Evolving digital evidence laws, the changing IT landscape and the reliance on audit log data are causing financial losses and a false sense of security for organisations
Audit Log Protection: Avoiding a False Sense of Security
1. Audit Trail Protection: Avoiding a False Sense of Security
Nadeem Bukhari CISSP, CISM
VP of Product Strategy
Kinamik Data Integrity S.L.
Tel Mobile: +34 628 629 322
Tel Office: +34 931 835 814
Email: nbukhari@kinamik.com
Website: http://www.kinamik.com
2. Data Integrity
Data integrity is data that has a complete or whole structure. All characteristics of the data including business rules, rules for how pieces of data relate, dates, definitions and lineage must be correct for data to be complete. http://en.wikipedia.org/wiki/Data_integrity
integrity - the property of safeguarding the accuracy and completeness of assets [ISO/IEC 13335-1:2004]
Data Quality / Data Security
3. Audit Trails Evolution
Audit trail collection, preservation and reporting: regulatory and compliance demands, e.g. PCI DSS, FISMA, FDA 21 CFR Part 11, EU DRD, SoX, SEC 14a, ISO27001, ...
Audit logs are company records.
SIEM & Log Management Market: "Worldwide revenue for SIEM was $663.3 million in 2008 and is expected to grow to $1.4 billion in 2013" (IDC)
Estimated growth of audit trails: average overall data volume growth rate reported is just over 30% per year (Aberdeen)
Mobile market data growth: exponential
Credit for image: jscreationzs
4. Audit Trails Issues
Which audit trails to collect?
Over collection
Too many alerts
Evolving attack signatures
Inconsistent data formats
Developers need to know the audience, i.e. security, compliance, LOB...
Differing retention requirements
Excessive storage costs
Liabilities
5. Audit Trails Security
Knowledge of how to change audit trails is now in the mainstream
The security perimeter shifts to the data element
Without near real-time protection: a false sense of security
"system logs need to be protected, because if the data can be modified or data in them deleted, their existence may create a false sense of security." ISO27001
6. Audit Trails Preservation
Digital Evidence
American Express Travel Related Services Co. Inc. vs Vee Vinhee
Lorraine v. Markel American Insurance Company
California v Khaled
BS10008 – Evidential Weight and Legal Admissibility of Electronic Information
NIST SP 800-92 - Guide to Computer Security Log Management: "In cases where logs may be needed as evidence, organizations may wish to acquire copies of the original log files"
7. Audit Trails and the Cloud
High value target
Do the service provider's admins have access?
You cannot control below the hypervisor
Service Provider Developers
Focus on the service first
Do not know the entire audience
Logs that can be accessed contain multi-tenant information
Incident Response / Forensics
Can you gather evidence?
Will the audit log data's authenticity be provable?
8. The Depth of Secure Logging
M. Bellare and B. Yee – Forward integrity for secure audit logs (1997)
Bruce Schneier / John Kelsey - Secure Audit Logs to Support Computer Forensics (1999)
J. Holt – Logcrypt: Forward security and public verification for secure audit logs (2006)
Rafael Accorsi – Safekeeping Digital Evidence with Secure Logging Protocols: State of the Art and Challenges (2009)
Transmission Phase - Origin authentication, message confidentiality, message integrity, message uniqueness, reliable delivery
Storage Phase - Entry accountability, entry integrity, entry confidentiality
Jeff Jonas (IBM Chief Scientist) / Markle Foundation - Implementing a Trusted Information Sharing Environment: Using Immutable Audit Logs to Increase Security, Trust, and Accountability (2006)
"Immutable audit logs (IALs) will be a critical component for the information sharing environment"
Diagram: MAC chain – for each entry, #MAC = MAC(DATA + Metadata + previous #MAC), repeated entry after entry ...
9. Audit Trails Integrity – Things to consider
Batching audit trails (e.g. file): windows of opportunity for undetectable manipulation
Single change = maximal loss
Near real-time protection: makes undetectable tampering very difficult
Sequential (chronology) – great for digital evidence
Key protection – what if the keys are compromised?
Overheads: performance, storage
Broken crypto algorithms – tools need to be able to change algorithm
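The MAC chain sketched on slide 8 and the considerations on slide 9 (per-entry sealing instead of batching, chronology, key compromise) can be shown in working code. The following is an added example, not Kinamik's product code and not from the papers cited; it implements a forward-secure HMAC chain in the Bellare-Yee / Schneier-Kelsey style with a constructed demo key and constructed sample records. The names ForwardSecureLog, verify, build_sample_log and the field layout are assumptions of this example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed demo key: in practice the initial key is generated on the logger,
# handed to the verifier (or escrow) out of band, and only evolved copies remain
# on the logging host.
INITIAL_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64   # stands in as the "previous MAC" for the first entry


@dataclass
class Entry:
    seq: int          # position in the chain (chronology)
    metadata: dict    # e.g. timestamp, source host
    data: str         # the audit record itself
    mac: str          # hex HMAC-SHA256 over prev_mac || seq || metadata || data


def _evolve(key: bytes) -> bytes:
    """One-way key update K_{i+1} = H(K_i). Once the logger discards K_i, a later
    compromise cannot recover it, so entries sealed under K_i cannot be re-forged
    (forward integrity)."""
    return hashlib.sha256(b"evolve|" + key).digest()


def _mac(key: bytes, prev_mac: str, seq: int, metadata: dict, data: str) -> str:
    """MAC over a canonical encoding, so editing or reordering any field changes the tag."""
    canon = json.dumps(
        {"prev": prev_mac, "seq": seq, "meta": metadata, "data": data},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


class ForwardSecureLog:
    """Per-entry (near real-time) sealing: each record is chained and the key
    evolves immediately, so no unsealed batch waits on disk."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key
        self._prev_mac = GENESIS
        self.entries: List[Entry] = []

    def append(self, data: str, metadata: dict) -> Entry:
        seq = len(self.entries)
        mac = _mac(self._key, self._prev_mac, seq, metadata, data)
        entry = Entry(seq, metadata, data, mac)
        self.entries.append(entry)
        self._prev_mac = mac
        self._key = _evolve(self._key)   # the previous epoch key no longer exists here
        return entry

    def head(self) -> Tuple[int, str]:
        """(entry count, latest MAC): publish this periodically to an independent
        party so that truncating the tail of the chain is detectable."""
        return len(self.entries), self._prev_mac


def verify(entries: List[Entry], initial_key: bytes,
           expected_head: Optional[Tuple[int, str]] = None) -> Optional[int]:
    """Re-walk the chain from the initial key. Returns None when everything
    verifies, otherwise the index of the first failing entry; an internally
    consistent chain that does not match the published head returns
    len(entries) (tail truncated or replaced)."""
    key, prev = initial_key, GENESIS
    for i, e in enumerate(entries):
        expected = _mac(key, prev, i, e.metadata, e.data)
        if e.seq != i or not hmac.compare_digest(expected, e.mac):
            return i
        prev, key = e.mac, _evolve(key)
    if expected_head is not None and expected_head != (len(entries), prev):
        return len(entries)
    return None


def build_sample_log() -> ForwardSecureLog:
    """Constructed sample records (not real log data)."""
    log = ForwardSecureLog(INITIAL_KEY)
    for ts, rec in [
        ("2010-05-01T09:00:00Z", "user=alice action=login result=SUCCESS"),
        ("2010-05-01T09:00:07Z", "user=bob action=login result=FAILURE"),
        ("2010-05-01T09:00:09Z", "user=bob action=login result=FAILURE"),
        ("2010-05-01T09:01:30Z", "user=alice action=read object=payroll.xls"),
    ]:
        log.append(rec, {"ts": ts, "host": "app01.example"})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact chain:", verify(log.entries, INITIAL_KEY, log.head()))
    edited = list(log.entries)
    e = edited[1]
    edited[1] = Entry(e.seq, e.metadata, e.data.replace("FAILURE", "SUCCESS"), e.mac)
    print("edited entry detected at index:", verify(edited, INITIAL_KEY))
    print("truncated tail detected at index:", verify(log.entries[:-1], INITIAL_KEY, log.head()))
```

Three properties of slide 9 are visible here. Editing or removing a record mid-chain breaks verification at that record, and the per-entry cost is one HMAC plus one hash, which is the performance overhead a batching design avoids at the price of a manipulation window. Truncating the tail is not detectable from the chain alone, which is why the head (count, latest MAC) has to be anchored with someone other than the log host. And if the logger is compromised at entry t, the attacker holds only K_t onward: entries before t cannot be silently rewritten, but anything from t on can be forged, so the key question on slide 9 is exactly where the remaining risk sits. Because the verifier needs the initial key, this scheme proves integrity to the key holder only; the "public verification" in Holt's Logcrypt title refers to the signature-based variant that a third party can check.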
10. Audit Trails Availability
Retention period needs to be definable per audit trail
Tiered storage – online only gets expensive
Degradation / de-commissioned media
11. Audit Trails Confidentiality Issues
Access Control: vulnerable to privileged accounts, segregation, collusion
Encryption: only for confidentiality
12. Non-Repudiation
Not possible to deny the truth or validity of something
"A service that provides proof of the integrity and origin of data"
"An authentication that with high assurance can be asserted to be genuine."
Identity assurance + assured event
End-to-end trust / chain of custody
Ethics – non-repudiation is inevitable; use the technology to support the privacy policy
13. Conclusion
Audit trail evolution brings greater reliance
Digital evidence evolution brings doubt in current authenticity controls
Granular / real-time data integrity protection brings data-centric controls
Cloud computing environments thrive with data-centric protection
14. Nadeem Bukhari CISSP, CISM
VP of Product Strategy
Kinamik Data Integrity S.L.
Tel Mobile: +34 628 629 322
Tel Office: +34 931 835 814
Email: nbukhari@kinamik.com
Website: http://www.kinamik.com