Log Management Crucial to Effective Security
One of the best ways financial institutions have of protecting critical infrastructure is to monitor system logs, which contain a gold mine of information about the health of the network. Network devices such as servers, routers, firewalls, wireless access points, and antivirus systems all generate log data, which should be archived and monitored regularly for oversight of employee activity, as well as for preventing and detecting system outages and breaches.
When properly configured, logs record the day-to-day activity of system users, administrative changes made to critical production systems, and evidence produced by malicious activity. Logs provide a way to spot unusual activity from authorized users, as well as the ability to monitor unauthorized users and what they’re doing when they get in. With the right logging configuration, financial institutions can capture the history of a hacker's activity, from the establishment of unauthorized accounts to the installation of backdoors, enabling them to quickly isolate and repair affected systems after an intrusion.
At Citizens & Northern Bank, a $1.2 billion community bank headquartered in Pennsylvania, log management is a requirement for complying with information security regulations such as Gramm-Leach-Bliley and Sarbanes-Oxley. The auditors who review the bank’s systems interpret those laws to mean that it should be actively monitoring those logs. The task has been eased with the installation of log management software that provides an e-mail alert that shows who has been authenticated and how many times they’ve been authenticated. The log is printed out and provided to auditors to review.
Any deviations from the norm are quickly spotted and reported, giving administrators a chance to act before any damage is done. “As administrators responsible for various network devices and operating systems, we need to know what typical behavior is,” says Pete Boergermann, head of MIS at Citizens & Northern. “When we look at events, we are more apt to know what we are looking at and respond.”
The FFIEC has stated that “log files are critical to the successful investigation and prosecution of security incidents and can potentially contain sensitive information. Without real log management, organizations are out of compliance and at risk.”
Intruders will often attempt to conceal any unauthorized access by editing or deleting log files. Therefore, institutions should strictly control and monitor access to log files whether on the host or in a centralized logging facility.
Some considerations for securing the integrity of log files include encrypting log files that contain sensitive data or are transmitted over the network; ensuring adequate storage capacity to avoid gaps in data gathering; securing back-up and disposal of log files; logging the data to a separate, isolated computer; logging the data to write-only media like a write-once/read-many (WORM) disk or drive; and setting logging parameters to disallow any modification to previously written data.
When planning and implementing log collection and analysis, organizations often discover that they are not realizing the full promise of such a system. While collecting and storing logs is important, it’s only a means to an end – knowing what is going on and responding to it. Thus, once the technology is in place and logs are collected, there needs to be a process of ongoing monitoring and review.
Looking at logs proactively helps financial institutions better realize the value of their existing security infrastructure. Network intrusion detection systems often produce false alarms of various kinds (“false positives”, etc.), which decreases the reliability of their output and the ability to act on it. Comprehensive correlation of network intrusion logs with other records, such as firewall logs and server audit trails, gives companies new detection capabilities (such as real-time blocking and attack mitigation).
It’s also critical that logs be converted into a universal format which allows financial institutions to compare and correlate different log data sources. Lack of standard logging formats leads to financial institutions needing different expertise to analyze the logs. Not all skilled Unix administrators will be able to make sense out of an obscure Windows event log record (and vice versa).
Individuals commonly have experience with a limited number of commercial intrusion detection and firewall solutions and thus will be lost in the log pile spewed out by a different device type. As a result, a common format that can encompass all the possible messages from security-related devices is essential for analysis, correlation and ultimately for decision-making.