LogBlog

« February 2007 | Main | April 2007 »

LogLogic Platform Gets Certified for NetApp's Snaplock

Today we announced that the LogLogic Log Management Platform is now certified for NetApp's Snaplock storage and compliance solutions. Snaplock, which is designed to create WORM (Write Once Read Many) data archives, helps customers simplify the management of immutable log data.

Log data is often stored in departmental silos without attention to data integrity or security, but compliance mandates and operating pressures, such as frequent audits and increasing demands for user activity monitoring, are making enterprises approach log data horizontally across the organization. To do this, collecting all log data all of the time is critical, as is storing the log files in a completely secure and unchangeable form. For forensics, legal reasons and satisfying compliance mandates like PCI, immutability of log data is becoming necessary in today's enterprise.

Gerard M. Stegmaier of Silicon Valley law firm Wilson, Sonsini, Goodrich and Rosati talked about the implications for Logs and the Law in a podcast along with LogLogic's Andy Lark. Check it out here.






Posted March 29, 2007 in Compliance , Log Management & Intelligence , Risk Management | Permalink | TrackBack (0)


Anton Logging Tip of the Day #9: But He "Wasn't Logged!"

The idea for this tip originated when my presentation on log analysis was rejected by one of the high-profile security conferences on the grounds that "logs don't matter since advanced attackers never leave traces in logs [or erase them before anybody can get to them]." Indeed, some of my security friends of a more "offensive orientation" have long developed this snobbish (even if woefully naive...) attitude about logs.

So, imagine a network that has fallen victim to a 0day-wielding super-hacker, who kicked the door open, grabbed the crown jewels and took off. When, much too late as usual, the "good guys" rushed in to pick up the pieces, there was seemingly nothing much to pick up: the server logs were erased and their pricey network IDS didn't make a peep. What do you do now?

So, let's list some uncommon (and some common, but often untapped for the task at hand!) sources of log data and provide a few log analysis tips:

To conclude, while there is no search pattern for "advanced attacks," logs are still extremely useful in such circumstances if you prepare by setting up a broad scope of log collection (I suspect using a log management system will be your only choice, as log volumes will be pretty bone-crushing) and then combing through the logs after the incident. And remember the less common sources of log data, such as database logs.

Posted March 29, 2007 in | Permalink | TrackBack (0)


On Photocopiers and Identity Fraud

Over at Baseline, Debbie Gage writes ...

At least 15 million Americans are now victims of identity fraud, up more than 50% since 2003 when the Federal Trade Commission released its numbers, Gartner says. Americans are also losing more money to identity fraud--$3,257 on average in 2006, compared to $1,849 in 2005--and they're recovering less, an average of 26% less.

That is a lot of companies that should be listening to Avivah right now. PCI is here and getting compliant is a necessity. (And Avivah specializes in that area of course!)

But how about those devices -- you know those photocopiers are watching your data too...

"Everyone forgets that there's data in there," said Avivah Litan, an analyst at Gartner. "Copiers and other intelligent devices like multifunction printers are very exposed in the enterprise. They're open to attack via modems, and people forget about changing the default passwords."

All of your devices are harboring data. How do you deal with that? Is it secure?




Posted March 28, 2007 in Compliance , Log Management & Intelligence , Risk Management , Security | Permalink | TrackBack (0)


SANS What Works In Log Management Summit 2007

If you don't have this on your calendar it's time to make the date! SANS WhatWorks in Log Management Summit is set to kick-off April 23 to 25 here in Silicon Valley.

LogLogic will be there along with customers and partners (all of us are presenting at some point). If you are a LogLogic customer and planning on attending, let us know - we'd love to host you for dinner.

Posted March 26, 2007 in Log Management & Intelligence , LogLogic News | Permalink | TrackBack (0)


PCI Book On the Way...

Anton Chuvakin, a Loggie, has a co-authored book on the way on PCI Compliance:

I am sure that "everybody in the know" is already, well, in the know, but still - here it comes, the first book on PCI: "PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance" by Tony Bradley (Author), Anton Chuvakin (Author), Anatoly Elberg (Author), Brian J Koerner (Author).

Posted March 22, 2007 in LogMatters | Permalink | TrackBack (0)


Network security market to surpass $5 B this year

A new report from CA-based Infonetics Research on the state of worldwide network security appliance and software sales says that sales increased 15% to $4.5 billion between 2005 and 2006, and forecasts that the network security market will surpass the $5 billion mark for the first time in 2007.

Jeff Wilson, principal analyst at Infonetics Research says that "the most important appliance category to watch over the next year is secure routers."

Key findings in the Network Security Appliances and Software report are:

• Secure routers account for 29% of the total integrated security appliance market in 2006 and will continue to increase their share of the market through at least 2010
• Worldwide SSL VPN gateway revenue jumped 40% in 2006, following a 61% increase in 2005
• Worldwide IDS/IPS (intrusion detection and prevention systems) revenue grew 19% in 2006
• Cisco continues to lead the overall network security market, with 38% worldwide revenue share in 2006, posting growth in all network security market segments tracked by Infonetics
• Juniper and Check Point are tied for second, each with 9% worldwide revenue in 2006

More info and a preview of the Infonetics research are here.


Posted March 20, 2007 in Risk Management , Security | Permalink | TrackBack (0)


IT Security's Top 59 Influencers Includes LogLogic Vets

Our own Anton Chuvakin was named to IT Security's most influential security experts of 2007.

He is in some very good company. Check the site's complete list of the most influential security experts of 2007, from corporate tech officers and government security types to white hat hackers and bloggers.

Joining Anton is LogLogic's CMO Andy Lark, named in IT Security's Bloggers List.

The list certainly generated a lot of buzz in the security blogosphere.


Posted March 20, 2007 in LogMatters , Security | Permalink | TrackBack (0)


On Log Database Security

A paper at CSI Alert written by LogLogic's Anton Chuvakin introducing Database Log Analysis.

Here is a peek at Part One in a series . . .

" . . . Database security has been capturing more and more attention in recent years, even though most of the security issues surrounding the databases existed since the first day commercial database systems were introduced in the market.

Nowadays, database security is often seen as containing the following principal components:

• access control to database software, structures and data
• database configuration hardening
• database data encryption
• database vulnerability scanning

It is interesting to see that logging and auditing underlie all of the above domains of database security. Indeed, the only way to verify what access control decisions are being made and who views what data from the RDBMS is to look at the authentication logs. Database configuration hardening includes enabling and increasing the auditing levels. Similarly, data encryption might be verified by log and configuration review. And, vulnerability exploitation usually leaves traces in logs despite what some say (the challenge is more often with understanding what the log said and not with having the logs).

In recent years, insider attacks gathered more attention than periodic outbreaks of malware; and database logging happens to be in the forefront of this fight against insider attacks. Database systems are usually deployed deep inside the company network and thus insiders usually have the easiest opportunity to attack and compromise them, and then steal (or "extrude" as some would say) the data . . ."

To review the complete paper (freely available to CSI members) you can get it from GOCSI.com.


Posted March 19, 2007 in Log Management & Intelligence , Security | Permalink | TrackBack (0)


The Log Data Warehouse

What are the best practices for Log Management and Intelligence? Why do you need it? Who already uses it? Senior Analyst at Enterprise Strategy Group, Jon Oltsik talks about the emergence of log management as a killer strategy for IT in a webcast event today.

Criticizing what he calls a "laissez faire" approach to Log Management, Oltsik reveals the customer's voice on log matters in a Webcast available now on demand. The event will cover the highlights of Oltsik's new report "Delivering Log-Powered Services Across the Enterprise."

Join Jon Oltsik for an overview and live Q&A session on the findings from his newly released study on "Enterprise Log Management Services." LogLogic's Anton Chuvakin joins in the talk.

Log Management is good news and bad news for security management.


Posted March 15, 2007 in Log Management & Intelligence | Permalink | TrackBack (0)


The Security Arms Race

"We're In a Security Arms Race," according to eBay CEO Meg Whitman, who made this comment at the Visa Security Summit last week.

While Nordstrom executives called for more guidance from card companies on how to rank data risks to help categorize high- and low-priority issues, and Visa USA President and CEO John Philip Coghlan talked about the impact of retailers storing prohibited data, eBay's Whitman offered some proactive steps toward a solution for protecting customer data.

EBay, she says, includes a digital signature on every email it sends so that customers can identify legitimate company emails, in the hope that ISPs will only route emails that contain this signature. EBay-owned PayPal has a security key that creates a random code to authenticate each transaction.

Whitman also expressed a bit of dissatisfaction with the way banks and card companies have handled compliance issues in the past, noting that bank card networks receive information about fraudulent transactions long before (sometimes days or weeks) merchants find out. Not OK, according to eBay, which wants to know about fraudulent payment accounts before its users ship that autographed Yankee baseball to the bad guys.

eBay is saying what we are hearing here at LogLogic from many of our customers who are feeling the pressure to comply with the PCI data security standard and need a complete approach that carefully tracks, manages, and reports on log data.

Ignoring PCI is risky for your business.


Posted March 15, 2007 in | Permalink | TrackBack (0)


Hello Ruby Tuesday

In a move to proactively combat the risk of data theft and secure its customers' data, US-based restaurant chain Ruby Tuesday is opting out of the data retention business altogether, according to an AP article, implementing a system that doesn't store credit cards locally and uses strong encryption to send data to a processing center.

The report said that the credit card data leaves the restaurant and is sent to the bank in an encrypted form to cut down on identity theft. They plan to roll out the technology across the company's 900 locations by April.

Visa International said that the new system is fully compliant with PCI DSS.

Bravo to Ruby Tuesday's efforts to keep customers' data safe. Pass the salt?


Posted March 14, 2007 in | Permalink | TrackBack (0)


LogLogic Joins PCI Security Vendor Alliance

We joined the PCI Security Vendor Alliance (PCI SVA). Founded by a group of leading data security firms, the alliance assists members of the payment card industry and the PCI Security Standards Council (merchants, banks and point-of-sale vendors) in educating the business community on the requirements and business value of the PCI DSS.

According to a recent article in InformationWeek, in the past year PCI compliance has doubled from less than 15% to about one-third among Level 1 merchants, those that process more than 6 million transactions annually.

PCI SVA members will leverage their combined knowledge to provide best-of-breed PCI DSS solutions that address the needs of any enterprise that seeks a clearly defined, highly auditable data protection framework. More info here.



Posted March 13, 2007 in | Permalink | TrackBack (0)


Drowning in Data? Grab a Log

IDC researcher John Gantz began a study on data, estimating that 161 exabytes of digital data - or about 161 billion GB - were generated in 2006 alone. Think about that. According to USA Today, that is 168 million terabytes, or roughly the equivalent of:

• 36 billion digital movies
• 43 trillion digital songs
• 1 million digital copies of every book in the Library of Congress

How much of the data generated inside businesses must be stored? Facing government regulations around the globe, such as the Sarbanes-Oxley Act in the US and the EU Data Retention Directive, more and more organizations are being required to save more information than ever. The impact of the regulations globally is staggering. Just this week analysts predicted that the impact of the EU law on Asia could see communications providers and operators in the region having to comply.

Searching all the data is even trickier. Log Management and Intelligence effectively deals with the problem of continuously complying with multiple mandates simultaneously and being able to locate the data you need for compliance, forensics and to reap operational efficiencies.


Posted March 08, 2007 in Compliance , Risk Management , Security | Permalink | TrackBack (0)


Visa Takes Data Security to DC

Today, at the second Maintaining Trust in Payments Summit, organized by Visa and Harvard Business School Publishing, industry leaders from business, government, and technology gathered in D.C. to discuss security for the electronic payments industry, including the ever-present problems of consumer data theft and identity fraud, which, according to a recent Gartner survey, has increased by 50% in three years.

Topics covered the role of technology in payment security, the amount of time companies should be allowed to wait before disclosing data breaches to consumers (no doubt sparked by TJ Maxx's admission that their recently publicized security breach may have occurred as far back as 2003) and the role of the government in protecting both consumers and the payment card industry.

Kudos to Visa for organizing this summit. Hopefully log management will play an important role in the discussions, as PCI compliance requires that organizations maintain detailed, real-time reports on their log data to ensure network and data security.


Posted March 07, 2007 in Compliance , Log Management & Intelligence , Security | Permalink | TrackBack (0)


Leading Causes Of Data Loss

Looking at this report, an effective LMI platform is a key antidote to data loss. Sure, it won't prevent someone losing a laptop, but it will deliver alerting and reporting on many of the other areas identified in this report.

What is interesting is the extent to which human error is the overwhelming cause of sensitive data loss, responsible for 75 percent of all occurrences. User error is directly responsible for one in every two cases (50 percent) while violations of policy - intended, accidental and inadvertent - are responsible for one in every four cases (25 percent). Your LMI platform should deliver reporting and alerts on major IT controls and standard policies.

Posted March 07, 2007 in Compliance , Risk Management , Security | Permalink | TrackBack (0)


Links & Good Reading

Jon Oltsik touches on the good news and bad news for security management:

"What used to be a small, tactical security event management implementation is evolving into a much bigger opportunity. As enterprise organizations collect log and network flow data, they want to provide it to the network operations, compliance management, system administrators, lines of businesses and security for all kinds of analysis. In geeky technical terms, what was a security-focused data mart is turning into an enterprise IT data warehouse for all kinds of data analysis, event monitoring and reporting."

Exactly. Watch for more on Log Data Warehousing!

Posted March 07, 2007 in LogMatters | Permalink | TrackBack (0)


Expensive Sox...

SOX spending accounts for 20% of global governance. From over at Findtechinsights:

Sarbanes-Oxley spending isn't likely to change much this year, according to AMR Research. The company's latest report predicts that, despite recent revisions to relax the corporate reform law's requirements, 2007 Sarbanes-Oxley compliance spending will stay at $6 billion and account for around 20 percent of the total governance, risk and compliance spend of $29.9 billion. The latter figure represents an 8.5 percent increase from 2006. The numbers don't change much, explains AMR Research VP John Hagerty, because some small companies will be spending on Sarbanes-Oxley compliance for the first time in 2007.

Posted March 01, 2007 in LogMatters | Permalink | TrackBack (0)
