LogBlog

« June 2007 | Main | August 2007 »

Security Trends

Today, Accenture and Information Week released the results of a joint 2007 survey (which has been offered annually for the past 10 years) about security challenges faced by organizations in a variety of industries. The survey seeks responses from almost 3,000 IT professionals from the U.S. and China.

Some points of concern for both countries:

IT professionals in China feel more vulnerable to breaches than those in the U.S.  58% of respondents in China feel their organization is more vulnerable now to malicious code attacks and security breaches than in 2006, versus 16 % of U.S. respondents.

Chinese companies have fallen victim to public data breaches five times more often than U.S. companies. 32% of Chinese companies suffered from a publicized data breach or data loss over the past year, compared with only 6% of U.S. companies (although, as we have noted time and time again in this blog, some of the publicized data breaches in the US were enormous).

More than 20% of U.S. companies and nearly 25% of Chinese companies do not even regularly assess security risk and threats.  Assessing security risk and subsequently tweaking plans and budgets accordingly is also problematic. Only 34% of U.S. companies and 39% of Chinese companies that do examine security risks use the information gleaned to strategically create budgets and plans.

The survey indicates it is also difficult to measure the corporate value of security. 43% of U.S. companies measure value in terms of fewer worker hours spent on security-related issues and 24% of total respondents do not even attempt to measure the value of security investments.

The results of the survey indicate that there will be a major increase in security spending compared to 2006, with 39% of the respondents in the U.S. and 55% of the respondents in China expecting this increase.

Posted July 25, 2007 in | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

PCI Progress

39% of 327 Level 1 merchants are compliant while last year 18% of 230 Level 1 merchants were compliant.

Level 2 merchants, those generating 1 million to 6 million annual Visa transactions, aren’t as far along, though they have a later compliance deadline, Dec. 31. According to Perez, 33% are complaint while an additional percentage in the “high 20s” is in remediation. PCI compliance is at 52% for Level 3 merchants—those generating 20,000 to 1 million Visa e-commerce transactions annually. This group currently does not have an explicit compliance deadline. 

Posted July 25, 2007 in | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Musings on 100% Log Collection

One of the most exciting, complicated and, at the same time, very common questions from the field of log management is the "what logs to collect?" question. This comes up during compliance-driven log management projects (in the form of "what to collect for PCI DSS compliance?") as well as operationally-driven (in the form of "what logs from this application do I need to detect faults and errors?") or security-driven log management projects (in the form of "which logs will help me during the incident response?")

What are the answers that one sometimes hear? Otherwise awesome log management guidance NIST 800-92 "Guide to Computer Security Log Management" confuses the reader with this fascinating blurb: "generally, organizations should only require logging and analyzing the data that is of greatest importance." And how do people to know which logs are of importance? (I did have a bit of a debate with NIST folks on that...)

Other answers are situation-specific and thus limited in their usefulness ("need IDS alerts + server logs to detect intrusions via correlation", "need all logs that show access to PHI").  I spoke about the pitfalls of "prioritizing before collection" in my presentation "Six Mistakes of Log Management" and its companion paper.  In some cases, such as the incident response scenario, you might be naturally leaning towards grabbing as much as possible, since you never know which bit will help you answer that dreaded "WHAT happened?!" question ...

On the other hand, there is a simple answer that doesn't suffer from the above issues: collect everything. However, many folks go into a state of shock upon hearing it :-) "Everything!?! HOW can you collect 'everything''? What about storage, bandwidth, hardware, etc?"

But you know what? It really isn't as bad as you think! Just think that:

  1. Logs compress really well (1:10 to 1:15 compression ratios are not unheard of), so bandwidth and storage are less of an issue that initially estimated
  2. Disk storage is cheap (and tape is cheaper still); holding a billion of log records might well cost  under $200 (!) in disk drive cost
  3. Figuring out what you need, might need, can be "told to need", will need, etc is genuinely hard. You will never get it right!
  4. Many logs don't need to get collected the next second after generation, thus allowing you to save some bandwidth by moving them when network is less busy.
  5. Technologies exist to make sense of "everything", not just "hand-picked" and parsed logs. More on the "making sense" part later

Convinced yet? So, if you are pondering "what logs to collect?", try to switch your mindset into thinking "what will it take for me to collect everything?" You probably won't regret this decision!  At the same time, one can try to reverse this question and ask "why collect everything?" - in this case, the answer will be "because any other collection strategy is worse."

Related posts:

Technorati tags: ,

Posted July 19, 2007 in Compliance , Log Management & Intelligence , LogEd , Security | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Log management in the age of compliance

ComputerWorld features a story by Anton on Log management in the age of compliance. Here are a few highlights:

There are a variety of other regulations that call for log management capabilities, although less explicitly than the aforementioned three. California Bill 1386 and its upcoming federal equivalent, for example, require a state agency, person or business that owns or licenses computerized data that includes personal information to disclose any breach of the security of the data to any California resident whose unencrypted personal information was acquired by an unauthorized person.

Logs, which by nature allow for tracking IT infrastructure activity, are the best way to assess if, how, when and where a data breach has occurred. Management of these logs is therefore the best way to assess what data has been accessed or stolen and, thus, who needs to be notified.

The major effect the age of compliance has had on log management is to turn it into a requirement rather than just a recommendation, and this change is certainly to the advantage of any organization subject to these regulations. It is easy to see why log collection and management is important, and the explicit inclusion of log management activities in major regulations like FISMA, HIPAA and PCI-DSS highlights how key it truly is to enterprise security as well as broader risk management needs.

Posted July 18, 2007 in Compliance | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

NetBoundary Introduces LogLogic Technology For Mid-Sized Businesses

NetBoundary standardizes it's log management service on the LogLogic platform

Dallas TX., May 1, 2007 - NetBoundary, a provider of managed security services to the mid market, today announced the availability of a hosted log management service delivered on Loglogic's industry leading log management platform. Loglogic, according to the Gartner Group, helps address the complexities associated with monitoring, analyzing, retaining, and storing logs from across the entire IT infrastructure from databases to applications.

Monitoring log data is critical for any company that falls under regulatory requirements. NetBoundary's log management service provides it's customers with the ability to log, track, and analyze user and system activity, helping them to more rapidly prevent, detect and respond to security breaches as well as to quickly comply with mandates such as SOX, HIPAA, PCI, FISMA as well as a variety of IT frameworks such as ITIL and ISO/ITSM.

"NetBoundary has a long history of monitoring network and operating systems log data. With the addition of this service we are now extending our managed security services all the way to the application level to give our customer's even greater insight into their IT operations and business simultaneously," said Trevor Jennings, vice president and co-founder.

NetBoundary's log management service offers broad support for log data sources including operating systems, databases, and applications. The log management service also provides a service-based approach to monitoring custom applications and other log data sources that are not pre-defined or typical of suspicious events.

"Today, centralized logging and monitoring of application-level events are being driven by increased regulatory compliance, highly publicized data theft incidents, the changing nature of vulnerabilities and the increase in targeted application-level attacks," continued Jennings. "Log management helps minimize the risks."

The NetBoundary hosted log management service is based on technology from LogLogic, the proven market leader in Log Management & Intelligence. The service through NetBoundary includes an optional on-premise solution that stores and processes raw logs at the customer's site, with alerts sent to NetBoundary's centralized Security Operation Center (SOC) for ticketing, analysis, and response. In addition, NetBoundary offers a hosted solution where all log data is stored by NetBoundary. Reporting will be available through the NetBoundary Enterprise Security Portal, allowing customers to see events that have been captured and assign reports to users who sign-off once they have completed their review process, helping to expedite audit activities.

"Increasingly we are seeing IT take security to the next level by turning to managed services implementations that include log intelligence," said Robert Yusin, Vice President of Field Operations, LogLogic. "Log Management takes security beyond just protecting customer data and ensuring the integrity of corporate assets, delivering a comprehensive view of all system and user activity, policies and business impacts. With a log service, enterprises can easily address the complexities associated with monitoring, analyzing, retaining, and storing logs from databases and across other critical infrastructure."

According to Forrester Research, "Most security professionals still spend a good deal of their time analyzing technical threats, and how to use technology to counter them. Security folks still need to make sure logs are examined, vulnerabilities are identified, and systems are protected." ("Bridging the Security Divide" Forrester Research, January 2006).

Posted July 18, 2007 in LogLogic News | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Logging Glossary: Log Header

As I mentioned here,  I started publishing the LogLogic Logging Glossary. So, here is the tenth term (first second third fourth fifth sixth seventh eighth ninth):

Log Header

A set of information at the beginning of a log file or the start of a log message.

The information usually consists of context information, or meta data.

It may have a fixed or variable format. Fixed formats and some variable formats are usually well defined in vendor documentation. Some variable formats, such as with Syslog are subject to vendor discretion.

Posted July 17, 2007 in Log Management & Intelligence , LogEd | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Recent Data Breaches

Against a backdrop of Enterprises calling foul over an ever intensifying regulatory climate comes this story from IT Business Edge reported on a few of the major recent data breaches:

A Michigan business consultant and former employee of Sentry Insurance Company received five years in prison for stealing personal identification information of more than 110,000 customers of Sentry.  At least he was brought to justice, but wouldn't it have been better to prevent the breach from happening?

Britain's Information Commissioner's Office (an independent public authority designed to protect personal and official data by enforcing and overseeing the Data protection Act, among other regulations) noted that it found an astoundingly high number of security breaches by both retailers and banks.  Exactly how high?  They report that they have received 24,000 complaints, questions, and concerns about the security of their personal information in the hands of a variety of industries, with Internet firms at the top of the list.

And clearly we can not forget TJ Maxx, which has been grabbing headlines for the better part of the last seven months.  The number of credit and debit cards potentially exposed to fraud has climbed to nearly 46 million as of early April.

There is a reason that PCI DSS, HIPAA, FISMA, and other regulations (not to mention common sense) require that you store and review logs periodically.

Posted July 13, 2007 in | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Compliance, security take managing log data to next level

Pete Bogerman and Alan Paller provide plenty of insights into Log Management in this piece in  Techtarget...

Prior to the PCI auditors' questions, log data in Boergermann's organization was self-contained on individual devices. There was no central repository.

"You basically had to log into each one of those devices yourself and look at the information stored there," Boergermann said. "It would take hours to gather the data. And the quality -- it was in raw format. We got a ridiculous amount of paper. Who has time to look at this stuff? It wasn't getting reviewed as well as it should have."

The SANS Institute study found that 63% of those polled who said they used log data-tracking technology were dissatisfied with it.

"For the most part, there are three things that seem to drive people crazy," said Alan Paller, director of research at The SANS Institute. "One is speed: It takes too long. Two is getting data into the system when it is not standard, and the conflicts that generates with system administrators. And three is the reporting."

It's also a question of support -- who will do it?

"It's time-consuming," Boergermann said. "And reviewing logs is something you can't turn over to a PC technician or help desk person. You need someone at the engineering level, so now you're tying someone up at a higher pay grade. And the sheer volume of information is overwhelming."

Posted July 10, 2007 in | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Writing the Book On PCI Compliance

The Book on PCI Compliance, co-authored by Anton and others (Tony Bradley) is now out. Order your copy at Amazon and watch for the LogLogic Webcast later this month.

PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance

Posted July 10, 2007 in | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

A 'Syslog Server' for $X0,000? No!

I hate it when people call what we provide (i.e. log management) a "syslog server." I really do. Why will someone pay $X0,000 for just a box to "collect syslog?" No, really, why? I won't! It does indeed sound silly and wasteful.
By now, many people understand that log management is not about collecting syslog in one big trash can. You can do that much easier and cheaper if that is indeed your goal. Why would someone collect syslog in a trash can is a separate story :-), even though collecting logs is pretty useful at times. But using the collected log data is much more valuable!
So, please get it! Log management is about scalable (meaning you can deal with a lot of data) collection (yes, collection too) + retention (meaning storage and then destruction) + analysis (real-time and historical methods of making sense of data) of all types of log data (not just syslog!!!), and about making such data available for all organizational needs (security, compliance, operations, fun bed-time reading :-), etc).

Technorati tags: , ,

Posted July 09, 2007 in Log Management & Intelligence , LogMatters | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Search & Alert On Logs From Any Source

WindowsITPro says: LogLogic's open log management and intelligence platform, LogLogic 4.0, now uses a service-oriented architecture and open API to let users create their own portals for compliance, risk mitigation, and forensics.

The integrated Log Data Warehouse helps eliminate log silos by collecting and storing logs just once while allowing them to be shared many times. A Google-like multidimensional search on data helps accelerate IT forensics and improve compliance insight, and the Universal Log Processing feature extends reporting, search, and alerting capability to logs from any source—including homegrown and business applications— without requiring custom development.

Posted July 06, 2007 in | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

On Project Lasso

Jon Walker chats to Anton on Project Lasso and includes an overview of log management and intelligence:

Log Management and Intelligence is an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event logs, etc.), which consists of log collection, centralized aggregation, long-term retention, log analysis (in real-time and in bulk after storage) as well as sharing the information with the relevant parties across the organization. Such analysis is usually done for security, operational (such as system or network administration), or regulatory compliance.

Posted July 06, 2007 in | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Top 11 Reasons to Look at Your Logs

As promised, I am following my Top 11 Reasons to Collect and Preserve Computer Logs with just as humorous and hopefully no less insightful "Top 11 Reasons to Look at Your Logs." 

  1. The first reason is again disarmingly simple (is it, really? :-)). Read PCI DSS lately? Glanced at HIPAA? Suffer under FISMA? Yes, all of the above regulations say that you must not only have, but also review logs periodically.
  2. Are your servers compromised now? How do you know if all your logs are stashed on a tape in a closet? Look at them! Now!
  3. An incident happens. Really, who needs extra motivation to look at logs in such case? Using logs for incident response is a true "no-brainer" (however, you need to be pretty "brainy" to actually analyze them in case of an incident)
  4. Users - from a CEO to a janitor. You do have to know what they do on your IT systems! How? Read the logs! Everybody leaves tracks.
  5. Systems log plenty of errors. Sometimes they are silly, sometimes - benign. However, often they mean that "stuff" is about to hit the fan. Periodic review of logs reveals them and saves the day.
  6. Network slowed to a crawl?  Applications are slooow? Server is not ... well, serving? :-) Where is the answer? In the logs, but you need to read them and understand them.
  7. That policy you wrote a few months ago. Anybody following that? Anybody remembers that? Halloooo! Check the logs and you'd know.
  8. By now you know that your auditor might ask for your logs. But do you know they might also check whether you looked at them? Do you? Review the logs and leave the record of this activity in the logs.
  9. Change can be good. But then again, it may be the sign that your controls are lacking. Who changes what and when? From what and to what? Just review the logs.
  10. Now, you hate looking at logs. You have too many (as if everybody else doesn't...)! In this case, look at a specific subset of logs that you never saw before- NBS. Or just deploy log management that can do it for you.
  11. Logs can help you predict the future (if you review, know and love them :-)). Don't believe it? If you read them for long enough, you develop an ability to predict the future, albeit mostly future problems :-)

See also: Top 11 Reasons to Collect and Preserve Computer Logs

Coming soon: "Top 11 Reasons to Secure and Protect Your Logs"!

Technorati tags: , ,

Posted July 06, 2007 in Log Management & Intelligence , LogMatters , Security | Permalink | TrackBack (0)

« June 2007 | Main | August 2007 »

Anton Logging Tip of the Day #11: But These Are OUR Logs!

Following the new "tradition" of posting tips of the day (mentioned here, here ; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it "pay it forward" to the community.

So, Anton Logging Tip of the Day #11: But These Are OUR Logs!

A common and unfortunate situation that occurs when dealing with logs is not technical, but political: not being able to get the logs you need due to political, cultural, egotistic, or other "corporate" reasons. In this tip we will try to present a few situations and solutions for those trying to wrangle logs from whatever hostile (or ambivalent - sometimes worse!) entity at your organization and thus to break the siloed approach to log management.

So, here is the situation: a desktop system starts "behaving strangely" (as evidenced by network IDS or IPS logs, which are controlled by the security team) and security wants to take a peek at the system logs to determine how it was compromised or infected. At the same time, no centralized log collection takes place.  The security team does not have administrator-level (or, sometimes, any) access to all desktops needed to grab security logs from Windows PCs: only the desktop division of IT department does. And they refuse! Why?

What can you - the security analyst or manager - do?

As a side note, database administrators (DBAs) are even more famously resistant to providing log data.

Overall, while the tips above might help, the only way to truly to resolve such control issues is to deploy log management tools across the entire organization and then provide limited access to the logs to all the stakeholders on the "as needed" basis ...

BTW, I am tagging all the tips on my del.icio.us feed. Here is the link: All Tips of the Day.

Technorati tags: , , ,

Posted July 02, 2007 in | Permalink | TrackBack (0)

Visit loglogic.com

I ♥ Logs

Subscribe to this blog’s feed RSS

November 2007
Sun Mon Tue Wed Thu Fri Sat
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  
Categories
Archives
Blogroll
Blogroll
Compliance
Good Reading
LogLogic
LogLogic Partners
Sites We Watch