Audit logs for security and compliance
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
WRITTEN: 2004

DISCLAIMER: Security is a rapidly changing field of human endeavor. Threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. On top of that, to be able to stay in touch with such ever-changing reality, one has to evolve with the space as well. Thus, even though I hope that this document will be useful to my readers, please keep in mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have gone 404, please Google around.

A beaten maxim proclaims that “knowledge is power”, but where do we get our knowledge about IT resources? The richest source of such information is logs and audit trails. Through logs and alerts (which we treat similarly to logs and audit trails), information systems often give signs that something is amiss or even will be amiss soon.

What are some examples of log files and audit trails? We can classify the log files by the source that produced them, since it usually determines the type of information contained in the files. For example, host log files, produced by UNIX, Linux and Windows, are different from network device logs, produced by Cisco, Nortel, and Lucent routers, switches, and other network gear. Similarly, security appliance logs, produced by firewalls, intrusion detection systems and intrusion “prevention” systems, are very different from both host and network logs. In fact, the security devices display a wide diversity in what they log and the format in which they do it. Ranging in function from simply recording suspicious IP addresses all the way to full network traffic capture, security devices produce an amazing wealth of information, both relevant and totally irrelevant to the situation at hand.

Thus, logs present unique challenges. Some of the questions that we ask are:
How do we find what is relevant for the situation at hand?
How can we learn about intrusions—past, present and maybe even future—from the logs?
Is it realistic to expect to surf through gigabytes of log files in search of evidence that might not even be there, since the hacker was careful not to leave any traces?
How do we use logs to come up with high-level metrics, indicating thehealth of our enterprise?
Can compliance auditors use the logs to prove or disprove regulator compliance in the organization?
 
Let us briefly demonstrate some common log examples. UNIX and Linux installations produce a flood of messages via a syslog or “system logger” daemon, in plain text. Such messages can indicate:
• There is a problem with a secondary DNS server.
• A user has logged in to the machine.
• A forbidden DNS access has occurred.
• A user has provided a password to the Secure Shell daemon for remote login.

Similarly, newer Windows versions also provide extensive system logging. Windows uses a proprietary binary format to record three types of log files: system, application, and security. For example, the system log contains various records related to the normal - and not so normal - operation of the computer.

In many cases, the log files don’t just give clear answers; the answers need to be extracted – sometimes forcefully – from them. This is accomplished by performing “log analysis”. Log analysis is the science and art of extracting answers from computer-generated audit records. Often, even seemingly straightforward logs need analysis and correlation with other information sources. Correlation means the manual or automated process of establishing relationships between seemingly unrelated events happening on the network. Events that happen on different machines at different times could have some sort of relationship, relevant to the situation. Such relationships need to be discovered and disclosed.

Why analyze the logs? The answer is different for different environments. For example, for a home or small office (SoHo) computer system, logs are only useful in the case of major system trouble (such as hardware or operating system failures) or security breaches, which are easier to prevent since you only have to watch a single system or a small number of systems. Often, your time is better spent reinstalling your Windows operating system and keeping up with patches and updates. Poring over logs for signs of potential intrusions is not advisable for most users, with the possible exception of hard core log analysis addicts. Only the minimum amount of logging should thus be enabled and the analysis boils down to firing up the Windows event logger after something wrong occurs.

Next, let us consider a small to medium business with no full-time security staff. In this sense, it is similar to a home system, with a few important differences. This environment often has people who astonish security professionals with comments such as "Why would somebody want to hack us, we have nothing that they need?" Now more and more people understand that disk storage, processor cycles, and high-speed network connections have a lot of value for attackers. Log analysis for such an organization focuses on discovering, detecting and dealing with high-severity threats. While it is well known that many low-severity threats reflected in logs might be precursors for a more serious attack, a small company rarely has the resources to investigate them.
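The correlation step described above (relating sshd events that happen on different machines at different times), as an added example that is not part of the original article: a short Python script over constructed syslog lines that flags a source address whose successful SSH login on any host follows a burst of failed logins on any host. Host names, addresses, the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Classic BSD syslog layout for sshd: "Mar 10 09:12:01 host sshd[123]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$"
)
FAIL_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
OK_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+)")

# Constructed sample lines from three hosts (not real log data): 10.0.0.5 fails
# repeatedly on web1 and db1, then logs in successfully on db1.
SAMPLE_LOG = """\
Mar 10 09:12:01 web1 sshd[2231]: Failed password for root from 10.0.0.5 port 40110 ssh2
Mar 10 09:12:04 web1 sshd[2231]: Failed password for root from 10.0.0.5 port 40112 ssh2
Mar 10 09:12:09 db1 sshd[8810]: Failed password for invalid user oracle from 10.0.0.5 port 40120 ssh2
Mar 10 09:13:40 mail1 sshd[1502]: Accepted password for alice from 192.168.1.20 port 50231 ssh2
Mar 10 09:15:22 db1 sshd[8815]: Accepted password for admin from 10.0.0.5 port 40131 ssh2
""".splitlines()

def parse(line, year=2004):
    """Parse one sshd syslog line (BSD timestamps carry no year, so one is supplied)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "msg": m["msg"]}

def correlate(lines, min_failures=3, window=timedelta(minutes=10)):
    """Flag a source IP whose successful login on any host follows at least
    min_failures failed logins (on any host) within the time window."""
    events = sorted(filter(None, map(parse, lines)), key=lambda e: e["ts"])
    failures = defaultdict(list)  # source ip -> [(timestamp, host), ...]
    findings = []
    for ev in events:
        fail = FAIL_RE.search(ev["msg"])
        if fail:
            failures[fail["ip"]].append((ev["ts"], ev["host"]))
            continue
        ok = OK_RE.search(ev["msg"])
        if not ok:
            continue
        recent = [h for t, h in failures[ok["ip"]] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            findings.append({"source": ok["ip"], "user": ok["user"],
                             "login_host": ev["host"], "login_time": ev["ts"],
                             "failing_hosts": sorted(set(recent))})
    return findings
```

Calling `correlate(SAMPLE_LOG)` returns one finding for 10.0.0.5 (failures on web1 and db1, then a login as admin on db1), while alice's clean login on mail1 is not flagged.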
 
A large corporation is regulated by more administrative requirements than the life of an individual. Among these are the responsibility to shareholders, fear of litigation and other liability. Due to the above, the level of security and accountability is higher. Most organizations connected to the Internet now have at least a firewall and some sort of a dedicated network for public servers exposed to the Internet. Many also have deployed spam filters, intrusion detection systems (IDS), intrusion prevention systems (IPS) and Virtual Private Networks (VPNs) and are looking at more novel solutions such as anti-spyware. All these technologies raise concerns about what to do with logs coming from them, as companies rarely hire new security staff just to handle the logs. In such an environment, log analysis is of crucial importance. The logs present one of the best ways of detecting the threats flowing from the hostile Internet as well as from the inside of their networks.

Overall, do you have to do log analysis? The answer to this question ranges from a “not likely” for a small business to an unquestionable “Yes!!!” for a larger organization.

By now, we have convinced you that the information in logs can be tremendously important; we also stated that such information will often be extremely voluminous. However, such a log analysis and review program needs to be consistent.

Imagine you work for one of those companies where information security is taken seriously, senior management support is taken for granted, the appropriate IT defenses are deployed and users are educated on the security policy. Firewalls are humming along, intrusion detection systems are installed and the incident response team is ready for action. This will probably go a long way towards creating a more secure enterprise computing environment. Let's look at it from the prevention-detection-response model. The above solutions provide the technical side of prevention, detection and response. The complex interplay between prevention, detection and response is further complicated by the continuous decision making process: 'what to respond to?', 'how to prevent an event?', etc. Such decisions are based on the information provided by the security infrastructure components. Paradoxically, the more security devices one deploys, the more firewalls are blocking messages and generating logs, the more detection systems are sending alerts, the more messages the servers spew, the harder it is to make the right decisions about how to react. Logs from all of the above devices need to be consistently and diligently analyzed to arrive at the right security decisions.

What are the common options for optimizing the security decisions made by the company executives? The security information flow needs to be converted from logs and alerts into a decision. The attempts to create a fully automated solution for making such a decision, some even based on artificial intelligence, have not