AUDIT LOGGING/LOG MANAGEMENT

Transcription

1 1 AUDIT LOGGING/LOG MANAGEMENT KATHLEEN A MULLIN, MBA, CIA, CISA, CISSP, ISA, CISM, CRISC, CGEIT DIRECTOR OF IT SECURITY/CISO HEALTHPLAN SERVICES (HPS) AHIA 31 st Annual Conference August 26-29, 2012 Philadelphia PA

2 Key Points 2 When is log information important and what Audit needs to focus on Where to look for additional information to interpret log data What actions should be taken by which role within the organization What are the appropriate actions based on the log data What is appropriate p without a logging g tool what organizations should evaluate when looking for a logging tool

3 3 When is log information important?

4 What to focus on 4 Information Overload Business Impact Analysis Risk Requirements Operational Business Regulatory

5 Appropriate p deployments 5 Project Approach Platform Business Geographic Stability Resource

6 What to Log 6 Syslog Events Access Logs Windows Log Events IDS / IPS Logs Database Logs Firewall Logs System Logs Network Flows Error Logs Security Logs Application Logs Backup Logs Patch Logs Anti-Malware Logs Policy Change Logs Integrity Logs Change Logs Engineering g Systems

7 Log Reporting What to focus on 7 SANS Top 5 Log Reports Attempts to Gain Access through Existing Accounts Failed File or Resource Access Attempts Unauthorized Changes to Users, Groups and Services Systems Most Vulnerable to Attack Suspicious or Unauthorized Network Traffic Patterns

8 Where to look for additional if information to interpret it t log dt data 8

9 Where to look for additional if information to interpret it t log dt data 9 Vendors Search Engines Additional i Resources

10 What actions should be taken by which role within the organization 10

11 What actions should be taken by which role within the organization 11 IT Information Security Incident Response Team Business Process Owner Risk Compliance Audit Finance Legal Human Resources Management

12 What actions should be taken by which role within the organization 12

13 What actions should be taken by which role within the organization 13

14 What actions should be taken by which role within the organization 14

15 What are the appropriate actions based on the log data 15 RISK Operational requirements Contractual requirements Insurance requirements Change Management RISK Incident cde Response se Plan Disaster Recovery Plans Business Continuity Plans

16 What are the appropriate actions based on the log data 16 Environmental Norm Critical Error Warning

17 What to do without a logging tool and what to look for in a logging tool 17

18 What to do without a logging g tool 18 RISK Based Operational requirements Contractual requirements Insurance requirements Change Management

19 What to look for in a logging g tool 19 Collect, Index- Correlate Alert Store Report Scalability Tuning Analytics Segregation of duties

20 What to look for in a logging g tool 20 Integration with work order systems File Integrity Monitoring Security Monitoring and Reporting Fraud Detection Data loss detection Compliance

21 Summary 21 When is log information important and what Audit needs to focus on Where to look for additional information to interpret log data What actions should be taken by which role within the organization What are the appropriate actions based on the log data What is appropriate without a logging tool what organizations should evaluate when looking for a logging tool

22 Additional Resources - ISACA 22 ISACA CoBIT CoBIT /COBIT/P / The Risk IT Framework Management/Pages/Risk-IT1.aspx

23 Additional Resources - NIST 23 NIST Guide to Computer Security Log Management pdf Recommended Security Controls for Federal Information Systems and Organizations rev3-final.pdf

24 Additional Resources e-discovery 24 Discovery Resources State by State Summary Report of E-Discovery Efforts discoveryresources org/library/case law and

25 Additional Resources - Microsoft 25 Microsoft p// /

26 Additional Resources Best Practices 26 SANS Critical Control 14: Maintenance, Monitoring, and Analysis of Security Audit Logs Top 5 Essential Log Reports The Unified Compliance Framework (UCF)

27 Additional Resources 27 PCI Data Security Standards p y_ standards/documents.php Kerberos Microsoft PowerShell for Windows Server C9C1DAB6E2BF&displaylang=en

28 28 Questions??

29 Thank-you 29

30 Save the Date: August 25-28, nd Annual Conference Chicago, IL 30