Logging the Pillar of Compliance

Transcription

1 WHITEPAPER Logging the Pillar of Compliance Copyright BalaBit IT Security All rights reserved. 1

2 Table of Content Introduction 3 Open-eyed management 4 ISO PCI DSS 5 Sarbanes Oxley Act (SOX) 6 HIPAA 7 COBIT 7 How can BalaBit syslog-ng help in cost-efficient compliance? 8 Learn More 9 2

3 Introduction It is a common experience among corporations and institutions that compliance with different security requirements and the increasing number of international standards means a great burden for IT and security experts as well as for business managers. Worries and excitement grow especially if an audit is approaching and no mistakes should be made, that is, compliance should be granted in order to maintain the continuity of business. However, this is not an easy task, since there are different regulations that define security requirements in several fields, and the strict auditors will find even the smallest mistakes. The question of how these increasingly rigorous requirements can be met with the least human resources and expenditures arises frequently by no surprise. There is no simple answer to this question. However, this document intends to describe the possibilities that help avoid a breach of compliance, and make business, IT and security processes become transparent, and at last but not least continuous. Logging is placed in the focus, and it will be revealed soon that without the adequate realization of logging, compliance cannot even be mentioned nowadays. Inevitable compliance Nowadays service providers of critical infrastructures at state, financial, health-care, telecommunications, and large enterprise sectors cannot afford ignoring security rules and laws concerning their industries. However, it is a common mistake to think that small and medium-size enterprises can totally ignore these requirements, since trends of the previous years revealed that compliance will sooner or later play a decisive role in the life of every organizations operating IT systems and handling data. In case of companies where operation according to the strict standards is not compulsory yet, it is worth studying the following regulations since they can provide useful guidelines that will finally enhance the prevention of security incidents as a result of the creation and maintenance of protection. And this is not only beneficial for the organizations, but also serves the interests of their customers. AUDITORS Asset inventory Compliance reports by host, policy control Audit trail IT Compliance Audit Team HIPAA GLBA PCI SOX Basel II MANAGEMENT Dashboard and risk analysis Scorecards by business unit and asset groups Trend reports Management Team OPERATIONS Patch reports Integration with Helpdesk Configuration reports Alerts IT Remediation Team Vulnerability Management Web Application Auditing Database Auditing Wireless Auditing COBIT, ISO and NIST Frameworks SECURITY Technical reports Differential reports Risk report by host and asset group Alerts Vulnerability and Risk Management Team Integrated view of compliance and security In order to provide adequate security level and hence compliance of data and infrastructures, the security capabilities of IT systems, the deficiencies, security gaps, and undesirable events should be known exactly. Whether it is an external or internal attack, or availability problem, troubleshooting and problem handling are essential. This requires continuous alertness. It is not an exaggeration to state that one of the cornerstones of compliance nowadays is logging. Compliance cannot be provided without logging, not only because it is a basic criteria of almost all standards but also due to the fact that compliance to several regulations is impossible to be realized or approved, even in case these regulations show no relation with a logging management system for the first sight. Meanwhile, risks that arise because of inadequate logging that can even lead to the loss of log messages and hence can deteriorate the authenticity of systems cannot be ignored either. 3

4 Open-eyed management Before presenting the most crucial chapters of logging standards, we intend to highlight the importance of management involvement into dealing with compliance issues, and why it cannot be completely handed over to security experts and external consultants. One of the most important reasons is the management s commitment to protection at all levels of the organization. It is a must for the successful accomplishment of audits to prevent the failure of the security projects. If compliance is damaged, business activities and processes are hindered and also, the market position might be eroded, resulting in competitors with higher security awareness getting an advantage. Therefore, the responsibility of the management cannot be questioned. Security standards usually affect business processes, and hence the contribution of management is essential as well. Fortunately, nowadays technologies primarily due to the adequately organized, filtered and presented information are already available for supporting management in controlling compliance projects, and hence decision making can be well-grounded. Modern logging systems offer great assistance in this process, since they can produce management reports that contain information that is relevant for decision makers. Logging does not only provide transparency and auditability, but also continuity. Until now, discrepancies were revealed only a few weeks before the audit, and then were resolved in a hurry. Now, logging provides regular reports on the state of security, and with the help of forecasts, problems can be prevented. If an undesired event occurs, upper management can be informed about it as quickly as the IT group or security personnel. If this function additionally is connected to activity monitoring, the activities of the employees, administrators and privileged users can be controlled as well. The following sections will describe the most frequently applied standards and requirements, where logging based on modern technology is not only an inevitable tool, but also facilitates the successful accomplishment of audits. 4

5 ISO ISO is the most rapidly and most widely spreading requirement system. This is a frequently occurring requirement in the corporate sector, especially when a company aims to be a supplier in a logistic chain. Chapter of the standard includes measures that are inevitable for compliance, that is, the observation of information processing activities. A basic requirement of ISO standard is the logging of user, administrator, system manager activities, and information processing device usage. It also states that logging data has to be stored for a definite period of time and log entries on system usage should be investigated regularly. Therefore, logging of system errors is a must, and then subsequent steps have to be taken. Plan: Establish the ISMS Do: Implement and operate the ISMS Act: Maintain and improve the ISMS In case the management has decided that they are committed to the ISO security standard, a modern logging system has to be established. Not only because ISO sticks to this, but also because only this way can changes in the IT infrastructure and business processes be controlled and validated. PCI DSS Check: Monitor and review the ISMS ISO PDCA strategy Since nowadays credit card data are very popular among cyber criminals, there are more and more malware aiming at stealing money or security incidents due to phishing. Obviously, credit card companies recognized that a solution for this is of paramount importance, since it is their own interest to protect credit card users data. That is why the largest credit card companies (Visa and MasterCard being at the top of the list) have elaborated a standard in 2004 that aims at reducing credit card incidents at commercial companies, web stores, services and other places that accept them. As a result, these regulations are to be applied by all organisations receiving, handling, transferring or storing credit card data. When PCI DSS (Payment Card Industry Data Security Standard) was being elaborated, the most important aim was to reduce risks and to create a uniform regulation that takes reality into consideration. It phrases goals about each requirement rather than strict rules. It contains more definite requirements than ISO 27001; however, it gives a free hand to a certain degree to users to take into consideration security preferences that their organisation consider important and to create their own security system consequently. 5

6 PCI DSS classifies its regulations into the following main areas: network data protection managing vulnerabilities access protection security monitoring security regulations. Looking at the list, it is obvious that these tasks cannot be realized completely without logging. It is vital to log all network events, to ensure the traceability of data breach incidents, to prevent risks due to vulnerabilities, to trace accesses, to monitor security on several levels, to record and to assess events related to the realization of security regulation requirements. One might wonder why the security areas covered by PCI DSS are important for the upper management? Because it is the responsibility of the management to ensure that security measures are implemented properly and that they have positive effects on business processes. Sarbanes Oxley Act (SOX) The SOX Act is one of the regulations that define strict regulations concerning leadership, IT and security. In case of non-compliance, management and even management board can be negatively affected. SOX emphasizes importance of auditing the controlling, finance and related departments as well as the necessity of data security measures. The audits get a crucial role in this Act, that can only be based on trusted, non-compromised and authentic data. That is why SOX, being compulsory for enterprises present on the US Stock Exchange imposes serious responsibility on logging systems as well. Logging has to be able to ensure that any frauds are detected, alerted and, if possible, prevented, being committed either by external or internal attackers. Log has to cover the whole IT infrastructure and focus on efficient application logging. In the case of SOX, company leaders including top-level and financial directors are responsible for non-compliance; they can even be sentenced to prison in case of serious infringements. 6

7 HIPAA One of the most important security regulation of the health care sector, HIPAA (Health Insurance Portability and Accountability Act) defines relatively specific rules in connection with logging and requires the protection of sensitive data that are stored on computers or transferred on the network. Since log messages may also contain sensitive data, logging infrastructure has to comply with these regulations as well, and has to play a crucial role in forensics situations. 6 STEP 6 Monitor Regulation Changes 5 1 STEP 1 Readiness Assessment 2 STEP 2 Gap Assessment 3 This regulation states that data has to be non-compromised and confidential, and also emphasizes encryption. Log data should also comply with this, thus, implementing and operating logging systems that focus on data security is of paramount importance. STEP 5 Implementation 4 STEP 4 Implementation Plan HIPAA Compliance Lifecycle STEP 3 Risk Analysis COBIT Although authorities require relatively rarely that a log infrastructure complies with COBIT regulations, it still has to be considered. Some regulations (for example Sarbanes-Oxley Act or Basel II accord) do not define precise technical requirements, and thus conformity with these regulations can only be achieved by using an already successful framework, like which responds to Business Requirements drive the investments in COBIT. COBIT methodology was elaborated by ISACA, the Information Systems Audit and Control Association, so that business leaders recognize and reduce risks to an acceptable level. Enterprise Information to deliver IT Processes IT Resources that are used by COBIT deals with data security and monitoring requirements, like all other regulations. However, it should be emphasized that COBIT also deals with requirements such as managing changes and the configuration management of IT devices and software (including logging systems). The latter ones can have a serious impact on security as well as availability, productivity and business performance. 7

8 How can BalaBit syslog-ng help in cost-efficient compliance? In the previous sections, we have presented some regulations and standards of logging. We have demonstrated that without up-to-date log management, company management as well as IT and security departments cannot efficiently accomplish their tasks in connection with compliance. Therefore, during the development of the syslog-ng logging product family, we do not only take technological aspects into consideration, but also the expectations of company managers concerning log management. The syslogng solution merges the features of logging clients, log transferring devices and log servers into a reliable log infrastructure. It collects log messages of operating systems and applications, then it transfers them to a high-performance log server via an encrypted and trusted channel, where messages are further processed, classified and stored in secure and encrypted files or databases. The syslog-ng solution is also available in an open source version; however, the commercial version has numerous extra functions facilitating compliance and reliable and lossless message transfer. The syslog-ng solution supports many additional compliance cases besides the regulations described in this document. It is capable of accomplishing the requirements that are related to data confidentiality, authenticity, availability and integrity in all cases. In addition, it contributes to compliance cost-reduction and successful audits, whereas it also helps users to easily monitor, supervise and control processes at every organisation level. The syslog-ng solution, as the most widespread universal log management tool in the world, is efficiently used by companies and institutes that face the strictest security requirements day by day. However, it is also helpful for companies where the standards mentioned in this document are just recommendations. 8

9 Learn More BalaBit IT Security is an innovative information security company, one of the global leaders in developing privileged activity monitoring, trusted logging and proxy-based gateway technologies to help customers be protected against insider and outsider threats and meet security and compliance regulations. As an active member of the open source community, we provide solutions to a uniquely wide range of both open source and proprietary platforms, even for the most complex and heterogeneous IT systems across physical, virtual and cloud environments. BalaBit is also known as the syslogng company, based on the company s flagship product, the open source log server application, which is used by more than customers worldwide and became the globally acknowledged de-facto industry standard. BalaBit, the second fastest-growing IT Security company in the Central European region concerning Deloitte Technology Fast 50 list, has local offices in France, Germany, Italy, Russia, and in the USA, and cooperates with partners worldwide. Its R&D and global support centres are located in Hungary, Europe. Read more about BalaBit syslog-ng products Request evaluation version Request callback 9