your acceptable use policy.
• Assure that privileged users are given the ability to do their jobs efficiently and effectively, while at the same time assuring that you have absolute accountability and visibility into their actions.

This results in continuous, non-intrusive assurance, and documentary evidence, that your data and systems are being managed in line with company and regulatory policies. More importantly, it gives you confidence that you won’t incur costly damages due to the inadvertent mistakes or malicious actions of your most powerful users.

2.2. Why Automate Compliance?

Today, federal regulations such as the Sarbanes-Oxley Act, Health Insurance Portability and Accountability Act (HIPAA), and Gramm-Leach-Bliley Act (GLBA) drive corporations to assess their internal control architecture on a more frequent basis. This in turn forces auditors and IT administrators to turn to log data as the primary vehicle through which assessors gain information, determine alignment, and identify deficiencies within the audit context.

From a technical perspective, every network device, operating system, and application records activity into one or multiple log files, known as security event logs. These logs are different for every device, operating system and application, and they can reside throughout the network. The logs are cryptic and specialized and require great expertise to understand. The other challenge is the volume of log data. These two things together make the job of the system administrator examining these logs very difficult, ineffective and error prone. And of course this doesn’t deal with reporting, log analysis, correlation across logs, etc.

A log management system needs to be automated; managing the system is otherwise an impossible task. Automating the collection and storage process improves the overall reliability and continuity of logs, reduces the cost of ownership and provides you with proof of controls over the process, helping improve your ability to meet the requirements of auditors and regulators.

Today, basic “log management” refers to the capability to collect, store, and query the multiple security event logs generated within a heterogeneous infrastructure. More sophisticated security information management (SIM) solutions, like Consul’s InSight, extend that capability to consolidate, normalize, investigate, report, and alert on policy exceptions identified through advanced correlation and analysis across a wide variety of operating systems, applications, databases, security devices and network devices. In addition to InSight’s sophisticated log management, audit and compliance capabilities, plug-in compliance modules help you continuously monitor and report alignment of the business against the requirements of the following dictates or best practices:

• Sarbanes-Oxley
• Basel II
• HIPAA
• GLBA
• PCI DSS
• SAS70
• NISPOM
• FISMA
• DCID
• ISO17799
• Common Criteria

With InSight, you have assurance that use of regulated information and systems is in alignment with internal policies or externally mandated requirements. Just as importantly, you have confidence that you won’t incur audit deficiencies because your outsourcers, administrators, consultants, or trusted employees have failed to adhere to your internal change management processes or acceptable use policies.

3. Characteristics of an Effective Log Management System

An effective log management system provides the following key features:

• Automation
• Configurable audit settings
• Reliable, verifiable log collection and reporting
• Dashboard views for rapid response and directed inquiry
• Original log storage
• Rapid query and retrieval

3.1. Automated Log Management

Automating the log management process, specifically collection and reporting, is the only way to deal with the significant volumes of logs generated in our IT-centric world. Regulations all require log collection to varying degrees, and InSight automates the collection and reporting processes so that up-to-date reports are available to security personnel for analysis and action, the organization can build a continuous, sustainable process, and less effort needs to be expended by the security organization to support audit and forensic evidence requests.

3.2. Configurable Audit Settings

Audit settings control what is written into the logs, and setting these correctly ultimately determines what incidents can be investigated, now and in the future. Collected logs are also the fuel for reports, and you can’t report on what you haven’t captured. With mandates like HIPAA asking that you collect all relevant logs and maintain the data for up to seven years, you must be able to collect from almost any source. InSight provides wide support for operating systems, applications, databases, security devices and network devices (pretty much any source), with documented audit settings and high-caliber support personnel to ensure you collect what you need to protect information assets and the confidentiality of regulated stakeholder data. Consul also provides implementation services to tailor audit settings to meet your exact collection and reporting requirements.

3.3. Reliable and Verifiable Process

As the goal of log management is to collect all log data, reliability and evidentiary proof of that reliability are key concerns. Automation takes us close, but without a way to actually prove that all log data is collected, you cannot meet the audit and compliance requirements for effective control over the log management process. A reliable, verifiable process has the following characteristics:

• A monitored, automated collection process with proactive reporting of any issues that might impede or interfere with collection; and
• Integrity controls that ensure all collected log data is complete, and safeguards that help ensure any potentially missing data can be collected before logs recycle.

InSight provides an automated collection process with scheduled collects of the important original log data from your devices and applications. Proactive alerting is provided if any issues are detected with the collection process, so that the systems administrator can take action to prevent the loss of important log data and improve the overall reliability of the system. InSight has a built-in self-audit subsystem so that the system itself can report on any issues with the integrity of the collected data or the collection process. For example, if someone should disable the collection of log data from a specific device to perform some dubious activity, InSight’s self-audit subsystem will provide reporting, up to the point of connecting the perpetrator of the event to the data source. To actually support completeness assertions, you need evidentiary proof for the auditor. InSight comes with three key log management reports so you can provide this evidentiary proof to the auditors at the push of a button.

[Figure: InSight’s Key Log Management Reports]

3.4. InSight’s Log Management Dashboard

InSight’s intuitive Log Management Dashboard provides a high level view of the collection process and the effectiveness of that process to provide continuous collections of logs from your monitored universe of operating systems, devices, databases, and applications. Drill down can be initiated from the dashboard all the way through to an original collected log.

3.5. Original Log Storage

For forensic and legal reasons, an effective log management system needs to store the original log data securely and provide proof of the data’s integrity. Some solutions decompose the data and store it in that form in a relational database. This means that unless you take other measures to store the original, unaltered log data, you have lost it and therefore lost the opportunity to use that data for presentation in legal cases. InSight stores the original log data in its secure data repository and permits only suitably authorized personnel to retrieve and view that log data. The data can then be used for further analysis by subject matter experts.
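As an added example (not Consul’s code) of the two properties described in sections 3.3 and 3.5, the following Python stores the original lines as a hash chain so that any edit or deletion is detectable, and checks a collection schedule so that a source whose collect has stalled is flagged before its logs recycle; the Source fields, the thresholds and every sample value are my own assumptions.

```python
"""Tamper-evident storage of original log lines plus a collection-gap check.

Added example, not Consul InSight code. The hash chain, the Source fields
and every sample value below are constructed assumptions for illustration.
"""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

GENESIS = "0" * 64  # previous-digest value used for the first record of an archive


@dataclass(frozen=True)
class Record:
    seq: int      # position in the archive, starting at 0
    raw: str      # the original log line, stored exactly as collected
    prev: str     # digest of the preceding record (GENESIS for the first)
    digest: str   # sha256(prev + "\n" + raw): binds this line to its predecessor


def _digest(prev: str, raw: str) -> str:
    return hashlib.sha256(f"{prev}\n{raw}".encode("utf-8")).hexdigest()


def chain_records(raw_lines, prev=GENESIS, start_seq=0):
    """Append raw lines to an archive as a hash chain; returns the new records.

    To continue an existing archive, pass the last stored digest and the next
    sequence number so the new batch links to what was already stored.
    """
    records = []
    for i, raw in enumerate(raw_lines):
        d = _digest(prev, raw)
        records.append(Record(start_seq + i, raw, prev, d))
        prev = d
    return records


def verify_chain(records, expected_prev=GENESIS):
    """Recompute every digest and link. Returns (True, None) for an intact chain,
    otherwise (False, seq) for the first record that is altered, missing or out of
    order: an edited line no longer matches its digest, and a removed record leaves
    a sequence gap and a dangling prev link at its successor."""
    prev = expected_prev
    expected_seq = records[0].seq if records else 0
    for rec in records:
        if rec.seq != expected_seq or rec.prev != prev or _digest(prev, rec.raw) != rec.digest:
            return False, rec.seq
        prev = rec.digest
        expected_seq += 1
    return True, None


@dataclass(frozen=True)
class Source:
    name: str
    interval: timedelta     # how often a scheduled collect runs
    retention: timedelta    # how long the source keeps logs before recycling them
    last_collect: datetime  # last successful collect


def collection_status(sources, now):
    """Classify each source as 'ok', 'overdue' (a scheduled collect was missed) or
    'at_risk' (uncollected data will recycle before the next scheduled collect can
    succeed), so an operator can intervene while the data still exists."""
    status = {}
    for s in sources:
        age = now - s.last_collect
        if age + s.interval >= s.retention:
            status[s.name] = "at_risk"
        elif age > s.interval:
            status[s.name] = "overdue"
        else:
            status[s.name] = "ok"
    return status


# Constructed sample input: raw lines as a collector would receive them.
SAMPLE_LINES = [
    "Jun 01 08:01:02 db01 sshd[411]: Accepted publickey for ops from 10.0.0.5 port 51022",
    "Jun 01 08:01:09 db01 sudo: ops : TTY=pts/0 ; COMMAND=/etc/init.d/syslog stop",
    "Jun 01 08:02:30 db01 sshd[411]: Disconnected from 10.0.0.5 port 51022",
]
SAMPLE_NOW = datetime(2006, 6, 1, 12, 0)
SAMPLE_SOURCES = [  # constructed collection schedule and retention windows
    Source("fw01", timedelta(hours=1), timedelta(days=7), SAMPLE_NOW - timedelta(minutes=30)),
    Source("db01", timedelta(hours=1), timedelta(days=7), SAMPLE_NOW - timedelta(hours=5)),
    Source("ad01", timedelta(hours=6), timedelta(hours=24), SAMPLE_NOW - timedelta(hours=20)),
]

if __name__ == "__main__":
    archive = chain_records(SAMPLE_LINES)
    print("chain intact:", verify_chain(archive))  # (True, None)
    print("collection:", collection_status(SAMPLE_SOURCES, SAMPLE_NOW))
```

The last stored digest is the one value an auditor needs to re-verify the whole archive, which is what turns "we collected everything" into an assertion that can be checked rather than taken on trust.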

3.6. Efficient Query and Retrieval

Some log management solutions are designed to act like a storage box, rapidly collecting the log data but not providing fast, intuitive interfaces for later query and retrieval. Consul’s extensive experience in the security audit industry and our study of customer usage patterns helped us instrument InSight with one of the most useful query and investigation tools available today. With its “Google-like” search capabilities, InSight’s log management layer doesn’t require SQL queries or Perl scripts to investigate our optimized Log Depot. A snippet of a keyword and some selected fields are all InSight needs to get started, and ranked queries allow you to refine your investigation without wasted time or effort.

4. Beyond Basic Log Management

In the evolving world of automated log management and SIM solutions, vendors offer different levels of capabilities. Many of the log management solutions in the market today are very technical, requiring organizations to employ expensive subject matter experts to translate the contents of original log data, and increasing their audit costs because auditors must also rely on expensive technical expertise (and charge it back to the customer) when examining evidence. More advanced functionality is provided by SIM solutions employing normalization, defined by NIST in SP 800-92 as “the conversion of event data values to a standardized format with consistent labels.” In other words, normalized log data is converted into a language that security officers and auditors can understand without expert advice. InSight offers such normalization, along with the additional capabilities discussed below.

4.1. Normalization and Consolidation

Compliance and audit reporting across all your logs is an onerous task that InSight is purpose-built to help you with. Earlier we discussed InSight’s automated collection and reporting processes, which simplify the task of creating reports for log management purposes. But actually reducing security and compliance risks takes more than just native log data. Because InSight uses a normalized and correlated model known as the W7 model, it supports a wide range of easy-to-understand reports that do not require the assistance of a subject matter expert (SME) to comprehend. This reporting can help you with cross-platform investigations and reduce the need for your auditor to employ their own SMEs during the audit; the end result is lower time commitments and lower costs, with more effective security management results.

[Figure: InSight: How it Works]

4.2. Security Policy

Detecting anomalous behavior is crucial if you are to detect abuse of systems and resources by both privileged and non-privileged users. Putting a security policy in place and monitoring against that policy enables anomalous behavior to be spotted without hindering business operations. You can watch the privileged users, measure them against the acceptable use policy and report (or alert) on behavior that falls outside of this policy. InSight’s reporting provides extensive capabilities and reports to measure use against the policy and to surface exceptional behavior. More importantly, and often overlooked, the use of an automated log-based SIM solution such as InSight will allow your organization to close the compliance gap, defined as the difference between what should occur and what does occur on information assets.

4.3. Behavioral Alerts

The beauty of employing a policy-based approach to anomaly detection is two-fold:

1. When any behavior is outside of allowable bounds, alerts can be triggered. And unlike rules-based systems, the security officer does not have to define all potential “bad” behavior in advance, which is actually an impossible task. An example is helpful – if the policy states that User Class A can access Information Asset Type X, the moment that someone in User Class A touches Information Asset Type Y, an exception is triggered and an alert (based on severity) can be executed.

2. Privileged user activity can be successfully monitored. In rules-based systems (as described above), the security officer needs to define “bad” behavior. But privileged users’ activities often are not “bad”; in fact, they are required to provide access to users, change permissions, etc. A policy-based solution such as InSight can still trigger an alarm if the privileged user performs any action of specific interest.
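The policy-based approach in items 1 and 2 above, combined with the normalization that section 4.1 describes, as an added example that is not Consul InSight code: two constructed log formats are normalized into one record with W7-style labels (the field names who, what, when, where, where_from, where_to and on_what are my reading of the model the text names), and a user-class/asset-type policy is evaluated over the result, with watched actions for the privileged class; the users, asset types, policy and log lines are all constructed.

```python
"""Normalize two constructed log formats into one W7-style event record and
evaluate a policy-based access rule over the result.

Added example, not Consul InSight code. The W7 labels used here are my reading
of the model named in the text; the log lines, user classes, asset types and
policy are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Normalization: both formats end up with the same labels and the same small
# action vocabulary, which is what lets one policy cover every source.
ACTION_MAP = {"SELECT": "READ", "UPDATE": "WRITE", "DROP": "DELETE",
              "ReadData": "READ", "WriteData": "WRITE", "WriteDAC": "CHANGE_PERMISSION"}

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) dbaudit: (?P<kv>.+)$")


def normalize_syslog(line, year=2006):
    """Constructed syslog-style database audit line carrying key=value pairs."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised syslog line: {line!r}")
    kv = dict(part.split("=", 1) for part in m["kv"].split())
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"who": kv["user"].lower(), "what": ACTION_MAP.get(kv["action"], kv["action"]),
            "when": when, "where": m["host"], "where_from": kv.get("src", ""),
            "where_to": m["host"], "on_what": kv["object"]}


def normalize_csv(line):
    """Constructed Windows-style export: ts,host,event_id,DOMAIN\\user,access,object,src."""
    ts, host, _event_id, user, access, obj, src = line.split(",")
    return {"who": user.split("\\")[-1].lower(), "what": ACTION_MAP.get(access, access),
            "when": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "where": host, "where_from": src, "where_to": host, "on_what": obj}


def normalize(line):
    """Pick the parser from the line's shape; a real collector keys this on the source."""
    return normalize_csv(line) if line[:4].isdigit() and "," in line else normalize_syslog(line)


# Policy: the text's "User Class A may access Asset Type X" expressed as data.
USER_CLASS = {"jsmith": "HR_ANALYST", "mlee": "FINANCE", "dba_root": "DBA"}  # constructed
ASSET_RULES = [("/db/hr/", "HR_DATA"), (r"\\fs02\finance", "FINANCE_DATA"), ("/db/", "DB_SYSTEM")]
POLICY = {"HR_ANALYST": {"HR_DATA"}, "FINANCE": {"FINANCE_DATA"},
          "DBA": {"HR_DATA", "FINANCE_DATA", "DB_SYSTEM"}}  # privileged class: broad access is legitimate
SEVERITY = {"HR_DATA": "high", "FINANCE_DATA": "high", "DB_SYSTEM": "medium", "OTHER": "low"}
# Actions of specific interest for a privileged class: reported even though permitted.
WATCH_ACTIONS = {"DBA": {"CHANGE_PERMISSION", "DELETE"}}


def asset_type(obj):
    for prefix, kind in ASSET_RULES:
        if obj.lower().startswith(prefix.lower()):
            return kind
    return "OTHER"


def evaluate(event):
    """Return an alert dict for a policy exception or a watched privileged action, else None."""
    cls = USER_CLASS.get(event["who"], "UNKNOWN")
    kind = asset_type(event["on_what"])
    base = {"who": event["who"], "user_class": cls, "what": event["what"],
            "on_what": event["on_what"], "asset_type": kind, "when": event["when"]}
    if kind not in POLICY.get(cls, set()):
        # Nobody had to enumerate this particular "bad" combination in advance.
        return {**base, "kind": "policy_exception", "severity": SEVERITY[kind]}
    if event["what"] in WATCH_ACTIONS.get(cls, set()):
        return {**base, "kind": "privileged_action", "severity": "medium"}
    return None


def run(lines):
    return [alert for alert in (evaluate(normalize(line)) for line in lines) if alert]


SAMPLE_LINES = [  # constructed
    "Jun 01 09:15:02 hr-db01 dbaudit: user=jsmith action=SELECT object=/db/hr/salaries src=10.1.2.3",
    "Jun 01 09:17:45 hr-db01 dbaudit: user=mlee action=SELECT object=/db/hr/salaries src=10.1.2.9",
    r"2006-06-01T09:20:11Z,fs02,4663,CORP\dba_root,WriteDAC,\\fs02\finance\ledger.xlsx,10.1.0.2",
    r"2006-06-01T09:21:00Z,fs02,4663,CORP\jsmith,ReadData,\\fs02\finance\ledger.xlsx,10.1.2.3",
]

if __name__ == "__main__":
    for alert in run(SAMPLE_LINES):
        print(alert["kind"], alert["severity"], alert["who"], alert["what"], alert["on_what"])
```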

4.4. Key Reports

InSight was designed to jump-start your compliance efforts by providing pre-defined reports to measure key activities and usage scenarios, rather than forcing you to build your own set of reports from scratch. In addition, Consul understands the variability that exists among different organizations, so InSight provides a powerful custom report writer right out of the box. And a key part of each InSight deployment is working with the customer to ensure there is a strong correlation between the desired output and the event sources implemented, ensuring you can close that compliance gap and meet your regulatory and operational reporting requirements. InSight comes with many pre-defined reports that allow drill-down to the specific triggering event, including the customer favorites listed below for Privileged User Monitoring and Audit (PUMA™):

• Enterprise Dashboard
• Users by Event Type
• Overview of Select
• All Activity by Type
• Detailed Incident Investigation
• User Investigation
• Events by Rule
• Sensitive Data Access
• Operational Change Management*

* Requires Sarbanes-Oxley Compliance Module

4.5. Sample Reports

4.5.1. Enterprise Compliance Dashboard

[Figure: InSight’s Enterprise Compliance Dashboard]

From a single Enterprise Compliance Dashboard you can view all activities on the system. The size of each circle indicates the amount of activity (logged events) and color indicates levels of compliance.

4.5.2. User Audit Report

[Figure: User Audit Report supports broad or narrow investigation]

In the report above, you can home in on all activities users have performed or specify even a single activity of interest. The results are displayed and can be drilled through to the individual event level.

4.5.3. Event Detail Report

[Figure: Expand investigations of an incident across platforms and time-frames]

When an incident occurs, you often need to zoom in on every dimension: Person, Activity and Object. You also want to know much more, such as time, origin and associated events. The Event Detail report provides all the detail at a field level and applies policy groupings and exceptions. It lets you escalate an incident to a workflow system through incident tracking, and continue your investigation along any dimension.

5. Summary

Consul InSight improves your ability to close the compliance gap, reducing the risks and costs associated with non-compliance with regulations as well as the reputational and operational risks associated with security breaches and failures. Through continuous, automated monitoring of system changes and of user and privileged-user behavior, Consul InSight improves your overall business continuity. Consul InSight can instrument your business with:

• Automated monitoring, collection and storage of all log data
• Reliable, verifiable log management capabilities supported by specific reports as evidence that you have an effective process in place for audit purposes
• Strong correlation and normalization to foster non-technical understanding of the organization’s security posture
• Specific compliance monitoring reports to help you close the gap and alert you to areas of concern
• A suite of audit-focused reports to help maintain the overall availability and integrity of your systems

The Consul InSight Suite has already helped numerous organizations meet a multitude of regulatory and contractual reporting requirements, including Sarbanes-Oxley, PCI DSS, HIPAA, GLBA, and Basel II through its ability to collect and centralize security log data from heterogeneous sources, filter collected information against security policy, automatically trigger appropriate actions and alerts upon detecting suspicious activities, archive normalized log data for forensic review, and provide consolidated viewing and reporting.


Further information about Consul InSight is also available. Consul InSight™ is developed, sold and supported by:

Sales and support in the USA:
Consul risk management, Inc
Suite 250, 2121 Cooperative Way, Herndon, VA 20171, USA
+1 800 258 5077

Sales and support in Europe, Middle East, and Asia:
Consul risk management
Olof Palmestraat 10, 2616 LR Delft, The Netherlands
+31 15 251 3333

[email protected]  www.consul.com

Published June 2006. Published by Consul risk management, Inc, 2121 Cooperative Way, Suite 250, Herndon, VA 20171, USA. Phone: +1.800.258.5077. E-mail: [email protected]. Website: www.consul.com.

© 2006 Consul risk management. All rights reserved. No part of the content of this product overview shall be reproduced or transmitted in any form, or by any means, without the written permission of Consul risk management. The examples in this product overview are not meant to be representative or particularly applicable to another situation. Features and facilities described in this product overview may change without notice. Other product or company names mentioned are trademarks, registered trademarks, or service marks of their respective owners.