A good Defense in Depth security strategy leverages a series of protective and defensive security controls to ensure that there are redundant and complementary security services in place to help reduce the risk of a security incident. It subscribes to the idea that security is continuously evolving, and the best solution to an evolving landscape is a layered approach to security. It's with this mindset that a security control like logging becomes so important.
Defense in depth security strategies often employ a combination of technologies that fit into three security domains:
Log management fits into the detection domain. It is critical to understanding what is happening in the environment and to facilitating corrective measures. Depending on how it is configured, it can also add value to an organization's preventive controls. Regardless of the number of preventive controls deployed, an organization must always assume it is one bad decision or misconfiguration away from a compromise. Employing a log management program as part of your security strategy gives you the resource you don't realize you need, until you do.
Effective log management programs provide insight and visibility, expedite incident response and reporting, and help restore organizational health after a compromise. We don't have to look far to identify global events where a massive breach occurred and the lack of a log management program contributed greatly to the impact of the compromise.
In September 2017 Equifax disclosed a mega-breach of its systems, carried out through exploitation of a web application, which leaked personal records (names, dates of birth, credit card numbers, Social Security numbers, driver's license numbers, home addresses, etc.) of over 145 million US residents and 400k Brits.
Attackers were able to compromise Equifax by exploiting a publicly disclosed vulnerability in the Apache Struts framework. Although Equifax had been notified by the U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT), its inventory of current assets failed to tell the responsible teams that specific systems were using the Struts framework. This failure in detection occurred both in the asset inventory and in the real-time scans that were specifically looking for the vulnerability. Attackers were then able to mask their activity on the network for 76 days because of expired digital certificates.
A critical digital certificate used by the Network Intrusion Detection System (NIDS) had expired 10 months earlier. As a result, the attackers could query internal database systems and extract data undetected. The minute the certificate was reissued the attackers were detected and the company initiated its incident response protocols.
This scenario highlights the importance of detection measures and how they fit into an organization's Defense in Depth paradigm. It is a great example of the value of detection measures like log aggregation, incident detection, and log retention. While multiple failures contributed to this hack, one important failure was the absence of an effective SIEM / log management program that would have helped identify that there was a problem and given the security team the information they needed to rectify it sooner. A SIEM / log management program would not have prevented this hack, but it would have played an important role in minimizing its impact on the organization and the affected consumers.
A more comprehensive report on the Equifax incident can be found in the report prepared by the US Government Accountability Office.
Most systems, whether they are IoT devices, servers, notebooks or desktops, provide logging functionality. This logging helps track what is happening, debug potential issues, and create an inventory of activity (often in chronological order). In addition to the default logs provided by your systems and applications, as an organization you have the ability to create additional, more detailed logs to capture richer information if you require it.
The challenge we face with logging isn’t that logs don’t exist, but rather the robust nature of today’s organizational environments and the scale of activity happening at any given time across the organization. Having logs and actively using them to monitor the state of your environment are two fundamentally different concepts. “Without the active monitoring and analysis of security logs, the erosion of information security defenses by capable adversaries will likely go undetected and will eventually result in the compromise of the very assets that require protection.” (PCI Security Standards Council, 2016).
All commerce organizations, whether they do business online or in traditional brick-and-mortar stores, have a responsibility to comply with the guidelines set forth by the Payment Card Industry Data Security Standard (PCI DSS).
If your organization requires regulatory compliance or collects sensitive data, you must deploy log management across your environment as part of your overall security strategy.
Similar to security, when designing a log management strategy it's important to take a holistic approach. To help, here are several considerations designed to help you think beyond the tactics of deploying log management technologies and focus on the outcomes you're hoping to achieve with a log management program:

| Consideration | Questions to answer |
|---|---|
| What is driving the need for log management at your company? | Is the logging requirement being driven by a business objective? By an industry regulation (e.g., PCI)? |
| Identify the systems and applications that fall into the scope of monitoring efforts | Understanding scope is critical to an effective deployment. What systems are included in the scope? What applications? Understanding the driver is extremely helpful in determining scope (i.e., a SOX-driven scope might be different from a PCI-driven one). |
| Determine log monitoring retention and security requirements | Many regulations require retention of reasonable amounts of data for reasonable amounts of time, leaving interpretation up to security officers and auditors. |
| Determine what types of events and transactions require monitoring | Logs by their nature are extremely noisy. What logs actually matter? What logs will help identify and remediate issues? |
| Define review and response requirements for detection and prevention | Logs that get monitored should have an appropriate monitoring and response protocol. The protocol should clearly articulate the process from detection to response. For example, events deemed critical to a system should have a corresponding response protocol. |
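As an added illustration (example code written for this page, not from the original article or any product it mentions), the following Python script puts the considerations above into working form: it parses constructed syslog-style lines, keeps only what its retention policy allows, classifies the events that matter, escalates a burst of failed logins, maps each finding to a response action, and, echoing the expired-certificate blind spot in the Equifax case, treats a sensor that has gone quiet as a finding in its own right. Every log line, hostname, address, threshold, retention period and response action below is an assumption made up for the example.

```python
"""Minimal log-monitoring loop: parse, retain, classify, detect, respond.

All sample data, rules and thresholds here are constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log lines: "<ISO timestamp> <source host> <message>".
SAMPLE_LOGS = """\
2024-05-01T10:00:01Z web-01 sshd: Failed password for root from 203.0.113.7 port 51122
2024-05-01T10:00:03Z web-01 sshd: Failed password for root from 203.0.113.7 port 51124
2024-05-01T10:00:05Z web-01 sshd: Failed password for root from 203.0.113.7 port 51130
2024-05-01T10:00:06Z web-01 sshd: Failed password for root from 203.0.113.7 port 51131
2024-05-01T10:00:08Z web-01 sshd: Failed password for root from 203.0.113.7 port 51133
2024-05-01T10:01:00Z db-01 postgres: connection authorized: user=app database=orders
2024-05-01T10:02:00Z nids-01 suricata: heartbeat ok
2024-05-01T11:30:00Z web-01 nginx: GET /health 200
2024-05-02T08:30:00Z db-01 postgres: connection authorized: user=app database=orders
2024-05-02T09:00:00Z web-01 sudo: alice : TTY=pts/0 ; COMMAND=/bin/cat /etc/shadow
2024-01-15T08:00:00Z web-01 nginx: GET /health 200
"""
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)          # assumed "current time"
EXPECTED_SOURCES = {"web-01", "db-01", "nids-01"}               # in-scope sources (consideration 2)

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<source>\S+)\s+(?P<msg>.*)$")
SSH_FAIL_RE = re.compile(r"sshd: Failed password for (?P<user>\S+) from (?P<ip>\S+)")

# Which events matter (consideration 4): rule name, pattern, base severity.
EVENT_RULES = [
    ("ssh_auth_failure", SSH_FAIL_RE, "warning"),
    ("privileged_command", re.compile(r"sudo: (?P<user>\S+) .*COMMAND="), "high"),
    ("db_connection", re.compile(r"postgres: connection authorized"), "info"),
]
# Retention per severity in days (consideration 3).
RETENTION_DAYS = {"critical": 365, "high": 365, "warning": 90, "info": 30}
# Detection-to-response mapping (consideration 5).
RESPONSE_PROTOCOL = {
    "critical": "page the on-call analyst and open an incident",
    "high": "ticket to the security team, review within 1 hour",
    "warning": "include in the daily triage review",
    "info": "retain for audit, no review required",
}

@dataclass
class Event:
    ts: datetime
    source: str
    msg: str

@dataclass
class Finding:
    kind: str
    severity: str
    source: str
    detail: str
    response: str

def parse_logs(raw: str) -> list:
    """Parse raw lines into Events; malformed lines are skipped rather than fatal."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append(Event(ts, m["source"], m["msg"]))
    return events

def classify(event: Event) -> tuple:
    """Return (rule name, severity); anything unmatched is kept as 'info'."""
    for name, pattern, severity in EVENT_RULES:
        if pattern.search(event.msg):
            return name, severity
    return "unmatched", "info"

def apply_retention(events: list, now: datetime) -> list:
    """Keep only events still inside the retention window for their severity."""
    return [ev for ev in events
            if now - ev.ts <= timedelta(days=RETENTION_DAYS[classify(ev)[1]])]

def detect_auth_bruteforce(events: list, threshold=5, window=timedelta(minutes=5)) -> list:
    """Escalate single 'warning' failures to 'critical' when one IP hits one host
    at least `threshold` times inside `window` (sorted sliding window)."""
    by_key = defaultdict(list)
    for ev in events:
        m = SSH_FAIL_RE.search(ev.msg)
        if m:
            by_key[(ev.source, m["ip"])].append(ev.ts)
    findings = []
    for (source, ip), times in by_key.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                findings.append(Finding("ssh_bruteforce", "critical", source,
                                        f"{threshold}+ failed logins from {ip} within {window}",
                                        RESPONSE_PROTOCOL["critical"]))
                break
    return findings

def detect_silent_sources(events: list, expected: set, now: datetime,
                          max_gap=timedelta(hours=12)) -> list:
    """A source that stops reporting is itself a finding: a blind sensor hides
    everything behind it, as the expired NIDS certificate did at Equifax."""
    last_seen = {}
    for ev in events:
        if ev.source not in last_seen or ev.ts > last_seen[ev.source]:
            last_seen[ev.source] = ev.ts
    findings = []
    for source in sorted(expected):
        seen = last_seen.get(source)
        if seen is None or now - seen > max_gap:
            detail = "never reported" if seen is None else f"last event {now - seen} ago"
            findings.append(Finding("silent_source", "high", source, detail, RESPONSE_PROTOCOL["high"]))
    return findings

def run_monitor(raw: str, expected: set, now: datetime) -> list:
    """Full pass: parse, retain, flag high/critical single events, then run the detectors."""
    events = apply_retention(parse_logs(raw), now)
    findings = [Finding(name, sev, ev.source, ev.msg, RESPONSE_PROTOCOL[sev])
                for ev in events for name, sev in [classify(ev)] if sev in ("high", "critical")]
    findings += detect_auth_bruteforce(events)
    findings += detect_silent_sources(events, expected, now)
    return findings

if __name__ == "__main__":
    for f in run_monitor(SAMPLE_LOGS, EXPECTED_SOURCES, NOW):
        print(f"[{f.severity}] {f.kind} on {f.source}: {f.detail} -> {f.response}")
```

Run against the constructed data, the monitor drops the January line as past its 30-day "info" retention, raises the five failed logins from one address to a critical brute-force finding, flags the sudo read of /etc/shadow as high, and reports nids-01 as silent because its last heartbeat is more than 12 hours old. Each finding carries the response action the protocol assigns to its severity, which is the detection-to-response link the last consideration asks for.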
Like other strategies, your log management strategy is not set in stone; it should be revisited at some set frequency and updated to reflect your organization's changing needs. Once a strategy is in place, your organization can dive into the more complex domains of log management, like log analysis, where you make your logs work for you rather than treating them as something referenced as an afterthought.