Log_Management_Best_Practices.pdf
Uploaded 2022-01-02 22:15:20
292KB PDF, 16 pages
Log Management Best Practices
The Foundation for Comprehensive Security
Information and Event Management
White paper
Contents
Definition of Log (Event) Management page 1
Why do Logs Matter for Security and Compliance? page 1
Challenges Addressed by Log Management page 1
The Business Value of Best Practices in Log Management page 3
Inputs Into Your Organization's Best Practices page 3
Recommended Best Practices page 4
I. Logging Policies, Procedures and Technology (LP) page 5
II. Log Generation and Capture (LG) page 5
III. Log Retention and Storage (LR) page 6
IV. Log Analysis (LA) page 10
V. Log Security and Protection (LS) page 10
Conclusion page 11
Solutions for Implementing Best Practices page 11
Appendices
Appendix 1—Sources and Contents of Logs page 12
Appendix 2—Compliance Requirements for Log Management page 13
Executive Summary
Log (event) management is the collection, analysis
(real-time or historical), storage and management of
logs from a range of sources across the enterprise. It is
the foundation for comprehensive security information
and event management (SIEM). Organizations which
develop best practices in log management will get
timely analysis of their security profile for security
operations, ensure that logs are kept in sufficient detail
for the appropriate period of time to meet audit and
compliance requirements, and have reliable evidence
for use in investigations.
Businesses face a number of challenges that make best
practices in log management an increasingly important
part of an overall enterprise IT security strategy. These
include the need to control the vast amounts of data
being generated by more and more systems, the
increased requirements of today's regulated environment
and a new breed of more advanced attacks.
By establishing best practices in log management,
information executives can bring tremendous value to
their organization by avoiding costs and increasing
efficiencies in areas such as compliance, risk
management, legal, forensics, storage and operations.
Best practices in log management should be based on
the requirements of applicable regulations and
standards, guidance from legal counsel, business and
operational objectives, and risk analysis.
Although best practices should be developed by each
individual organization based on their particular
environment, there are some general best practices
which can be universally applied. This paper is intended
to help organizations develop their own comprehensive
set of best practices by providing 40 recommended
best practices covering logging policies,
procedures and technology; log generation and capture;
log retention and storage; log analysis; and log security
and protection.
Definition of Log (Event) Management
A log is a record of an event or activity occurring within an
organization’s systems or networks. Examples include a
firewall allowing or denying access to a network resource, a
change to the configuration of the operating system
performed by an administrator, a system shut down or start
up, a user logging-in to an application, or an application
allowing or denying access to a file. For more examples of
events or activities, please see appendix 1, “Sources and
contents of logs.” Log (event) management is the
collection, analysis (real-time or historical), storage and
management of logs from a range of sources across the
enterprise including security systems, networking devices,
operating systems, and applications.
Log management is the foundation for comprehensive
security information and event management (SIEM)
including the following use cases:
– Real-time threat detection and mitigation
– Incident investigation and forensics
– Compliance to regulations and standards
– Capacity planning, performance and uptime
– Evidence for legal and human resources cases
– Detecting and preventing intellectual property (IP) theft
– Monitoring employee productivity
– Troubleshooting system and network problems
– Auditing and enforcing IT security policy
Why do Logs Matter for Security and Compliance?
Without sufficient collection, regular review and long-term
retention of logs, your organization will be neither in
compliance with regulations nor able to properly protect its
information assets. Logs provide a way to monitor your
systems and keep a record of security events, information
access and user activities.
Today's regulated environment coupled with a new breed of
more advanced attacks makes log management an
increasingly important component of your IT security
strategy. A log management capability will enable you to
detect unauthorized activities in real-time and to ensure
logged data is available for audits and investigations and
properly stored over its entire lifecycle.
The inability to manage logs is one of the major reasons
that enterprises fail compliance audits. For example,
inadequate review of audit logs is one of the top five IT
control weaknesses cited by Sarbanes-Oxley auditors.
Inadequate logging is also one of the top three areas of
failure for the Payment Card Industry (PCI) Data Security
Standard (DSS) according to PCI auditors.
Lack of competency in log management is also a major
reason for data compromises. For example, MasterCard's
forensic research indicates that the lack of real-time
security monitoring is one of the top five reasons that
merchants are getting hacked. In their investigations of
companies which have suffered data breaches, the US
Federal Trade Commission (FTC) has found that one of the
major causes was failure to use sufficient measures to
detect unauthorized access.
Without adequate log management, it is very difficult for
enterprises to investigate and recover from a security
breach. Massive data breaches have been headline news
over the last couple of years. In many cases, these
companies did not retain sufficient logs extending back in
time to the initial intrusions, making it nearly impossible to
determine exactly how the attack took place.
Regulation has also stretched out required retention time
frames. For example, to prove the integrity of financial
reports, corporate governance regulations require audit
records be kept for many years. To account for disclosures
of personal information, privacy regulations create the need
for years-long storage of access logs.
Organizations which develop best practices in log
management will get timely analysis of their security profile
for security operations, ensure that logs are kept in
sufficient detail for the appropriate period of time to meet
audit and compliance requirements, and have reliable
evidence for use in investigations.
Challenges Addressed by Log Management
Businesses face a number of challenges that make best
practices in log management an essential part of an overall
enterprise IT security strategy:
1. The huge number and variety of systems generating logs
Over the last few years, in response to increased security
threats, organizations have deployed many security systems
– including intrusion prevention, patch management and
anti-virus systems. As more business processes have been
automated, more network devices, servers, storage
subsystems and applications have also been added to the
environment. The result is an increasingly larger and
complex mix of systems generating logs. See appendix 1,
"Sources and contents of logs."
1
RSA White Paper
With so many sources of logs, it is very difficult to make
sense of them. It is hard to determine the overall security
profile or get a complete picture of information access and
user activities. For example, auditors may be expected to
read reams of print-outs from many different systems in
order to piece together evidence that only authorized users
are accessing protected information. These kinds of
activities make audits very expensive.
Without sound retention policies, logs from so many varied
sources will likely not be getting stored properly. Logs with
little value from some sources may be getting stored while
important records from other sources may not be stored at all.
2. The volume of logged data
Global 2000 organizations can generate in excess of 10 TB
of raw logs each month. With this amount of data, it
is no wonder that many companies that collect logs do not
actually analyze them because it is too difficult. Even if
procedures for reviewing the logs have been established,
often they are not followed reliably because it is extremely
tedious to go through so many logs manually. Businesses
need to develop best practices for analysis and reporting in
order to make use of this critical information. It is also
important to determine retention and retrieval strategies that
will enable auditors and investigators to easily sort through
the mountains of data to get the information they need.
3. The changing threat landscape
The attacks perpetrated nowadays are not just disruptive
attacks such as the ILOVEYOU virus or denial of service
attacks but very targeted and sophisticated attacks carried
out by organized crime against specific information assets
over long periods of time. In a recent high profile case, a
large retailer had their systems infiltrated undetected over a
period of 18 months.
This kind of environment calls for effective real-time
monitoring to better detect intrusions, and for detailed
logging of information that will be relevant in the case of a
security breach. The need to go back in time over a period
of several months or even years to collect evidence is real.
The length of time organizations need to retain logs must
be aligned with this new reality. Log records must be
complete and readily retrievable to be useful during an
incident investigation.
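The definition above (collection of logs from security systems, network devices, operating systems and applications; real-time and historical analysis) and the point made here about needing both real-time monitoring and the ability to go back over retained records are easier to see in code. The following is an added example and not part of the RSA paper: a tiny pipeline that normalizes three differently formatted sources into one event schema, runs a real-time rule over the stream, and answers a historical "who accessed this?" question from the retained events. The log formats, host names, IP addresses, file paths and the threshold/window values are all assumptions, and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from the paper) from three sources: a firewall,
# an SSH daemon and a web application. The formats are assumed; timestamps are UTC.
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23",
    "2024-03-01T10:00:05Z srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T10:00:09Z srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51001 ssh2",
    "2024-03-01T10:00:14Z srv1 sshd[1201]: Failed password for admin from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T10:00:20Z srv1 sshd[1201]: Accepted password for admin from 203.0.113.7 port 51003 ssh2",
    "2024-03-01T10:01:02Z app1 app: user=admin action=read file=/finance/q4.xlsx result=allow",
    "2024-03-01T10:02:30Z app1 app: user=jsmith action=read file=/finance/q4.xlsx result=deny",
    "2024-03-01T10:03:00Z srv1 sshd[1330]: Accepted password for jsmith from 10.0.0.44 port 40000 ssh2",
    "2024-03-01T10:03:01Z fw01 ALLOW src=10.0.0.44 dst=10.0.0.5 dport=443",
    "this line matches no parser and must be counted, not silently dropped",
]

# One parser per source: (source name, event category, regex). Named groups feed
# the common schema built in normalize(); each source spells allow/deny its own way.
PARSERS = [
    ("firewall", "network", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) (?P<verdict>ALLOW|DENY) src=(?P<src_ip>\S+) "
        r"dst=(?P<dst_ip>\S+) dport=(?P<dport>\d+)$")),
    ("sshd", "auth", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<verdict>Failed|Accepted) password "
        r"for (?P<user>\S+) from (?P<src_ip>\S+) port \d+")),
    ("app", "access", re.compile(
        r"^(?P<ts>\S+) (?P<host>\S+) app: user=(?P<user>\S+) action=\w+ "
        r"file=(?P<file>\S+) result=(?P<verdict>allow|deny)$")),
]
OUTCOME = {"ALLOW": "success", "Accepted": "success", "allow": "success",
           "DENY": "failure", "Failed": "failure", "deny": "failure"}

def normalize(line):
    """Parse one raw line into the common event schema, or None if no parser matches."""
    for source, category, rx in PARSERS:
        m = rx.match(line)
        if m:
            f = m.groupdict()
            return {
                "ts": datetime.strptime(f["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                "host": f["host"], "source": source, "category": category,
                "outcome": OUTCOME[f["verdict"]],
                "user": f.get("user"), "src_ip": f.get("src_ip"),
                # the thing acted on: a file for the app, host:port for the firewall
                "object": f.get("file") or (f["dst_ip"] + ":" + f["dport"] if f.get("dst_ip") else None),
                "raw": line,  # keep the original line as evidence
            }
    return None

def collect(lines):
    """Collection step: normalize every line; count lines no parser understood so
    gaps in coverage show up as a number instead of vanishing."""
    events = [ev for ev in map(normalize, lines) if ev is not None]
    return events, len(lines) - len(events)

class BruteForceDetector:
    """Real-time analysis: alert when one source IP produces at least `threshold`
    authentication failures within `window` seconds and then a success."""

    def __init__(self, threshold=3, window=60):
        self.threshold = threshold
        self.window = timedelta(seconds=window)
        self.failures = defaultdict(deque)  # src_ip -> timestamps of recent failures

    def feed(self, ev):
        if ev["category"] != "auth":
            return None
        q = self.failures[ev["src_ip"]]
        while q and ev["ts"] - q[0] > self.window:  # expire failures outside the window
            q.popleft()
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
            return None
        n = len(q)
        q.clear()  # a success ends the sequence; start counting afresh
        if n >= self.threshold:
            return {"rule": "auth_failures_then_success", "src_ip": ev["src_ip"],
                    "user": ev["user"], "failures": n, "ts": ev["ts"]}
        return None

def who_accessed(events, obj, start, end):
    """Historical analysis: (user, outcome) for every access to `obj` between start and end."""
    return [(e["user"], e["outcome"]) for e in events
            if e["category"] == "access" and e["object"] == obj and start <= e["ts"] <= end]

def run(lines=SAMPLE_LOGS):
    """Whole pipeline over a batch: returns (events, unparsed_count, alerts)."""
    events, unparsed = collect(lines)
    detector = BruteForceDetector()
    alerts = [a for a in map(detector.feed, events) if a]
    return events, unparsed, alerts
```

Two design points matter more than the parsing itself. First, `collect()` reports how many lines matched no parser instead of discarding them, because an unnoticed parser gap is exactly how "important records from other sources may not be stored at all". Second, the detector keeps only a per-IP window of recent failures, so it can run on the live stream without holding history, while `who_accessed()` runs over the retained events, which is the only way to answer an auditor's question months after the fact.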
4. The more stringent regulatory requirements
Over the past several years, there has been a flood of
regulations and legislation globally, mandating the
protection of information. Organizations now have a legal
obligation to protect information and are required to prove
that their security measures are adequate.
Logging serves two functions for compliance. Logging is a
central pillar of any security program and therefore
essential for protecting information. Logging can no longer
be left disabled, nor logs left unreviewed, if the
organization wants to meet its legal obligations to protect
information.
Logs are also the essential evidence for proving compliance
or conformance to policy. Without logs, it is difficult or
impossible to answer questions such as, "Has this financial
data been changed without proper authorization?" or "Were
there any unauthorized disclosures of this health data?" or
"Are accesses to cardholder data limited to those with a
business need?"
In the new regulated environment, most organizations are
subject to multiple regulations and periodic internal or
independent audits of their information systems to
determine the adequacy of security measures. Logs must be
collected in sufficient detail to enable an assessment and
be readily available for review by the auditor.
Once an audit is completed, the organization will likely
need to retain certain logs, often for years, in case the logs
are requested as evidence by the regulators or the courts.
Log retention requirements are now driven by the need to
have the right information on hand to meet audit cycles and
then retained long-term to meet the legal requirements for
record keeping.
5. The increasing number of stakeholders
It is no longer just security and network operations that
require information from logged data. Other groups across
the enterprise need this information including Human
Resources, Legal, Internal Audit, Finance, Engineering,
Customer Service, Sales and Marketing. For example, HR
needs it to document employee behavior when managing
personnel issues. Legal, Internal Audit and Finance use the
information in compliance initiatives. Logs can help groups
across the enterprise monitor employee productivity and
track access to intellectual property. Best practices in log
management should provide stakeholders across the
organization with secure, quick and reliable access to the
information they need.
6. The uncertainties of future regulatory and legal issues
There are more regulations in the pipeline worldwide. For
example, comprehensive privacy legislation in the US is
under discussion, and other geographies such as India and
China are looking into introducing new laws. With future
regulations, it is impossible to determine what logs will be
necessary to prove compliance. Litigation due to security
and privacy breaches has already begun. In fact, it is