Log Management as an Early Warning System

Transcription

1 Log Management as an Early Warning System The Edge for Compliance Presented by: Nancy Wilson, CISA, CRISC, CISSP, C CISO Vice President, Compliance and Security Cautela Labs, Inc. Agenda What is log management The four components of IT system log management Compliance and Log Management How to take advantage of the compliance information that is already in your system logs Q&A 1

2 What is a System Log Cryptic Text Messages generated by every system, device and application on and off a network. Laptops, desktops, servers, firewalls, IDS, switches, routers, badge readers, phone systems, systems, claims systems, pharmacy applications, online web servers.. Logs are The Digital Fingerprints of all electronic activity Using System Logs Logs communicate what s happening in the system What happened, where it happened, when it happened, what type of activity it is, who did it.. Information from multiple system logs must be correlated Was data traveling into or out of the company, what other systems were impacted, where did the activity originate.. 2

3 The Challenge: Collect, Organize & Analyze Millions of these :12: id=firewall sn=0006b11f3b34 time=" :14:08" fw= pri=6 c=1024 m=537 msg="connection Closed" n= src= :138:lan dst= proto=udp/netbios-dgm sent=229 rcvd=0 PER DAY Management Turns Random Information... Venus is the only planet that rotates clockwise. 3

4 Into a Library... Of Usable Information 4

5 Log Management Transforms THIS. Nov 27 18:35:19 HelmsDeep sshd[12767]: Failed password for root from port 1298 ssh :12: id=firewall sn=0006b11f3b34 time=" :14:08" fw= pri=6 c=1024 m=537 msg="connection Closed" n= src= :138:lan dst= proto=udp/netbios-dgm sent=229 rcvd= [28/Nov/2005:14:48: ] "GET / HTTP/1.1" " "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0;.NET CLR )" 11/28/2005 7:05 AM TYPE=Error USER= COMP=ELVIS SORC=Application Hang CATG=(0) EVID=1002 MESG=Hanging application notepad.exe, version , hang module hungapp, version , hang address 0x /28/ :56 AM TYPE=Information USER=SECIOUS\andy.grolnick COMP=DELL600SC SORC=Print CATG=(0) EVID=10 MESG=Document 203, PODNOTICE (TA ) PDF owned by andy.grolnick was printed on Brother HL-1250 series via port LPT1:. Size in bytes: ; pages printed: 1 Into THIS Useful & Actionable Information 5

6 Four Components of Log Management Log Collection From end user systems, data center servers, network devices, and security tools Log Correlation Sequences or patterns in multiple log sources Log Monitoring Ongoing analysis of system activity Log Retention Available for retrospective analysis HIPAA/HITECH Log Requirements (a)(1)(ii)(D) Information System Activity Review Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports (a)(5)(ii)(C) Log In Monitoring Procedures for monitoring log in attempts and reporting discrepancies. 6

7 HIPAA/HITECH Log Requirements (a)(6)(ii) (Security Incident) Response and Reporting Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes (b) Audit Controls Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. PCI DSS Log Requirements Requirement 10 Track and monitor all access to network resources and cardholder data. Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs. 7

8 Log Management Supports Compliance Regular reports can give you important information about who is accessing the data in your critical systems unexpected changes to your systems when data is leaving your systems Log reports allow for independent review Assist in identifying normal vs anomalous activity Assist in meeting compliance reporting requirements Would You Like to Know? When a user has been granted access to systems containing PHI? Not every user should have access to every system. Access to systems containing PHI should be also be restricted based on the minimum necessary information required to perform their job. If terminated users have had their access revoked promptly? Users who continue to have access to sensitive systems for days or weeks after leaving the company create a significant security concern. 8

9 Would You Like to Know? Which users have attempted to log into systems with incorrect credentials? Everyone mistypes a password on occasion, but an account that consistently reports login errors should be checked to be sure it is not being misused. If any users have logged in after normal business hours? Users working at unusual times, such as late in the evening, on weekends, or holidays, may signal activity the user does not want known. Would You Like to Know? If system configurations been changed without your knowledge? Users may install remote access applications or data sharing applications without change control or proper approvals. Often these users are just trying to make their work lives easier and do not realize the security holes they open. Who has saved information to a DVD or flash drive? The 2014 Verizon Data Breach Investigation Report found 45 percent of healthcare related breaches involved the loss or theft of laptops, USB drives, printed papers and other information assets. 9

10 Compliance Event Alerting Evidence of malicious activity can be anywhere Firewalls, remote access systems, servers, databases, PCs Unsuccessful intrusion or exploitation attempts Malware infections on PC s Including Trojans from phishing activity Anti virus software alerts Evidence of insider activity Abnormal login attempts or login at abnormal hours Saving data to removable media outside of job functions Other Types of Event Alerting System capacity and performance System changes or restarts Software or patch installation Capacity alerts Data backup systems Backup job failures File Integrity Monitoring Security log changes Event log changes 10

11 Manual Log Reviews Manual log reviews are insufficient Looking for only a few specific events Difficult to correlate activity from different logs Reviews are often cursory and ad hoc Overwhelmed by the sheer number of logs It s like looking for a needle in a haystack A Needle in a Haystack Log correlation and monitoring can drastically reduce log reviews and escalate just those events that should be investigated 11

12 Security Information and Event Manager Correlation and analysis of security alerts generated by log collection Provides automated reports for compliance activity Holistic view of the organizations information security posture Viewing disparate data from a single point of view allows the organization to spot trends and unusual activity Centralized log storage Near real time analysis allows for prompt response SIEM s Make Log Data Useful Servers Mainframe Routers Switches Firewalls IDS VPN Applications Workstations Badge Readers Custom Apps Any Log Source! SNMP Syslog Windows Event Log Netflow ODBC Checkpoint LEA Flat File Cisco SDEE 12

13 Enterprise Owned SIEM Onsite SIEM Ability to customize rules to your specifications All data stays within the enterprise Typically expensive to deploy and operate Requires purchase hardware and software Implementation through Professional Services on using existing staff may be time consuming May require additional staffing 24x7x365 analysis requires at least 9 people for full coverage Keeping staff interested and involved may be a challenge Managed Security Service Provider Shared Log Management Service Reduces costs Shared hardware and software may allow for more features MSSP analysts reduce the need to hire staff Provide incident response Immediately escalate high priority alerts Provide remediation recommendations MSSP must meet compliance requirements Business Associate Agreement HIPAA Compliance 13

14 Thank You Questions? 14