Title: Log management and compliance: What's the real story? by Dr. Anton Chuvakin One of the problems in making an Enterprise Content Management (ECM) strategy work with compliance initiatives is that compliance needs accountability at a very granular level. Consequently, IT shops are turning to log management as a solution, with many of those solutions being deployed for the purposes of regulatory compliance. The language however, regarding log management solutions can sometimes be vague which can lead to confusion. This session will lend some clarity to the regulations that affect log management. Topics will include: Best practices for how to best mesh compliance ECM and compliance strategies with log management Tips and suggestions for monitoring and auditing access to regulated content, with a focus on Microsoft Sharepoint logging. An examination of a handful of the regulations affecting how organizations view log management and information security including The Payment Card Industry Data Security Standard (PCI DSS), ISO 27001, The North American Electric Reliability Council (NERC), HIPAA and the HITECH Act.

1. Log Management and Compliance: What's the Real Story? Dr. Anton Chuvakin 2010

2. Outline Introduction to Logs and Log management Compliance Mandates Affecting IT Compliance and ECM = Disaster Brewing! Logging, an Ultimate Compliance Technology Logging for Compliance Practices Conclusions and Action Items

4. Routers/switches

5. Intrusion detection

6. Servers, desktops, mainframes

7. Business applications

8. Databases

9. Anti-virus

10. VPNs

11. Audit logs

12. Transaction logs

13. Intrusion logs

14. Connection logs

15. System performance records

16. User activity logs

18. Why Manage Logs? Threatprotection and discovery Incidentresponse and forensics Regulatory compliance and audit Internal policies and procedure compliance IT system and network troubleshooting System performancemanagement

19. Unfortunately … “The company’s server logs recorded only unsuccessful log-in attempts, not successful ones, frustrating a detailed analysis.”

20. Compliance – Why is it Here? 1. Corporations Stole 2. Got Caught Sarbanes Oxley 4. Bill gets passed 5. Now we have to obey them 3. Politicians wrote laws

22. GLBA

23. FISMA

24. JPA

25. PCI

26. HIPAA

27. COBIT

28. ISO

29. ITIL

30. PCI : Requirement 10 and beyond

31. Logging and user activities tracking are critical

32. Automate and secure audit trails for event reconstruction

33. Review logs daily

34. Retain audit trail history forat least one year

35. COBIT

36. Provide audit trailfor root-cause analysis

37. Use logging to detect unusual or abnormal activities

38. Regularly review access, privileges, changes

39. Verify backup completion

40. ISO27002

41. Maintain audit logs for system access and use, changes, faults, corrections, capacity demands

42. Review the results of monitoring activities regularly and ensure the accuracy of logs

43. NIST 800-53

44. Capture audit records

45. Regularly review audit records for unusual activity and violations

46. Automatically process audit records

47. Protect audit information from unauthorized deletion

48. Retain audit logs“Get fined, Get Sanctioned” “Lose Customers, Reputation, Revenue or Job” “Get fined, Go To Jail” At the Same Time…

49. More Laws! Privacy Laws Mostly in Europe Thus affect transnational companies Govern not what MUST be logged, but what MUST NOT be logged! Logging is typically mentioned as something that might help violate privacy E.g. Google query logging and retention

50. More Laws! Breach Laws Affected IR Laws that control consumer notification in case of a security breach Yesterday CA 1386 Today more than 45 US States Tomorrow the world Who to notify is key: 200,000 vs. 40,000,000 notifications? Major $$$ in play!

51. What to do?

52. Congressional Hearing: Subcommittee on Emerging Threats, Cybersecurity and Science and Technology April 2008 http://geer.tinho.net/geer.housetestimony.070423.txt “In a free country, you don't have to ask permission for much of anything, but that freedom is buttressed by the certain knowledge that if you sufficiently screw things then up you will have to pay.” Daniel Geer, Sc.D.

53. Why Logs for Accountability Everybody leaves traces in logs! Potentially, every action could be logged! Control doesn’t scale, accountability (=logs!) does! More controls -> more complexity -> less control! The only technology that makes IT users (legitimate and otherwise) accountable:logging!

54. Control vs Visibility Myth: Stringent access controls will stop all attacks! What about those that have legitimate access? What about those who “break the rules”? The only control you can get is based on visibility and accountability!

55. Corporate Accountability Accountability Accountability is answerability, enforcement, responsibility, blameworthiness, liability Log Management Log management is collecting, retaining and analyzing audit trails across the organization There is a strong link between accountability and logging Big Picture: Logs as Enabler of Corporate Accountability

56. 11% 82% 8% 14% 77% 9% 17% 74% 9% 15% 73% 12% 15% 69% 16% 19% 66% 15% 17% 66% 17% 24% 54% 22% 22% 51% 28% Security detection and remediation Security analysis and forensics Monitoring IT controls for regulatory compliance Troubleshooting IT problems Monitoring end-user behavior Service level/performance management Configuration/change management Monitoring IT administrator behavior Capacity planning Business analysis 7% 90% 2% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% (Percentage of respondants, N = 123) Yes, we use SIM technologies for this today No, we don’t use SIM technologies for this today, but plan or would like to do so in the future No, we don’t use SIM technologies for this today and have no plans to do so Source: Enterprise Strategy Group, 2007 Use Cases for Log Data Continue to Expand Does your organization use log management for any of the following?

57. Six Mistakes of Log Management 1. Not logging at all 2. Not looking at the logs 3. Storing logs for too short a time 4. Prioritizing the log records before collection 5. Ignoring the logs from applications 6. Only looking at what you know is bad

58. “Compliance+” Model At Work You bought it for PCI DSS You installed it Your boss is happy Your auditor is … gone What are you going to do next?

59. Conclusions In today’s complex IT, the only control comes from visibility and accountability Logs and log management is what enables it across all systems Start logging – then start collecting logs – then start reviewing and analyzing logs Prepare for incidents by deploying log management system!

60. Questions? Dr. Anton Chuvakin Security Warrior Consulting Log management , SIEM, PCI DSS Email:anton@chuvakin.org Site:http://www.chuvakin.org Blog:http://www.securitywarrior.org Twitter:@anton_chuvakin Consulting:http://www.securitywarriorconsulting.com

61. More on Anton Consultant: http://www.securitywarriorconsulting.com Book author: “Security Warrior”, “PCI Compliance”, “Information Security Management Handbook”, “Know Your Enemy II”, “Hacker’s Challenge 3”, etc Conference speaker: SANS, FIRST, GFIRST, ISSA, CSI, RSA, Interop, many, many others worldwide Standard developer: CEE, CVSS, OVAL, etc Community role: SANS, Honeynet Project, WASC, CSI, ISSA, OSSTMM, InfraGard, ISSA, others Past roles: Researcher, Security Analyst, Strategist, Evangelist, Product Manager

62. Want a PCI DSS Book? “PCI Compliance” by Anton Chuvakin and Branden Williams Useful reference for merchants, vendors – and everybody else