OWASP Logging Project - Roadmap

SUMMARY
Why log?
What is commonly logged?
What are security logs?
What are the most common issues with logging?
What are the common functions of a log management infrastructure?
  General
  Storage
  Analysis
  Disposal
How to plan a logging infrastructure?
What is log management?
What application logs/events to monitor?
Application logs and Security Information Management systems
  Case study - OSSIM (Open Source Security Information Management system)
  Figure 1 - OSSIM correlation. The Directive Editor allows us to define what events to correlate
  Figure 2 - OSSIM example. Alerts resulting from correlation
Tools
References

Why log?
- identify security incidents
- monitor policy violations
- identify fraudulent activity
- identify operational and long-term problems
- establish baselines
- ensure compliance with laws, rules and regulations

What is commonly logged?
NB: Much of the information below can only be logged by the applications themselves (this is especially true for applications used through encrypted network communications, where network devices see only ciphertext).
- Client requests and server responses
- Account activities (login, logout, change password etc.)
- Usage information (transaction types and sizes, generated traffic etc.)
- Significant operational actions such as application startup and shutdown, application failures, and major application configuration changes. These can be used to identify security compromises and operational failures.

What are security logs?
- security software logs (antimalware software, IDS, IPS, remote access software, web proxies, vulnerability management software, authentication servers, routers, firewalls)
- operating system logs (system events, audit records)
- application and database logs:
  - commercial off-the-shelf (COTS) applications (such as email servers and clients, web servers and browsers, file servers and file sharing clients, database servers and clients, ERP and CRM systems)
  - custom-developed applications

What are the most common issues with logging?
- high number of log sources
- inconsistent log content
- inconsistent log formats
- inconsistent timestamps
- increasingly large volumes of log data

What are the common functions of a log management infrastructure?

General
- Log parsing
- Event filtering (e.g. suppression of duplicate entries and standard informational entries)
- Event aggregation (see Figure 1 - OSSIM correlation)

Storage
- Log rotation
- Log archival
- Log compression
- Log reduction
- Log conversion
- Log normalization (e.g. storing dates and times in a single format)
- Log file integrity checking (calculating a message digest for each file and storing the message digest securely, not alongside the logs it protects, since anyone who can alter the log could otherwise recompute it; this ensures that changes to archived logs are detected)

Analysis
- Event correlation
  - rule-based correlation
  - using statistical methods or visualization tools
  (see Figure 2 - OSSIM example: alerts resulting from correlation)
- Log viewing (displaying log entries in a human-readable format)
- Log reporting (displaying the results of log analysis). Log reporting is often performed to summarize significant activity over a particular period of time or to record detailed information related to a particular event or series of events.

Disposal
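Three of the functions listed above (timestamp normalization, duplicate suppression and archive integrity checking) in working form, as an added example written for this page; it is not code from the OWASP project or from NIST SP 800-92. It assumes two constructed sources (a syslog-style line without year or zone, and a JSON application record with an epoch timestamp), assumes the syslog host ran on UTC in the given year, and uses a constructed key ARCHIVE_KEY; all function names are illustrative.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed sample input: one syslog-style line (no year, no zone), the same
# line repeated by a chatty source, and a JSON application log record that
# carries an epoch timestamp (UTC).
RAW_LINES = [
    "Mar  3 10:15:02 web01 app: login failed user=alice src=203.0.113.7",
    "Mar  3 10:15:02 web01 app: login failed user=alice src=203.0.113.7",
    '{"ts": 1425377702, "host": "web01", "msg": "login ok user=bob src=198.51.100.9"}',
]

# Assumed key for sealing archives.  In a deployment it lives on the log
# management host (or in an HSM), never on the hosts that produce the logs.
ARCHIVE_KEY = b"example-key-do-not-reuse"


def normalize(line, assumed_year=2015):
    """Normalize one raw line into {ts, host, msg} with an ISO-8601 UTC timestamp.

    Syslog lines carry neither year nor zone, so the caller supplies the year
    and this example assumes the source host ran on UTC; a real deployment
    records each source's zone instead of guessing.
    """
    if line.startswith("{"):
        rec = json.loads(line)
        ts = datetime.fromtimestamp(rec["ts"], tz=timezone.utc)
        return {"ts": ts.isoformat(), "host": rec["host"], "msg": rec["msg"]}
    stamp, rest = line[:15], line[16:]          # "Mar  3 10:15:02" is 15 chars
    host, msg = rest.split(" ", 1)
    ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(
        year=assumed_year, tzinfo=timezone.utc)
    return {"ts": ts.isoformat(), "host": host, "msg": msg}


def deduplicate(records):
    """Event filtering: collapse identical (ts, host, msg) entries into one
    record carrying a count, so repeats are suppressed but not lost."""
    merged = {}
    for rec in records:
        key = (rec["ts"], rec["host"], rec["msg"])
        if key in merged:
            merged[key]["count"] += 1
        else:
            merged[key] = dict(rec, count=1)
    return list(merged.values())


def archive_bytes(records):
    """Serialize normalized records as JSON lines: one fixed form for storage."""
    return "".join(json.dumps(r, sort_keys=True) + "\n" for r in records).encode()


def seal_archive(data, key=ARCHIVE_KEY):
    """Integrity check value for an archived log file.

    A plain digest stored next to the file can simply be recomputed by whoever
    edits the file; keying it (HMAC-SHA256) with a key the log producers never
    hold means a tampered archive cannot be re-sealed by them.
    """
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_archive(data, tag, key=ARCHIVE_KEY):
    """Constant-time comparison against the stored tag; False means the
    archive changed since it was sealed (or the wrong key was used)."""
    return hmac.compare_digest(seal_archive(data, key), tag)


if __name__ == "__main__":
    records = deduplicate(normalize(l) for l in RAW_LINES)
    for r in records:
        print(r)
    archive = archive_bytes(records)
    tag = seal_archive(archive)
    print("sealed:", tag)
    print("intact:", verify_archive(archive, tag))
    print("after edit:", verify_archive(archive.replace(b"alice", b"mallory"), tag))
```

Both sample sources end up on the same ISO-8601 UTC timestamp, the repeated syslog line collapses into one record with count 2, and a single edited byte in the sealed archive makes verification fail.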

How to plan a logging infrastructure?
- develop standard processes for log management
- define the organization's logging requirements and goals
- define mandatory requirements and suggested recommendations for log management activities
- prioritize the requirements/goals based on the organization's perceived reduction of risk and the expected time and resources needed to perform log management functions
- prioritize/classify data in order to log/analyze the data that is of greatest importance (e.g. business data; application binaries, configurations and documentation; system binaries, configurations and documentation; application and database logs; system logs). For each data class, criteria such as criticality, security and retention duration requirements must be defined.
- define roles and responsibilities for log management for key personnel throughout the organization, including log management duties at both the individual system level and the log management infrastructure level
- create and maintain a log management infrastructure
- define standard log management operational processes:
  - configuring log sources
  - performing log analysis
  - initiating responses to identified events
  - managing long-term storage
  - monitoring the logging status of all log sources
  - monitoring log rotation and archival
  - checking for upgrades and patches to logging software, and acquiring, testing, and deploying them
  - ensuring that each logging host's clock is synchronized to a common time source
  - reconfiguring logging as needed based on policy changes, technology changes, and other factors
  - documenting and reporting anomalies in log settings, configurations, and processes
(Source: NIST SP 800-92, Guide to Computer Security Log Management, http://csrc.nist.gov/publications/nistpubs/80092/sp80092.pdf)

What is log management?
Log management covers the whole life cycle of log data:
- log generation
- transmission
- storage
- analysis
- disposal
It also includes:
- ensuring that security, system, and network administrators regularly perform effective analysis of log data
- protecting the confidentiality, integrity, and availability of logs

What application logs/events to monitor?

1. SQL statements generated by application activity
   Pros: easier to baseline than SQL issued by DBAs, developers and power users
   Cons: high volume

2. Sequence monitoring (based on multiple activities): pattern of activity, frequency of activity, order between activities
   Pros: this gives us a window of opportunity to block an attack
   Cons: difficult to implement/configure

3. What data is returned on which session? How much data is returned?
   Pros: can help us identify compromised sessions/accounts
   Cons: difficult to implement/configure

4. Usage of procedures and packages that are vulnerable and/or useful in attacks; profile under what conditions they are used normally.
   Example: white list of users and white list of IPs for the use of UTL_SMTP.
   Example: black list of errors that we do not allow for any session; an unknown column error might indicate an SQL injection attack.
   Pros: can allow us to quickly identify attacks and terminate rogue sessions
   Cons: this measure is less reliable than implementing reactive session termination in the application (e.g. a session provoking such errors gets terminated by the application)

5. A single user credential that is concurrently being used from different IPs; this is at least a misuse of credentials and sometimes an intrusion
   Pros: can allow us to fight against misuse of credentials and intrusions
   Cons: not always possible: centralized session management is a prerequisite

6. Events related to known application vulnerabilities that have not yet been addressed
   Pros: can represent a quick protection against such vulnerabilities in the application
   Cons: temporary solution; can be used as an excuse to delay implementation of proper defenses in the application

To be continued/detailed
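The black list of errors, the UTL_SMTP user/IP white list and the concurrent-credential check from the table above, run over constructed application log lines, as an added example written for this page (not code from the original document). The line format, the white-listed user and IP, the five-minute window and the session identifiers are assumptions; the two Oracle error codes in the black list are real ones (ORA-00904 is "invalid identifier", which an unknown column raises; ORA-01756 is "quoted string not properly terminated"), chosen because a stray quote or a probed column name typically produces them. The example assumes lines arrive in chronological order.

```python
import re
from datetime import datetime, timedelta

# Constructed application log lines, in one consistent format and in
# chronological order (the credential check below relies on the ordering).
APP_LOG = [
    "2015-03-03T10:15:02 user=alice src=203.0.113.7 session=s1 event=query detail=ok",
    "2015-03-03T10:15:09 user=alice src=203.0.113.7 session=s1 event=error detail=ORA-00904",
    "2015-03-03T10:15:20 user=alice src=198.51.100.9 session=s2 event=query detail=ok",
    "2015-03-03T10:16:00 user=bob src=192.0.2.5 session=s3 event=proc detail=UTL_SMTP",
    "2015-03-03T10:16:30 user=mailer src=192.0.2.10 session=s4 event=proc detail=UTL_SMTP",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) session=(?P<session>\S+) "
    r"event=(?P<event>\S+) detail=(?P<detail>.*)$"
)

# Black list of database errors no legitimate session should raise.
ERROR_BLACKLIST = {
    "ORA-00904": "invalid identifier (unknown column): possible SQL injection probe",
    "ORA-01756": "unterminated quoted string: possible SQL injection probe",
}

# White list of who may use a sensitive package and from where (assumed values).
PROCEDURE_WHITELIST = {
    "UTL_SMTP": {"users": {"mailer"}, "ips": {"192.0.2.10"}},
}


def parse(line):
    """Split one line into its fields; an inconsistent line is an error,
    not something to silently skip."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("inconsistent log line: %r" % line)
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(lines, window=timedelta(minutes=5)):
    """Run the three detections; return (rule, session, reason) tuples in log
    order.  Each hit names the session so the caller can terminate it rather
    than only record it."""
    alerts = []
    last_seen = {}  # user -> (src, ts) of that user's most recent activity
    for rec in (parse(l) for l in lines):
        user, src, session = rec["user"], rec["src"], rec["session"]

        # 1. black-listed errors (table row 4, second example)
        if rec["event"] == "error" and rec["detail"] in ERROR_BLACKLIST:
            alerts.append(("blacklisted_error", session,
                           "%s: %s" % (rec["detail"], ERROR_BLACKLIST[rec["detail"]])))

        # 2. sensitive package used outside its user/IP white list (row 4, first example)
        if rec["event"] == "proc" and rec["detail"] in PROCEDURE_WHITELIST:
            allowed = PROCEDURE_WHITELIST[rec["detail"]]
            if user not in allowed["users"] or src not in allowed["ips"]:
                alerts.append(("procedure_abuse", session,
                               "%s used by %s from %s" % (rec["detail"], user, src)))

        # 3. one credential active from two IPs within the window (row 5)
        prev = last_seen.get(user)
        if prev and prev[0] != src and rec["ts"] - prev[1] <= window:
            alerts.append(("credential_shared", session,
                           "%s active from %s and %s within %s" % (user, prev[0], src, window)))
        last_seen[user] = (src, rec["ts"])
    return alerts


if __name__ == "__main__":
    for rule, session, reason in analyze(APP_LOG):
        print("%-18s %-3s %s" % (rule, session, reason))
```

On the sample lines this flags session s1 for the ORA-00904 error, s2 because alice is active from a second address 18 seconds after the first, and s3 because bob uses UTL_SMTP without being white-listed; the mailer account from its white-listed address is left alone. The window argument is the knob that trades false positives (roaming users, NAT changes) against missed credential sharing.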

Application logs and Security Information Management systems

Case study - OSSIM (Open Source Security Information Management system)

OSSIM's generic correlation engine allows us to configure alerts based on information from:
- the integrated software components detailed below
- various provided plugins (VMware Workstation, Optenet, Nepenthes, ISA Server, Aladdin, Avast, Bro-IDS, Enterasys Dragon, Honeyd, McAfee Antivirus, Sidewinder, SonicWall, Trend Micro, Cyberguard, vsftpd, BIND etc.)
- application logs

*** In order to generate IDS events/alerts from your custom-developed applications' logs:
- the logs must be consistent (content, format, timestamps);
- you need to write your own OSSIM plugin (no need to be scared: plugin writing amounts to finding the right regular expression that extracts the event fields from each log line).

OSSIM software components
* Arpwatch, used for MAC anomaly detection.
* P0f, used for passive OS detection and OS change analysis.
* Pads, used for service anomaly detection.
* Nessus/OpenVAS, used for vulnerability assessment and for cross-correlation (IDS vs security scanner).
* Snort, the IDS, also used for cross-correlation with Nessus.
* Spade, the statistical packet anomaly detection engine, used to gain knowledge about attacks without a signature.
* Tcptrack, used for session data information, which can provide useful information for attack correlation.
* Ntop, which builds an impressive network information database from which we can get aberrant-behaviour anomaly detection.
* Nagios, which, fed from the host asset database, monitors host and service availability information.
* Osiris, a great HIDS.
* OCS-NG, a cross-platform inventory solution.
* OSSEC, for integrity, rootkit and registry detection and more.
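The "right regular expression" for a custom application log, followed by the occurrence-counting correlation that the Figure 1 caption describes, as an added example written for this page. A real OSSIM plugin is a configuration file read by the agent, not Python, so this only shows the extraction and correlation logic; the event field names (plugin_id, plugin_sid, username, src_ip, userdata1) follow OSSIM's event fields, while the log format, plugin_id 9001, the sid numbers, the threshold and the reliability scale are assumptions. The sample lines are constructed; the last one is deliberately in a second, inconsistent format to show why the consistency requirement above matters.

```python
import re
from datetime import datetime

# Constructed lines from a custom application.  The last one was written by a
# different code path in a different format; a plugin keyed to the consistent
# format will not match it, and the unmatched list makes that visible.
MYAPP_LOG = [
    "2015-03-03 10:15:02 myapp[2231]: AUTH_FAIL user=alice src=203.0.113.7",
    "2015-03-03 10:15:05 myapp[2231]: AUTH_FAIL user=alice src=203.0.113.7",
    "2015-03-03 10:15:09 myapp[2231]: AUTH_FAIL user=alice src=203.0.113.7",
    "2015-03-03 10:15:40 myapp[2231]: AUTH_OK user=alice src=203.0.113.7",
    "2015-03-03 10:16:05 myapp[2231]: PRIV_CHANGE user=alice role=admin src=203.0.113.7",
    "03/03/2015 10:16:07 myapp: AUTH_FAIL user bob from 203.0.113.7",
]

# The "right regular expression": a named group for every field the SIEM needs.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) myapp\[\d+\]: "
    r"(?P<type>[A-Z_]+) user=(?P<user>\S+)(?: role=(?P<role>\S+))? src=(?P<src>\S+)$"
)

PLUGIN_ID = 9001                                                # assumed plugin id
PLUGIN_SID = {"AUTH_FAIL": 1, "AUTH_OK": 2, "PRIV_CHANGE": 3}   # one sid per event type


def to_events(lines):
    """Turn raw lines into normalized events; return (events, unmatched).
    Unmatched lines are kept so gaps in coverage show up instead of being
    silently dropped."""
    events, unmatched = [], []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("type") not in PLUGIN_SID:
            unmatched.append(line)
            continue
        f = m.groupdict()
        events.append({
            "plugin_id": PLUGIN_ID,
            "plugin_sid": PLUGIN_SID[f["type"]],
            "date": datetime.strptime(f["date"], "%Y-%m-%d %H:%M:%S").isoformat(),
            "username": f["user"],
            "src_ip": f["src"],
            "userdata1": f["role"] or "",
        })
    return events, unmatched


def correlate(events, fail_threshold=3, max_reliability=10):
    """Directive-style correlation: fail_threshold or more AUTH_FAIL from one
    source followed by an AUTH_OK from the same source raises one alarm whose
    reliability grows with the number of failures (capped at max_reliability,
    an illustrative 0-10 scale)."""
    fails = {}       # src_ip -> consecutive AUTH_FAIL count
    alarms = []
    for ev in events:
        src = ev["src_ip"]
        if ev["plugin_sid"] == PLUGIN_SID["AUTH_FAIL"]:
            fails[src] = fails.get(src, 0) + 1
        elif ev["plugin_sid"] == PLUGIN_SID["AUTH_OK"]:
            n = fails.pop(src, 0)
            if n >= fail_threshold:
                alarms.append({
                    "name": "login success after repeated failures",
                    "src_ip": src,
                    "username": ev["username"],
                    "occurrences": n,
                    "reliability": min(max_reliability, n),
                    "date": ev["date"],
                })
    return alarms


if __name__ == "__main__":
    events, unmatched = to_events(MYAPP_LOG)
    print("%d events, %d unmatched lines" % (len(events), len(unmatched)))
    for line in unmatched:
        print("  not matched:", line)
    for alarm in correlate(events):
        print(alarm)
```

Five of the six lines become events, the differently formatted line is reported as unmatched, and the three failures followed by a success from 203.0.113.7 yield one alarm with reliability 3. Raising fail_threshold to 4 suppresses it, which is the same trade-off the Directive Editor exposes through the occurrence count.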

Figure 1 - OSSIM correlation. The Directive Editor allows us to define what events to correlate. The number of occurrences for each event is used to calculate reliability (see Event aggregation).

Figure 2 - OSSIM example. Alerts resulting from correlation.

Tools

Tool: Splunk
Role: indexes all of your IT data in real time, without requiring you to write connectors, plugins, custom parsers or controls
Link: http://www.splunk.com

Tool: OSSIM
Role: Open Source Security Information Management system
Link: https://www.ossim.net/

References
- NIST SP 800-92, Guide to Computer Security Log Management: http://csrc.nist.gov/publications/nistpubs/80092/sp80092.pdf
- OSSIM: https://www.ossim.net/
- Splunk overview: http://www.splunk.com/base/documentation/latest/user/splunkoverview