
Page 1: OARtech: Logging, evidence, and network management
Brian Moeller, CISSP
10APR2002

Page 2: Why are logs important?

- Performance management
- Capacity planning
- Cost justification
- Management reporting
- Security, both for integrity and for incident response. Remember, security is there to *ensure* things go as planned, not to prevent access.

Page 3: Network Responsibility

- It's your job to know what's going on with the network!
- Logs are a wonderful troubleshooting tool when things don't go as planned.

Page 4: The basics

The 3 layers:
- Network
- Operating system
- Application

Page 5: The basics

- Authentication
- Authorization
- Accountability

Page 6: Authentication

- Most common authentication – passwords
- Authentication – the process of matching a user to an account

Page 7: Authorization

- The permissions, connections, access, and quotas assigned to a user after that user has been authenticated.

Page 8: Accountability

- The process of keeping records of activity
- The ability to answer the questions:
  - Who did it?
  - What happened?
  - Where were they located?
  - When did it happen?
  - How was it done and/or how much was used?

Page 9: What should you log?

- Log enough to answer the questions: who, what, when, where, how
- Authentication logs show who logged on when; they don't show who accessed what

Page 10: What should you log?

What happened?
- Application logs
- File access/change logs
- Keystroke logging/activity logging

Page 11: What should you log?

Where were they located?
- An updated network map is important
- Naming conventions/addressing policies

Page 12: What should you log?

When did it happen?
- Time synchronization between logs is an issue

Page 13: What should you log?

How was it done/how much was used?
- Network traffic logs
- Transaction logs
- Access logs

Page 14: Building a case

Use several logs to prove the same point:
- Authentication log shows the user logged in
- Access log shows access to the files in question
- Network logs show traffic from the workstation to the servers where the files are located
- Application logs show activity to process the files
- OS logs show operating system state during the activity

Page 15: Building a case

Use several logs to prove the same point:
- Other application logs show access to other applications during the same time period (helps during an interview: "Yes, I did check my e-mail at that time, and I did run that application, but no, I certainly didn't change that file…")
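The correlation described on pages 12, 14 and 15 (several logs proving the same point, with clock skew between sources corrected first), as an added example that is not part of the original talk. The log lines, the sources `auth`, `netflow` and `fileserver`, and the 90-second skew on the file server are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample log lines (not from the talk), one line per source in the
# shape "<ISO time> <source> <event> key=value ...". Timestamps are as each
# device recorded them, i.e. before any clock correction.
AUTH_LOG = [
    "2002-04-10T09:01:12 auth login user=jdoe host=ws-17 result=success",
    "2002-04-10T09:40:05 auth login user=asmith host=ws-22 result=success",
    "2002-04-10T13:15:30 auth login user=jdoe host=ws-03 result=success",
]
NET_LOG = [
    "2002-04-10T09:01:50 netflow flow src=ws-17 dst=fileserver proto=smb bytes=48211",
    "2002-04-10T13:16:02 netflow flow src=ws-03 dst=mailserver proto=imap bytes=1024",
]
FILE_LOG = [
    "2002-04-10T09:03:40 fileserver write path=/projects/budget.xls user=jdoe",
]

# Assumed per-source clock skew (constructed): the file server runs 90 s fast,
# so its timestamps are pulled back before comparison with the other logs.
CLOCK_SKEW = {"auth": timedelta(0), "netflow": timedelta(0),
              "fileserver": timedelta(seconds=90)}


def parse(line):
    """Parse one log line into a dict, normalising its time to the reference clock."""
    stamp, source, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    when = datetime.fromisoformat(stamp) - CLOCK_SKEW[source]
    return {"time": when, "source": source, "event": event, **fields}


def build_case(user, path, window=timedelta(minutes=10)):
    """Return (login, flow, write) triples that corroborate `user` changing `path`.

    A write counts only if it follows a successful login by `user` within
    `window`, and a flow from that login's workstation to the file server is
    seen between the login and the write.
    """
    logins = [e for e in map(parse, AUTH_LOG)
              if e["event"] == "login" and e["user"] == user and e["result"] == "success"]
    writes = [e for e in map(parse, FILE_LOG) if e["user"] == user and e["path"] == path]
    flows = list(map(parse, NET_LOG))
    case = []
    for w in writes:
        for login in logins:
            if not timedelta(0) <= w["time"] - login["time"] <= window:
                continue
            for f in flows:
                if (f["src"] == login["host"] and f["dst"] == w["source"]
                        and login["time"] <= f["time"] <= w["time"]):
                    case.append((login, f, w))
    return case
```

Without the skew correction the write would appear to follow the flow by almost two minutes; with it, login, flow and write line up in the expected order.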

Page 16: Building a case

An example:
- Workstation cache shows suspected activity
- Network traffic logs indicate suspected activity
- Files not found on the workstation, but found in a recent backup
- User maintains innocence
- But…

Page 17: Building a case

An example:
- But… telephone records show phone calls…

Page 18: Questions…but few answers

- What should I log? Log as much as is practical for your needs.
- How long should logs be kept? Be practical… a general rule of thumb is 3 months of 'quick' access, then another 3 months 'offline'. Research, government, health care, accounting, tax, DoD, and others may have additional requirements.

Page 19: Questions…but few answers

- How should the logs be kept? As safely as practical: backups, and check to make sure what you want to log is really being logged… On a system that isn't likely to be compromised… (sometimes difficult for some OS and application logs).

Page 20: Questions…but few answers

- Who should have access to the logs? Only a limited number of people; they're not public logs… (see your legal department, your mileage may vary).
- How much should I log? Be practical. Log more than you think you might need, but not so much that it causes problems with network or system performance. Generally plan on 10% of system

Page 21: An ounce of prevention…

- Effort used to prevent incidents is well worth it!
- Use the logs to verify that the correct things are happening, and to know what happened when things don't go well.