Security and networking technologists since 1995
   Specialists in Enterprise best practice
Logging
Kerna has an extensive list of product suppliers from whom we can source equipment and software as part of our solutions and managed services offerings.
These vendors have been carefully selected by us to ensure that they offer a full breadth of solutions based on the different criteria specified by the client. These factors typically include performance, resilience, scalability, cost as well as core functionality requirements.
Regulatory compliance drives change. Today it is forcing a change in the business processes and technologies used in IT-security. The previous focus on external threat prevention and fast incident response has moved to an emphasis on operational risk reduction and internal threat management.

It is essential to secure sensitive information over its full lifecycle, as some threats, particularly those related to internal fraud can be long-term activities. It is also important to be able to clearly articulate to auditors how this is done.

To enable auditors to go back several years to trace and to forensically examine security violations, compliance now requires security event logs from network nodes and key applications to be securely collected and stored for many years.

Compliance requires auditable reduction in operational risk

Operational risk reduction is a requirement of laws covering internal accounting controls, information security standards, best-practice corporate governance codes and banking accords on capital adequacy, such as the Sarbanes-Oxley Act (SOX), ISO 27001, the London Stock Exchange Combined Code and Basle II. Achieving compliance requires increased regulation of sensitive information and the inclusion of IT-security processes and logs within audits. Financial institutions are required to:

For example, both Basle II and SOX require log retention for up to 7 years.

Technical Challenge

A major organisation has evolved a heterogeneous mix of technologies and devices from different vendors. In response to new business requirements and the relentlessly changing threat environment, there is a regular addition of new devices that can generate new types of log information.

A large network continuously generates high volumes of log data from high performance security products such as firewalls and identity management systems. Comprehensive monitoring of all event logs is a daily task for operational IT managers. Correctly interpreted, event logs enable unusual events and threats to be identified and remedial action taken. This is a time-consuming task that requires well-trained and highly skilled staff.

The wide range of log formats from different vendors greatly complicates log review. For example, a recent Kerna customer needed to securely monitor the following logs: Windows 2003/NT network logs (Active Directory), LDAP, HP Unix, AIX, Oracle, Sybase, IBM ACF2 mainframe, Unisys mainframe, PIX and Checkpoint firewalls, Vasco and RSA remote access systems, Barracuda spam classifier/blocker, BlueCoat proxy for anti-virus/spyware scanning and Tumbleweed email security.

Even for the same device type, the data recorded by different vendors is typically different. For example, PIX and Checkpoint firewalls record different data types, and an iptables-based firewall can log more detail about packet headers than a PIX firewall.

Most network vendors provide their own management tools, which means it can be difficult to gain a correlated, comprehensive and real-time analysis of the extent and nature of unusual network activity. Different vendor management interfaces mean that log review is typically a sequential task. This increases the time taken to respond to a network attack and makes network managers reactive to events. This exposes the organisation to unnecessary risk.

Log Consolidation reduces compliance risk

Log consolidation, which automates and centralises event logging and secure storage, is the only practical approach to the regulatory and legal requirement to maintain logs for many years. Any such system needs to be scalable and high-performance, with fast, fine-grained search capabilities, to cope with the three fundamental problems of log management on large networks: the sheer amount of data, the high rate of incoming data and the lack of consistent log formatting.

Event logs should be collected securely from identified remote network resources as close to real time as possible. They should be correlated and displayed via a central monitoring station to give a coherent and informed overview of network events and the full extent of a problem. The better log consolidation systems provide extensive auditing and reporting capabilities.

To be useful in any legal dispute, log data needs to be securely transported, time-stamped and stored in original format. Relational databases are not suitable for this task, as they are too complicated and expensive to maintain and are too slow to quickly search up to terabytes of data for forensic analysis.

Normal practical considerations apply in terms of ensuring ease of use and minimising the cost of implementation and maintenance. Ideally, the management console should use a web front end. To minimise total cost of ownership, it is important to avoid the need to install and maintain agents on each network device.

Although a log consolidation solution will usually support a large number of vendor device types, it is not always possible to easily extract log information, especially for bespoke applications. Hence, there needs to be an API to enable the building of extensions.
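As an added illustration (not Kerna's code or that of any product mentioned here), the following Python sketch shows the properties described above on two constructed log lines in PIX and iptables style: each line is kept verbatim in its original format, time-stamped on receipt and hash-chained so that later alteration or deletion is detectable, while a small set of normalised fields lets one search run across both vendors. The two line formats, the regular expressions, the field names and the in-memory store are all assumptions made for the example.

```python
import hashlib
import json
import re

# Constructed sample lines in two vendor styles (not captured from real devices).
SAMPLE_LINES = [
    'Jan 12 10:15:02 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.5/4433 dst inside:192.0.2.10/22',
    "Jan 12 10:15:03 gw2 kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4434 DPT=22",
]
# Assumed patterns for the two styles; a real collector carries one per source type.
PIX_RE = re.compile(r"%PIX-\d-\d+: (\w+) (\w+) src \w+:([\d.]+)/(\d+) dst \w+:([\d.]+)/(\d+)")
IPT_RE = re.compile(r"SRC=([\d.]+) DST=([\d.]+) PROTO=(\w+) SPT=(\d+) DPT=(\d+)")

def normalise(raw):
    """Map a vendor line onto common fields; the raw text is always kept verbatim."""
    rec = {"raw": raw, "vendor": "unknown"}
    if m := PIX_RE.search(raw):
        rec.update(vendor="pix", action=m.group(1).lower(), proto=m.group(2).lower(),
                   src=m.group(3), sport=int(m.group(4)), dst=m.group(5), dport=int(m.group(6)))
    elif m := IPT_RE.search(raw):
        rec.update(vendor="iptables", proto=m.group(3).lower(), src=m.group(1),
                   dst=m.group(2), sport=int(m.group(4)), dport=int(m.group(5)))
    return rec

def _entry_hash(prev_hash, rec):
    # Canonical JSON of every field except the hash itself, bound to the previous link.
    body = json.dumps({k: v for k, v in rec.items() if k != "entry_hash"}, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

def append_record(store, raw, received_at):
    """Time-stamp on receipt and chain each entry to its predecessor by SHA-256."""
    rec = normalise(raw)
    rec["received_at"] = received_at  # collector clock, independent of the device's own stamp
    rec["prev_hash"] = store[-1]["entry_hash"] if store else "0" * 64
    rec["entry_hash"] = _entry_hash(rec["prev_hash"], rec)
    store.append(rec)
    return rec

def verify_chain(store):
    """Recompute every link; an edited, removed or reordered entry breaks the chain."""
    prev = "0" * 64
    for rec in store:
        if rec["prev_hash"] != prev or _entry_hash(prev, rec) != rec["entry_hash"]:
            return False
        prev = rec["entry_hash"]
    return True

def search(store, **criteria):
    """One query over the normalised fields regardless of which vendor produced the line."""
    return [r for r in store if all(r.get(k) == v for k, v in criteria.items())]
```

A production collector would persist the chain to append-only storage and anchor its head hash externally (for instance in a signed daily digest), which is what turns the chain into evidence a third party can check.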

Business Challenge

Important event logs to monitor

A risk based evaluation of what security event data to record will typically log:

Changing threat profile

Malware such as viruses, together with spam, is a highly visible threat, and a sophisticated attack such as a spam-bot distributed denial-of-service attack can paralyse large parts of the business for days. Aside from direct losses, it may cause a great deal of highly unproductive organisational activity and damage important partner relationships.

Although far less visible, the threat posed by organisational insiders may be even greater and far more difficult to detect. For example, fraudulent manipulation of financial data may be a subtle background activity carried on over months or years, and intellectual property may be consciously or inadvertently sent by a disgruntled employee to a competitor.

Efficient Incident Response

An IT-security incident should trigger a structured response that requires a review of all security logs. The quality of the response will depend upon:

A log consolidation solution supports these requirements with a single integrated management console.

Business Value

Log consolidation can be a cornerstone of regulatory compliance. However, its benefits are felt most immediately in incident response, as it provides a single comprehensive overview of network activity and a highly efficient process for searching and correlating events in real time.

Informed Action

If you have specific compliance or security certification requirements, Kerna can help you design and implement a phased plan towards full compliance.
