DOCSLIB.ORG

Guide to Computer Security Log Management

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Guide to Computer Security Log Management Special Publication 800-92 Guide to Computer Security Log Management Recommendations of the National Institute of Standards and Technology Karen Kent Murugiah Souppaya NIST Special Publication 800-92 Guide to Computer Security Log Management Recommendations of the National Institute of Standards and Technology Karen Kent Murugiah Souppaya C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 September 2006 U.S. Department of Commerce Carlos M. Gutierrez, Secretary Technology Administration Robert C. Cresanti, Under Secretary of Commerce for Technology National Institute of Standards and Technology William Jeffrey, Director GUIDE TO COMPUTER SECURITY LOG MANAGEMENT Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-92 Natl. Inst. Stand. Technol. Spec. Pub l. 800-92, 72 pages (September 2006) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experim ental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Techn ology, nor is it intended to imply that the entities, materials, or equipment are neces sarily the best available for the purpose. ii GUIDE TO COMPUTER SECURITY LOG MANAGEMENT Acknowledgements The authors, Karen Kent and Murugiah Souppaya of the National Institute of Standards and Technology (NIST), wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content, especially Bill Burr, Elizabeth Chew, Tim Grance, Bill MacGregor, Stephen Quinn, and Matthew Scholl of NIST, and Stephen Green, Joseph Nusbaum, Angela Orebaugh, Dennis Pickett, and Steven Sharma of Booz Allen Hamilton. The authors particularly want to thank Anton Chuvakin of LogLogic and Michael Gerdes for their careful review and many contributions to improving the quality of this publication. The authors would also like to express their thanks to security experts Kurt Dillard of Microsoft, Dean Farrington of Wells Fargo Bank, Raffael Marty of ArcSight, Greg Shipley of Neohapsis, and Randy Smith of the Monterey Technology Group, as well as representatives from the Department of Energy, the Department of Health and Human Services, the Department of Homeland Security, the Department of State, the Department of Treasury, the Environmental Protection Agency, the National Institutes of Health, and the Social Security Administration, for their valuable comments and suggestions. Trademarks All names are registered trademarks or trademarks of their respective companies. ii i GUIDE TO COMPUTER SECURITY LOG MANAGEMENT Table of Contents Executive Summary............................................................................................................ES-1 1. Introduction ................................................................................................................... 1-1 1.1 Authority................................................................................................................ 1-1 1.2 Purpose and Scope............................................................................................... 1-1 1.3 Audience ............................................................................................................... 1-1 1.4 Publication Structure ............................................................................................. 1-1 2. Introduction to Computer Security Log Management ................................................ 2-1 2.1 The Basics of Computer Security Logs.................................................................. 2-1 2.1.1 Security Software....................................................................................... 2-2 2.1.2 Operating Systems..................................................................................... 2-4 2.1.3 Applications................................................................................................ 2-4 2.1.4 Usefulness of Logs..................................................................................... 2-6 2.2 The Need for Log Management............................................................................. 2-7 2.3 The Challenges in Log Management..................................................................... 2-8 2.3.1 Log Generation and Storage ...................................................................... 2-8 2.3.2 Log Protection............................................................................................ 2-9 2.3.3 Log Analysis............................................................................................. 2-10 2.4 Meeting the Challenges....................................................................................... 2-10 2.5 Summary............................................................................................................. 2-11 3. Log Management Infrastructure................................................................................... 3-1 3.1 Architecture........................................................................................................... 3-1 3.2 Functions............................................................................................................... 3-3 3.3 Syslog-Based Centralized Logging Software......................................................... 3-5 3.3.1 Syslog Format............................................................................................ 3-5 3.3.2 Syslog Security .......................................................................................... 3-7 3.4 Security Information and Event Management Software ......................................... 3-9 3.5 Additional Types of Log Management Software................................................... 3-10 3.6 Summary............................................................................................................. 3-11 4. Log Management Planning........................................................................................... 4-1 4.1 Define Roles and Responsibilities ......................................................................... 4-1 4.2 Establish Logging Policies..................................................................................... 4-3 4.3 Ensure that Policies Are Feasible.......................................................................... 4-7 4.4 Design Log Management Infrastructures............................................................... 4-9 4.5 Summary............................................................................................................. 4-10 5. Log Management Operational Processes.................................................................... 5-1 5.1 Configure Log Sources.......................................................................................... 5-1 5.1.1 Log Generation .......................................................................................... 5-1 5.1.2 Log Storage and Disposal.......................................................................... 5-2 5.1.3 Log Security............................................................................................... 5-4 5.2 Analyze Log Data.................................................................................................. 5-5 5.2.1 Gaining an Understanding of Logs............................................................. 5-5 5.2.2 Prioritizing Log Entries ............................................................................... 5-6 5.2.3 Comparing System-Level and Infrastructure-Level Analysis....................... 5-7 iv GUIDE TO COMPUTER SECURITY LOG MANAGEMENT 5.3 Respond to Identified Events................................................................................. 5-8 5.4 Manage Long-Term Log Data Storage .................................................................. 5-9 5.5 Provide Other Operational Support...................................................................... 5-10 5.6 Perform Testing and Validation ........................................................................... 5-10 5.7 Summary............................................................................................................. 5-11 List of Appendices Appendix A— Glossary ........................................................................................................A-1 Appendix B— Acronyms ......................................................................................................B-1
Load more

Recommended publications
  • Guide to Computer Security Log Management
    Special Publication 800-92 Guide to Computer Security Log Management Recommendations of the National Institute of Standards and Technology Karen Kent Murugiah Souppaya GUIDE TO COMPUTER SECURITY LOG MANAGEMENT Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-92 Natl. Inst. Stand. Technol. Spec. Publ. 800-92, 72 pages (September 2006) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended
    [Show full text]
  • Centralized Log Management for Complex Computer Networks
    Centralized log management for complex computer networks Marcus Hanikat KTH ROYAL INSTITUTE OF TECHNOLOGY ELEKTROTEKNIK OCH DATAVETENSKAP Abstract In modern computer networks log messages produced on different devices throughout the network is collected and analyzed. The data from these log messages gives the network administrators an overview of the networks operation, allows them to detect problems with the network and block security breaches. In this thesis several different centralized log management systems are analyzed and evaluated to see if they match the requirements for security, performance and cost which was established. These requirements are designed to meet the stakeholder’s requirements of log management and allow for scaling along with the growth of their network. To prove that the selected system meets the requirements, a small-scale implementation of the system will be created as a “proof of concept”. The conclusion reached was that the best solution for the centralized log management system was the ELK Stack system which is based upon the three open source software Elasticsearch, Logstash and Kibana. In the small-scale implementation of the ELK Stack system it was shown that it meets all the requirements placed on the system. The goal of this thesis is to help develop a greater understanding of some well-known centralized log management systems and why the usage of them is important for computer networks. This will be done by describing, comparing and evaluating some of the functionalities of the selected centralized log management systems. This thesis will also be able to provide people and entities with guidance and recommendations for the choice and implementation of a centralized log management system.
    [Show full text]
  • Analysis of Security Information and Event Management (Siem) Evasion and Detection Methods
    TALLINN UNIVERSITY OF TECHNOLOGY Faculty of Information Technology Department of Computer Engineering ITC70LT Seyed Morteza Zeinali (IVCM131121) ANALYSIS OF SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM) EVASION AND DETECTION METHODS (Master Thesis) Supervisor: Bernhards Blumbergs Master’s Degree Ph.D. Student at Tallinn University of Technology Tallinn 2016 Declaration I hereby certify that I am the sole author of this thesis. All the used materials, references to the literature and the work of others have been referred to. This thesis has not been presented for examination anywhere else. .................................. .................................. (Author's signature) (Date) 2 Abstract: Security Information and Event Management (SIEM) systems have become today a crucial and essential component of complex enterprise networks. They typically aggregate and correlate incidents from different systems and platforms, and carry out a rule-based analysis to detect advanced threats. The latest reports show that in spite of the fact SIEMs are significantly efficient, but there are still shortcomings and evasion methods that can compromise the integrity of data and forge the data stored and need to improve over prior solutions. This paper evaluates and analyze the SIEM evasion detections, SIEM evasion methods, expresses approaches and the tools that evade security appliances. An attack simulation experiment is performed using multiple Advanced Evasion Techniques (AETs) to demonstrate the capabilities of SIEM in detecting any suspicious behaviour of event logs and alerting them in near real-time. The tested SIEM was able to collect, filter, normalize, correlate, alert, and report network attacks within minutes after attack incidents. Keywords: Evasion Detection, Event Management, Security Information, Evasion Techniques, SIEM, Outlier Detection, Information Management, Advanced Threats, AET, incident, Anomaly Behaviour.
    [Show full text]
  • Regulation for the Digital Logs Management in Public Administration
    PRIME MINISTER’S OFFICE NATIONAL AGENCY FOR CYBER SECURITY (ALCIRT) REGULATION FOR THE DIGITAL LOGS MANAGEMENT IN PUBLIC ADMINISTRATION Approved with Order no. 109 date 10.06. 2016 of the Director of the National Agency for Cyber Security (ALCIRT). REGULATION FOR THE DIGITAL LOGS MANAGEMENT IN PUBLIC ADMINISTRATION Content 1. Introduction ....................................................................................................................................... 4 2. Purpose .............................................................................................................................................. 4 3. Definitions .......................................................................................................................................... 5 4. General ............................................................................................................................................... 6 5. Activities for which logs will be held .................................................................................................. 7 5.1 Log elements ..................................................................................................................................... 7 5.2 Logs Management Infrastructure and Tasks of Responsible Staff for Log Management ................ 8 5.2.1 Log Management Infrastructure ................................................................................................... 8 Depending on the resources and specifics of the institution, log infrastructure
    [Show full text]
  • Cyber Security Monitoring and Logging Guide
    Cyber Security Monitoring and Logging Guide Version 1 Cyber Security Monitoring and Logging Guide Published by: CREST Tel: 0845 686-5542 Email: [email protected] Web: http://www.crest-approved.org Principal Author Principal reviewer Jason Creasey, Ian Glover, President, CREST Managing Director, Jerakano Limited DTP notes For ease of reference, the following DTP devices have been used throughout the Guide. Acknowledgements CREST would like to extend its special thanks to those CREST member organisations and third parties who took part in interviews, participated in the workshop and completed questionnaires. Warning This Guide has been produced with care and to the best of our ability. However, CREST accepts no responsibility for any problems or incidents arising from its use. A Good Tip ! A Timely Warning Quotes are presented in a box like this. © Copyright 2015. All rights reserved. CREST (GB). 3 Cyber Security Monitoring and Logging Guide Contents Part 1 - Introduction and overview • About this Guide .........................................................................................................................................6 • Audience .....................................................................................................................................................6 • Purpose and scope ......................................................................................................................................7 • A practical solution ......................................................................................................................................7
    [Show full text]