AUDIT LOGGING / LOG MANAGEMENT
KATHLEEN A. MULLIN, MBA, CIA, CISA, CISSP, ISA, CISM, CRISC, CGEIT
DIRECTOR OF IT SECURITY/CISO HEALTHPLAN SERVICES (HPS)
AHIA 31st Annual Conference – August 26-29, 2012 – Philadelphia PA
Key Points
When is log information important, and what Audit needs to focus on
Where to look for additional information to interpret log data
What actions should be taken by which role within the organization
What are the appropriate actions based on the log data
What is appropriate without a logging tool
When is log information important?
What to focus on: Information Overload
Business Impact Analysis: Risk, Requirements, Operational, Business
Appropriate deployments
Project Approach: Platform, Business, Geographic, Stability, Resource
What to Log
Syslog Events
Access Logs
Windows Log Events
Database Logs
IDS / IPS Logs
Firewall Logs
System Logs
Error Logs
Network Flows
Security Logs
Application Logs
Patch Logs
Backup Logs
Anti-Malware Logs
Policy Change Logs
Log Reporting – What to focus on
SANS Top 5 Log Reports
Attempts to Gain Access through Existing Accounts
Failed File or Resource Access Attempts
Unauthorized Changes to Users, Groups and Services
Systems Most Vulnerable to Attack
Suspicious or Unauthorized Network Traffic Patterns
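The first three SANS reports can be produced from raw syslog text with nothing more than a script, which is also what "without a logging tool" looks like in practice. The block below is an added example, not material from the deck or from SANS: the log lines, hostnames, user names, addresses and the change-approved account list are all constructed for the demo, and the thresholds and regular expressions are assumptions to be tuned to the environment.

```python
"""Three of the SANS "Top 5 Essential Log Reports" produced from raw syslog
text with only the Python standard library, i.e. with no logging tool.
Added example, not from the deck: every log line, host, user, address and
the change-approved account list below is constructed for the demo."""
import re
from collections import Counter

SAMPLE_LOG = """\
Aug 26 08:01:02 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51422 ssh2
Aug 26 08:01:05 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51423 ssh2
Aug 26 08:01:09 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51425 ssh2
Aug 26 08:01:13 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51427 ssh2
Aug 26 08:01:17 web01 sshd[2231]: Failed password for admin from 203.0.113.7 port 51430 ssh2
Aug 26 08:02:00 web01 sshd[2240]: Accepted password for admin from 203.0.113.7 port 51431 ssh2
Aug 26 08:05:44 db01 sshd[990]: Failed password for invalid user oracle from 198.51.100.9 port 40000 ssh2
Aug 26 09:10:00 db01 sudo:   bsmith : TTY=pts/0 ; PWD=/home/bsmith ; USER=root ; COMMAND=/usr/sbin/useradd backdoor
Aug 26 09:11:00 db01 sudo:   bsmith : TTY=pts/0 ; PWD=/home/bsmith ; USER=root ; COMMAND=/usr/sbin/usermod -aG wheel backdoor
Aug 26 09:12:30 app02 sudo:     jdoe : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jdoe ; USER=root ; COMMAND=/bin/cat /etc/shadow
Aug 26 09:15:00 app02 sudo: svc-provision : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/groupadd deploy
"""

# Accounts permitted to change users/groups/services (constructed allowlist;
# in practice this comes from the change-management / work order system).
APPROVED_CHANGE_ACCOUNTS = {"svc-provision"}

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
FAILED_RE = re.compile(TS + r"sshd\[\d+\]: Failed \w+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(TS + r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(TS + r"sudo: +(?P<user>\S+) : (?P<body>.*)$")
# Privileged commands that alter users, groups or services.
CHANGE_CMD_RE = re.compile(r"^\S*/(?:useradd|usermod|userdel|groupadd|groupmod|groupdel|gpasswd|systemctl|service|chkconfig)\b")


def parse_syslog(text):
    """Normalise the lines we care about into dicts; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            events.append({"kind": "auth_fail", **m.groupdict()})
            continue
        m = ACCEPTED_RE.match(line)
        if m:
            events.append({"kind": "auth_ok", **m.groupdict()})
            continue
        m = SUDO_RE.match(line)
        if m:
            d = m.groupdict()
            body = d.pop("body")
            cmd = re.search(r"COMMAND=(.*)$", body)
            kind = "resource_denied" if "NOT in sudoers" in body else "priv_cmd"
            events.append({"kind": kind, "cmd": cmd.group(1) if cmd else "", **d})
    return events


def report_existing_account_attacks(events, threshold=5):
    """SANS report 1: failed logons per (host, user, source) at or over the
    threshold, flagging those followed by a success from the same source,
    i.e. a password-guessing attempt that worked and needs action first."""
    failures, last_fail = Counter(), {}
    for i, e in enumerate(events):
        if e["kind"] == "auth_fail":
            key = (e["host"], e["user"], e["src"])
            failures[key] += 1
            last_fail[key] = i
    findings = []
    for key, n in failures.items():
        if n < threshold:
            continue
        host, user, src = key
        then_ok = any(e["kind"] == "auth_ok" and (e["host"], e["user"], e["src"]) == key
                      for e in events[last_fail[key] + 1:])
        findings.append({"host": host, "user": user, "src": src,
                         "failures": n, "then_succeeded": then_ok})
    return sorted(findings, key=lambda f: (-f["then_succeeded"], -f["failures"]))


def report_failed_resource_access(events):
    """SANS report 2: failed resource access, here sudo refusals, per host/user."""
    rows = {}
    for e in events:
        if e["kind"] == "resource_denied":
            r = rows.setdefault((e["host"], e["user"]),
                                {"host": e["host"], "user": e["user"], "denied": 0, "commands": []})
            r["denied"] += 1
            r["commands"].append(e["cmd"])
    return sorted(rows.values(), key=lambda r: -r["denied"])


def report_unauthorized_account_changes(events, approved=APPROVED_CHANGE_ACCOUNTS):
    """SANS report 3: user/group/service changes by accounts not approved to make them."""
    return [{"ts": e["ts"], "host": e["host"], "user": e["user"], "cmd": e["cmd"]}
            for e in events
            if e["kind"] == "priv_cmd" and CHANGE_CMD_RE.match(e["cmd"]) and e["user"] not in approved]


if __name__ == "__main__":
    evs = parse_syslog(SAMPLE_LOG)
    for title, rows in (("Access attempts via existing accounts", report_existing_account_attacks(evs)),
                        ("Failed resource access", report_failed_resource_access(evs)),
                        ("Unauthorized user/group/service changes", report_unauthorized_account_changes(evs))):
        print("==", title)
        for r in rows:
            print("  ", r)
```

The ordering in the first report is deliberate: a burst of failures followed by an Accepted from the same source is the case the Incident Response Team must see before anything else, so it sorts above a larger burst that never succeeded. The allowlist in the third report is where the work order system integration from the tool-selection slides earns its keep; without it every account change has to be reviewed by hand.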
Where to look for additional information to interpret log data
Vendors
Search Engines
Additional Resources
What actions should be taken by which role within the organization
IT
Information Security
Incident Response Team
Compliance
Audit
Finance
Business Process Owner
Risk
Legal
Human Resources
What are the appropriate actions based on the log data
RISK
Operational requirements
Contractual requirements
Insurance requirements
Change Management
Incident Response Plan
Disaster Recovery Plans
Business Continuity Plans
What are the appropriate actions based on the log data
Environmental Norm
Error
Critical Error
What to do without a logging tool, and what to look for in a logging tool
What to do without a logging tool
RISK Based
Operational requirements
Contractual requirements
Insurance requirements
What to look for in a logging tool
Collect, Index
Correlate
Alert
Store
Report
Analytics
Scalability
Tuning
Segregation of duties
What to look for in a logging tool
Integration with work order systems
File Integrity Monitoring
Security Monitoring and Reporting
Fraud Detection
Summary
When is log information important, and what Audit needs to focus on
Where to look for additional information to interpret log data
What actions should be taken by which role within the organization
What are the appropriate actions based on the log data
What is appropriate without a logging tool
What organizations should evaluate when looking for a logging tool
Additional Resources - ISACA
ISACA http://www.isaca.org/
CoBIT 4.1 http://www.isaca.org/Knowledge-Center/cobit/Pages/Overview.aspx
CoBIT 5.0 http://www.isaca.org/COBIT/Pages/info-sec.aspx
The Risk IT Framework
Additional Resources - NIST
NIST http://csrc.nist.gov/
Guide to Computer Security Log Management http://csrc.nist.gov/publications/nistpubs/800-92/SP800-92.pdf
Recommended Security Controls for Federal Information Systems and Organizations http://csrc.nist.gov/publications/nistpubs/800-53-Rev3/sp800-53-
Additional Resources - e-discovery
Discovery Resources http://www.discoveryresources.org/
State by State Summary Report of E-Discovery Efforts http://www.discoveryresources.org/library/case-law-and-
Additional Resources - Microsoft
Microsoft
http://www.ultimatewindowssecurity.com/Default.aspx
http://www.eventid.net/
http://technet.microsoft.com/en-us/default.aspx
http://support.microsoft.com/
Additional Resources – Best Practices
SANS
Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs http://www.sans.org/critical-security-controls/control.php?id=14
Top 5 Essential Log Reports http://www.sans.org/security-resources/top5-logreports.pdf
The Unified Compliance Framework (UCF)
Additional Resources
PCI Data Security Standards https://www.pcisecuritystandards.org/
https://www.pcisecuritystandards.org/security_standards/documents.php
Kerberos http://www.rfc-editor.org/rfc/rfc1510.txt
Microsoft PowerShell for Windows Server 2003 http://www.microsoft.com/downloads/details.aspx?FamilyId=10EE29AF-7C3A-4057-8367-C9C1DAB6E2BF&displaylang=en
Thank you
Save the Date: August 25-28, 2013, 32nd Annual Conference, Chicago, IL