Log Management and Compliance
This section is under development
Contents
Objective
To discuss log management and compliance in relation to industry-specific compliance regulations. Regulations discussed will be PCI, SOX, HIPAA, etc.
Process
Below are general guidelines for getting the logs necessary to meet your compliance needs. These are just guidelines and may need to be modified based on your business needs.
1. Identify what logs are needed based on compliance regulations.
2. Configure devices with the necessary information to send logs to a SIEM or other logging mechanism.
3. Verify logs are being received by the SIEM or log management server.
4. Use business cases to generate alerts when necessary.
5. Review the logs after network maintenance and upgrades.
Tooling
There are many tools both paid and open source that can be used to collect and store the logs necessary to meet compliance needs. Here we will focus on the open source tools and be as vendor neutral as possible.
Elastic Stack(ELK Stack): This is a group of tools that can be used to store, search and visualize the logs and data that you are collecting
OSSIM: The open source version of Alienvault. This tool can collect and normalize the logs you are sending to it. This can also be configured to do Intrusion Detection(IDS) and integrates with the Open Threat Exchange(OTX) which is community-based threat feeds.
Security Onion: This is a security distribution that is based on Ubuntu. This has many tools that can be configured to store, log, alert and visualize the data being sent to it.
OSSEC: This is an agent-based service that can collect windows event logs and Linux event logs.
This is not an exhaustive list by any means there are always new tools coming out, and being used. Keep in mind that one tool may not meet all of your requirements. In many environments, more than one of these tools will be required to meet your specific needs.
Ticketing
Reporting
Staffing
Budgeting
Communications
Documentation
Lessons Learned | Pain Points
Citations
Network Managment Division of Ipswitch Inc. https://www.ipswitch.com/Ipswitch/media/Ipswitch/Documents/Resources/Whitepapers%20and%20eBooks/ELM_Security_WP.pdf?ext=.pdf
Daniel Berman logz.io https://logz.io/blog/open-source-siem-tools/