LogBlog

« December 2006 | Main | February 2007 »

The Age of CSO Pragmatism

Security Incite's Mike Rothman has released The Pragmatic CSO: 12 Steps to Being a Security Master. Written for Chief Security Officers in the corporate world today, the book looks at the business reasons and impact of securing a network.

Mike gives you a sneak peek of the book here. But we found lots of reviews out there touting the book - including Richard Bejtlich's shout out over at his TaoSecurity blog. Richard writes:

The most important feature of "P-CSO" (as it's called) is that it is a business book. P-CSO teaches readers (assumed to be techies, for the most part) how to think like a businessperson who reports and interacts with other businesspeople. I took business classes in college and graduate school, and I run my own business. Most of the time, however, I'm doing technical work. I usually stay so busy that I don't consciously consider the sorts of business issues Mike describes.

We learned that Rothman plans to launch the Pragmatic CSO community in February. We hope to learn more from Mike this Monday night!

Posted January 31, 2007 in Compliance, Innovation, Risk Management, Security


Celebrate with us at RSA

Are you going to the RSA Conference in San Francisco? Kick off the event with us.

Raise a glass with LogLogic on Mon Feb 5th at 6pm at TWO restaurant to celebrate a year of innovation and growth! 

Mingle with users and industry luminaries, and raise a glass with all of us loggies!

We want to thank you for your support and celebrate as we doubled our customer base and are debuting breakthrough features into the world's leading log management and intelligence platform.

We are entering 2007 with a bang and are in the mood to celebrate. Cocktails and appetizers. A Nintendo Wii will be given away! Your RSA badge gets you in. Be sure to RSVP at RSVP@loglogic.com.

Posted January 30, 2007


What are the "Five Mistakes of Security Log Analysis"

Anton Chuvakin gave a talk at the DoD Cybercrime Conference 2007 in St. Louis, Missouri last week. 

In his presentation, "Five Mistakes of Security Log Analysis," Anton talks about the operational security challenges organizations face while deploying log and alert collection and analysis infrastructure. Chuvakin highlights the top five most common mistakes organizations make in this process, among them: not storing logs long enough to comply with government regulations, not preserving the forensic quality of logs, and only looking for known "bad records."

To get the complete presentation, which details how to avoid these and other mistakes, email us.

Take a peek at the presentation here.

Posted January 29, 2007 in Compliance, Log Management & Intelligence, Risk Management, Security


Logs Save Lives

Ok. We tend to be a bit log crazy around here and track the news of logs... and so we came across "Logs Save Lives." The headline: Wife Saves Husband From Mouth of Lion With Log. When a mountain lion attacked her husband near San Francisco, Nell Hamm fought him off with a log.

We wish the family all the best and hope for Jim Hamm's continued recovery.

Read the story here.

Posted January 29, 2007 in Blinks


Logs Are Everywhere!

Given that I am closely involved in a log management business, I sometimes have these moments that I see logs everywhere. But guess what? Logs are everywhere! From a server under your desk to satellites to shipboard systems to personal electronics to telecom equipment to building control systems - logs are indeed omnipresent.  

And, nowadays, most of these logs are almost never looked at. For example, how often does a typical computer user look at his or her Windows or Linux workstation logs? I am guessing: when something goes wrong. It is pretty much the same for most of the logs above. And that is how it always was, from the olde times of "The Cuckoo's Egg" (and probably even from the times of the ENIAC) to today.

But - and here is the point! - it is changing now. My natural flow of log management shows us that people start looking at common firewalls and servers before they look at operational logs from, say, an elevator in their building. However, the time when people will stop ignoring most of the above logs, even the esoteric ones, is definitely coming ...

Yes, I am being somewhat philosophical here at 21,457 ft, since this post was written while flying back from the DoD Cybercrime 2007 Conference, where I presented on "Six Mistakes of Log Management."

Posted January 28, 2007


Preventing data breaches is hard; detecting them later can be harder

Nice story in ComputerWorld that features LogLogic. Some quotes:

To quickly and consistently detect such intrusions, IT managers need to be able to collect and analyze literally every transaction flowing through their networks in real time, according to Maness. "You've got to know what every single packet on the network is doing, where it's coming from, where it's going and which ones are bad."

Some vendors such as LogLogic Inc. are beginning to offer more efficient ways to sift through voluminous log data and focus on the issues that matter, Maness said. Such products can complement security event management tools, he said.

LogLogic's hardware appliances are designed to automatically capture and store log data from firewalls, routers, servers, applications, operating systems and other devices, said Andy Lark, a spokesman for the San Jose-based company. The appliances can be configured to generate near-real-time alerts when the logs show violations of predefined policies, such as those associated with Payment Card Industry standards, he said.

Posted January 26, 2007 in LogMatters


NIST Expert Says Legacy Systems Must Be FISMA Compliant Within 1 Year

Legacy systems are expected to be in compliance with NIST within 1 year of the publication date, according to Dr. Ron Ross of NIST in his presentation today about FISMA Compliance. And that is not all! Systems under development are expected to be in compliance immediately upon deployment.

We sponsored a Government Computer News webcast on FISMA Compliance this morning with Dr. Ross to record attendance! (Over 900 people signed up!)

Ross went through FISMA guidelines, cleared up misconceptions on FISMA Compliance, and made recommendations for sound strategies to get compliant with FISMA in short order.

Three key takeaways:

"Successful FISMA Implementation demands that organizations adopt an "enterprise-wide" Security Strategy"

"Common controls must be continuously monitored with results shared with all information system owners"

"Continuous Monitoring; Facilitates annual FISMA reporting requirements"

Log Management and Intelligence delivers FISMA Compliance in minutes. Our just-announced FISMA Compliance and Control Suite helps government agencies verify that information security policies are being followed, substantially reduce audit time and expense, and achieve FISMA compliance. Out-of-the-box reports and alerts map directly to NIST standards, including NIST 800-53 (security controls) and NIST 800-92 (log management), providing an efficient, easy-to-implement solution. Our approach is cost-effective, using all available log data to automate the process of auditing and enforcing policies, and supports 100% of all log-related IT controls as outlined by FISMA. And it's the first FISMA compliance solution based on log management and intelligence.

Posted January 24, 2007 in Compliance, Log Management & Intelligence, LogMatters, Security


Compliance Driving Log Management Into the DataCenter

Datacenters are increasingly turning to log management to ease compliance burdens, according to Matt Stansberry at SearchDataCenter. Stansberry points to SAS 70 auditing as an example: its internal-control standards define what auditors assess at a service organization, and logs come into play because data center managers can use them to prove controls, such as proving that the business "has disabled user logins when people are terminated."

Analyst Dana Gardner weighs in:

For instance, a company can show how it is enforcing its policies. If a company doesn't want its workers sending emails to employees in a competing company, it can use log data on routers, hubs and email systems to block or record that activity.

"It can also be used for internal issues," Gardner said. "If you're a financial institution, your traders shouldn't be talking to your investment bankers. You can prove to the SEC that your traders aren't having communications with the investment bankers, at least not on your systems."

Illinois auditing consultant Russ Gates adds:

"I sat in on a Web-cast LogLogic did the other day and a lot of their points are valid," Gates said. "If somebody thinks logs are important and relevant you've got to have software to deal with it. In any big system you'd have hundreds of thousands of events being logged. Parsing out the ones that matter -- a database failure or security violation, getting those in front of somebody -- the key thing is tying those into a response you can do something with."

As Anton noted earlier this week, traffic is up on the loganalysis mailing list, and other trends are showing that log management is emerging right now! A simple Google search for "log management" drives this home: over 239 million hits, and growing daily.

Posted January 23, 2007 in Compliance, Log Management & Intelligence


The Demystification of Event Logs

Will Kelly writes at processor.com that "Demystifying event logs requires proactivity with an eye toward retention, review, and automated tools to ensure that your log events are presented in a usable and actionable manner to your data center team."

LMI fulfills this charter. Kelly quotes our own Anton Chuvakin:

He also advises a proactive approach to handling log management vs. opening them when a network outage or security issue occurs. "Not looking at the logs until something happens is a big mistake," according to Chuvakin, because regular viewing of your logs enables you to see early signs of problems, such as security incidents like probes, not just trends.

Read the entire article here.

Posted January 22, 2007 in Compliance, Log Management & Intelligence, LogMatters, Risk Management


Webcast: Log Management takes on FISMA Compliance

There is a newly added LogLogic-sponsored webcast with Government Computer News on FISMA Compliance this Wednesday, January 24, 2007, at 11 a.m. Eastern | 8 a.m. Pacific.

The online event features Dr. Ron Ross, a senior computer scientist for the National Institute of Standards and Technology (NIST) and author of several federal security publications and guidance documents. GCN assistant managing editor Jason Miller hosts the one-hour discussion on how agencies can use the Federal Information Security Management Act (FISMA) to improve their IT security and get compliant with FISMA.

To attend, sign up here.

Posted January 22, 2007 in Compliance, Log Management & Intelligence


ROI of PCI compliance

Interesting post here on the ROI of PCI Compliance - along with a good primer on ROI. We've got a few comprehensive ROI models over at LogLogic.com. While some companies build comprehensive business cases for PCI compliance, others recognize that more than anything, an effective compliance program is about recognizing that the data customers entrust them with deserves protecting.

Mike gets at the issue more directly:

Whoever invented ROI should be beaten with a stick. Actually, it's an important concept for business management, but for security - it doesn't work so well. So I read with interest, this piece on ROI for PCI compliance. But it leaves me wanting. Wanting what? Basically, I want the discussion to just go away. The major benefit of compliance is in not getting hacked? That's ridiculous. The benefit of compliance is in making your auditors go away and ensuring you won't end up like our friends at TJX, all over the front page with your dirty laundry bared for all to see. It's not about offsetting fines, it's about protecting the contract you have with your customer to protect their data. Strong security will give you compliance. If you just try to buy compliance, you will end up with nothing but a big crisis communications bill.

There are other ways of getting a return on your PCI investment. The most recent is Visa's program, effective October 1, 2007, under which merchants can qualify for lower interchange rates for being PCI compliant.

Posted January 22, 2007 in LogMatters


What Happens if Logs Aren't There ...

Seeing this story, where logs weren't available when sorely needed for an investigation, inspired me to finish my own version of that... First, let me quote the conclusions from the above post.

Indeed, there is no better way to say it. But - guess what - despite us saying this (and even pointing out glaring mistakes), a lot of people still choose to ignore logs. What can we use to help them, even despite themselves? Maybe a bit of FUD can help? Yes, many proclaim that people need to be naturally drawn towards doing "the right thing" and that scaring people into action is not that efficient (especially if you do this one too many times...). However, this is the world we live in, and in it, FUD works. FUD sells insurance as well as safety features in cars and other products, moves compliance solutions, makes people read and update their boring DR and BC plans, and causes a lot of other good overall :-)

And, indeed, one can get desensitized if you hear that "sky is falling" too often, but here is the thing: I think that one should be willing to take the risk of such "desensitization", especially given that sky is indeed "not quite static" ...

So, let's look at one such scenario in this post (which is, as they say, "inspired by a true story"). Imagine you have a Windows Active Directory (AD) server (or a domain controller) that holds all of the accounts for a good part of your organization. One notable morning you get calls from dozens of frantic users (yes, including your boss's boss :-( and maybe even his boss ... ) who are unable to log in to their Windows systems. Their computers reject their apparently valid logon credentials. You check the account settings on your AD box and your face turns pale: there aren't any user domain accounts. The term would be "mysteriously vanished" :-) Where do you go next? Windows event logs on the AD server, of course. Good thinking! However, AD servers and domain controllers (DCs) are famous for being very "chatty", often producing hundreds of event log records per second on busy networks. Thus, when you look at the logs you notice that the entries older than 8 hours (!) got rotated into oblivion. And there is nothing that points at the account disappearance within the remaining puddle of log data. Argggh!

Now, what do you do next? Do you feel at least a little fear for your job, and maybe also slightly uncertain about what exactly happened to your server, or even doubtful that you can prevent it if it were to happen again? Maybe your IT team has an SLA to worry about? One that your boss's bonus depends on? What if it happens again tomorrow (after you painstakingly restored all the accounts based on old records, incremental backups and the info from the users)? And why can't it? You have no idea why it happened this time... Are your servers compromised, or was it just a junior sysadmin error? Or a new Windows bug? You truly have no way of knowing, which, as we all know, doesn't help you to feel brave, certain and doubtless...

Now, if only you had bought that log management solution and started collecting and analyzing logs before, and not after, the incident. Imagine how life would be different!
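The two failure modes this post and the "Five Mistakes" talk above describe (a chatty server whose fixed-size log rotates the evidence away within hours, and logs not retained long enough to satisfy an investigation or a regulation) can be put in concrete terms. The Python below is an added illustration, not code from this post or from LogLogic: it sizes a retention window from log size and write rate, then simulates an overwrite-oldest event log with and without forwarding to a central store. The 2 GB log, 500-byte records, 200 records/s and the event stream are constructed assumptions, not measurements.

```python
"""Retention-window check and rotation simulation for a busy event log.

Added example, not code from the post or from LogLogic. It models the
scenario above: a domain controller's Security log is a fixed-size ring,
so at hundreds of records per second the oldest entries are overwritten
within hours, and the record of an account deletion can be gone before
anyone looks. Forwarding each record to a central store as it is written
keeps a copy outside the ring. All sizes, rates and events below are
constructed assumptions, not measurements from any real system.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int       # write order; stands in for the timestamp
    kind: str      # "logon" background noise or "account_deleted"
    detail: str


def retention_hours(max_log_bytes, avg_record_bytes, events_per_sec):
    """Hours of history a fixed-size, overwrite-oldest log keeps."""
    records = max_log_bytes // avg_record_bytes
    return records / events_per_sec / 3600.0


def required_log_bytes(hours_needed, avg_record_bytes, events_per_sec):
    """Log size needed so the oldest record is at least hours_needed old."""
    return int(hours_needed * 3600 * events_per_sec) * avg_record_bytes


class RingLog:
    """Local event log that overwrites the oldest record when full,
    optionally forwarding every record to a central list as it is written."""

    def __init__(self, max_records, forward_to=None):
        self.buf = deque(maxlen=max_records)   # deque drops oldest on overflow
        self.central = forward_to

    def write(self, ev):
        self.buf.append(ev)
        if self.central is not None:
            self.central.append(ev)            # copy survives local rotation

    @staticmethod
    def find(records, kind):
        return [e for e in records if e.kind == kind]


def simulate(total_events, max_records, delete_at, forward):
    """Write total_events records (scaled down from hours of DC traffic),
    with one account_deleted record at position delete_at.
    Returns (hits_in_local_log, hits_in_central_store)."""
    central = [] if forward else None
    log = RingLog(max_records, forward_to=central)
    for i in range(total_events):
        if i == delete_at:
            log.write(Event(i, "account_deleted", "jdoe deleted by admin7"))
        else:
            log.write(Event(i, "logon", "background authentication traffic"))
    local_hits = len(RingLog.find(log.buf, "account_deleted"))
    central_hits = len(RingLog.find(central, "account_deleted")) if forward else 0
    return local_hits, central_hits


if __name__ == "__main__":
    # Constructed figures: 2 GB log, ~500-byte records, 200 records/s.
    print(f"retention: {retention_hours(2_000_000_000, 500, 200):.1f} h")
    print(f"for 30 days: {required_log_bytes(30 * 24, 500, 200) / 1e9:.0f} GB")
    # Scaled simulation: 20,000 writes into a ring of 8,000, deletion early on.
    print("local only:", simulate(20_000, 8_000, 2_000, forward=False))
    print("forwarded: ", simulate(20_000, 8_000, 2_000, forward=True))
```

Compare `retention_hours` against the window an investigation or regulation demands; when the local log cannot hold it, the forwarded copy is what remains.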

Posted January 21, 2007


On Natural Flow of Log Management

I just came back from visiting some of our customers and then did a bit of thinking of what logs people tend to deal with first (and why). It would sound obvious for some, but possibly insightful to others. While we often say that you need to look at all the logs, often real-life limitations interfere.

So, even a few years ago, any firewall or network admin worth his salt would look at least at a simple summary of the connections that his baby PIX or Checkpoint was logging. Indeed, firewall log analysis represented a lot of early business for log management vendors. Many firewalls log in standard syslog format, and such logs are easy to collect and review.

Reviewing network IDS logs (for those companies that chose to deploy this technology), while unduly exciting in case of an incident, is often a very frustrating task since NIDSs would sometimes, you know, "lie" to you by recording "false positives." Still, NIDS log analysis, at least the post-mortem kind, often comes second after firewalls since the value of such info for security is undeniable and logs can, in most cases, be easily centralized for analysis.

Even though system administrators always knew to look at logs in case of problems, massive server operating system (both Windows and Unix/Linux flavors) log analysis didn't materialize until more recently. Collecting logs from all critical (and many non-critical) Windows servers, for example, was hindered by the lack of agentless log collection tools, such as LASSO. On the other hand, Unix server log analysis was severely undercut by a total lack of unified format for log content in syslog records.

Web server logs were long analyzed by the marketing departments to check on their online campaign successes (and most web server admins would not ignore those logs as well). However, since web servers don't have native log forwarding capabilities (most log to files stored on the server itself) consistent centralized web log analysis for both security and other IT purposes is still ramping up. There is plenty of interesting info to dig for.

Similarly, email tracking through email server logs languishes in a somewhat similar manner: people only turn to email logs when something goes wrong (email failures) or horribly wrong (an external party subpoenas your logs). Lack of native centralization and, to some extent, complicated log formats slowed down email log analysis initiatives.

Judging by the traffic on the loganalysis mailing list, database logging wasn't on the radar of most IT folks until probably last year. It is emerging now! In fact, IT folks were perfectly happy with the fact that even though RDBMSs had extensive logging and data access auditing capabilities, most of them were happily never turned on. It will be all the rage in the very near future. Oracle, MS SQL, DB2 and MySQL all provide excellent logging, if you know how to enable it (and know what to do with the resulting onslaught of data).

What's next? Web applications and large enterprise application frameworks largely lived in a world of their own, but now people are finally starting to realize that their log data provides unique insight into insider attacks, insider data theft and other trusted access abuse. I expect to see much more of such logs flowing into log management solutions. Additionally, desktop log analysis should not be too far behind.

In a more remote future, various esoteric log sources will be added into the mix. Custom applications, physical sensors and many other uncommon devices and software want to "be heard" as well! :-)

So, the progression from firewall logs to NIDS to servers to databases, web servers and then applications seems very common across a large number of organizations.

Just an interesting observation useful for those planning their log management strategy!

Posted January 14, 2007


HIPAA: Report Shows Most Complaints Not Investigated - IT Compliance

The motivation to get HIPAA compliant shouldn't be to avoid getting sued; it should be to protect your information assets. That said, we do wonder how many will be motivated to comply with a mandate that isn't being enforced. According to Government Health IT, "Most privacy complaints are not investigated":

"The Department of Health and Human Services investigated less than 25 percent of 22,964 privacy complaints submitted to HHS’ Office for Civil Rights (OCR) from April 2003 through September 2006"

"Melamedia found that of the 5,400 complaints investigated – all of which were filed against health care organizations covered by the Health Insurance Portability and Accountability Act (HIPAA) – OCR officials took informal action in 3,700 cases. Officials absolved the accused health care organizations in 1,700 others."

With the new False Claims Act guidelines coming into play with HIPAA enforcement, will enforcement activities increase? Perhaps. As Rebecca points out:

A significant motivator for compliance is that beginning in 2007, "whistleblowers" for violators of the new guidelines will be awarded 15% - 25% of any associated fines, depending upon the situation. This could definitely motivate employees, former employees, and patients/customers to report what they believe are HIPAA violations when they may not have to date.

This could bring the Department of Justice (DOJ) into the HIPAA compliance and enforcement mix.

The real question is, "Will compliance activities increase?" Read more here and here...

Posted January 08, 2007 in Compliance


The Future Of SIEM

The SIEM market will begin to diverge in 2007 according to Amrit Williams, ex-Gartner analyst. His final sentence reflects what we have been seeing for the past two years:

Log management will break out as it own class of products and will see the biggest growth as folks realize that at the end of the day all they really wanted was a syslog server on steroids.

Kind of. What customers come to realize quickly is the intrinsic value log data has and the broad range of answers it can give them across IT functions, from IT Operations through Compliance and, of course, Security. They want much more than just a "syslog server on steroids".

Looking at the business cases and RFPs, what most customers are looking to address is the entire log life-cycle (collect, alert, store, report, share) against specific applications, be they compliance or controls validation, to name just two.

Either way, Amrit is right in identifying that the market is diverging.

Posted January 02, 2007 in Compliance, Log Management & Intelligence
