LogManagementforCompliance - cdn.ttgtmedia.com · When logs are tied to user ... The IP address or possibly host- ... ArcSight Logger provides a comprehensive monitoring platform

A SEARCHCOMPLIANCE.COM/SEARCHSECURITY.COM E-BOOK

Alert!

Feb 25 02:55:19 [16934] ALERT - confiable name length limit exceeded

'___df9d5760ba1af926bed589c89//module_php?basepath' (attacker

college/public_html/new/CS423/[16934] ALERT - configured request variablet exceeded - dropped variablef926bed589c89//modules/My_eGallery/index_phacker '10.12.82.4', file '/srv/www/live/tml/new/CS423/grades/display.php'

LogManagement for ComplianceLogs are your golden record for compliance,

but they don’t give up their story easily.

’’//‘CHAPTER 1:Tying LogManagement and User Identity

Without a log management system, you won’t be ableto make the crucial connection between events,

the people or programs who create them, and therelation of those events to others in your many logs.

‘‘‘‘>..CHAPTER 2:No LogManagement, No Regulatory Compliance

That’s why log management is crucial to achievingregulatory compliance, and why you may need to

modify your selection criteria when choosing tools.

Tying LogManagementand User IdentityCompliance and security are about using

sharp minds and tools to track, analyze and reporton suspicious human activity.

BY STEPHEN NORTHCUTT

INCIDENT RESPONSE was tough enoughwhen the challenge was getting tothe bottom of what happened. Formost organizations, when an incidentis detected or suspected, gatheringenough data to surmise what hap-pened requires several hours of workpiecing the logs together. The reasonfor this is simple: The majority ofsecurity appliances report what hap-pened, but not who was behind theactivity, historical information aboutthat system or similar events.

But today, regulatory compliancerequirements are built on a strongsecurity rationale for tying identity toactivity. And the reality is complianceis driving organizations to log man-agement, and tying identity to activi-ty helps you get a budget. The Sar-banes-Oxley Act, for example, callsfor strict controls over access tofinancial records and that means it’scritical to spot unauthorized activityby human beings.

“Organizations that perform loganalysis are constantly reacting toevents on the network while still try-ing to be proactive. When logs aretied to user identities, if there is acritical event, the user (or likely user)of the event can be quickly identi-fied,” says Ron Gula, chief technologyofficer at Tenable Network SecurityInc. The user identity is a criticalpiece of information that shortensthe analysis decision cycle and canhelp eliminate unimportant issues oroffer a high confidence for eventsmarked as actionable priorities. Forexample, he says, “you may have noidea how many login failures consti-tutes a probe, but if you were tograph all of the login failures by user,you may be able to spot patterns youdidn’t know you had to look for in thefirst place.”

Knowing the “who” as well as the“what” is more than a benefit forinvestigators—it is absolutely essen-

CHAPTER 1 > TYING LOG MANAGEMENT AND USER IDENTITY

2 LOG MANAGEMENT FOR COMPLIANCE

aTYING LOG

MANAGEMENTAND USERIDENTITY

aNO LOG

MANAGEMENT,NO REGULATORY

COMPLIANCE



tial to an organization’s security/compliance program. Who madeunauthorized access to customers’information databases? Whoattempted to get root privilegeson the domain server? Who cookedthe financial records?

A classic compliance-related caseof tying activity to identity comesfrom improper access of medicalrecords. Some of these cases get a lotof press, such as when 13 UCLA Med-ical Center employees viewed BritneySpears’ medical records in March2008, but professionals in the fieldreport that this is fairly common. Thestolen information can be sold, notonly to sensationalist tabloids—as inthe case of celebrities such as Spears,Maria Shriver and George Clooney—but also to insurance firms. Needlessto say, this has the potential to putmedical institutions at risk for bothlawsuits for breach of privacy or emo-tional distress and sanctions as aresult of Health Insurance Portabilityand Accountability Act (HIPAA) vio-lations. The Department of Healthand Human Services has not done agood job of enforcing HIPAA compli-ance to date, but that’s changing withthe recent $2 million CVS CaremarkCorp. fine and the Obama administra-tion’s emphasis on strong enforce-ment.

Tying user identity to activity isno easy task, but we’re finally seeingthe tools and developing the tech-niques that make it easier to track

down the inadvertent or maliciousoffender.

TRACKING HUMAN EVENTSWhy is tying identity to activity sodifficult? At the heart of the problemis the “skinny” or “thin” event report(the term was coined by Eric Fitzger-ald of Microsoft). A computer, serveror security appliance kicks out areport to syslog with the informationit has at hand. It can’t gather anyother information about the event,state of the information, the personlogged in and so forth. This results inlogs that typically give:

� Time and date of the event.� The IP address or possibly host-

name(s) involved.� The program reporting the event.� Severity. Common values are

fatal, severe, warning, info anddebug. They’re decided by theapplication and may or may notbe accurate or useful.

� What happened from the report-ing program’s point of view.

Let’s look at an example fromSuhosin, a hardened version of theHypertext Preprocessor (PHP):

Feb 24 09:56:43 [31321] ALERT -tried to register forbidden variable'GLOBALS' through GET variables(attacker '41.204.211.204', file'/srv/www/live/sans/public_html/ne

aTYING LOG


aNO LOG


COMPLIANCE

wsletters/risk/index.php')

Each of those fields is useful, nec-essary, but not sufficient. What ismissing? To do a complete analysis,we generally need “fat” data. That is,additional information that may notbe available to the reporting program.Additional fields that are commonlyneeded to create actionable informa-tion from event data include:

� When the event happened:Feb 24 09:56:43 East Coast Time.

� Who initiated the activity:41.204.211.204, according tonslookup, was assigned to web-host3.shadowrain.co.za at thattime.

� Whether this is a stimulusor a response: It is a stimulusin this case, because webhost3is initiating connections withwww.sans.org.

If the event we have collected is aresponse, have we identified the stim-ulus—or, in this case, since it was astimulus, did we respond?

What individuals and programswere involved? Ah, there is the rub;we know the IP address, we know themachine name, but we have no ideawho in South Africa is behind thisactivity.

Did each event in the chain succeedor fail? This log entry is one of aseries; webhost3 is probably runninga scanner on www.sans.org. Hope-

fully, each probe fails.Is this over, or is it ongoing? This

probe has a start time and end time,so the event is over. We can surmisethat only by looking at all the log

entries from this IP address.For years, putting the data together

has been the responsibility of thesecurity analyst. We flag an event insyslog because it has a keyword weknow indicates suspicious activity,such as rejected, dropped or denied.Then we take the information that wehave from the syslog entry and beginto work both backward and forwardto find other, related log events. Per-haps we have the IP address and needto consult the Dynamic Host Configu-ration Protocol table to determine thehostname and MAC address.

Next, we might go to the system ordomain controller event logs to deter-mine who was logged on. Did the per-son log on the first time he tried, orwere there multiple attempts? Wheredid he log on from: Was it local, or



aTYING LOG


aNO LOG


COMPLIANCE

To do a completeanalysis, we generallyneed ‘fat’ data. That is,additional informationthat may not beavailable to thereporting program.

We don’t have to tell you that enterprises face very real security risks. Or that the cost of regulatory compliance is a growing burden. Now, more than ever, IT security and operations teams must protect digital assets and ensure their availability with greater efficiency and smaller budgets.

ArcSight Logger provides a comprehensive monitoring platform for visibility into security risk, automation of audits,and operational service level agreements. With ArcSight, you’ll get the big picture so you can avoid the big problem. After all, keeping a business running is the only way to run a business and log data is now a critical business asset.

Visit us at www.arcsight.com.ArcSight Headquarters: 1-888-415-ARST © 2009 ArcSight. All rights reserved.

Protection and Visibility 1.0


was it a remote logon? This type ofnetwork forensic analysis is doable,but it takes a long time and a com-plete knowledge of where to get theinformation.

Each event may take between30 minutes and several hours to runto ground, and the work is somewhattedious—especially when we haveto work with data on different timezones. The high cost of manual cor-relation means many potential inci-dents are never investigated, and that

means we fail to detect some eventssometimes leading to devastatingconsequences, such as the spectac-ular Barings Bank and SociétéGénérale frauds (see “CompanyKillers,” below).

On the other hand, if we can usesoftware to collect this informationand display it in a meaningful way, ananalyst can make a pretty good deci-sion as to the severity of a log eventin a matter of seconds, and our abilityto detect and respond to potentially


aTYING LOG


aNO LOG


COMPLIANCE

FAILURE TO DETECT and monitor new accounts or use of excessive privilege is acritical example of the need to tie activities to users and their roles. Considerthese spectacular examples:One such failure led to the 1995 demise of the venerable Barings Bank, the

oldest merchant bank in the U.K. Account 8888 had been set up to cover up amistake made by another teammember, which led to a loss of $20,000. Thatis bad, but it gets worse. Nick Leeson then used this account to cover his ownmounting losses as a day trader. When the smoke cleared, Leeson had lost $1.3billion and ultimately destroyed the 233-year-old bank. All of Leeson’s supervi-sors resigned (under pressure) or were terminated.Jerome Kerviel, a trader with the French Société Générale bank, had access

that allowed him to far exceed his authority in European stock index trades. Hewas able to make unauthorized transactions that led to a loss of somewhere inthe neighborhood of ¤4.9 billion Euros (more than $7 billion).In 2006, Kerviel began a series of “fake” trades mixed with large real trades,

some of which actually exceeded the bank's capitalization. Somehow, he avoid-ed normal controls based on timing and kept winning and losing trades in bal-ance to give the appearance of insignificant impact to the bank’s bottom line.A number of DLP-friendly tools as well as simple scripts can help detect newaccounts. —S.N.

COMPANY KILLERS



harmful events improves dramatically.The keys will lie in our analysts’

ability to look for changes in userbehavior or attitude; report on segre-gation of duties, dual controls andaccess violations; and monitor activi-ty and report on it. The good news iswe’re getting the tools that are begin-ning to make this practical.

TOOLS TRACK USERSSince the stakes are so high and theneed is so great to tie identity toactivity, vendors are starting to deliv-er security solutions that can help. Forinstance, Sourcefire Real-time UserAwareness (RUA) can be configuredto send an alert any time a new useridentity is detected, and this identitycan be checked to see if it matchesspecific values. RUA does not have afeature to support pattern matchingon new user identities.

Take the “Zippy” example. (Thisreally happened. Though famousbank disasters are among the mostserious account-related breaches,most security professionals with acouple of years of operational securi-ty experience have a security storyinvolving a new or modified account.)The company was a lab in whichusernames were all created from thefirst letter of the first name and thefirst six letters of the last name. Anew account log entry for “zippy”caught our attention immediately.Either we had an employee named

Zeke Ippy, or we had a problem.If we had a list of all users, we could

examine Zippy to see if a user had afirst name starting with Z and a lastname with the string Ippy. This can bedone with a homegrown script usingregular expressions, but over timewe’re seeing vendors deliver moreregular expression capability so toolscan be configured to support busi-ness logic.

Security architects can now dependon one or more of the logging andanalysis industry categories of toolsthat can deliver “fat” data that tiesuser ID and other related informationto event logs. These tools include:

� Security information eventmanagers (SIEMs).

� Log management devices,which are primarily collectorsof log files.

� The central console of a securityproducts company that offers anumber of additional capabilities,not just logging and analysis.For instance, both Tenable andSourcefire Inc. have several secu-rity products and they report in tocentral consoles that strive todeliver fat data.

These products receive the thinevents and create fat data for analy-sis. As the vendors continue to addfunctionality, these product cate-gories tend to overlap and are lessdefined than they were a couple of

aTYING LOG


aNO LOG


COMPLIANCE

years ago. SIEMs, for example arenow emphasizing their log manage-ment capabilities (or spinning offseparate products) to capitalize oncompliance-driven market demand.

And some log management prod-ucts are developing more SIEM-likecapabilities.

The flow goes like this: An eventoccurs, and a thin log file describingthat event is created and sent toa collector. (A site may have oneor more collectors.) The collectormay store it as a raw, unaltered, pre-normalization event. The log eventmay also be stored with a matchingcryptographic hash to prove it hasnot been tampered with.

If the site wants to do more thansimply store the log, a copy of the logevent is sent to an analysis engine.The log event can be evaluated byrules that are designed to either con-firm and record a normal event hasoccurred, or to detect abnormal orbad events.

The rules may be based on regularexpression technology to parse rawevents, but sophisticated productsnormalize the logs, meaning raw datais broken down into component stan-dardized fields and stored in a data-base where we may be able to corre-late it with other information.Examples of the types of fields wemight see in an event databaseinclude:

� Day of week� Hour of day� ID� UTC time� Local time� Time zone� PID� OS name� OS version� Application version� Hostname� Host IP� Host domain name� MAC address� Application reason� Severity type

Once the data is normalized andin a database, our tools create a fatevent by adding other referentialdata such as the history of that IPaddress/MAC address/system name;related vulnerability scan information;the history of similar events and login,identity or access data. This level ofinformation can help an analyst makean informed decision much faster.



aTYING LOG


aNO LOG


COMPLIANCE

One warning note:Information isn’talways what it seems,so don’t leap to obviousconclusions aboutwhat the data appearsto be telling you.

SecureVue® EnsuresNO DATA Is Left BehindSecureVue is a security and compliance management platform built to collect and correlate ALL DATA from hosts and devices on your network, providing the situational awareness that helps you understand what you need to focus on RIGHT NOW.

For more information visit: www.eIQnetworks.com or www.logdataisnotenough.com.

LogConfigurationAssetPerformanceVulnerabilityNetwork Flow

www.eIQnetworks.com

www.logdataisnotenough.com

One warning note: Information isn’talways what it seems, so don’t leap toobvious conclusions about what thedata appears to be telling you (see“Caveat Analyst,” below).

Since referential data is important,organizations that take log analysis

seriously want as much data as theycan get. One useful tool is the passivesniffer. It’s typically placed nearaggregation points such as the fire-wall to listen to and analyze trafficpassing by. Passive sniffers are ableto determine which operating sys-



aTYING LOG


aNO LOG


COMPLIANCE

ANY DATA MODELING professional will quickly warn you that referential data ispowerful and helpful to analyze and classify an event, if and only if that informa-tion is correct and is correlated correctly. If you visualize yourself as the analystmaking a decision on how to classify an event, then you can clearly see that ifthese types of fields are misleading or wrong, you could easily arrive at thewrong conclusion.As an example, if you were an analyst for a university investigating a log

event:

Feb 25 02:55:19 [16934] ALERT - configured request variable name length limitexceeded - dropped variable '___df9d5760ba1af926bed589c89//modules/My_eGallery/index_php?basepath' (attacker '10.12.82.4', file '/srv/www/live/college/public_html/new/CS423/grades/display.php'

The login information for IP address 10.12.82.4 yielded a student name ofJohn Brown, and the event history showed past warnings for hacking-typebehavior. One might immediately leap to a conclusion that the event was hack-ing-related and John Brown was at it again.However, if any of that information was wrong, or correlated incorrectly, we

might accuse John unfairly. What if John had plugged a wireless access point tothe network connector in his dorm room and another student was using it whileattempting to access the grades for his class? In fact, still another piece of ref-erential data pointed out that John Brown was not even enrolled in CS 423.Why would you hack the grade server to change your grade for a class youaren’t taking? —S.N.

CAVEAT ANALYST

tems are associated with particularaddresses. They can also determinethe version of software that’s running.This is a huge step up from the basicfirewall log of port and IP address. Inaddition, they can pinpoint the exis-tence of vulnerabilities. Because theyare creating their referential statetables by listening to traffic, passivesniffers are more current than staticnetwork inventory tables that aremanually updated.

There is an open source exampleof a passive sniffer called pof, andSourcefire and Tenable have commer-cial products—Sourcefire Real-timeNetwork Awareness and Tenable Pas-sive Vulnerability Scanner. Both com-panies offer a central console, sort ofa mini-SIEM, to collect and managethe event data their various productscreate. It is still a manual step to iden-tify the event in syslog and then querythese vendor consoles, but it’s a hugestep up from everything being a man-ual task.

With sophisticated SIEMs, it isbecoming increasingly possible totie thin events to an identity in usefulways. It’s been hard to do previouslybecause the average person has mul-tiple accounts—email, windows, vir-tual private network, intranet, app-specific IDs, instant messenger, etc.

While a SIEM can collect activityacross these accounts, for the datato be actionable we must associate allof these accounts to a single person.Using ArcSight ESM, for example, an

analyst selects one account ID as theuser’s unique ID. Then it is possible tomap all the other accounts for thatuser to the unique ID. SIEMs such asESM use several methods to connectlog activity to identity, including uti-

lizing agents and sending native oper-ating system credentials.

The only way to detect changes inbehavior with technical controls is totie identity to activity over a longenough period of time to establish abaseline. What if the amount of Webconnection time to social media sitessuch as Twitter and Facebook sud-denly increases? It might indicatethat a user is less motivated to do hiswork assignments. Or a majorincrease in time on LinkedIn mightindicate an employee establishingconnections in advance of leaving thecurrent organization. However, thereis no way to detect an increase if we



aTYING LOG


aNO LOG


COMPLIANCE

With sophisticatedSIEMs, it is becomingincreasingly possibleto tie thin events to anidentity in useful ways.It’s been hard to dopreviously becausethe average personhas multiple accounts.

do not have a baseline.You can expect a SIEM that sup-

ports identity to activity mapping tobe able to integrate with ActiveDirectory or Network Directory. Thismeans in addition to the accounts,you also get group or role informa-tion. Even though organizations havebeen slow to implement networkaccess control at the enterprise level,the capability is built in to more andmore software and appliances and itis starting to happen.

One exciting capability of tyingidentity to activity is to use historicalactivity data into ArcSight’s activityprofiling technology to generate sta-tistical patterns and create new rules.For example, you might run the activi-ty of the last 50 people who quit, tosee what activities they did that thosewho are still there didn’t do. Then ifyou see that activity, you canautoescalate a watch list and makesure the person doesn’t leave withdata, files, etc.

Or, in a down economy, if youhave to announce that your organ-ization can’t issue bonuses one year,you might profile the activity of usersbefore the announcement comparedwith after the announcement. Arecent study by Ponemon InstituteLLC (sponsored by Symantec Corp.)interviewed 945 adults in the U.S.who had been laid off, fired orchanged jobs within the past yearand found that more than half tookcompany information with them

when they left their former positions.The rationales for taking the dataincluded help getting another job orstarting their own business, or simplerevenge. All of the participants in

the survey had access to proprietaryinformation, including customer data,employee information, financialreports, software tools and confiden-tial business documents. The surveyalso found that just 15 percent of thecompanies examined the paperand/or electronic documents theirformer employees took when theyleft.

THE PAYOFFEvery organization struggles with theamount of effort it takes to get realbenefit from log file analysis. Obvi-ously, one big win is compliance.Most regulation bodies either requireor strongly suggest log monitoring.The latest, the Consensus Audit



aTYING LOG


aNO LOG


COMPLIANCE

Every organizationstruggles ... to get realbenefit from log analysis.Obviously, one big winis compliance. Mostregulation bodies eitherrequire or stronglysuggest log monitoring.

Guidelines, specifically refer to theimportance of tying identity to activi-ty. Two examples are enforcing con-trols on dormant accounts and con-tinuously evaluating the need toknow. In both cases, you have to

know who the user is and what hisrole should be.

With log monitoring, nothing suc-ceeds like success. If a suspiciousevent occurs and an analyst takes thetime to run it to ground and findssomething significant, such as anemployee collecting a list of customerpersonally identifiable informationand sending it to a Hotmail account,people get excited. The damage can

be minimized by rapid detection andresponse. Logging, which is usuallyconsidered dull and boring work,becomes exciting.

That is really one of the biggestbenefits of tying identity to activity.Hits on the firewall, dropped spammessages, error conditions in a pro-gram and the amount of free diskspace are all important, of course.Humans, though, do the craziestthings, and when you add the humanpart of the equation to log events, it isa whole new ballgame. It wouldn’t besurprising if the next few years yield anumber of exciting security detectiontechniques as we correlate identityand get better at creating fat eventsfor analysts to review. �

Stephen Northcutt founded the GIAC certificationand currently serves as president of the SANS Tech-nology Institute, a postgraduate-level IT securitycollege. He is author/co-author of Computer SecurityIncident Handling: Step-by-Step, Intrusion Signaturesand Analysis, Inside Network Perimeter Security (2ndEdition), IT Ethics Handbook: Right and Wrong for ITProfessionals, SANS Security Essentials, SANS SecurityLeadership Essentials and Network Intrusion Detection(3rd Edition).



aTYING LOG


aNO LOG


COMPLIANCE

Nothing succeedslike success. …Logging, which isusually considereddull and boring work,becomes exciting.

http://www.sans.org/cag/

AUTOMATE COMPLIANCE • SIMPLIFY SECURITY • UNIFY DATABASE SECURITY

LogLogic offers log-powered applications in compliance management,database activity monitoring and security event management that seamlessly integrate with our Open Log Management Platformand work together – delivering the industry’s only one-stop shop for corporate security, IT efficiency and compliance management.

UNLEASHLOG POWER

COMPLY, PROTECT & SAVE

FOR MORE INFORMATION

www.loglogic.comREAD OUR LATEST REPORT FROM BLOOR

www.loglogic.com/bloor

www.loglogic.com

www.loglogic.com

http://loglogic.com/resources/analyst-reports/bloor-indetail-research-report/

LOG MANAGEMENT WAS rarely a topic ofconversation among senior IT man-agers until recently. What’s elevatedit from an obscure task practiced byadmins to a strategic concern is regu-latory compliance. Suddenly, enter-prises need to demonstrate that theyexamine logs, not only in response toknown incidents, but also as a matterof course—even daily review. In short,if you’re not doing log management,you will not be compliant with a num-ber of regulations, including the PCIDSS standard for payment card trans-actions.

In addition to their newfoundimportance, logs pose a strategicpuzzle for IT. Logs have a long historyof being used by systems and net-work admins for troubleshooting.More recently, they’ve become theevidence trail for security incidents.Add regulatory compliance in itsmany and varied forms to that

requirements list, and selecting toolsthat meet your shop’s mix of needs inall three arenas becomes a thoughtfulexercise in balancing different con-stituencies. Fortunately, there aresome basic needs that most shopswill have with which you can start.

Take the case of Alliant EnergyCorp. in Madison, Wis. About a yearago, Joe Kubesheski, who overseesstrategy, security and records atAlliant, was looking for a log manage-ment tool to make sense of the volu-minous data generated by the utilitycompany’s computer logs. The aimwas not only to enhance the firm’slayered security systems, but also tocomply with log review requirementsfor the Sarbanes-Oxley Act and thecybersecurity standards recentlymandated by the North AmericanElectric Reliability Corp., the regulato-ry body for bulk electric systems.Until then, “everything was home-

CHAPTER 2 > NO LOG MANAGEMENT, NO REGULATORY COMPLIANCE


aTYING LOG


aNO LOG


COMPLIANCE

No LogManagement,No Regulatory Compliance

Regulatory compliance demands that you save,analyze and report on log data from key systems.

Without automation, the operational burdenwill overwhelm you.

BY LINDA TUCCI

grown,” Kubesheski says.Kubesheski, like IT pros at most

shops, needed log management toolsthat would do three things:

� Provide protection on the securityfront;

� Remove the manual work of exam-ining multiple logs on multipledevices; and

� Generate audit reports attestingthat the company was doing theright things to meet its regulatoryrequirements.

Kubesheski’s situation is one thatmany IT departments are wrestlingwith at the moment. Servers, routers,gateways, firewalls, databases, oper-ating systems, applications—virtuallyanything worth noting in the comput-ing environment—generate logs thatconstitute the golden record of accessand action, if you can collect theirdata and verify that it has not beentampered with. That makes suchtools important for compliance.

The profusion of security devicesused to protect corporate networks(firewalls, intrusion protectiondevices, content-filtering devices)alone can create millions of recordsper day, says Trent Henry, an analystwho covers security and risk manage-ment at Midvale, Utah-based BurtonGroup Inc.

Manually monitoring, aggregatingand correlating log information fromacross the infrastructure is time con-

suming, exacerbated by disparatelogging standards and formats.

Senior IT mangers trying to eitherbring log management for complianceinto their shops for the first time orbuild on existing troubleshooting orforensics use have several options:

� Look at standalone log manage-ment packages. These tend toemphasize very broad and diverselog aggregation capabilities andextensive reporting. Some are deliv-ered as appliances, some as soft-ware that runs on generic servers.

� Consider SIEM systems. Securityinformation and event management(SIEM) systems combine near-realtime alerting of security incidentswith longer time-frame log analysiscapabilities.

� Use larger security suites.Many ofthe household-name large securitysoftware vendors have log manage-ment modules in their suites.

� Narrow your log managementrequirements.

Whichever way you wind up going,the most basic requirement isstraightforward: You’ll need a toolthat can aggregate all the relevant logformats in your shop.

TAKE YOUR TIMEHowever, from a project perspective,you may not want to tackle every-thing at once.



aTYING LOG


aNO LOG


COMPLIANCE

Steve Eaton, information securitymanager for the city of OklahomaCity, strongly advises organizations toknow their criteria for selection and“start small”—advice echoed byevery user we interviewed. OklahomaCity started on its server farm, and“that’s all we concentrated on, noth-ing else,” Eaton says. Then came net-work devices and now he’s addingclients.

“The thing is, you have got to keep

your scope exactly to the criteria youwant,” Eaton says. “You can make ittoo big, and you’ll always fail.”

The same can be said for the sec-ond major selection point: reporting.While security pros and systemadmins may have some flex in whatthey need on the reporting front, vari-ous compliance standards mandatespecific information. If you’re not get-ting reports on those specifics, you’renot getting the full benefit.



aTYING LOG


aNO LOG


COMPLIANCE

PASSING THE PCI DSS log management audits will help your organization by miti-gating insider threats, identifying attacks from outside the enterprise andaddressing application vulnerabilities, according to compliance expert RebeccaHerold.The operative word ismeeting. Logs require an organization to really under-

stand its infrastructure.In her report “PCI Compliance,” Herold interviews auditor Ben Rothke on

common problems qualified security assessors often find when performingPCI DSS reviews concerning insider threats. Among them are:

� Completely misconfigured logs.� Default log settings left unchanged.� Wrong items being logged.� No one reads the logs.� No one follows up on log issues.� Logs not correlated to any threats or vulnerabilities.

Some of the logs organizations need in order to identify insider threats andbe in compliance with PCI DSS include remote access logs, RADIUS authentica-tion logs, file access logs, database logs, application logs, email logs, IP addresslogs, authentication logs and FTP server logs. —L.T.

DOES LOGMANAGEMENT EQUAL PCI COMPLIANCE?

Eaton, for example, went with PrismMicrosystems Inc.’s EventTracker, asoftware-only, agent-optional frame-work that comes with around 100preconfigured compliance reports.He says the package cost the city$93,000.

The shift from incident analysis tocompliance, even just the securityaspects of compliance, can be subtle.For example, LogLogic Inc. touts acompliance report it has for PaymentCard Industry (PCI) standards thatgoes the extra step. Many log man-agement systems generate daily fire-wall reports, but LogLogic’s PCI Com-pliance Suite also generates reportson whether the firewall reports areactually being read by the appointedindividuals daily, a requirement ofPCI.

On the other hand, some shopshave found that there’s more to logmanagement life than reports.

Kubesheski says he learned that thehard way, when Alliant initially chosea tool with good analyst recommen-dations and customer references thatgushed about the appliance’s niftydashboard and its templates fornumerous compliance standards.

“It had a lot of graphical reportingand, ’Oh look at that presentation!’but when it came right down to it,it couldn’t deliver,” Kubesheski says.His team worked with the vendor forseveral weeks to get a single systemlogging. A second system required asimilar effort.

“It became apparent to us that itwas going to take years to get thelogging implemented, and we just did-n’t have that time,” says Kubesheski,who declined to name the vendor.

The second time around, Kubesh-eski bypassed the analyst rankingsand “did more bottom-up research,”conferring with security peers in theUniversity of Wisconsin E-BusinessConsortium, a local business group.The vendor name that kept coming upwas San Francisco-based Splunk Inc.The solution “didn’t have the prettycharts and graphs, but it has a verycustomizable interface. And it justworked!” Kubesheski says.

“We had systems logging the weekwe installed and it, and nobody wascomplaining about calling the vendora bunch of times,” he says.

In addition to automation, size mat-ters. Large, geographically distributedorganizations should look for flexible



aTYING LOG


aNO LOG


COMPLIANCE

While security prosand system adminsmay have some flex inwhat they need on thereporting front, variouscompliance standardsmandate specificinformation.

www.logrhythm.com

solutions with distributed collectorsthat can accommodate high datarates and large storage repositories,says Burton’s Henry. Small organiza-tions will want simple appliance-based solutions that can be deployedquickly and do not require sophisti-cated security skills.

For large companies, the task ofmanaging logs to meet complianceobjectives is compounded by thescale and complexity of IT infrastruc-tures that span multiple locations andutilize numerous control productsfrom many different vendors.

“Scalability and integration are key,”says Bilhar (Bill) Mann, senior vicepresident, security management atCA Inc., whose CA Audit manage-ment solution is pitched to the enter-prise market.

Mann says vendor offerings for logmanagement and SIEM have evolvedduring the past five years, as thefocus of SIEM tools has shifted fromguarding against external threats—e.g., intercepting a virus and stoppingits spread—to internal threats, suchas an employee who might be inad-vertently or maliciously accessingdata he shouldn’t. As the use caseshave changed, so have the vendorofferings.

A TASK FOR SHOPS OF ALL SIZESMany companies will find themselveswith aspects of both large, enterpriseshops and midmarket, or even small,

shops. That was the case for retailerWilsons Leather, which was driven bythe need to meet PCI Data SecurityStandard (DSS).

“We needed to implement a sys-tem that would monitor and analyzelog activity at both the store and cor-porate-office level and did not breakour IT budget,” says Frank Carrigan,manager of production control at theMinneapolis-based retailer, in anemail. Wilsons operates 120 storesacross 30 states.

“In the past, we relied on manuallyresearching logs when we needed to,which was incredibly time-consum-ing, expensive and didn’t necessarilygive us the accuracy we needed tocapture and correlate activities thatwere taking place on our network,”Carrigan says.

The company looked at enterprisesolutions such as Cisco Systems Inc.’sSecurity Monitoring, Analysis andResponse System (MARS) and Arc-Sight, Carrigan says, but liked TriGeoNetwork Security Inc.’s productbecause the technology was designedfor midmarket networks.

“The enterprise SIEM solutionswere very cumbersome, expensiveand required a significant time com-mitment. TriGeo’s SIM was signifi-cantly less than the competition andwas a very hands-off solution, mean-ing that we could dedicate IT resourcesto other projects while SIM kept aneye on our network activity,” he says.

Wilsons Leather is still in the early



aTYING LOG


aNO LOG


COMPLIANCE

stages of using the TriGeo solution,Carrigan says, but the company likesits ability to generate compliance-specific reports—in particular theauditor-ready packaged PCI reportsthat detail what is happening on theWilsons Leather network and whatsteps the retailer is taking to secureits business from internal and exter-nal threats. (TriGeo has a log archive

and reporting function that is based onembedded technology from Splunk.)Wilsons handles Section 11.5 of PCIDSS, which requires the monitoringof critical file and applications forchanges, with a homegrown tool.

Meanwhile, some large vendors areresponding to the charge that theirofferings are cumbersome and expen-sive. CA, whose SIEM offerings got



aTYING LOG


aNO LOG


COMPLIANCE

IT MANAGERS TRYING to pick tools for log management will quickly discover thatmany such tools have emerged from the security arena. If you’re not familiarwith that particular world, here’s a primer:

� Security event management (SEM) tools pick up data from across the organ-ization and use rule-based and algorithmic correlation to detect probablethreats and policy violations (unauthorized access) that demand attention andmight require immediate remediation. Sophisticated alarm bells, SEM toolsalert operators in near-real time. The cherry-picked event data is typicallystored for no more than 90 days, and sometimes for much less time.“SEM emerged to help correlate activities on firewalls and other traffic pat-

terns on hosts, giving us much better intelligence about whether alerts werereal, or not,” says Trent Henry, an analyst at Burton Group Inc.

� Security information management (SIM), the quiet twin, is the keeper ofsecurity data for forensic purposes. SIM tools collect, store and protect ever-larger volumes of raw security information of hosts systems and applicationsfor long periods of time, as increasingly is required by many compliance man-dates.Slicing and dicing data is critical for real-time alerts, but normalized data can

also gloss over details that might prove important in retrospect. Hence, therehas been a shift to raw log storage, Henry says. (Indeed, vendor SenSage Inc.has developed proprietary storage capabilities in response to the demand.) —L.T.

SEM, SIM AND SIEM: DECODING THE TOOLS

rapped by consultancy Gartner Inc.for being hard to implement and notdoing enough to support log manage-ment use cases, is addressing thoseissues with next month’s launch ofa new log management applianceengineered for ease of deployment,Mann says.

PCI DRIVINGPRODUCT DEVELOPMENTIT managers who go shopping forlog management will discover thatfor vendors, regulatory compliance isthe primary driver of the North Amer-ican security and event managementmarket, according to Gartner. Andwithin the overall compliance field,PCI DSS is the regulation with proba-bly the most explicit log monitoringrequirements.

Vendors have realized that foren-sics and reporting requirements differfrom real-time event management,and that many enterprises need bothfor compliance, according to Henry.PCI DSS, in particular, has fueled theamalgam of security informationmanagement (SIM) and securityevent management (SEM) (see “SEM,SIM and SIEM: Decoding the Tools,”p. 17), by requiring near-real timeevent management and daily moni-toring of logs (SEM) as well as thedetailed periodic summary reports(SIM’s province).

Vendors now sell both SIM andSEM offerings, under the rubric SIEM,

loaded with packaged templates forcompliance and regulatory mandates.But there are cautions: Many vendorstend to be weaker in the category thatwas not their specialty. Customersneed to pay attention to whether thevendor meets both SIM and SEM

requirements, Henry adds, andindeed might be better off choosingone vendor for SEM functions andone for SIM. On the flip side, bewareof vendor claims that compliancerequires, for example, collection of100% events from 100% sources, oralerting on all events from all sources.

Stamford, Conn.-based Gartneralso makes this point in its May 2008Magic Quadrant for security andevent management technology, not-ing that the SIEM market comprisesvendors with products that are “opti-mized for a specific use case, providea mix of ’good enough’ functions forthe most common use cases, or are



aTYING LOG


aNO LOG


COMPLIANCE

Vendors have realizedthat forensics andreporting requirementsdiffer from real-timeevent management,and that manyenterprises needboth for compliance.

Log and change management are recognized as critical strategies for

improving overall security, increasing operational efficiency and, of

course, meeting compliance requirements. Customers today are

demanding not only full featured enterprise solutions, but ones that

deliver a quick return on investment and a low total cost of ownership

as well.

EventTracker is a market leading Security Information and Event

Management solution that offers unique and powerful integrated log

and change management functionality. With this unique combination

EventTracker enables an organization to substantially increase security

through a more robust and active defense in depth, achieve confident

compliance with the latest regulatory requirements, and to increase

the overall effectiveness of IT service delivery by reducing system and

network downtime.

EventTracker is quick to implement, and easy to use and maintain. It

represents the most solid choice for a log management solution for

enterprises of all sizes.

HIPAA, PCI, SOX 404, NISPOM, FFIEC, GLBA, FISMA, FDCC, and more…

Meet the broadest set of compliance requirements

Reduce the cost of preparing for audits and remaining in compliance. Event Tracker provides:

» Over 500 predefined auditor-ready reports

» Automated compliance with built-in workflows

» Efficient and secure event storage sealed with SHA-1

» Integrated change management

www.prismmicrosys.com/comply

www.prismmicrosys.com

broad and flexible but complex.”Gartner points to the example of

Cisco and its MARS appliance, whichCisco markets as a component of itsself-defending network strategy.

Indeed, the vendor has cornered theSIEM market by selling to network-focused buyers, the consultancyadds, wielding considerable influenceon other SIEM vendors because of itslarge installed base. The MARS appli-ance, touted for its ease of deploy-ment, delivers a potent combinationof SEM, SIM and network behavioranalysis capabilities.

The MARS appliance, priced on aper-unit-plus-annual-support basis,supports compliance monitoring forservers. But Gartner cautions that it“is not optimal” for companies, big orsmall, requiring highly customizedaudit/reporting functions, a point thatRand Wacker, senior product manag-er for Cisco’s security products group,does not dispute.

SIM and SEM aren’t the only soft-

ware tools newly recast as logmanagement.

“It’s become very fashionableto say you’re doing log management,because that is what is selling in themarket, but a lot of these vendorscome from different spaces,” saysA.N. Ananth, CEO of Prism Microsys-tems Inc., a log management soft-ware vendor that focuses heavily onthe small and medium-sized businessmarket. Vulnerability scanners, net-work anomaly detectors, correlationengines all go by the name of logmanagement tools these days.

THE POLITICS OF LOG MANAGEMENTSIM and SEM solutions don’t workin a vacuum. Burton’s analysts recom-mend that you get all players involvedearly on. The event streams comefrom security and network devicesand applications. Reports get fun-neled to not only security admins,but also to the C-suite, auditors, legalcounsel and even external partiessuch as regulators and judges. TheSIEM technologies must meet theneeds of all constituencies. And if youdo business in Europe, you will needto educate yourself about privacylaws regarding what data you can andcannot collect before deploying SIEMtools there.

While compliance is the big driverfor SIEM in the United States, about40% of SIEM customers buy thetechnology for threat detection, says



aTYING LOG


aNO LOG


COMPLIANCE

“It’s become veryfashionable to say you’redoing log management,because that is what isselling in the market.”—A.N. ANANTH, CEOPrismMicrosystems Inc.

Cisco’s Wacker, citing Gartner.That means “the compliance guys

are writing the checks,” he says, andsecurity professionals are tasked withlooking for a solution to meet thecompliance need. “The security guysare looking to see what they can getout of this technology.”

Don’t discount the politics ofautomating log management, saysAlliant’s Kubesheski: “Any changerepresents risk. If I own an applica-tion or a server and you come to meand want to put something on it, oryou want to access it, that representsa risk and the tendency will be toresist.”

In many shops, the next log man-agement tools installed will be thefirst. That was the case in OklahomaCity.

“What were we doing before that?Nothing—that was the problem,”Eaton says. The logs were there, ofcourse. Someone had to go fromserver to server and look at the logfiles, which could be stored for any-where from a half day to two weeks,depending on the activity on thatserver.

Kubesheski agrees that if yourcolleagues are already implementingmanual workarounds for logging,“you and your automation tool canbe a blessing, and it’s welcome tothe neighborhood.” �

Linda Tucci is a senior news writer for SearchCIO.com.Write to her at [email protected].



aTYING LOG


aNO LOG


COMPLIANCE

Log Management for Complianceis produced by CIO/IT Strategy Media

and Security Media, © 2009by TechTarget.

MANAGING EDITORCIO/IT STRATEGYMEDIA GROUP

Jacqueline Biscobing

ART DIRECTOR

Linda Koury

CONTRIBUTINGWRITER

Stephen Northcutt

SENIOR NEWSWRITERCIO/IT STRATEGYMEDIA GROUP

Linda Tucci

VICE PRESIDENT, EDITORIAL

Mark Schlack

EDITORIAL DIRECTORSECURITYMEDIA GROUP

Kelley Damore

SENIOR TECHNOLOGY EDITORSECURITYMEDIA GROUP

Neil Roiter

SENIOR VICE PRESIDENT AND GROUP PUBLISHER

Andrew Briney

PUBLISHER, SALES

Jillian Coffin

For sales inquiries, please contact:Stephanie Corby,

Senior Director of Product Management,[email protected]

(781) 657-1589.

mailto:[email protected]

qAlert Logic LogManager Demo

q Satisfy LogManagement Requirementson a Shoestring Budget

q Is LogManagement the Killer App for Cloud Computing?

qArcSight Helps Healthcare Company BecomeHIPAA Compliant

qHIPAA Compliance Achieved for Major Medical Center

qHealthcare Security Oversight for HIPAA Auditand Compliance

qGoing Beyond Traditional Security Information and EventManagement (SIEM) Solutions

q Bridging the Gap: Security, Operations & Compliance

q 10 Reasons Your Existing Security Information and EventManagement Isn’t Good Enough

q LogLogic Corporate Brochure

q Buy vs. Build vs. Outsource:What’s the best log management strategy?

q LogRhythm Product Demo

q LogRhythm Product Review

q LogRhythm Product Review

qMeet the Broadest Set of Compliance Requirementswith Integrated LogManagement and ChangeManagement

RESOURCES FROM OUR SPONSORS


www.prismmicrosys.com

http://www.logrhythm.com/

http://loglogic.com/

http://www.eiqnetworks.com

http://www.arcsight.com

http://www.alertlogic.com

http://www.prismmicrosys.com/comply



http://forms.logrhythm.com/MTC_Common/mtcURLSrv.aspx?ID=5490&Key=4DFA13AA-E60D-4572-9F07-9FD379D4F895&URLID=851

http://forms.logrhythm.com/MTC_Common/mtcURLSrv.aspx?ID=5490&Key=4DFA13AA-E60D-4572-9F07-9FD379D4F895&URLID=689

http://logrhythm.com/Resources/QuickProductTour.aspx

http://www.loglogic.com/documents/white-papers/best-log-management-strategy.pdf

http://www.loglogic.com/documents/white-papers/best-log-management-strategy.pdf

http://www.loglogic.com/resources/media/index.php

http://searchsecurity.bitpipe.com/detail/RES/1233609798_447.html





http://www.bitpipe.com/detail/RES/1237213893_23.html





http://www.alertlogic.com/register/event.php?cid=Edwm&origin=LMeBook

http://www.alertlogic.com/register/event.php?cid=EKPZ&origin=LMeBook

http://www.alertlogic.com/register/event.php?cid=EKPZ&origin=LMeBook

http://www.alertlogic.com/register/demo.php?cid=EFRZ&origin=LMeBook

Documents

LogManagementforCompliance - cdn.ttgtmedia.com · When logs are tied to user ... The IP address or possibly host- ... ArcSight Logger provides a comprehensive monitoring platform