GUIDE TO COMPUTER SECURITY LOG MANAGEMENT

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL's responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL's research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations.

National Institute of Standards and Technology Special Publication 800-92
Natl. Inst. Stand. Technol. Spec. Publ. 800-92, 72 pages (September 2006)

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

Acknowledgements

The authors, Karen Kent and Murugiah Souppaya of the National Institute of Standards and Technology (NIST), wish to thank their colleagues who reviewed drafts of this document and contributed to its technical content, especially Bill Burr, Elizabeth Chew, Tim Grance, Bill MacGregor, Stephen Quinn, and Matthew Scholl of NIST, and Stephen Green, Joseph Nusbaum, Angela Orebaugh, Dennis Pickett, and Steven Sharma of Booz Allen Hamilton. The authors particularly want to thank Anton Chuvakin of LogLogic and Michael Gerdes for their careful review and many contributions to improving the quality of this publication. The authors would also like to express their thanks to security experts Kurt Dillard of Microsoft, Dean Farrington of Wells Fargo Bank, Raffael Marty of ArcSight, Greg Shipley of Neohapsis, and Randy Smith of the Monterey Technology Group, as well as representatives from the Department of Energy, the Department of Health and Human Services, the Department of Homeland Security, the Department of State, the Department of Treasury, the Environmental Protection Agency, the National Institutes of Health, and the Social Security Administration for their valuable comments and suggestions.

Trademarks: All names are registered trademarks or trademarks of their respective companies.

Table of Contents

Executive Summary ... ES-1
1. Introduction ... 1-1
1.1 Authority ... 1-1
1.2 Purpose and Scope ... 1-1
1.3 Audience ... 1-1
1.4 Publication Structure ... 1-1
2. Introduction to Computer Security Log Management ... 2-1
2.1 The Basics of Computer Security Logs ... 2-1
2.1.1 Security Software ... 2-2
2.1.2 Operating Systems ... 2-4
2.1.3 Applications ... 2-4
2.1.4 Usefulness of Logs ... 2-6
2.2 The Need for Log Management ... 2-7
2.3 The Challenges in Log Management ... 2-8
2.3.1 Log Generation and Storage ... 2-8
2.3.2 Log Protection ... 2-9
2.3.3 Log Analysis ... 2-10
2.4 Meeting the Challenges ... 2-10
2.5 Summary ... 2-11
3. Log Management Infrastructure ... 3-1
3.1 Architecture ... 3-1
3.2 Functions ... 3-3
3.3 Syslog-Based Centralized Logging Software ... 3-5
3.3.1 Syslog Format ... 3-5
3.3.2 Syslog Security ... 3-7
3.4 Security Information and Event Management Software ... 3-9
3.5 Additional Types of Log Management Software ... 3-10
3.6 Summary ... 3-11
4. Log Management Planning ... 4-1
4.1 Define Roles and Responsibilities ... 4-1
4.2 Establish Logging Policies ... 4-3
4.3 Ensure that Policies Are Feasible ... 4-7
4.4 Design Log Management Infrastructures ... 4-9
4.5 Summary ... 4-10
5. Log Management Operational Processes ... 5-1
5.1 Configure Log Sources ... 5-1
5.1.1 Log Generation ... 5-1
5.1.2 Log Storage and Disposal ... 5-2
5.1.3 Log Security ... 5-4
5.2 Analyze Log Data ... 5-5
5.2.1 Gaining an Understanding of Logs ... 5-5
5.2.2 Prioritizing Log Entries ... 5-6
5.2.3 Comparing System-Level and Infrastructure-Level Analysis ... 5-7
5.3 Respond to Identified Events ... 5-8
5.4 Manage Long-Term Log Data Storage ... 5-9
5.5 Provide Other Operational Support ... 5-10
5.6 Perform Testing and Validation ... 5-10
5.7 Summary ... 5-11

List of Appendices

Appendix A. Glossary ... A-1
Appendix B. Acronyms ... B-1
Appendix C. Tools and Resources ... C-1
Appendix D. Index ... D-1

List of Figures

Figure 2-1. Security Software Log Entry Examples ... 2-3
Figure 2-2. Operating System Log Entry Example ... 2-4
Figure 2-3. Web Server Log Entry Examples ... 2-6
Figure 3-1. Examples of Syslog Messages ... 3-6

List of Tables

Table 4-1. Examples of Logging Configuration Settings ... 4-6
Executive Summary

A log is a record of the events occurring within an organization's systems and networks. Logs are composed of log entries; each entry contains information related to a specific event that has occurred within a system or network. Many logs within an organization contain records related to computer security. These computer security logs are generated by many sources, including security software, such as antivirus software, firewalls, and intrusion detection and prevention systems; operating systems on servers, workstations, and networking equipment; and applications.

The number, volume, and variety of computer security logs have increased greatly, which has created the need for computer security log management: the process for generating, transmitting, storing, analyzing, and disposing of computer security log data. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time. Routine log analysis is beneficial for identifying security incidents, policy violations, fraudulent activity, and operational problems. Logs are also useful when performing auditing and forensic analysis, supporting internal investigations, establishing baselines, and identifying operational trends and long-term problems. Organizations also may store and analyze certain logs to comply with Federal legislation and regulations, including the Federal Information Security Management Act of 2002 (FISMA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), and the Payment Card Industry Data Security Standard (PCI DSS).

A fundamental problem with log management that occurs in many organizations is effectively balancing a limited quantity of log management resources with a continuous supply of log data. Log generation and storage can be complicated by several factors, including a high number of log sources; inconsistent log content, formats, and timestamps among sources; and increasingly large volumes of log data. Log management also involves protecting the confidentiality, integrity, and availability of logs. Another problem with log management is ensuring that security, system, and network administrators regularly perform effective analysis of log data. This publication provides guidance for meeting these log management challenges.

Implementing the following recommendations should assist in facilitating more efficient and effective log management for Federal departments and agencies.

Organizations should establish policies and procedures for log management.

To establish and maintain successful log management activities, an organization should develop standard processes for performing log management. As part of the planning process, an organization should define its logging requirements and goals. Based on those, an organization should then develop policies that clearly define mandatory requirements and suggested recommendations for log management activities, including log generation, transmission, storage, analysis, and disposal. An organization should also ensure that related policies and procedures incorporate and support the log management requirements and recommendations. The organization's management should provide the necessary support for the efforts involving log management planning, policy, and procedures development.

Requirements and recommendations for logging should be created in conjunction with a detailed analysis of the technology and resources needed to implement and maintain them, their security implications and value, and the regulations and laws to which the organization is subject (e.g., FISMA, HIPAA, SOX). Generally, organizations should require logging and analyzing the data that is of greatest importance, and also have non-mandatory recommendations for which other types and sources of data should be logged and analyzed if time and resources permit. In some cases, organizations choose to have all or nearly all log data generated and stored for at least a short period of time in case it is needed, which favors security considerations over usability and resource usage, and also allows for better decision making in some cases. When establishing requirements and recommendations, organizations should strive to be flexible, since each system is different and will log different amounts of data than other systems.

The organization's policies and procedures should also address the preservation of original logs. Many organizations send copies of network traffic logs to centralized devices, as well as use tools that analyze and interpret network traffic. In cases where logs may be needed as evidence, organizations may wish to acquire copies of the original log files, the centralized log files, and interpreted log data, in case there are any questions regarding the fidelity of the copying and interpretation processes. Retaining logs for evidence may involve the use of different forms of storage and different processes, such as additional restrictions on access to the records.

Organizations should prioritize log management appropriately throughout the organization.

After an organization defines its requirements and goals for the log management process, it should then prioritize the requirements and goals based on the organization's perceived reduction of risk and the expected time and resources needed to perform log management functions. An organization should also define roles and responsibilities for log management for key personnel throughout the organization, including establishing log management duties at both the individual system level and the log management infrastructure level.

Organizations should create and maintain a log management infrastructure.

A log management infrastructure consists of the hardware, software, networks, and media used to generate, transmit, store, analyze, and dispose of log data. Log management infrastructures typically perform several functions that support the analysis and security of log data. After establishing an initial log management policy and identifying roles and responsibilities, an organization should next develop one or more log management infrastructures that effectively support the policy and roles. Organizations should consider implementing log management infrastructures that include centralized log servers and log data storage. When designing infrastructures, organizations should plan for both the current and future needs of the infrastructures and the individual log sources throughout the organization. Major factors to consider in the design include the volume of log data to be processed, network bandwidth, online and offline data storage, the security requirements for the data, and the time and resources needed for staff to analyze the logs.

Organizations should provide proper support for all staff with log management responsibilities.

To ensure that log management for individual systems is performed effectively throughout the organization, the administrators of those systems should receive adequate support. This should include disseminating information, providing training, designating points of contact to answer questions, providing specific technical guidance, and making tools and documentation available.

Organizations should establish standard log management operational processes.

The major log management operational processes typically include configuring log sources, performing log analysis, initiating responses to identified events, and managing long-term storage. Administrators have other responsibilities as well, such as the following:

- Monitoring the logging status of all log sources
- Monitoring log rotation and archival processes
- Checking for upgrades and patches to logging software, and acquiring, testing, and deploying them
- Ensuring that each logging host's clock is synched to a common time source
- Reconfiguring logging as needed based on policy changes, technology changes, and other factors
- Documenting and reporting anomalies in log settings, configurations, and processes
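The challenge of inconsistent formats and timestamps among sources, and the clock-synchronization duty in the list above, are illustrated by this added example (written for this page, not code from NIST SP 800-92): three constructed log lines of different shapes are parsed and every timestamp is converted to UTC so the entries can be merged in true chronological order. The syslog host's time zone and the log year are assumed to be metadata the collector knows, since BSD syslog lines carry neither.

```python
# Added example, not from NIST SP 800-92: normalize timestamps from three
# differently formatted log sources into UTC so entries can be correlated.
import re
from datetime import datetime, timezone, timedelta

# Constructed sample lines (all addresses and values are made up):
# BSD syslog (no year, no zone), Apache-style access log (zone offset
# present), and a firewall export keyed by a Unix epoch.
SAMPLE_LINES = [
    ("syslog", "Sep 14 03:12:07 host1 sshd[2114]: Failed password for alice from 192.0.2.10 port 4411 ssh2"),
    ("apache", '192.0.2.10 - - [14/Sep/2006:04:12:09 +0100] "GET /login HTTP/1.1" 401 512'),
    ("fw", "1158203530 DROP TCP 192.0.2.10 203.0.113.5 4412 22"),
]

# Assumed collector-side metadata for the syslog host (hypothetical values):
# it logs local time in UTC-4 and the file covers 2006.
SYSLOG_ZONE = timezone(timedelta(hours=-4))
SYSLOG_YEAR = 2006

SYSLOG_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
FW_RE = re.compile(r"^(\d{9,10}) (\w+) (\w+) (\S+) (\S+) (\d+) (\d+)$")

def normalize(source, line):
    """Return (utc_iso_timestamp, source, message), or None if the line does not parse."""
    if source == "syslog":
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        ts = ts.replace(tzinfo=SYSLOG_ZONE)          # attach the host's known zone
        msg = f"{m.group(2)} {m.group(3)}: {m.group(4)}"
    elif source == "apache":
        m = APACHE_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")  # offset is in the line
        msg = f"{m.group(1)} {m.group(3)} status={m.group(4)}"
    elif source == "fw":
        m = FW_RE.match(line)
        if not m:
            return None
        ts = datetime.fromtimestamp(int(m.group(1)), tz=timezone.utc)  # epoch is already UTC
        msg = f"{m.group(2)} {m.group(3)} {m.group(4)}->{m.group(5)}:{m.group(7)}"
    else:
        return None
    return (ts.astimezone(timezone.utc).isoformat(), source, msg)

def merged_timeline(lines):
    """Parse every (source, line) pair and return the events in true UTC order."""
    events = [e for e in (normalize(s, l) for s, l in lines) if e]
    return sorted(events)   # all timestamps are UTC ISO strings, so lexical order is chronological
```

Sorting the raw wall-clock strings would place the syslog entry (03:12 local) before the web request (04:12 +0100), but after normalization the web and firewall events at 03:12 UTC precede the syslog event at 07:12 UTC, which is why the guide stresses synchronized clocks and consistent timestamps.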
