Log Management and Compliance

From Socology.org - The Study of Security Operations
Revision as of 08:54, 3 November 2018 by Chrismaulding (Talk | contribs)

Jump to: navigation, search

This section is under development

Objective

To discuss log management and compliance in relation to industry-specific compliance regulations. Regulations discussed will be PCI, SOX, HIPAA, etc.

Process

Below are general guidelines for getting the logs necessary to meet your compliance needs. These are just guidelines and may need to be modified based on your business needs.

 1. Identify what logs are needed based on compliance regulations.
 2. Configure devices with the necessary information to send logs to a SIEM or other logging mechanism.
 3. Verify logs are being received by the SIEM or log management server. 
 4. Use business cases to generate alerts when necessary.
 5. Review the logs after network maintenance and upgrades.

Tooling

There are many tools both paid and open source that can be used to collect and store the logs necessary to meet compliance needs. Here we will focus on the open source tools and be as vendor neutral as possible.

 Elastic Stack(ELK Stack): This is a group of tools that can be used to store, search and visualize the logs and data that you are collecting
 OSSIM: The open source version of Alienvault. This tool can collect and normalize the logs you are sending to it. This can also be configured to do Intrusion Detection(IDS) and integrates with the Open Threat Exchange(OTX) which 
        is community-based threat feeds. 
 Security Onion: This is a security distribution that is based on Ubuntu. This has many tools that can be configured to store, log, alert and visualize the data being sent to it. 
 OSSEC: This is an agent-based service that can collect windows event logs and Linux event logs. 

This is not an exhaustive list by any means there are always new tools coming out, and being used. Keep in mind that one tool may not meet all of your requirements. In many environments, more than one of these tools will be required to meet your specific needs.

Ticketing

Tickets or documentation of incidents is required by all regulations. There are even some specific reporting requirements that we will get to in another section. Ticketing is mainly used by a SOC or internal security person to track their investigations and keep all documentation in a central location. As to keep with the open source theme we will steer clear of paid products.

 TheHive: This is the most SOC or security specific platform. This open source incident response system allows teams to collaborate on tickets and track actions taken during an investigation. This system allows the analyst to 
          integrate with MISP (Malware Information Sharing Platform). This tool has other pieces that can be integrated to enrich the information available. More specific information about this tool can be found on their site. 
          https://thehive-project.org/

There are many more ticketing systems that can be used to track incidents and investigations. A quick google search will turn up quite a few. This as with other open source tools with need to fit what you are looking to do and achieve based on your business goals and requirements.

Reporting

Reporting can mean a couple of different things in security. It can mean reporting of an incident or it can mean reporting for an auditor. The requirements for both may differ based on the regulations that affect your organization.

Common Report types:

 Access Report - This is a report that can track the access to systems. i.e Successful or failed Windows logons, or SSH authentications. 
 
 Account Lockouts - This report will show all accounts that were locked out in a specified time frame. 

 Asset Reports - These reports will be specific to the regulation and may only require a subset of assets. 
 Password Changes - A report that tracks when users passwords are changed. 
  
 Firewall Changes - Tracks changes that have been made in the firewall. 
 Malware Events - A report to track malware detections by Anti-Virus, or Anti-Malware systems. 
 Active Directory Changes - Tracks all users added removed along with group changes in the environment. 
 Vulnerability reports - A report that tracks vulnerability in the environment. 

This again is not an exhaustive list but something that you can build upon and baseline based on your business requirements.

Staffing

Budgeting

Communications

Documentation

Lessons Learned | Pain Points

Citations

Network Managment Division of Ipswitch Inc. https://www.ipswitch.com/Ipswitch/media/Ipswitch/Documents/Resources/Whitepapers%20and%20eBooks/ELM_Security_WP.pdf?ext=.pdf

Daniel Berman logz.io https://logz.io/blog/open-source-siem-tools/

The Hive Project https://thehive-project.org/

Open Source Ticketing - Predictive Analytics https://www.predictiveanalyticstoday.com/top-free-open-source-helpdesk-software/