You are on page 1of 3

Log Management in the Age of Compliance

Dr. Anton Chuvakin

WRITTEN: 2007

DISCLAIMER:
Security is a rapidly changing field of human endeavor. Threats we face literally
change every day; moreover, many security professionals consider the rate of
change to be accelerating. On top of that, to be able to stay in touch with such
ever-changing reality, one has to evolve with the space as well. Thus, even
though I hope that this document will be useful for to my readers, please keep in
mind that is was possibly written years ago. Also, keep in mind that some of the
URL might have gone 404, please Google around.

With each publicized data breach (TJ Maxx, U.S. Department of Agriculture) or new regulation
security emphasis seems to shift away from the traditional “keep bad guys out” mentality and
towards the “what’s going on in here?” layered, in-depth look at IT activity.

As such, organizations are turning to logs to provide a continuous fingerprint of everything that
happens with their IT systems and, more importantly, with their data. Logs of different types are
generated from different sources at an astounding rate, allowing for a detailed –if sometimes
cloudy - picture of IT activity. If a disgruntled employee accesses a database containing
confidential information with the intent to steal the data, there would likely be a log of that
activity that someone could review to determine the who’s, what’s, and when’s. Logs provide
the bread crumbs that organizations can use to follow the paths of all of their users, mal-
intentioned or not.

It follows that managing these logs can benefit an organization in many ways. They offer
situational awareness, help organizations pinpoint new threats as well as allow their effective
investigation. Routine log reviews and more in-depth analysis of stored logs are beneficial for
identifying security incidents, policy violations, fraudulent activity, and operational problems
shortly after they have occurred, and for providing information useful for resolving such
problems.

Given the inherent benefits of log management, it is not surprising that log data collection and
analysis is generally considered a security industry “best practice.” However, a number of
regulations also explicitly call for the collection, storage, maintenance, and review of logs in
order for companies to be compliant, turning log management from a “should do” to a “must
do.” Some of these regulations rely on National Institute of Standards and Technology
Computer Security Special Publications (NIST SP) in order to delineate the detailed logging
requirements.

In my last article (link), I described the way in which 3 regulations (FISMA, HIPAA, and PCI-
DSS) affect incident response processes. This triumvirate also affects log management, as they
call for enabling logging as well as for log review.
The Federal Information Security Management Act of 2002 (FISMA)
While many criticize FISMA for being ‘all documentation and no action’, the law simply
emphasizes the need for each Federal agency to develop, document, and implement an
organization-wide program to secure the information systems that support its operations and
assets. NIST SP 800-53, Recommended Security Controls for Federal Information Systems,
describes log management controls including the generation, review, protection, and retention of
audit records, and steps to take in the event of audit failure. NIST 800-92, Guide to Computer
Security Log Management, also is created to simplify FISMA compliance, is fully devoted to log
management, and describes a broad the need for log management in federal agencies and ways to
establish and maintain successful and efficient log management infrastructures (including log
generation, analysis, storage, and monitoring). NIST 800-92 discusses the importance of
analyzing different kinds of logs from different sources and of clearly defining specific roles and
responsibilities of those teams and individuals involved in log management. Importantly, section
4.2 highlights the need for organization to clearly define its policy requirements (based on the
appropriate regulations) for performing logging and monitoring logs, including log generation,
transmission, storage, and disposal as well as explicit protections for these logs.
HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines relevant
security standards for health information. NIST SP 800-66, An Introductory Resource Guide for
Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule,
details HIPAA-related log management needs in the context of securing electronic protected
health information. Section 4.1 of NIST 800-66 describes the need for regular review of
information system activity, such as audit logs, access reports, and security incident tracking
reports. Also, Section 4.22 specifies that documentation of actions and activities need to be
retained for at least six years. While the debate about whether logs can be considered documents
is not finished, some organizations did choose to store logs for as long as other business
documents. In addition, Appendix A of this document encourages organizations to ask a variety
of log-related questions, including whether or not system performance monitoring is used t o
analyze system performance logs in real time in order to spot availability problems like active
attacks.

PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS), which applies to organizations
that handle credit card transactions, mandates logging specific details and log review procedures
to prevent credit card fraud, hacking, and other related security issues in companies that store,
process, or transmit credit card data. Even though logging is present in all PCI requirements,
PCI DSS also contains Requirement 10, which is dedicated to logging and log management.
Under this requirement, logs for all system components must be reviewed at least daily, and
these log reviews must include servers that perform security functions (e.g. intrusion detection
system and authentication, authorization, and accounting protocol servers. Further, PCI DSS
states that the organization must ensure the integrity of their logs by implementing file integrity
monitoring and change detection software on logs to insure that existing log data can not be
changed without generating alerts. It also prescribes that logs from in-scope systems are stored
for at least one year.
There are also a variety of other regulations that call for log management capabilities, although
less explicitly than the aforementioned three. California Bill 1386 and its upcoming federal
equivalent, for example, requires a state agency, person, or business that owns or licenses
computerized data that includes personal information, to disclose any breach of the security of
the data to any California resident whose unencrypted personal information was acquired by an
unauthorized person. Logs, by nature of allowing for tracking IT infrastructure activity, are the
best way to assess if, how, when, and where a data breach has occurred, so management of these
logs would be the best way to assess what data has been accessed/stolen and, thus, who needs to
be notified.
The major effect the age of compliance has had on log management is to turn it into a
requirement rather than just a recommendation, and this change is certainly to the advantage of
any enterprise subject to one of those regulations. It is easy to see why log collection and
management is important, and the explicit inclusion of log management activities in major
regulations like FISMA, HIPAA, and PCI DSS highlights how key it truly is to enterprise
security as well as broader risk management needs.
ABOUT THE AUTHOR:

This is an updated author bio, added to the paper at the time of reposting in
2009.

Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in


the field of log management and PCI DSS compliance. He is an author of books
"Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy
II", "Information Security Management Handbook" and others. Anton has
published dozens of papers on log management, correlation, data analysis, PCI
DSS, security management (see list www.info-secure.org) . His blog
http://www.securitywarrior.org is one of the most popular in the industry.

In addition, Anton teaches classes and presents at many security conferences


across the world; he recently addressed audiences in United States, UK,
Singapore, Spain, Russia and other countries. He works on emerging security
standards and serves on the advisory boards of several security start-ups.

Currently, Anton is developing his security consulting practice, focusing on


logging and PCI DSS compliance for security vendors and Fortune 500
organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance
Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging
Evangelist, tasked with educating the world about the importance of logging for
security, compliance and operations. Before LogLogic, Anton was employed by a
security vendor in a strategic product management role. Anton earned his Ph.D.
degree from Stony Brook University.

You might also like