Next generation log management systems will enable you to avoid many of the issues outlined in this recent article in InformationWeek.
First, in creating immutable logs, ensure that you keep a secure back-up that is tamperproof. You'll avoid responses like this: "'I couldn't look at all the data,' said Faulkner, when defense attorney Chris Adams questioned him about having backup tapes instead of forensic mirror images to analyze in the case. 'They were just the active data. When I ran it, it asked for Tape 2 but there was no Tape 2. The information for the [central server] wasn't a forensic image. To preserve digital evidence, a forensic image is best practice.'"
Creating a forensic image of log data is critical. Erin Kenneally said it well in FSA Times:
"With forensically sound logs, companies can reduce the potential of losing a lawsuit, diminish the costs associated with discovery and defense, increase the likelihood of forcing an opponent into settlement, and be a resource to define against actions related to corporate governance."
Second, log everything. Distributed log management systems enable 100% logging, and next generation log management solutions provide you with assurance that no log was left behind.
Third, your log management system should provide complete chain of custody over your log data. You will know who accessed what, when, and what they did. Your log data can be trusted as a form of evidence because, with a next generation log management solution, you will know if it was edited by a root user.
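To make the third point concrete, here is an added example (not code from the original post and not LogLogic's implementation) of a keyed hash chain that reveals an edited, deleted or truncated log entry. It assumes the HMAC key and the anchor (entry count and last tag) are kept off the logging host, out of reach of that host's root user; the function names, key and log lines are constructed for illustration.

```python
import hashlib
import hmac

GENESIS = b"\x00" * 32  # fixed start value for the chain (assumption of this sketch)

def seal(key, lines):
    """Return (line, tag) pairs; each tag covers the line and the previous tag."""
    prev, sealed = GENESIS, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed

def verify(key, sealed, expected_count, expected_last_tag):
    """Return None if the log is intact, else a description of the first problem."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return f"entry {i} altered, or an entry before it removed or reordered"
        prev = tag
    # Dropping entries from the tail leaves a valid shorter chain, so the
    # count and last tag recorded off-host are compared as well.
    if len(sealed) != expected_count or not hmac.compare_digest(prev.hex(), expected_last_tag):
        return "log truncated or extended since the last anchor"
    return None

# Constructed sample data, not taken from any real system.
KEY = b"demo-key-held-off-host"
LINES = [
    "2006-07-18T09:00:01Z host1 sshd: accepted login for alice",
    "2006-07-18T09:02:13Z host1 sudo: alice opened /var/log/auth.log",
    "2006-07-18T09:05:40Z host1 sshd: session closed for alice",
]

if __name__ == "__main__":
    sealed = seal(KEY, LINES)
    anchor = (len(sealed), sealed[-1][1])   # stored off-host
    print("untouched:", verify(KEY, sealed, *anchor))
    tampered = list(sealed)
    tampered[1] = (LINES[1].replace("alice", "bob"), sealed[1][1])
    print("edited:   ", verify(KEY, tampered, *anchor))
    print("truncated:", verify(KEY, sealed[:2], *anchor))
```

A user who can rewrite the log file but does not hold the key cannot produce tags that verify, so the edit is detectable even though it cannot be prevented.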
Whether prosecuting or defending cases, or just executing best practices, immutable logs can play a critical role in attesting to controls, compliance and the quality of evidence. Here is another great quote:
"When audited logs are immutable and cannot be altered, there are additional advantages for deterrence and proof of policy or legal violations. With immutability, deterrence may be improved for all users of the system." Markle Foundation. Implementing a Trusted Information Sharing Environment. February, 2006
Posted July 18, 2006 in LogMatters