« Just What is Enterprise Class? Part II | Main | Breaches Rise - PCI DSS Enforcement Lags »
Log Trustworthiness Hierarchy
This post is inspired by the old TaoSecurity post Enterprise Trust Pyramid where he explains that he trusts some security, system and network evidence data more than other. For example, dedicated NSM sensor records are trusted more than vanilla server logs. With this post, I am looking to establish a log trustworthiness hierarchy so that people start thinking about trusting log data as a kind of a spectrum, from "probably trash" to "guaranteed to be an accurate record of activities."
So, do you trust your logs to accurately depict what happened on the system or network? Which logs do you trust the most? How do we increase this trust?
My first draft of such trust hierarchy follows below (from low trust to high trust):
- Compromised system logs (mostly trash, but might contain bits that attacker missed/ignored)
- Desktop / laptop OS and application logs (possibly changed by users, legitimate systems owners, etc)
- All logs from others systems where 'root'/Administrator access is not controlled (e.g. test servers, etc)
- Unix application logs (file-based)
- Local Windows application logs
- Local Unix OS syslogs
- Unix kernel audit logs, process accounting records
- Local Windows server OS (a little harder to change)
- Database logs (more trusted since DBA cannot touch them, while 'root' can)
- Other security appliance logs (located on security appliances)
- Various systems logs centralized to a syslog server
- Network device and firewall logs (centralized to syslog server)
- Logs centralized to a log management system via a real-time feed (obviously, transport encryption adds even more trust)
Admittedly, the differences between some of them are minor or even non-existent ...
To conclude, some logs DO in fact provide reliable evidence in case of an incident; you just need to know which ones to trust and which ones to only consider to be "hints" (or possibly even a misdirection). But of course, you need to first have logs and then look at them.
Posted September 27, 2007 in Log Management & Intelligence , LogEd , LogMatters , Security | Permalink
TrackBack
TrackBack URL for this entry:
http://www.loglogic.com/mt/mt-tb.cgi/257
November 2007
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| 1 | 2 | 3 | ||||
| 4 | 5 | 6 | 7 | 8 | 9 | 10 |
| 11 | 12 | 13 | 14 | 15 | 16 | 17 |
| 18 | 19 | 20 | 21 | 22 | 23 | 24 |
| 25 | 26 | 27 | 28 | 29 | 30 |
Categories
Archives
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
- August 2006
- July 2006
- June 2006
- May 2006
- April 2006
- March 2006
- February 2006
- January 2006
- December 2005
- November 2005
- October 2005
- September 2005