Security Ripcord

I was going to post a comment to Michael’s Computer World post titled “OK CXO, does this incident convince you of the need for security???” when I decided not to do it. Instead I realized that this is a prefect opportunity to do another Email Interview. So I hammered out a few questions I figured would be easy to answer and then tossed them his way. The following are his responses with the questions included in bold.

Who do you work for and what do you do?

Accuvant. Pre-sales Security Engineer. Basically, I am in customer
relations, with the occasional product evaluation installation thrown
in.

Centralized logging is one of the keys to a good security posture.
Percentage-wise, how many companies do you see doing this?

Unfortunately, the customers I have been dealing with are very late
coming to this game. And I am not talking about SIEM either. Just
centralized logging. Many of them have some kind of syslog server with
a few logs getting thrown to it, but very few have any kind of real
centralized logging solution where they can go do forensics and get a
good idea of what was happening in their network as a whole at any given
time.

When they are designing the networks, do you find that the
administrators are aware of the pitfalls and nuances of setting up a
logging infrastructure?

Generally they think it is just a matter of throwing some logs into a
bucket o’ hard drives and that is it. Not many think about the logs
being used for forensic purposes later in the case of an incident. Many
aren’t aware that normalizing logs pretty much makes it fodder for the
defense attorney. Administrators up until now have had to be concerned
with keeping servers going, and they read the logs when there is a
problem. Most don’t think from a security mindset, so they don’t have a
clue what to do to if those logs aren’t there (because they got deleted
by Mr. Bad Guy). There’s also the matter of retention and drive space,
maintaining the logs in such a manner that they can’t be altered, etc.
I mean, that is the central reason for logs: forensics. And forensics
does not necessarily mean criminal forensics. It means that if there is
any incident, malicious, accidental, mechanical, whatever. And if the
logs get corrupted, then you have problems.

Another problem that people don’t think about is application logs and
“x”-flow data. These are often very critical to determining what
happened in incidents because they give you two ends of the spectrum
that just server and device logs don’t give you. Of course, that will
greatly increase your storage needs, so be careful.

Where are the common weaknesses and how can we educate our
administrators better? Certifications associated with log management
and review?

See above for common weaknesses. As far as another specialized cert, I
don’t think that is the way to go. I know SANS is big on this, and I
have nothing but respect for those guys, but I really think that
security cannot be stovepiped anymore. Security has to be a part of a
sys admin’s job and training. This is one facet of that training, and
it realistically not all of security can be thrown into a couple of
Windows courses. But the mindset has to be taught more. A single cert
can’t do that.

Is it common practice to have critical systems administered through a
management network that does not touch the production network?
Basically, a network that is separated from the intranet and Internet?

Do you mean having something like separate NICs in critical servers
plugged into a different VLAN for management, and plugging management
NICS on devices into that same VLAN? To my knowledge, that is not very
common. It makes sense, but I could see it being something of a
headache to get setup. As far a segmenting critical systems altogether,
that is happening in a big way. PCI is driving that everywhere.

Can Small and Medium-Size Businesses really afford taking on a project
like centralized log management? What would be the first steps?

Yes, SMB’s can do this. I does not have to be expensive. I did it when
I was at an SMB. I used the PRO version of KIWI syslog server
(http://www.kiwisyslog.com/) and pointed all my devices and servers at
it. I used SNARE (http://www.intersectalliance.com/projects/Snare/) to
push server logs to the KIWI syslog. KIWI even has the ability to read
application logs if they are put into a flat file. It really is not
hard to setup if you are willing to take the time to organize it. But
be sure to take note of the problems mentioned above.

Do you have any recommendations for the Small/Home Office businesses
when it comes to log management?

See above. Should also work for them.

Companies are generally aware that they need to backup their common and
critical data. How much are they aware that they need to do the same
with logs? What is common practice in log retention?

I think they are becoming MORE aware, but the awareness is not where it
should be. Again, this is a failing in training. Security is not
taught as a “baked-in” component of knowledge.

Common practice depends. It seems like 7 years tends to be a good
retention length of time, but that can change depending on compliance
and other laws.

What types of sensitive information could be found in logs and what does
this mean about the protections associated with collecting and retaining
this information? When do you think encryption would be necessary?

It is feasible for access logs on servers containing data to hold
sensitive information such as credit card numbers, SSN’s, etc. It is
also feasible for logs from network devices such as routers and
firewalls to have sensitive data in them because the data passes through
them. That is why PCI specifically addresses this issue.

Encryption of sensitive fields in a database should always be in place.
Encryption when transmitting data should be the norm. And obfuscation
of sensitive data (”x”ing out most of the SSN number or the CC number)
should be done when records are viewed by parties that do not need the
information to perform their duties.

How does log management tie into forensic investigations?

As I mentioned above, log management is crucial to forensic
investigations. Most log management systems normalize logs because they
have to store the data in a manageable format. However, there has to be
some way to recover the raw log in order for the log to be used in
investigations. It is not as crucial if all you are trying to do is
determine what happened in an event. But if plans are to use the logs
in prosecution of criminal activity, then you have to be able to prove
that the logs are the raw, original logs that came from the servers and
devices.

If an investigation team walks in the crime scene and fouls evidence,
the judge is very likely not to admit it. Or if the cops don’t retain a
good chain of custody of the evidence, then the defense lawyer can make
the claim that there is no way to know that the police did not alter the
evidence in some fashion. Logs are evidence, so the same rules apply.

Do any of the forensic programs out there integrate with the logging
solutions you are familiar with?

Good question. I don’t know of any that do off the top of my head.
However, if standards are used to code each one, there is likely a way
to integrate them and transfer logs between them. But again, this can
only be done successfully if the evidence is not altered in doing so.

How can your company help with the issues related to this topic?

Accuvant has four practice areas (Security Assessment, Compliance,
Security Technologies, and Wireless). Our compliance team would be
specifically helpful with this kind of issue because they know the
different compliance controls that would require a company to adhere to
log management standards, and they could perform a gap analysis to let a
company know where they are lacking. They can also provide remediation
assistance to fill the gaps.

The assessment team can perform policy review and architecture review to
tell a company where they are lacking in this area and their security
posture as a whole. They can also perform penetration and vulnerability
tests to see what is getting logged and at what level. And they can
perform application code review to determine if an app’s logging is
sufficient. They can also provide remediation assistance.

The security technologies team can help in recommending an appropriate
log management solution, and they can provide professional services for
installation, configuration, and management of the solution.

The wireless team does not seem to be specific to this issue, but
wireless is actually an area that many administrators and managers tend
to kind of forget is in their network. Thus, logging rarely happens
from these devices. Our wireless team has expertise with many different
manufacturers of wireless technology, and they would be able to provide
best practices for gathering logs from these devices.

You are a blogger and Internet author. Tell us a bit about that.

Internet author?? Really just a blogger since I have rarely written
anything more than a page at one time. But oh well. It sounds good!

I started blogging a little over a year ago when I was in the trenches
as an Information Security Manager at a small / medium-sized psychiatric
clinic in Houston. I really enjoyed being able to write about the
things I ran into during the course of my job. It gave me a chance to
grow as a security professional, and it really helped me hone my writing
style.

As I went forward with it, I realized that it was also a way to get my
name known out in the world of security, which I think will help my
career in the long run.

I maintain two security-related blogs. My personal blog is at
http://infosecplace.com/blog. That one is known as An Information
Security Place. I also blog about security at ComputerWorld at
http://computerworld.com/blogs/farnum.

I also have a personal blog at http://infosecplace.com/tangential. I
don’t update that on a lot. It is mainly a place to keep anything
personal I want to write about, and it helps me maintain a more pure
security blog.

Nothing really ground breaking here. Just a few questions that I thought might help others that are thinking about centralized logging. Hopefully Michael’s answers will help you when you are considering initiating or increasing logging and log management within your environment.

I would like to thank Michael again for taking time out of his very busy schedule to answer these questions. Check out his sites when you have a few extra minutes. It is definitely worth bookmarking or placing into your feeds.

Go forth and do good things,
Cutaway

logging, Accuvant, An Information Security Place, Computer World, Michael Farnum, Security Ripcord

Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported

You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.