Logs and forensics, a lesson in compliance and more

How logs support data forensics investigations

Novak and his team have been involved in hundreds of investigations employing data forensics.  He says log data is a vital resource in discovering the existence, extent and source of any security breach.  “Computer logs are central and pivotal components to any forensic investigation,” according to Novak.  “They are a ‘fingerprint’ that provides a record of computer and system activities that may demonstrate a data leak or security breach.”  The incriminating activities might include failed login attempts, user and system access, file uploads/downloads, database access or manipulation, access privilege modification, application system transactions, transmission of email messages or attachments, and many other common activities.

In many cases, when logs are set up and configured properly, they can tell the story of the tactics a hacker used during a breach.  They can give insight as to how advanced (or not) the hacker is, and provide an understanding of the extent of a breach by showing how long a hacker was inside the confines of the firewall.  “You can see if the unauthorized person has been in your system for five minutes or five months,” explains Novak.

Given the security insight that logs can provide, it’s no surprise that data protection regulations such as the Payment Card Industry Data Security Standard (PCI DSS), the Federal Rules of Civil Procedure (FRCP), the Sarbanes-Oxley Act (SOX), and the Health Insurance Portability and Accountability Act (HIPAA) all mandate logs and log management.  The information captured by logs can be used to help protect sensitive data and to support incident response and forensic analysis in the event of a suspected data breach.

Often it’s these regulations that are driving organizations to become better at log management and event correlation.  In Novak’s experience, however, many organizations do need to improve in their log monitoring and management practices.  “It’s not uncommon to find that companies collect the logs but don’t review them as closely as they should,” says Novak.  “The monitoring of logs in many instances is hampered due to the extensive amounts of good data being captured and the lack of means to properly manage or analyze that data.  As a result, if there is a breach or questionable activity, it may take weeks or months to actually detect it – if it’s detected at all.”  Novak says the lack of logs or log management can increase the cost and length of an investigation substantially.

The dimension of data correlation is critically important in the support of a forensic investigation.  Correlating data from multiple sources provides the means to substantiate other evidence sources, and logs are a good way to do that.  “We use logs to corroborate what is seen in a forensic image or, vice versa, what we see in a forensic image to what we see in logs,” says Novak.

In investigations, it’s common to play logs off one another so that each validates the others.  For example, suppose an environment has firewall, intrusion detection system (IDS), system and application logs.  If they are properly configured, an investigator can go through all the logs and “show” that a hacker got into the network or application at a specific time.  If the logs aren’t all in agreement about the illicit activity, this could be an indication the hacker manipulated one or more of the logs to make it difficult to follow his actions.  By correlating the log data, it’s possible to detect this manipulation.
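The cross-check described above can be sketched in a few lines. This is an added example, not code from the article or from any product it mentions: the log lines, their formats, the three source names and the 30-second matching window are all constructed assumptions. It normalizes each source's timestamps to UTC, groups records by source address, and reports which logs have no record of an access that the others saw.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not from a real incident). Each source keeps
# its own timestamp format: epoch seconds, ISO 8601, local time with offset.
FIREWALL = ["1239012305 ALLOW 203.0.113.7 -> 10.0.0.5:22",
            "1239015900 ALLOW 203.0.113.7 -> 10.0.0.5:22"]
IDS = ["2009-04-06T10:05:07+00:00 alert ssh-login src=203.0.113.7",
       "2009-04-06T11:05:02+00:00 alert ssh-login src=203.0.113.7"]
SYSTEM = ["2009-04-06 06:05:09 -0400 sshd accepted password from 203.0.113.7"]

def parse_firewall(line):
    fields = line.split()
    return datetime.fromtimestamp(int(fields[0]), tz=timezone.utc), fields[2]

def parse_ids(line):
    fields = line.split()
    when = datetime.fromisoformat(fields[0]).astimezone(timezone.utc)
    return when, fields[-1].split("=", 1)[1]

def parse_system(line):
    fields = line.split()
    when = datetime.strptime(" ".join(fields[:3]), "%Y-%m-%d %H:%M:%S %z")
    return when.astimezone(timezone.utc), fields[-1]

# Hypothetical source names; every source listed here is expected to see each access.
SOURCES = {"firewall": (FIREWALL, parse_firewall),
           "ids": (IDS, parse_ids),
           "system": (SYSTEM, parse_system)}

def normalize(sources=SOURCES):
    """Return (source_ip, utc_time, log_name) tuples sorted by IP, then time."""
    events = []
    for name, (lines, parser) in sources.items():
        for line in lines:
            when, src = parser(line)
            events.append((src, when, name))
    return sorted(events)

def find_gaps(events, window=timedelta(seconds=30)):
    """Group records per source IP that lie within `window` of each other,
    then list the logs that have no record of each group."""
    groups = []
    for src, when, name in events:
        last = groups[-1] if groups else None
        if last and last["src"] == src and when - last["end"] <= window:
            last["end"] = when
            last["seen"].add(name)
        else:
            groups.append({"src": src, "start": when, "end": when, "seen": {name}})
    expected = set(SOURCES)
    return [(g["src"], g["start"].isoformat(), sorted(expected - g["seen"]))
            for g in groups if expected - g["seen"]]
```

A reported gap is a lead for the investigator, not proof of tampering: a source that was never configured to record the event produces the same result, which is why the time synchronization and documentation practices listed below matter.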

Log data should be viewed and treated like a primary evidence source.  Hopefully it will never be needed to investigate or validate a data breach or hacking incident.  In any event, here are some best practices that can help ensure that log data and log management practices properly support forensic investigations.

  • Have a clear corporate policy for managing logs across the entire organization.
  • Have centralized storage and retention of all logs, with everything in one place and in one format.
  • Ensure the time synchronization of logs to facilitate correlating the data and retrieving data over specific timeframes.
  • Ensure the separation of duties over logs and log management systems to protect from potential internal threats such as a super user or administrator turning off or modifying logs to conceal illicit activity.
  • Always maintain backup copies of logs.
  • Document what is being logged and why, and how the log data is captured, stored and analyzed.  Ensure that 100 percent of log-able devices and applications are captured and the data is unfiltered.
  • Have a defined retention policy that specifies the retention period across the organization for all log data.  Organizations should work with counsel to determine the best time frames and have log data incorporated into an overall data retention policy.
  • Have a defined procedure to follow after an incident.
  • Test the incident response plan, including the retrieval of backup log data from off-site storage.

If an incident or data breach is suspected, there are several steps to take right away:

  • Increase the logging capability to the maximum and consider adding a network sniffer to capture additional detail from network traffic.  In an incident, it’s better to have more data rather than less.
  • Freeze the rotation or destruction of existing logs to prevent the loss of potential evidence.
  • Get backup copies of the logs and make sure they are secure.
  • Deploy a qualified investigations team to determine the situation.

With the right care and feeding, data logs can provide solid forensic evidence in the event of a security breach or data loss.  Analyzing the logs may not make for an exciting TV drama, but it can be rewarding nonetheless.

Brian Musthaler, CISA, is a Principal Consultant with Essential Solutions Corp. A former audit and information systems manager, he directs the firm’s evaluations and analysis of enterprise applications, with a particular interest in security and compliance tools.

Industry News

Conficker worm arms itself to steal and spam
The Conficker/Downadup worm is on the move again. After a relatively uneventful April 1, on which the worm began widening the number of Web sites that it scanned for instructions, a new Conficker variant has emerged and appears to be preparing to spam and steal information.

A lesson in compliance from the chemical industry
Events occurring in the U.S. chemical-manufacturing industry, specifically those relating to security guidelines being enforced by the federal government, are likely foreshadowing what’s next in line for other industries.

In poor economy, more IT pros could turn to e-crime
In an annual security survey, sixty-six percent of respondents felt that out-of-work IT workers would be tempted to join the criminal underground, driven in part by threats to bonuses, job losses, and worthless stock options.
