What Logging You MUST Do For PCI DSS Compliance?

Posted on February 17th, 2008 by Anton Chuvakin

Somebody asked me a few days ago: EXACTLY what logging do we absolutely MUST do for PCI DSS compliance? This is actually not as simple as it sounds!

The honest answer to the above question is that there is no list of what EXACTLY you MUST be logging due to PCI or, pretty much, any other recent “compliance thingy” (as we all know, PCI DSS rules are more specific than most others). However, the above does NOT mean that you CAN log nothing.

Is this bizarre or what? Yes, it is :-)

But that is exactly why vendors and consultants tell you what you SHOULD be logging. There is no easy “MUST-log-this” list; it is pretty much up to the individual auditor, consultant, vendor, engineer, etc. to interpret (again, not simply ‘read’, but interpret!) the PCI DSS guidance (e.g. Requirement 10, which is dedicated to logging) in your own environment.

Logging vendors’ field engineers do interpret it for their customers; I provided my own interpretation in my PCI book, etc. But there is still no MUST list; just the following route:

PCI DSS guidance -> consultant, vendor engineer, etc -> your very own logging recommendations.

A few folks wondered: why not ask the auditor? Well, these critters :-) will tell you whether “yours is OK” (rarely) or “Oh, no!” (frequently), but will certainly not write your logging policy for you. With them, the best approach is: define your logging policy, then show it to the auditor; if they are happy, now you know what you MUST do this time.

As a final word: still, I dislike the above compliance-induced daze as much as the next guy. I much prefer that people think about what they want from their logs, as well as how they need to use them, and then log that!


Welcome Shyaam Sundhar to the Log Analysis Professionals Blogger Roster

Posted on February 9th, 2008 by Andrew Hay

I’d like to welcome Shyaam Sundhar to the Log Analysis Professionals stable of professional bloggers.

Shyaam Sundhar is a security analyst at Symantec MSS. He has been working as an analyst for almost two years; in his previous job he was a threat analyst and intrusion signature writer. Shyaam has a background in information security, computer security and information assurance through academia. He holds a Master’s in Information Security from the George Washington University, a Master’s Certificate in Computer Security and Information Assurance from the George Washington University and a graduate-level security certificate in Computer Security from Stanford University. With active professional membership in ACM, ACFE, ISACA and IACSP, he has been actively participating in the community in a very stealthy way. He holds professional certs such as GPCI, GCDS, GLDR, SSP-CNSA, SSP-MPA, SSP-GHD, GREM, GHTQ, GWAS, GIPS and GCFA. He is a board member at the IARIA research group, where he has participated as TPC member, Chair and Co-Chair of several IEEE conferences related to security. His profile can be found at http://www.linkedin.com/in/intrusion.

The Log Analysis Professionals FeedBurner Network

Posted on February 3rd, 2008 by Andrew Hay

We recently kicked off the Log Analysis Professionals FeedBurner network. If you have a log-(analysis/management/related) blog and would like to be a member, please send me an email at andrewsmhay/at/gmail.com.


Two New SANS Reading Room Papers on Logging Available

Posted on February 3rd, 2008 by Andrew Hay

Many who know me know that I am a huge fan of free security resources. Papers from the SANS Information Security Reading Room are just such a resource. Two new papers were recently posted to the reading room that are certainly worth checking out. I’m sure the authors would greatly appreciate any additional insight you might have.

The first paper is entitled Auditing a Corporate Log Server by Roger Meyer. The paper is not about log management or analysis per se, but rather discusses how to audit a corporate log server that houses all of your logs.

Abstract:

This paper was written to fulfill requirements for GIAC Gold for the GSNA (GIAC Systems and Network Auditor) Certification.

This paper details an audit of a corporate log server. The goal of the audit is to measure if implemented security controls are adequate on the server and to validate the configuration, since prevention is always better than cure.

The ever-increasing number of computer devices located in a corporation produce a vast amount of log data. This log data contains information related to specific events that have occurred on a system. Collection and storage of these logs is important for reasons like traceability, statistics and identifying security events. Increasingly, compliance requirements, laws, and industry regulations dictate the storage and analysis of security events.

The audited log server collects log data from multiple sources including firewalls, VPN, routers and other security related systems, stores them and permits analysis and monitoring.

The remainder of this paper is divided into 5 parts:

It starts with the Introduction, which explains background material like risk and log management. The Identification describes the audited device, in this case the log server and surrounding infrastructure. The Risk Analysis defines the terms risk, threat, vulnerability and impact. Three risks to the log server are isolated and analyzed in detail.
The next part – Testing – compiles a list of tests to determine the vulnerabilities chosen in the preceding part. The Audit performs the tests developed in the previous chapter.
The methodology used to evaluate the risk was derived from the formula that risk is the product of the threat likelihood and the threat impact. The vulnerabilities with the biggest impacts were chosen and analyzed. The tests showed that the identified risks were addressed appropriately, with some minor recommendations for improvements.

The second paper is entitled Detecting Attacks on Web Applications from Log Files also by Roger Meyer (looks like someone was busy over the past couple of months). This paper discusses the logs generated from web application servers when subjected to common attacks.

Abstract:

Web traffic (Hypertext Transfer Protocol, HTTP) has overtaken P2P traffic and continues to grow. [Ellacoya, 2007] Web site hacks are on the rise and pose a greater threat than broad-based network attacks, as they threaten to steal critical customer, employee, and business partner information stored in applications and databases linked to the Web. [Greenemeier, 2006]

The increasing shift towards web applications opens new attack vectors. Traditional protection mechanisms like firewalls were not designed to protect web applications and thus do not provide adequate defense. Current attacks cannot be thwarted by just blocking ports 80 (HTTP) and 443 (HTTPS).

Preventive measures (like Web Application Firewall rules) are not always possible. Reactive methods – to detect what happened previously – are usually easier but have the disadvantage of always being behind the actual event.

This paper explains how to detect the most critical web application security flaws. Web application log files allow a detailed analysis of a user’s actions. Log files have their limits, though. Web server log files contain only a fraction of the full HTTP request and response. Knowing those limits, the majority of attacks can be recognized and acted upon to prevent further exploitation.
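To make the abstract’s last point concrete, here is a small detector (an added example, not code from the paper or from SANS) that parses Combined Log Format lines, looks for injection and traversal indicators in the decoded request target, and flags POST requests whose parameters never reached the log. The log lines, the field names and the indicator patterns are all constructed for this illustration.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache/NCSA Combined Log Format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2008:13:55:36 +0000] "GET /index.php?id=42 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Feb/2008:13:55:40 +0000] "GET /index.php?id=42'%20OR%20'1'='1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2008:13:56:01 +0000] "GET /download.php?file=../../../../etc/passwd HTTP/1.1" 200 1788 "-" "curl/7.18"
198.51.100.7 - - [10/Feb/2008:13:56:30 +0000] "POST /login.php HTTP/1.1" 302 0 "-" "curl/7.18"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators are matched against the decoded request target only: the access log
# records the request line, and that is the whole "fraction" of the request we see.
PATTERNS = {
    "sqli": re.compile(r"'\s*(or|and)\s+'?\d*'?\s*=", re.I),
    "traversal": re.compile(r"(\.\./){2,}"),
    "xss": re.compile(r"<\s*script", re.I),
}

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one Combined Log Format line into named fields; None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def classify(entry: Dict[str, str]) -> List[str]:
    """Return indicator names that fire for this entry, plus a blind-spot marker."""
    target = unquote(entry["path"])  # %20, %27 etc. are decoded before matching
    hits = [name for name, rx in PATTERNS.items() if rx.search(target)]
    # A POST carries its parameters in the body, which the access log never records,
    # so a POST with a bare path gives no evidence either way: that is the limit.
    if entry["method"] == "POST" and "?" not in entry["path"]:
        hits.append("body-not-logged")
    return hits

def scan(text: str) -> List[Tuple[str, str, List[str]]]:
    """Run the detector over a log excerpt; one (ip, path, tags) tuple per hit."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tags = classify(entry)
        if tags:
            findings.append((entry["ip"], entry["path"], tags))
    return findings
```

The first line is clean and produces nothing; the two GET lines are caught from the query string alone, while the POST only tells you that a login attempt happened, which is why body-aware logging at the application or WAF layer is needed to cover that gap.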

Welcome Ron Gula to the Log Analysis Professionals Blogger Roster

Posted on January 31st, 2008 by Andrew Hay

I’d like to welcome Ron Gula to the Log Analysis Professionals stable of professional bloggers.

Ron Gula was the original author of the Dragon IDS and CTO of Network Security Wizards which was acquired by Enterasys Networks. At Enterasys, Mr. Gula was Vice President of IDS Products and worked with many top financial, government, security service providers and commercial companies to help deploy and monitor large IDS installations. Mr. Gula was also the Director of Risk Mitigation for US Internetworking and was responsible for intrusion detection and vulnerability detection for one of the first application service providers. Mr. Gula worked for BBN and GTE Internetworking where he conducted security assessments as a consultant, helped to develop one of the first commercial network honeypots and helped develop security policies for large carrier-class networks. Mr. Gula began his career in information security while working at the National Security Agency conducting penetration tests of government networks and performing advanced vulnerability research. Mr. Gula has a BS from Clarkson University and an MSEE from the University of Southern Illinois. Ron Gula was the recipient of the 2004 Techno Security Conference “Industry Professional of the Year” award.

Welcome Harlan Carvey to the Log Analysis Professionals Blogger Roster

Posted on January 29th, 2008 by Andrew Hay

I’d like to welcome Harlan Carvey to the Log Analysis Professionals stable of professional bloggers.

Harlan is a nerd who does incident response and computer forensics work, and is based out of the Metro DC area. In an effort to demonstrate just how much of a nerd he is, Harlan has authored three books on incident response, computer forensics, and Perl scripting, all for the Windows platform. His dislikes include being required to use EnCase for analysis, and he enjoys moonlit walks on the beach, Registry analysis, Perl’s ‘use’ and ‘require’ pragmas, and a frothy ale with a nice copper color.

Welcome Daniel Cid to the Log Analysis Professionals Blogger Roster

Posted on January 29th, 2008 by Andrew Hay

I’d like to welcome Daniel Cid to the Log Analysis Professionals stable of professional bloggers.

Daniel Cid is the creator and main developer of the OSSEC HIDS (Open Source Security Host Intrusion Detection System). Daniel has been working in the security area for many years, with a special interest in intrusion detection, log analysis and secure development. He is currently working at Q1 Labs Inc. as a software engineer. In the past, he worked at Sourcefire, NIH and Opensolutions. Daniel holds several industry certifications including the CCNP, GCIH, and CISSP.

Against Log Silos!

Posted on January 28th, 2008 by Anton Chuvakin

While the world of logging is full of inconsistencies and troubles (e.g. ugly logs!), there is one that beats many others: the siloed approach to logs!

There is little that I hate more than a siloed approach to logs. A situation where your security team “owns” network IDS logs, the network team has firewall and router logs (as well as all SNMP traps) and the system administrator has the logs from servers and desktops is not only sad, counterproductive, inefficient, and wasteful, but it is also dangerous.

Where does the siloed approach to logs (when they are divided by both technical and political chasms) break down most painfully? In the case of an incident response, of course! An incident response is where, instead of one query across all logs and all log sources (or whatever subset of logs or log sources is needed), you would end up running around, begging, connecting, waiting, swearing, waiting, downloading logs, digging in many places at once, waiting, grepping, suffering with many UIs, swearing some more, etc. You would be doing all this instead of connecting to your shiny new log management system and running a few reports, doing drilldowns, and searching across the relevant logs!

Where else does it break down? Compliance, of course! Most regulations and mandates don’t call out logs by log source type; instead they treat all logs equally. Therefore having one system to verify the compliance status is much more productive than digging in many systems.

Ideally, you’d break down the silo walls by deploying a log management platform across the entire organization and then granting controlled access to every team that needs the logs, using the interface or a web API. Apart from being a trend (e.g. see the recent ESG report), it will make your IT and security operations that much more efficient - and pleasant!

On the other hand, what is bizarre is that some newer vendors, claiming to do log management, actually work to propagate, not combat, the siloed approach. For example, selling the tool for $5,000 to each of the various teams within the organization IMHO must be made illegal :-) because it builds walls, not bridges; digs holes and overall “silo-izes” your IT operation…

Welcome Dr. Anton Chuvakin to the Log Analysis Professionals Blogger Roster

Posted on January 28th, 2008 by Andrew Hay

I’d like to welcome Dr. Anton Chuvakin to the Log Analysis Professionals stable of professional bloggers.

Dr. Anton Chuvakin, GCIA, GCIH, GCFA (http://www.chuvakin.org) is a recognized security expert and book author. In his current role as Chief Logging Evangelist with LogLogic, a log management and intelligence company, he is involved with projecting LogLogic’s product vision and strategy to the outside world, conducting logging research as well as influencing company vision and roadmap. A frequent conference speaker, he also represents the company at various security meetings and standards organizations. He is an author of the book “Security Warrior” and a contributor to “Know Your Enemy II”, “Information Security Management Handbook”, “Hacker’s Challenge 3”, “PCI Compliance” and the upcoming book on logs. Anton has also published numerous papers on a broad range of security and logging subjects. In his spare time he maintains his security portal http://www.info-secure.org and several blogs, such as the one at http://www.securitywarrior.org.

Welcome Rory Bray to the Log Analysis Professionals Blogger Roster

Posted on January 28th, 2008 by Andrew Hay

I’d like to welcome Rory Bray to the Log Analysis Professionals stable of professional bloggers.

Rory Bray is a senior software engineer at Q1 Labs Inc. with years of experience developing Internet and security-related services. In addition to being a long-time advocate of Open Source software, Rory has developed a strong interest in network security and secure development practices. Rory has a diverse background, which includes embedded development, web application design, software architecture, security consulting and technical editing. This broad range of experience provides a unique perspective on security solutions. In February 2008 Rory co-authored his first book, entitled The OSSEC Host-based Intrusion Detection Guide, through Elsevier.