Log Management and Compliance

From Socology.org - The Study of Security Operations
Revision as of 08:39, 3 November 2018 by Chrismaulding (Talk | contribs)

Jump to: navigation, search

This section is under development

Objective

To discuss log management and compliance in relation to industry-specific compliance regulations. Regulations discussed will be PCI, SOX, HIPAA, etc.

Process

Below are general guidelines for getting the logs necessary to meet your compliance needs. These are just guidelines and may need to be modified based on your business needs. 

 1. Identify what logs are needed based on compliance regulations.

 2. Configure devices with the necessary information to send logs to a SIEM or other logging mechanism.

 3. Verify logs are being received by the SIEM or log management server. 

 4. Use business cases to generate alerts when necessary.

 5. Review the logs after network maintenance and upgrades.

Tooling

There are many tools both paid and open source that can be used to collect and store the logs necessary to meet compliance needs. Here we will focus on the open source tools and be as vendor neutral as possible. 

 Elastic Stack(ELK Stack): This is a group of tools that can be used to store, search and visualize the logs and data that you are collecting

 OSSIM: The open source version of Alienvault. This tool can collect and normalize the logs you are sending to it. This can also be configured to do Intrusion Detection(IDS) and integrates with the Open Threat Exchange(OTX) which 
        is community-based threat feeds. 

 Security Onion: This is a security distribution that is based on Ubuntu. This has many tools that can be configured to store, log, alert and visualize the data being sent to it. 

 OSSEC: This is an agent-based service that can collect windows event logs and Linux event logs.

This is not an exhaustive list by any means there are always new tools coming out, and being used. Keep in mind that one tool may not meet all of your requirements. In many environments, more than one of these tools will be required to meet your specific needs.

Ticketing

Tickets or documentation of incidents is required by all regulations. There are even some specific reporting requirements that we will get to in another section. Ticketing is mainly used by a SOC or internal security person to track their investigations and keep all documentation in a central location. As to keep with the open source theme we will steer clear of paid products. 

 TheHive: This is the most SOC or security specific platform. This open source incident response system allows teams to collaborate on tickets and track actions taken during an investigation. This system allows the analyst to 
          integrate with MISP (Malware Information Sharing Platform). This tool has other pieces that can be integrated to enrich the information available. More specific information about this tool can be found on their site. 
          https://thehive-project.org/

There are many more ticketing systems that can be used to track incidents and investigations. A quick google search will turn up quite a few. This as with other open source tools with need to fit what you are looking to do and achieve based on your business goals and requirements.

Reporting

Staffing

Budgeting

Communications

Documentation

Lessons Learned | Pain Points

Citations

Network Managment Division of Ipswitch Inc. https://www.ipswitch.com/Ipswitch/media/Ipswitch/Documents/Resources/Whitepapers%20and%20eBooks/ELM_Security_WP.pdf?ext=.pdf

Daniel Berman logz.io https://logz.io/blog/open-source-siem-tools/

The Hive Project https://thehive-project.org/

Open Source Ticketing - Predictive Analytics https://www.predictiveanalyticstoday.com/top-free-open-source-helpdesk-software/

Retrieved from "https://socology.org/wiki/index.php?title=Log_Management_and_Compliance&oldid=355"