So Where Do You Start?

Transcription

1 So Where Do You Start?

2 Chris Conley :: Moderator Steve Challans :: Presenter

3 Why the need for logging and auditing on systems Basic architecture and strategy of what should be done Compliance with Standards and Regulations Some pitfalls and failures Some examples of how do it and what do use Summary Questions

4 My name is Steve Challans. I am a security professional and have been working in IT for over 30 years and have been specialising in Information Security for the last 16 years working in senior security roles for a few security service providers. Currently I am working for Intersect Alliance International as the Chief Technology Officer. We are the creators of the Snare Server SIEM and Snare agents. Intersect Alliance was formed in 1999 by two senior security minded people that had previously worked in the Australian Defence organisations who saw a need for security event management as there was a lack of tools in the market. The company is now owned by Prophecy International head quartered in Adelaide with staff in ACT, QLD, USA and UK.

5 There are a number of things that need to be considered Cyber security risks web sites, ecommerce, billing, financial information Forensics - was I hacked, what, how, who, when Due to a lack of logging and a variety of factors, the exact timeframes on such attacks can be a bit fuzzy Verizon Data Breach report 2013 If not the most, this must be one of the most important challenges to the security industry. Prevention is crucial, and we can t lose sight of that goal. But we must accept the fact that no barrier is impenetrable, and detection/response represents an extremely critical line of defense. Let s stop treating it like a backup plan if things go wrong, and start making it a core part of the plan. Verizon Data Breach report 2013

6 It s a sad reality that most organizations that suffer a data breach don t detect it themselves, but only become aware of it when they receive notification from a law enforcement agency, the card brands, or another third party.. Verizon PCI Compliance report 2015 In the last months we have seen major data breaches Linikedin, Nintendo, E-Harmony, Target, JP Morgan, Home Depot, Kmart, Sony, Apple massive data losses

7

8 Forensics - was I hacked, what, how, who, when What level of logging do I have for my host based security solutions? What data am I logging on my network devices? Do I track all application requests? Would I know if I am vulnerable to SQL injection attacks or command injection and are they occurring? Regulations/Standards PCI DSS, ISO27001, SOX, HIPPA, FISMA, ISM/PSPF, ISMF, SANS, NIST etc DSD top35 12, 13 - Centrally store logs and keep them for at least 18 months It s a key component of the Information Security triad Confidentiality, Integrity, Availability (CIA)

9 Privacy loss of private/personal data, medical information. New data breach laws in many states and countries requires that adequate security controls are in place and that monitoring and review are in in place Logging is a key security control in all standards You don t know your ok if you cant prove it You cant fix a weakness it if you don t know what s happening Detective control you cant do anything about what you don t know Its key component of incident response and management processes

10

11 So why the need for a Security Information and Event Management (SIEM) Basic syslog collects information but lacks tools around it reporting and analysis Need to collect multiple sources Syslog Agents OS auditing, file auditing Correlation of events and information Have user SID information but who is that user? Pull this information together so its human understandable Correlate events from different sources as part of an incident Provide trending statistics this happens at this time every day

12 Have a need for forensics of activity that has occurred Assist with data breach investigations A diagnostic tool to help debug application, system and network issues Tracking of privileged users what they do its hard to audit trust Help monitor activity on a system to provide assurance on the integrity of the information it stores Other cultural, ethics and behaviour needs to be addressed Third party use when, what did they access Regulatory compliance..

13 Perform risk assessment Determine critical needs and compliance needs for coverage Focus efforts on high risk areas first then work down to lower risk areas Eg Ecommerce systems, financial databases, Internet facing firewall and networking, systems with third party connections and critical data flows Systems that will cause a lot of pain if the information integrity, confidentiality or availability is compromised Keep in manageable components and expand as you understand the data and what it means in your business Define what events constitute a threat Detail what should be done and in what timeframe

14 Implement separation of duties The doers should not be looking at their own logs as they can cover up their own tracks Often part of the Security or Compliance teams role Implement a corporate Information Security policy to cover all the business requirements Should detail the actions required and be supported by relevant standards procedures for staff to follow. Ensure that all relevant staff know the policy and procedures should be covered in security awareness training Get help if you cant do it on your own.

15 Need to get logging and auditing information from all sources that are relevant to the operation As close to the source as possible if not directly from the source Implement a centralised logging system to collect and store the information Combining multiple sources in to the central repository Need to understand all components and their interactions Good access controls to limit access Restrict user access to logs to a need to know basis

16 Accurate time from all devices to allow tracking of events as a sequential line of activity ie use NTP its critical Servers, databases, applications, firewalls, routers, switches, IPS etc All components are valuable and needed Real time collection to centralised server However cater for network and system downtime things happen Store and forward - caching Collect events and audit information that is of relevance Filter out the noise if its not useful don t keep it

17 Regular review of reports Reports need to be meaningful, accurate and timely Schedule daily, weekly, monthly etc Get to know you data and what it means what's normal and what's not for quick detection of abnormal behaviours Disaster Recovery or high availability Service recovery Replication to alternate sites or high availability logging systems Collect from one SIEM and forward to another Backup your data

18 Need for compliance with standards regulations PCI DSS, ISO27001/2, SOX, FISMA, CoBIT etc PCI DSS Section 10 logging has many logging requirements ISO27001/2 A10.10 audit logging, monitoring, protection, administrator Cobit 5 Support the Governance and business objectives Be inline with the plan, build, run and monitor management domains Have People, Skills and Competencies to support the business needs.

19 Each have their needs and requirements Records retention policy Evidence based Must keep records for regulation or legal purposes Data retention periods eg 1 years worth of logs and 3 months immediately available for PCI DSS Backup the logs tape, disk, dvd archive keep secure encryption tamper prevention/detection controls Promptly backup the audit logs to a centralised logging system away from the source this helps to prevent tampering or deletion of the logs.

20 Each have their needs and requirements Restrict access to need to know Logs kept secure and not tampered with Protect the logs of unauthorised access and modification Use file integrity/change detection on the logs to ensure that if they are tampered with it will be alerted or recorded Accurate time on all systems - NTP REVIEW THE KEY LOGS REPORTS AT LEAST DAILY!!!

21 Types of data that needs to be recorded Individual accesses to data All actions taken with root, administrator or privileged in some way Who accessed the audit trails Invalid logical access attempts to data or systems Details on the use or identification and authentication mechanisms Details on initialisation of the audit logs who and when Creation and details of system level objects Details on the userid, type of event, date and time Was it a success or failure The source and origination of the event machine, IP address, program etc Details of the affected component or data

22 Implementations not used waisted money and effort Set and forget quickly becomes out of date No regular review of reports, activity or evidence kept that it was reviewed incidents occur and no one knows Not maintained with new systems or devices, new systems added and not included gaps in environment Software versions left and not maintained new vulnerabilities creep in, reduce the integrity of the systems when not maintained, loss of faith from systems

23 Incorrect audit settings we don t audit that system or data - missing key information Going overboard and auditing to much lots of noise in the logs, storage problems, performance problems on source or collection systems or network Be very wary of the ALL EVENTS options They may kill performance on your systems and generally gather lots of noise Use it for testing or debugging only Collect what is needed so make review easier

24 Desktops Firewall Ports Snare or 3 rd Party Servers Routers, Switches & Network Access Points Database Servers Servers Web Servers

25 Implement a solution to cover your architecture Servers OS Events inbuilt auditing system Privileged user access who changes settings, was it part of a change control Be selective in what you collect and don t go overboard Particular log files events that are important, errors, warnings Databases/Applications Key bits of information viewed or changed rows, columns, whole tables Privileged User access admins/dba/super users doing the right thing Application log files Network devices Firewall, routers, switches, wireless devices Access lists and logging Who is changing the configuration was it authorised

26 Several methods Syslog redirected to central server UDP select port and destination Mostly networking devices but can be Mainframe and Unix Use TCP if you can more reliable in delivery Agents - Windows OS agent to read and work with the audit subsystem Agent in control of auditing OS in control but requires more manual effort to manage configure in both places Scrape key log files for key information - web server logs, OS logs, Application logs TCP more reliable delivery Encryption use TLS for confidentiality of data being transmitted.

27 Agents - Unix OS agent to read and work with the audit subsystem Agent in control of auditing Scrape log files for key information - web server logs, syslogs, messages files, cron logs etc TCP more reliable delivery Encryption use TLS for confidentiality of data being transmitted. Browsers Plugins track browser activity if proxy logs are insufficient

28 FTP/SCP files to logging server Copy the files directly to the logging server Process the files on a schedule and upload in to a database Not well suited to real time alerting Poll devices from central system to obtain the events Usually specific to a network flow or security zones Does not scale as well with high frequency Can lead to higher system loads High management overhead More complicated security controls with remote access Admin password management can add overhead and security exposures with credentials being spread around Can create a SOD conflict security now has admin passwords!

29 Data is securely stored Scheduled reporting and alerting of activities Implement specific reports to alert of inappropriate activity Mine the data for specific information SIEM System is used as part of incident management processes Ensure that regular review of the reports occurs at least daily for key components

30 Data volumes are increasing rapidly Fortunately disk sizes are as well Where customers would have a few hundred GB of disk of storage for their logs 5-10 years ago now they have many terabytes or more of logs to deal with. Why is this? Some basic math Windows events can average 2,000 bytes other appliances are generally less that 600 bytes 1,000 systems generating 10 EPS (moderate to low) = 20,000,000 Mbytes/sec (160 megabit for a network) 20 Megbytes/sec = 72 GB/hour = 1,728 GB/day = 52 TB /Month = 630 TB per year That s a lot a new raw log data

31 We have some customers that have domain controllers that generate 2-3GB of event logs per hour per machine on their own. Windows 2008/Vista onwards implemented custom event logs, over 70 of them so lots more than just the old security, application and system logs that contain administrative logs The SIEM systems are dealing with big data issues So with all this data storage compression is a key factor Most SIEM systems implement some form of compression to reduce the data volume in the data store. So knowing your EPS rates and the number of each device type is a key factor in knowing how to size your SIEM system.

32 Can the SIEM keep up with your planned EPS rates and the number of devices sending logs and your normal business growth Can your hardware keep up with the growth you are having Disk is the slowest part fastest IO that you can afford Memory helps with data in memory queries Along with Multiple CPU s to balance the load Commodity hardware with 64GB ram, Multiple Xeon cores, many TB s of disk $5-10k range so easily in reach of most companies

33 There is collection speeds plus allowing capacity for reporting on the logs you have. Different methods of reporting and indexing of data, allowing complex queries to find data Large environments using Hadoop clusters to manage the big data loads Improved real time AI in alerting on malicious activities and anomaly detection Fast access to data like google searching So SIEM systems are continually evolving and adapting as the industry matures

34 Perform risk assessment know what s important to log and from all key devices or locations Implement a centralised logging system gather and protect the data Point all of your key systems to the central system Implement processes to review the data regularly at least daily for key areas Continually build on it as you gain understanding of the data Implement in manageable chunks you don t have to do all at once Get help if you cant do it on your own

35 ISACA Logging-and-Tertiary-Monitoring-of-Continuous-Assurance-Systems.aspx Introduction-to-Auditing-HP-NonStop-Servers-Review-of-User-Access.aspx OS-and-Database-Controls.aspx Ppr-8Dec2010.pdf Center/Research/Documents/DataAnalytics_WP_21July2011_Research.pdf

36 Industry hp

37 Appreciate your time today, thanks for coming