![Page 1: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/1.jpg)
OWASP Logging Project
Presentation by Marc Chisinevski
![Page 2: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/2.jpg)
Objectives of this presentation
Explain the goals of the OWASP Logging Project
Discuss how to integrate application logs into a Security Information Management system (SIM). Live demo 1.
Discuss SIM common issues and present a multidimensional solution prototype. Live demo 2.
![Page 3: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/3.jpg)
Goals of the OWASP Logging Project
1) Provide tools for software developers in order to help them define and provide meaningful logs.
2) Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps).
3) Integrate application logs into a Security Information Management configuration.
4) Facilitate attack reconstruction.
5) Facilitate information sharing around security events.
![Page 4: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/4.jpg)
1) Provide tools for software developers in order to help them define and provide meaningful logs
IDE integration:
- auto-completion
- templates
- logging policy definition support
![Page 5: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/5.jpg)
IDE (Integrated Development Environment) templates can provide checks/hints/defaults.
Examples defined by the OWASP Enterprise Security API:
- hashed value of the session ID, identity of the user that caused the event, description of the event (supplied by the caller)
- whether the event succeeded or failed (indicated by the caller), severity level of the event (indicated by the caller)
- that this is a security relevant event (indicated by the caller)
- hostname or IP where the event occurred (and ideally the user's source IP as well), a time stamp
![Page 6: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/6.jpg)
2) Provide code audit tools to ensure that log
messages are consistent and complete
Code audit tools such as OWASP Yasca can easily be adapted to ensure that:
- logging standards are respected
- and log messages are consistent and complete (content, format, timestamps).
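The kind of check such an audit tool runs can be shown in a few lines. The following is an added example, not Yasca code and not part of the presentation: it parses Python source with the standard `ast` module and reports every call to a security logger that omits a field the logging policy requires. The logger name `log_security_event`, the required keyword set and the sample module are assumptions made for the example.

```python
import ast

# Hypothetical logging policy for this example: every call to the application's
# security logger (assumed to be named log_security_event) must pass these
# keyword arguments, so that the fields a SIM plugin expects are always present.
LOGGER_NAME = "log_security_event"
REQUIRED_KWARGS = {"user", "description", "success", "severity"}


def _called_name(node: ast.Call):
    """Name of the function being called: log_security_event(...) or esapi.log_security_event(...)."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return None


def audit_source(source: str, filename: str = "<string>"):
    """Return (line number, problem) findings for security log calls that violate the policy."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call) or _called_name(node) != LOGGER_NAME:
            continue
        if any(kw.arg is None for kw in node.keywords):
            # log_security_event(**extra): the fields cannot be verified statically,
            # so the call is reported rather than silently accepted.
            findings.append((node.lineno, "fields passed via **kwargs cannot be verified"))
            continue
        given = {kw.arg for kw in node.keywords}
        missing = sorted(REQUIRED_KWARGS - given)
        if missing:
            findings.append((node.lineno, "missing " + ", ".join(missing)))
    return findings


# Constructed sample module under audit: one compliant call, one incomplete
# call, and one that hides its arguments behind **kwargs.
SAMPLE_SOURCE = '''\
def login(request):
    log_security_event(user=request.user, description="login ok",
                       success=True, severity="INFO")
    return True

def transfer(request, amount):
    log_security_event(description="transfer " + str(amount), success=True)
    extra = {}
    log_security_event(**extra)
'''

if __name__ == "__main__":
    for lineno, problem in audit_source(SAMPLE_SOURCE, "sample.py"):
        print(f"sample.py:{lineno}: {problem}")
```

Run on the sample module, the audit flags line 7 (no severity, no user) and line 9 (arguments not visible to a static check); the compliant call on line 2 produces nothing. Wiring the same walk into a scanner's plugin interface and adding a format check on the `description` literal is the adaptation the slide refers to.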
![Page 7: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/7.jpg)
3) Integrate application logs into a Security Information Management configuration
OSSIM (http://www.ossim.net/)
has numerous plugins for parsing:
webserver, appserver, WAF, IPS, IDS logs
and generating/storing events in its standard format.
![Page 8: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/8.jpg)
Adding a plugin for parsing custom application logs is as easy as finding the correct regular expression, provided that:
- developers included all relevant information in the log message
- and that they have done so in a consistent way.
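Putting the two halves of that argument side by side: the ESAPI field list from the IDE-template slide and the single regular expression the plugin slide promises. The following is an added example, not code from the presentation, ESAPI or OSSIM: `format_event` is the consistent line a template would make developers emit, `EVENT_RE` is the whole parser an OSSIM-style plugin then needs, and `parse_lines` normalizes a feed into field dictionaries. The pipe-separated `key=value` layout, the field names and the sample lines are assumptions constructed for the example.

```python
import hashlib
import re
from datetime import datetime, timezone

# Fields the slide takes from the OWASP Enterprise Security API logger.
# The line layout (pipe-separated key=value pairs, one event per line) is an
# assumption made for this example, not ESAPI's or OSSIM's real format.
SEVERITIES = ("DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL")


def hash_session_id(session_id: str) -> str:
    """Log a truncated SHA-256 digest of the session ID, never the ID itself."""
    return hashlib.sha256(session_id.encode("utf-8")).hexdigest()[:16]


def format_event(*, host, src_ip, user, session_id, description, success, severity, ts=None):
    """Build one consistent, complete security log line (what an IDE template would enforce)."""
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    # Caller-supplied text must not break the one-line, pipe-delimited layout:
    # a "|result=SUCCESS" or a newline inside the description would mislead the parser.
    desc = description.replace("|", "/").replace("\r", " ").replace("\n", " ")
    return (
        f"ts={ts}|host={host}|src_ip={src_ip}|user={user}"
        f"|session={hash_session_id(session_id)}|security=1"
        f"|result={'SUCCESS' if success else 'FAILURE'}"
        f"|severity={severity}|desc={desc}"
    )


# The one regular expression an OSSIM-style plugin needs once every developer
# writes the format above: each named group becomes a field of the normalized event.
EVENT_RE = re.compile(
    r"^ts=(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)"
    r"\|host=(?P<host>[^|]+)\|src_ip=(?P<src_ip>[^|]+)\|user=(?P<user>[^|]*)"
    r"\|session=(?P<session>[0-9a-f]{16})\|security=1"
    r"\|result=(?P<result>SUCCESS|FAILURE)\|severity=(?P<severity>[A-Z]+)\|desc=(?P<desc>.*)$"
)


def parse_event(line: str):
    """Normalize one line into a dict of fields; None when the line does not follow the standard."""
    m = EVENT_RE.match(line.rstrip("\r\n"))
    return m.groupdict() if m else None


def parse_lines(lines):
    """Split a feed into normalized events and rejected lines (the latter are an audit finding)."""
    events, rejected = [], []
    for line in lines:
        ev = parse_event(line)
        if ev:
            events.append(ev)
        else:
            rejected.append(line)
    return events, rejected


# Constructed sample feed: two well-formed lines and one where a developer
# left out src_ip, which is exactly what makes the plugin's regex fail.
SAMPLE_LINES = [
    format_event(host="app01", src_ip="198.51.100.7", user="alice", session_id="s-1",
                 description="login", success=True, severity="INFO",
                 ts="2009-12-01T10:00:00Z"),
    format_event(host="app01", src_ip="198.51.100.7", user="alice", session_id="s-1",
                 description="wire transfer|amount=100", success=False, severity="WARNING",
                 ts="2009-12-01T10:01:00Z"),
    "ts=2009-12-01T10:02:00Z|host=app02|user=bob|session=0123456789abcdef|security=1"
    "|result=FAILURE|severity=ERROR|desc=password reset",
]

if __name__ == "__main__":
    events, rejected = parse_lines(SAMPLE_LINES)
    for ev in events:
        print(ev["ts"], ev["user"], ev["result"], ev["desc"])
    print("rejected:", rejected)
```

The rejected third line is the point of the slide: one missing field and the event never reaches the SIM, so the count of rejected lines is itself a useful indicator of how well the logging standard is followed.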
![Page 9: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/9.jpg)
Current problems
Difficult to obtain relevant views of consolidated data
Examples:
Alarms concerning Client1 in December
Alarms in Datacenter1 in January
Difficult to calculate indicators
Example:
Annual Loss Expectancy for Asset1
![Page 10: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/10.jpg)
Current problems
Difficult to compare with historical data
Performance issues
![Page 11: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/11.jpg)
Live Demo 1 - Ossim
A "click and play" virtual appliance containing a full OSSIM installation is provided.
![Page 12: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/12.jpg)
OSSIM executive dashboard
![Page 13: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/13.jpg)
Current day details from the previous Executive Dashboard:
very technical information, clearly not useful for CFO/CEOs, with all due respect
![Page 14: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/14.jpg)
Functional benefits of a multidimensional solution
Presenting risk assessments and safeguard cost-effectiveness scenarios to CFO/CEO
Different views: Client, Asset, Data Center, Time
Indicators: Loss Expectancy, Risk …
![Page 15: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/15.jpg)
Functional benefits of the multidimensional solution
Aggregation levels are clearly defined:
Raw data: Event, Server
Consolidated data: Alarm, Asset, Client, Data Center, Time, Geography
![Page 16: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/16.jpg)
Technical benefits of the multidimensional solution
Reporting queries no longer run on the production SIM database
Drill-down, roll-up, slice without writing SQL
Integrate data from different sources
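What slice, roll-up and drill-down mean on the dimensions the slides name (Client, Asset, Data Center, Time) can be shown with a small in-memory cube. The following is an added example, not the presentation's Essbase demo: it answers the two "current problems" queries (alarms concerning Client1 in December, alarms in Datacenter1 in January) and computes an Annual Loss Expectancy for Asset1 as SLE x ARO. The alarm records are constructed sample data, and taking the observed yearly alarm count as the ARO is an assumption made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alarm:
    """One consolidated alarm with the dimensions named on the slides (constructed sample data)."""
    client: str
    asset: str
    datacenter: str
    month: str      # "YYYY-MM": the Time dimension at month granularity
    count: int = 1  # aggregated alarm count for this combination of members


# Constructed sample: consolidated alarms already extracted from the SIM database,
# so none of the queries below touch the production system.
ALARMS = [
    Alarm("Client1", "Asset1", "Datacenter1", "2009-12"),
    Alarm("Client1", "Asset2", "Datacenter2", "2009-12"),
    Alarm("Client2", "Asset1", "Datacenter1", "2010-01"),
    Alarm("Client1", "Asset1", "Datacenter1", "2010-01"),
    Alarm("Client2", "Asset3", "Datacenter1", "2010-01", count=3),
]


def slice_(alarms, **filters):
    """Slice: keep the alarms whose members match every dimension filter given."""
    return [a for a in alarms if all(getattr(a, dim) == member for dim, member in filters.items())]


def roll_up(alarms, *dims):
    """Roll-up: total alarm counts by the given dimensions; adding a dimension is a drill-down."""
    totals = defaultdict(int)
    for a in alarms:
        totals[tuple(getattr(a, dim) for dim in dims)] += a.count
    return dict(totals)


def annual_loss_expectancy(alarms, asset, year, single_loss_expectancy):
    """ALE = SLE x ARO; ARO is taken here as the alarm count observed for the asset in that year."""
    aro = sum(a.count for a in slice_(alarms, asset=asset) if a.month.startswith(year))
    return single_loss_expectancy * aro


if __name__ == "__main__":
    print("Client1, December:", roll_up(slice_(ALARMS, client="Client1", month="2009-12"), "asset"))
    print("Datacenter1, January:", roll_up(slice_(ALARMS, datacenter="Datacenter1", month="2010-01"), "client"))
    print("ALE Asset1 2010:", annual_loss_expectancy(ALARMS, "Asset1", "2010", 5000))
```

Every view on the slides is a different `roll_up` over the same slice: the asset view groups by `asset`, the data center view by `datacenter`, the client view by `client`, and none of them requires writing SQL against the SIM.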
![Page 17: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/17.jpg)
Live Demo 2 - Multidimensional solution
Essbase example
![Page 18: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/18.jpg)
Essbase outlines
![Page 19: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/19.jpg)
Essbase outlines
![Page 20: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/20.jpg)
Demo data feed
![Page 21: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/21.jpg)
Asset view
Data Center view
![Page 22: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/22.jpg)
Client view
![Page 23: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/23.jpg)
Questions
![Page 24: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/24.jpg)
Acknowledgments
OSSIM team
Wojtek Janeczek, friend and multidimensional DB expert
![Page 25: OWASP Logging Project Presentation by Marc Chisinevski](https://reader035.vdocuments.us/reader035/viewer/2022070406/56649de35503460f94ada5c0/html5/thumbnails/25.jpg)
Thank you!