EventSource April 2009 – Logs and forensics, a lesson in compliance and more
Featured Article

How logs support data forensics investigations

Novak and his team have been involved in hundreds of investigations employing data forensics. He says log data is a vital resource in discovering the existence, extent and source of any security breach. “Computer logs are central and pivotal components to any forensic investigation,” according to Novak. “They are a ‘fingerprint’ that provides a record of computer and system activities that may demonstrate a data leak or security breach.”

The incriminating activities might include failed login attempts, user and system access, file uploads/downloads, database access or manipulation, access privilege modification, application system transactions, transmission of email messages or attachments, and many other common activities.

In many cases, when logs are set up and configured properly, they can tell the story of the tactics a hacker used during a breach. They can give insight into how advanced (or not) the hacker is, and show the extent of a breach by revealing how long the hacker was inside the confines of the firewall. “You can see if the unauthorized person has been in your system for five minutes or five months,” explains Novak.

Given the security insight that logs can provide, it is no surprise that data protection regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Federal Rules of Civil Procedure (FRCP), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) all impose requirements for logging and log management. The information captured by logs can be used to help protect sensitive data and to support incident response and forensic analysis in the event of a suspected data breach. Often it is these regulations that are driving organizations to become better at log management and event correlation.
In Novak’s experience, however, many organizations still need to improve their log monitoring and management practices. “It’s not uncommon to find that companies collect the logs but don’t review them as closely as they should,” says Novak. “The monitoring of logs in many instances is hampered due to the extensive amounts of good data being captured and the lack of means to properly manage or analyze that data. As a result, if there is a breach or questionable activity, it may take weeks or months to actually detect it – if it’s detected at all.” Novak says the lack of logs or log management can increase the cost and length of an investigation substantially.

Data correlation is critically important in supporting a forensic investigation. Correlating data from multiple sources provides the means to substantiate other evidence sources, and logs are a good way to do that. “We use logs to corroborate what is seen in a forensic image or, vice versa, what we see in a forensic image to what we see in logs,” says Novak.

In investigations, it is common to play logs off one another so that each validates the others. For example, an environment has firewall, intrusion detection system (IDS), system and application logs. If they are properly configured, an investigator can go through all the logs and show that a hacker got into the network or application at a specific time. If the logs do not all agree about the illicit activity, this can be an indication that the hacker manipulated one or more of them to make it difficult to follow his actions. By correlating the log data from the independent sources, it is possible to spot this manipulation: an event recorded by the firewall or IDS that the host’s own system or application log does not confirm is exactly the kind of discrepancy that points to a deleted or altered log.

Log data should be viewed and treated like a primary evidence source. Hopefully it will never be needed to investigate or validate a data breach or hacking incident. In any event, here are some best practices that can help ensure that log data and log management practices properly support forensic investigations.
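The correlation step described above, worked through in code. This is an added example for this newsletter issue, not code from the article, from Novak’s team, or from EventTracker. The four log excerpts are constructed sample data in plausible but hypothetical formats; the addresses are documentation ranges, the hostname "webdb", the mapping of each host-side log to a server, and the 5-second matching window are all assumptions. The example builds one timeline for a suspect source address across firewall, IDS, web-application and SSH authentication logs, measures how long that address was active (the “five minutes or five months” question), and flags every network-side record that no host-side log confirms, which is the pattern that suggests a missing or altered log.

```python
"""Cross-source log correlation for an investigation timeline (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample excerpts, not real logs. Every source is assumed to be in
# UTC already; normalising clocks across devices is the first job in a real
# engagement and is skipped here. Note that the firewall saw a session on
# 2009-03-05 for which the web server's access log has no matching entry.
FIREWALL_LOG = """\
2009-03-02T02:14:07 ACCEPT src=203.0.113.45 dst=192.0.2.10 dport=443
2009-03-02T02:14:09 ACCEPT src=203.0.113.45 dst=192.0.2.10 dport=443
2009-03-05T23:41:30 ACCEPT src=203.0.113.45 dst=192.0.2.10 dport=443
2009-03-09T04:02:11 ACCEPT src=203.0.113.45 dst=192.0.2.20 dport=22
"""
IDS_LOG = """\
2009-03-02T02:14:09 ALERT sig="SQL injection attempt" src=203.0.113.45 dst=192.0.2.10
2009-03-09T04:02:11 ALERT sig="SSH brute force" src=203.0.113.45 dst=192.0.2.20
"""
APP_LOG = """\
203.0.113.45 - - [02/Mar/2009:02:14:07 +0000] "GET /login HTTP/1.1" 200
203.0.113.45 - - [02/Mar/2009:02:14:09 +0000] "POST /login HTTP/1.1" 500
"""
AUTH_LOG = """\
2009-03-09T04:02:11 webdb sshd[811]: Failed password for root from 203.0.113.45 port 51022
2009-03-09T04:02:13 webdb sshd[811]: Accepted password for root from 203.0.113.45 port 51022
"""

# Assumed asset mapping: which host each host-side log was collected from.
APP_LOG_HOST = "192.0.2.10"          # the web server's access log
HOST_IPS = {"webdb": "192.0.2.20"}   # syslog hostname -> address


def _event(ts, source, src, host, detail):
    """Normalised record shared by all sources so they can be compared."""
    return {"ts": ts, "source": source, "src": src, "host": host, "detail": detail}


def parse_firewall(text):
    pat = re.compile(r"(\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)")
    return [_event(datetime.fromisoformat(m[1]), "firewall", m[3], m[4], f"{m[2]} {m[4]}:{m[5]}")
            for m in map(pat.match, text.splitlines()) if m]


def parse_ids(text):
    pat = re.compile(r'(\S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+)')
    return [_event(datetime.fromisoformat(m[1]), "ids", m[3], m[4], m[2])
            for m in map(pat.match, text.splitlines()) if m]


def parse_app(text):
    # Common Log Format; the "+0000" offset is dropped under the UTC assumption.
    pat = re.compile(r'(\S+) \S+ \S+ \[([^ \]]+) [^\]]*\] "([^"]+)" (\d+)')
    return [_event(datetime.strptime(m[2], "%d/%b/%Y:%H:%M:%S"), "app", m[1],
                   APP_LOG_HOST, f"{m[3]} -> {m[4]}")
            for m in map(pat.match, text.splitlines()) if m]


def parse_auth(text):
    pat = re.compile(r"(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
    return [_event(datetime.fromisoformat(m[1]), "auth", m[5], HOST_IPS[m[2]], f"{m[3]} login as {m[4]}")
            for m in map(pat.match, text.splitlines()) if m]


def load_all():
    return parse_firewall(FIREWALL_LOG) + parse_ids(IDS_LOG) + parse_app(APP_LOG) + parse_auth(AUTH_LOG)


def timeline(events, src_ip):
    """Every event attributed to src_ip, from all sources, in time order."""
    return sorted((e for e in events if e["src"] == src_ip), key=lambda e: e["ts"])


def dwell_time(events, src_ip):
    """Span between the first and last record of src_ip across all sources."""
    tl = timeline(events, src_ip)
    return tl[-1]["ts"] - tl[0]["ts"] if tl else timedelta(0)


def uncorroborated(events, src_ip, window=timedelta(seconds=5)):
    """Firewall/IDS records for src_ip with no app/auth record on the same
    destination host within `window`. Each one is a lead: either that host's
    log was never collected, or it has been altered since the event."""
    host_side = [e for e in events if e["src"] == src_ip and e["source"] in ("app", "auth")]
    return [e for e in timeline(events, src_ip)
            if e["source"] in ("firewall", "ids")
            and not any(h["host"] == e["host"] and abs(h["ts"] - e["ts"]) <= window
                        for h in host_side)]


if __name__ == "__main__":
    ev, ip = load_all(), "203.0.113.45"
    for e in timeline(ev, ip):
        print(e["ts"], e["source"].ljust(8), e["host"], e["detail"])
    print("dwell time:", dwell_time(ev, ip))
    for g in uncorroborated(ev, ip):
        print("UNCORROBORATED:", g["ts"], g["source"], g["detail"])
```

Run as-is it prints a ten-event timeline for the suspect address, a dwell time of just over seven days, and one uncorroborated record: the 2009-03-05 firewall session to the web server that the access log never saw. The two IDS alerts, by contrast, line up with a 500 response in the application log and with a failed-then-accepted root login in the auth log, which is the corroboration Novak describes.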
If an incident or data breach is suspected, there are several steps to take right away:
With the right care and feeding, data logs can provide solid forensic evidence in the event of a security breach or data loss. Analyzing the logs may not make for an exciting TV drama, but it can be rewarding nonetheless.

Brian Musthaler, CISA, is a Principal Consultant with Essential Solutions Corp. A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.

Industry News

Conficker worm arms itself to steal and spam
The Conficker/Downadup worm is on the move again. After a relatively uneventful April 1, on which the worm began widening the number of Web sites that it scanned for instructions, a new Conficker variant has emerged and appears to be preparing to spam and steal information.

A lesson in compliance from the chemical industry
Events occurring in the U.S. chemical-manufacturing industry, specifically those relating to security guidelines being enforced by the federal government, are likely foreshadowing what's next in line for other industries.
In poor economy, more IT pros could turn to e-crime
In an annual security survey, sixty-six percent of respondents felt that out-of-work IT workers would be tempted to join the criminal underground, driven in part by threats to bonuses, job losses, and worthless stock options.

Timeline: 4 years of data breaches

Featured Whitepaper

Ten Reasons EventTracker is your best choice for Event Log Management
Brief overview of the top 10 reasons EventTracker should be your event log management solution.

LogTalk

Get the latest insight on all things related to Log Management on the Prism Microsystems blog. Feel free to leave comments and share your thoughts.