About KRISS
Founded in early 2008 by former Indian Naval Officers and Veterans with decades of experience in Information Security, Information Warfare and Network Security.
An ISO/IEC 27001:2005 certified and CERT-In empanelled IT Security Auditing Organisation.
Highly motivated and experienced management and consulting team with an impressive record of providing security services to major brands across the globe, including FMCG, Fortune 500 and CMM Level 5 companies, to name a few.
Agenda
Current Cybercrime Scenario
Introduction to Logs
Benefits of Logging and Challenges
Log Management Architecture
Policies, Roles, Operational Process, Security Issues, Log Analysis and Long Term Storage
Regulations, Mandates and Controls
Real-Time Collection and Consolidation of Logs
Log Monitoring, Review, Compliance and Auditing
Typical Organisation Logging Scenario and Problems Faced
SIEM Benefits and Features
Current Cybercrime Scenario
The 21st Century – the age of cybercrime
“Year 2010 was the year of cybercrime and cyberwars. Year of Wikileaks”
“The New York Times”, “Guardian”, “Der Spiegel”, “El Pais”, “Le Monde”, “CNN”, “BBC” and more. 2010, 2011..
FBI warns Congress that cybercriminals can hack any internet-linked system
Every technology is vulnerable
New threats – targeted, professional, silent
There are Internet shops full of credit card, bank account, personal, business and other confidential data. Services to rent a botnet or malicious code and to attack anyone are also available.
A “Black Community” in which cybercriminals are organised better than high-level military organisations.
Video training and eLearning are available on social media such as YouTube.
Logs are like fingerprints
Introduction to Logs
What is a Log?
A log is a record of the events occurring within an organisation’s systems and networks, used to provide data useful for troubleshooting problems, optimising performance, maintaining security compliance and investigating malicious activities.
Examples:
Security Software Log
Operating System Log
Application Log
Common Types of Logs
Operating System Log
System events (startup, shutdown, failure, success, error).
Audit records (successful and failed authentication attempts, file accesses, security policy changes, account changes, and use of privileges).
Application Log
Events logged by the applications.
Some applications generate their own log files, while others use the logging capabilities of the OS.
Common Types of Logs
Security Software Log
Log generated by network-based and host-based security software to detect malicious activity, protect systems and data, and support incident response efforts.
Standard log formats
Syslog
SNMP
XML
CSV
Binary
Human Readable Text Files
There is no consensus in the security community as to the standard terms to be used to describe the composition of log entries and files. Binary files often use proprietary formats that are software-specific (e.g., event logs on Windows systems).
Preparedness is the Best Defense
“Unfortunately, that [no log data being available] happens more often than I would like… If your home had been robbed, you would have to tell the police officer what was stolen and how the burglar got in. The same is also true for the network. If you simply tell us you have been broken into, and have no evidence to support it, we may be empathetic, but we can’t open a case”
Shelagh Sayers, Special Agent, FBI, San Francisco
Where to start from?
Most organisations need a central solution for gathering logs and correlating them for real-time, intelligent visibility.
Appropriate strategic policy changes are needed to shift the organisation’s focus to monitoring business processes rather than just the network.
Organisations need to monitor identities, applications, information and their context instead of just IP addresses, operating systems and devices.
If you are not already doing this – You are vulnerable!!!
Logs = Activity Tracking
Logs = Accountability
Log Data Overview
What Logs?
Audit Logs
Transaction Logs
Intrusion Logs
Connection Logs
System Performance Records
User Activity Logs
From Where?
Firewalls/IPS/IDS
Routers/Switches
Servers/Desktops
Applications
Databases
Anti-virus
VPNs
Log Management Process
Log Management comprises an approach to dealing with large volumes of log messages and covers log collection, centralised aggregation, long-term retention and log analysis, as well as log correlation, searching and reporting.
Benefits of Logging and Challenges
Benefits
Identification of security incidents and incident response
Identification of policy violations and fraudulent activities
Threat protection and discovery
Forensics, e-discovery and litigation support
Regulatory compliance
Internal policies and procedure compliance
Internal and external audit support
IT system and network troubleshooting
IT performance management
Challenges
There are several potential problems with initial log generation because of the variety and prevalence of log sources:
Multiple log sources
Inconsistent log content (e.g. protocol name variations (80, HTTP, WWW), date format variations (MM-DD-YY or MMDDYY))
Inconsistent time-stamps
Inconsistent log formats (e.g. human readable, XML, binary, etc.)
The Confidentiality, Integrity and Availability of generated logs could be breached inadvertently or intentionally.
People responsible for performing analysis are often inadequately prepared and supported.
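The normalisation step these inconsistencies call for, as an added example that is not part of the slides: two constructed sources disagree on date layout (MM-DD-YY vs MMDDYY) and protocol naming (80 vs WWW), and the code maps both onto one canonical record so later correlation can match them. The line layout, alias table and sample lines are assumptions made for this example.

```python
"""Added example (not from the slides): normalising the inconsistencies the
slide lists, protocol names (80 / HTTP / WWW) and date layouts (MM-DD-YY vs
MMDDYY), into one canonical record. Both source line shapes are constructed."""
import re
from datetime import datetime

# One canonical protocol name per set of variants used by different sources
PROTOCOL_ALIASES = {"80": "http", "http": "http", "www": "http",
                    "443": "https", "https": "https", "ssl": "https"}

# Date/time layouts seen in the constructed sources, tried in order
DATE_FORMATS = ("%m-%d-%y %H:%M:%S", "%m%d%y %H%M%S")

# Constructed line shape: "<date> <time> <source> <proto> <src_ip> <action>"
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<source>\S+)\s+(?P<proto>\S+)\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<action>\w+)$")

def parse_timestamp(date: str, time: str) -> str:
    """Return an ISO 8601 timestamp whatever the source's date layout."""
    stamp = f"{date} {time}"
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(stamp, fmt).isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {stamp!r}")

def normalize(line: str) -> dict:
    """Map one raw line to a record with canonical timestamp and protocol."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    proto = m["proto"].lower()
    return {"timestamp": parse_timestamp(m["date"], m["time"]),
            "source": m["source"],
            "protocol": PROTOCOL_ALIASES.get(proto, proto),  # unknown: pass through
            "src_ip": m["src_ip"],
            "action": m["action"].upper()}

# Constructed lines from two sources that disagree on date and protocol naming
SAMPLE_LINES = ["03-14-11 09:15:02 fw1 80 10.0.0.5 deny",
                "031411 091503 proxy1 WWW 10.0.0.5 allow"]

if __name__ == "__main__":
    for rec in map(normalize, SAMPLE_LINES):
        print(rec)
```

A real deployment would keep one alias table and one set of date layouts per source type, since the same token ("80") can mean different things in different products.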
Meeting Challenges
Prioritize log management appropriately throughout the organization
Establish policies and procedures for log management
Create and maintain a secure log management infrastructure
Provide proper training for all staff with log management responsibilities
Log Management Architecture
Three Tiers of Log Management
Log Generation: Hosts that generate log data.
Log Analysis and Storage: One or more log servers which receive log data from the hosts.
Log Monitoring: Consoles that may be used to monitor and review log data and the results of automated analysis.
Log Management Architecture: Stages and Functions
General: Log Parsing, Event Filtering, Event Aggregation
Storage: Log Rotation, Log Archival, Log Compression, Log Reduction, Log Conversion, Log Normalization, Integrity Checking
Analysis: Correlation, Viewing, Reporting
Disposal: Log Clearing
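The Integrity Checking stage, as an added example that is not part of the slides: a SHA-256 hash chain over stored entries, so that a modified, deleted or truncated entry in the archive is detected on verification. The entry layout and sample entries are constructed; keeping the head digest away from the log store is an assumption of this design.

```python
"""Added example (not from the slides): integrity checking for stored log
entries using a SHA-256 hash chain, so that modifying, deleting or
truncating archived entries is detectable. Entries below are constructed."""
import hashlib

GENESIS = "0" * 64  # anchor digest for the first entry in a chain

def entry_digest(prev_digest: str, entry: str) -> str:
    """Digest over the previous digest and this entry; links the two."""
    return hashlib.sha256(f"{prev_digest}\n{entry}".encode()).hexdigest()

def append_entries(chain: list, entries) -> str:
    """Append raw entries to the chain in place; return the new head digest.
    The head digest should be stored separately (e.g. on a write-once
    medium or a remote log server) so truncation of the tail is caught."""
    prev = chain[-1]["digest"] if chain else GENESIS
    for entry in entries:
        prev = entry_digest(prev, entry)
        chain.append({"entry": entry, "digest": prev})
    return prev

def verify_chain(chain: list, expected_head: str):
    """Recompute every link. Returns (ok, index) where index is the first
    inconsistent entry, or len(chain) if only the head digest mismatches."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        prev = entry_digest(prev, rec["entry"])
        if rec["digest"] != prev:
            return False, i  # entry modified, or an earlier entry removed
    if prev != expected_head:
        return False, len(chain)  # tail truncated (or head record stale)
    return True, None

# Constructed sample entries as a log server might receive them
SAMPLE_ENTRIES = [
    "2011-03-14T09:15:02 fw1 DENY tcp 10.0.0.5:51234 -> 192.0.2.10:22",
    "2011-03-14T09:15:03 srv1 sshd: Failed password for root from 10.0.0.5",
    "2011-03-14T09:15:09 srv1 sshd: Accepted password for admin from 10.0.0.5",
]

if __name__ == "__main__":
    chain = []
    head = append_entries(chain, SAMPLE_ENTRIES)
    print(verify_chain(chain, head))  # (True, None)
    chain[1]["entry"] = chain[1]["entry"].replace("Failed", "Accepted")
    print(verify_chain(chain, head))  # (False, 1)
```

Run the verification at log rotation and archival time and again before any entry is used as evidence; a chain only proves integrity from the point it was built, not the honesty of the host that emitted the entries.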
Types of Tools Used
Syslog based tools
SNMP based tools
SIEM / SIM / SEM
Tea Break
Policies, Roles, Operational Process, Security Issues, Log Analysis and Long Term Storage
Things to Consider: Policies
Things to consider:
Log Generation: Hosts, services, type of data and frequency.
Log Transmission: How the log data should be transferred, how frequently, and measures to protect the CIA of log data during transit.
Log Storage and Disposal: Log rotation, CIA protection, duration, resource allocation and log disposal.
Log Analysis: Frequency, roles, access details, incident identification and response, and handling of information disclosure through logs.
Policy Example
Things to Consider: Roles
System and Network Admin
Security Admin
Incident Response Team
Application Developers
CSO
CIO
Auditors