Log and Compliance

By: Kerna  05/12/2011
Keywords: security, firewalls, Risk Reduction

Compliance requires auditable reduction in operational risk

Operational risk reduction is a requirement of laws covering internal accounting controls, information security standards, best-practice corporate governance codes and banking accords on capital adequacy, such as Sarbanes-Oxley (SOX), ISO 17799, the London Stock Exchange Combined Code and Basel II. Achieving compliance requires tighter control of sensitive information and the inclusion of IT security processes and logs within the scope of audits. Financial institutions are required to:

  • Make a risk-based evaluation of what security event data to log
  • Establish the mandated log retention timeframes
  • Establish policies for secure handling and analysis of log files
For example, both Basel II and SOX require records to be retained for up to 7 years.

Technical Challenge

A large organisation typically has a heterogeneous mix of technologies and devices from different vendors. In response to new business requirements and a constantly changing threat environment, new devices are added regularly, each of which can generate new types of log information.

A large network continuously generates high volumes of log data from high performance security products such as firewalls and identity management systems. Comprehensive monitoring of all event logs is a daily task for operational IT managers. Correctly interpreted, event logs enable unusual events and threats to be identified and remedial action taken. This is a time-consuming task that requires well-trained and highly skilled staff.

The wide range of log formats from different vendors greatly complicates log review. Even for the same device type, the data recorded by different vendors is typically different: Cisco PIX and Check Point firewalls record different fields, and an iptables-based firewall can log more packet-header detail than a PIX firewall.

Most network vendors provide their own management tools, so it can be difficult to obtain a correlated, comprehensive and real-time picture of the extent and nature of unusual network activity. With a separate interface per vendor, log review becomes a sequential task: each console is checked in turn. This lengthens the time taken to respond to a network attack, leaves network managers reacting to events rather than anticipating them, and exposes the organisation to unnecessary risk.
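As an added example (not code from the original article or from Kerna), the following Python script shows what the two preceding paragraphs imply for a consolidation tool: three constructed log lines, one each in iptables kernel-log, Cisco PIX syslog (message 106023) and a Check Point-style key=value export format, are mapped into one common schema and then correlated to find a source address that was blocked on more than one device. The sample lines, host names and addresses are constructed; the Check Point line is modelled on that product's semicolon-separated key=value export rather than copied from a real device; and the common schema and the `normalise` and `correlate` functions are the example's own, not any vendor's API.

```python
import re
from collections import defaultdict

# Constructed sample lines, not captured from real devices. Addresses are
# taken from the RFC 5737 documentation ranges.
SAMPLE_LINES = [
    "Jan 12 10:00:01 fw1 kernel: DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 "
    "SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP "
    "SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    "Jan 12 10:00:02 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/51235 "
    'dst inside:192.0.2.11/22 by access-group "outside_in"',
    "Jan 12 10:00:03 cp1 action=drop; orig=10.0.0.1; src=203.0.113.7; dst=192.0.2.12; "
    "proto=tcp; service=22; s_port=51236; rule=7;",
    "Jan 12 10:00:04 fw1 kernel: ACCEPT: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 "
    "LEN=52 TOS=0x00 PREC=0x00 TTL=60 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0",
]

# Classic BSD syslog header: "Mon DD HH:MM:SS host message"
SYSLOG_HEADER = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$"
)
# netfilter: "kernel: [optional uptime] [optional --log-prefix] IN=... OUT=... SRC=... DST=..."
IPTABLES = re.compile(
    r"^kernel: (?:\[[ \d.]+\] )?(?:(?P<prefix>[A-Za-z_-]+):? )?(?P<body>IN=.*)$"
)
# Cisco PIX/ASA message 106023: Deny <proto> src <if>:<ip>/<port> dst <if>:<ip>/<port> by access-group ...
PIX_106023 = re.compile(
    r"%(?:PIX|ASA)-\d-106023: (?P<action>Deny) (?P<proto>\w+) "
    r"src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<spt>\d+) dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dpt>\d+)"
)
# Check Point-style export: "key=value; key=value; ..." (field names are an assumption)
CP_KV = re.compile(r"([\w/]+)=([^;]*);")

DENIED = {"drop", "deny", "reject"}


def normalise(line):
    """Map one raw line to the common schema, or return None for an unknown format.
    The raw line is kept verbatim so nothing the vendor logged is lost."""
    m = SYSLOG_HEADER.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "host": m.group("host"), "raw": line}
    msg = m.group("msg")

    ipt = IPTABLES.match(msg)
    if ipt:
        # tokens without "=" (DF, SYN, ...) are flags and are left in the raw line only
        kv = dict(tok.split("=", 1) for tok in ipt.group("body").split() if "=" in tok)
        ev.update(vendor="iptables", action=(ipt.group("prefix") or "log").lower(),
                  proto=kv.get("PROTO", "").lower(), src=kv.get("SRC"), spt=kv.get("SPT"),
                  dst=kv.get("DST"), dpt=kv.get("DPT"))
        return ev

    pix = PIX_106023.search(msg)
    if pix:
        ev.update(vendor="pix", action=pix.group("action").lower(), proto=pix.group("proto").lower(),
                  src=pix.group("src"), spt=pix.group("spt"), dst=pix.group("dst"), dpt=pix.group("dpt"))
        return ev

    kv = dict(CP_KV.findall(msg))
    if "action" in kv and "src" in kv:
        ev.update(vendor="checkpoint", action=kv["action"].lower(), proto=kv.get("proto", "").lower(),
                  src=kv["src"], spt=kv.get("s_port"), dst=kv.get("dst"), dpt=kv.get("service"))
        return ev
    return None


def correlate(events, min_devices=2):
    """Sources that were blocked on at least `min_devices` distinct devices.
    Reviewing each vendor's own console in turn would never show this picture."""
    by_src = defaultdict(set)
    for ev in events:
        if ev and ev["action"] in DENIED:
            by_src[ev["src"]].add(ev["host"])
    return {src: sorted(hosts) for src, hosts in by_src.items() if len(hosts) >= min_devices}


def run(lines=SAMPLE_LINES):
    events = [normalise(line) for line in lines]
    return events, correlate(events)


if __name__ == "__main__":
    events, hits = run()
    for ev in events:
        print(ev["vendor"], ev["action"], ev["src"], "->", ev["dst"], ev["dpt"])
    print("blocked on more than one device:", hits)
```

Normalisation is lossy by design: the TTL and TCP flags in the iptables line and the interface names in the PIX message have no place in the common schema, which is why each event keeps the raw line alongside the extracted fields.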

Log Consolidation reduces compliance risk

Log consolidation, which automates and centralises event collection and secure storage, is the only practical approach to the regulatory and legal requirement to retain logs for many years. Such a system needs to be scalable and fast, with fine-grained search, to cope with the three fundamental problems of log management on large networks: the sheer volume of data, the high rate at which it arrives, and the lack of consistent log formatting.

Event logs should be collected securely from identified remote network resources as close to real time as possible, then correlated and displayed on a central monitoring station to give a coherent, informed overview of network events and the full extent of a problem. The better log consolidation systems also provide extensive auditing and reporting capabilities.

To be useful in a legal dispute, log data needs to be securely transported, time-stamped on receipt and stored in its original format; a normalised copy built for searching is a derivative and does not replace the raw record. General-purpose relational databases are a poor fit for this task: they are complicated and expensive to maintain, and too slow to search terabytes of data quickly for forensic analysis.
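The following Python class is an added illustration (not part of the original article or of any Kerna product) of the storage properties just listed: each record keeps the raw line verbatim, records the time the collector received it, and chains a SHA-256 digest to the previous record, so a later edit, deletion or reordering is detected by `verify`. The sample lines and timestamps are constructed, and the class, its field names and the `tamper_demo` helper are the example's own.

```python
import hashlib
import json
import time

GENESIS = "0" * 64  # previous-hash value for the first record


class EvidenceLog:
    """Append-only store: raw line kept verbatim, receipt time recorded,
    each record's SHA-256 covers the previous record's hash."""

    FIELDS = ("seq", "received_at", "source", "raw", "prev")

    def __init__(self):
        self.records = []

    @classmethod
    def _digest(cls, rec):
        # canonical JSON so the digest does not depend on dict ordering
        body = json.dumps({k: rec[k] for k in cls.FIELDS}, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(body.encode("utf-8")).hexdigest()

    def append(self, source, raw_line, received_at=None):
        """Store one line exactly as received; returns the new record's hash."""
        rec = {
            "seq": len(self.records),
            "received_at": time.time() if received_at is None else received_at,
            "source": source,
            "raw": raw_line,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        rec["hash"] = self._digest(rec)
        self.records.append(rec)
        return rec["hash"]

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, first bad seq)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec["seq"] != i or rec["prev"] != prev or self._digest(rec) != rec["hash"]:
                return False, i
            prev = rec["hash"]
        return True, None


# Constructed sample lines (not from real devices); RFC 5737 documentation addresses.
SAMPLE = [
    ("fw1", "Jan 12 10:00:01 fw1 kernel: DROP: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22"),
    ("pix1", 'Jan 12 10:00:02 pix1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/51235 dst inside:192.0.2.11/22 by access-group "outside_in"'),
    ("cp1", "Jan 12 10:00:03 cp1 action=drop; src=203.0.113.7; dst=192.0.2.12; proto=tcp; service=22;"),
]


def build_log(entries=SAMPLE, base_time=1326362401.0):
    """Fixed receipt times so the run is reproducible (constructed values)."""
    log = EvidenceLog()
    for i, (source, raw) in enumerate(entries):
        log.append(source, raw, received_at=base_time + i)
    return log


def tamper_demo():
    """Edit one stored record after the fact and show that verify() catches it."""
    log = build_log()
    ok_before, _ = log.verify()
    log.records[1]["raw"] = log.records[1]["raw"].replace("Deny", "Permit")
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print("intact chain:", build_log().verify())
    print("after tampering (ok_before, ok_after, first bad seq):", tamper_demo())
```

A hash chain on the same host only proves internal consistency: an intruder with write access could rewrite every record and recompute the chain. The latest digest therefore needs an external anchor (a signed daily checkpoint, or a copy on write-once media), and `received_at` should come from an NTP-synchronised collector clock rather than from the device's own syslog timestamp, which the sender controls.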

Normal practical considerations apply regarding ease of use and minimising the cost of implementation and maintenance. Ideally the management console should have a web front end. To minimise total cost of ownership, avoid the need to install and maintain agents on each network device, for example by collecting over the syslog the devices already emit.

Although a log consolidation solution will usually support a large number of vendor device types, it is not always possible to extract log information easily, especially from bespoke applications. There therefore needs to be an API for building extensions.
