
The Practical Aspect: Challenges of Security Log Management

Author: Vasant Raval, DBA, CISA, ACMA, and Saloni Verma, CISA, CEH
Date Published: 1 November 2017

In the world of information systems, data have gained the most influential position. Data are about entities—resource, agent or event—and among these, event data are probably the most pervasive group. Even in a short period of time, a business may generate millions of data points about events, for the business thrives on creating value through events such as marketing, sales, services and client support. Interestingly, wherever events occur, there is room for logging the events. Logs are the lifeline of the information systems value chain. Financial and managerial accounting, for example, depend on logging all economic events of the entity and, in the process, creating audit trails to provide support for assurance of such events and their consequences.

Some businesses, such as Fitbit, thrive on events in the life of their customers. The Fitbit wearer generates continuous data in very large measure. Of course, the Fitbit user is not interested in individual event data, but rather the aggregate information, such as the number of steps walked in a day, or trends. For this, Fitbit logs each event—literally each step walked by the user—and processes data into information useful to the user.

As businesses capture and store high volumes of data in their operational logs every day, they also create a challenge for themselves: ensuring that the data are accurate, the common data types are standardized across all logs and the logs are protected. For Fitbit, this becomes a question of protecting the privacy of users by securing personally identifiable information (PII) in the best possible manner. Thus, the operations and resulting operational data create the need for filtering data that warrant information security measures.

It is important to differentiate between operational data and security-related data. Fitbit creates value through operational data and, in the process, has to have information protection measures, for example, to guard the privacy of its customers. In contrast to value creation using operational data, businesses could create value by protecting clients from various information-related risks. LifeLock is an example of such a business where the company scans and monitors sensitive client identification data, provides alerts and, where necessary, helps restore the client’s compromised identity.

Most businesses have both operational data and security-related data, sometimes integrated into the same database. To manage security-related data within the operational logs and data in dedicated security logs, a sophisticated technology called security information and event management (SIEM) has emerged. SIEM attempts to fulfill two separate needs: real-time monitoring, correlation and processing of security events (called security event management [SEM]) and the historical analysis of log file information (called security information management [SIM]), for example, to support forensic investigations. SEM is closely related to incident response management when the incident may concern information security. SEM represents a continuous, ongoing effort while SIM is undertaken only as needed.1 A high-level overview of a log management scenario is presented in figure 1.

Figure 1

It is important to recognize that logs of operational events, while only incidentally involved in information security initiatives, may be of value to the organization. For example, real-time monitoring of disk space utilization may be programmed to send an alert once the disk space is 80 percent full. Operational event logs should also be filtered for security-relevant data. An audit of operational logs to identify any deviations from the security log management policy should prove helpful in proactively addressing any emerging issues. An example can be seen in Uber’s experience.
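The two ideas above, an operational threshold alert drawn from the same log stream and a filter that passes only security-relevant records on to the SIEM, together with the SEM/SIM split described earlier (real-time correlation versus historical query), can be shown in a small pipeline. The following is an added example and is not code from the article or from any SIEM product; the log lines, program names and the three-failures-in-60-seconds rule are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-like sample; not taken from any real system.
SAMPLE_LOG = """\
2017-11-01T08:00:01 host1 diskmon: /var usage=72%
2017-11-01T08:00:05 host1 sshd: Failed password for alice from 10.0.0.7
2017-11-01T08:00:09 host1 sshd: Failed password for alice from 10.0.0.7
2017-11-01T08:00:12 host1 sshd: Failed password for alice from 10.0.0.7
2017-11-01T08:00:20 host1 cron: job backup finished
2017-11-01T08:01:00 host1 diskmon: /var usage=83%
2017-11-01T08:02:00 host1 sudo: carol : TTY=pts/0 ; COMMAND=/usr/sbin/usermod -aG wheel carol
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")
DISK_RE = re.compile(r"(?P<mount>\S+) usage=(?P<pct>\d+)%")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")

# Assumption for this example: these programs are the ones whose records are
# security-relevant and therefore worth forwarding to the SIEM.
SECURITY_PROGRAMS = {"sshd", "sudo"}
DISK_ALERT_PCT = 80  # the 80 percent threshold from the text


def parse_line(line):
    """Split one log line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.fromisoformat(event["ts"])
    return event


def operational_alerts(events):
    """Operational monitoring: alert when a filesystem reaches DISK_ALERT_PCT."""
    alerts = []
    for e in events:
        if e["prog"] == "diskmon":
            m = DISK_RE.search(e["msg"])
            if m and int(m.group("pct")) >= DISK_ALERT_PCT:
                alerts.append(f"{e['host']} {m.group('mount')} at {m.group('pct')}%")
    return alerts


def security_relevant(events):
    """Filter at the source: only security-relevant records go on to the SIEM."""
    return [e for e in events if e["prog"] in SECURITY_PROGRAMS]


def sem_correlate(events, threshold=3, window=timedelta(seconds=60)):
    """SEM-style real-time correlation: N failed logins for one user inside a sliding window."""
    recent = defaultdict(deque)
    alerts = []
    for e in events:
        m = FAILED_RE.search(e["msg"])
        if not m:
            continue
        user = m.group(1)
        q = recent[user]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) == threshold:
            alerts.append(f"{threshold} failed logins for {user} within {int(window.total_seconds())}s")
    return alerts


def sim_query(events, program, start, end):
    """SIM-style historical query over retained records (e.g., for a forensic review)."""
    return [e for e in events if e["prog"] == program and start <= e["ts"] <= end]


def process(log_text):
    """Run the whole pipeline over a block of log text and summarize the results."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    forwarded = security_relevant(events)
    return {
        "operational_alerts": operational_alerts(events),
        "forwarded": len(forwarded),
        "sem_alerts": sem_correlate(forwarded),
        "sim_sudo": [e["msg"] for e in sim_query(forwarded, "sudo",
                                                 datetime(2017, 11, 1), datetime(2017, 11, 2))],
    }


if __name__ == "__main__":
    for key, value in process(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The split between `security_relevant` and the two analysis functions is the point: of the seven records only four reach the SIEM, the disk threshold is handled by the operational side, and the same four forwarded records serve both the real-time correlation and the later historical query.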

Organizations that do not value the importance of logging and monitoring may have to face issues in case of a breach or incident due to absence of records and evidence, or lax data management practices. This may also lead to legal, contractual or regulatory noncompliance. For example, Uber used a program called “God View,” which allowed employees to monitor the locations of riders. The US Federal Trade Commission (FTC) alleged that this was an improper business practice. In a settlement with the FTC, Uber declared that, for a similar application now in use at Uber, it has limited access only to those with a critical need to access such data. As part of the settlement, Uber agreed that it will undergo third-party audits every two years for the next 20 years to seek assurance that it meets or exceeds the FTC requirements for privacy protections.2

From Technology to Solution

SIEM is a technology, not a solution. A technology can provide the backbone, or infrastructure, to develop a solution, but by itself, it will not create an optimal security log management for the business. So, the success of security log management in a large, complex enterprise depends on two related decisions:

  1. Policy and strategy should drive the security log management program. Top-down risk analysis should guide decisions regarding what data to collect, how to correlate them, and how to produce and distribute information intelligence created from such logs. Staff should be competent and motivated, and challenged to continuously innovate in an area that may be perceived as static and docile.
  2. Invest the appropriate amount of resources to develop an SIEM infrastructure that meets the needs of the organization. Proper selection of the SIEM technology and its customized, risk-relevant implementation within the organization is important to achieve security log management objectives.

Visa Europe, within the context of Payment Card Industry Data Security Standard (PCI DSS) data, has suggested the following steps for designing and deploying a logging solution:3

  1. Understand the drivers.
    • Prepare for log analysis.
    • Analyze business drivers and compliance requirements.
  2. Develop policy and process.
    • Scope the solution and logging strategy.
    • Develop log analysis policy.
  3. Select and implement a solution.
    • Develop solution evaluation criteria.
    • Evaluate the options.
    • Develop a proof of concept.
    • Deploy log analysis.
  4. Maintain and utilize the logging solution.
    • Review and refine log solution deployment.

Challenges

There are several challenges in creating value from log management initiatives. Whether value creation involves minimizing risk, improving efficiency of operations or increasing the information supply chain effectiveness, significant challenges remain along the way. First, the task of log management may not be considered by tech-savvy staff as exciting or helpful in career building. This perception may hinder the cause of attracting talent to the task. For security log management to work effectively, the staff should be experienced in the business processes of the company and be cognizant of the nature and sources of risk. Insights from this experience could lead to major risk-related decisions impacting what to log, how to correlate logged data, what to aggregate and how often to review the intelligence produced. This has a direct bearing on the effectiveness of the security log management policy.

Because SIEM includes SEM, it is particularly important that the incident response staff embrace SIEM and work within its scope to leverage the incident reporting activities. Without the buy-in of the incident response teams, the organization may fail to get the best possible results from its SIEM infrastructure. The support of an established incident response program is a necessary element of an effective SIEM solution.4

A second challenge rests in “balancing a limited quantity of log management resources with a continuous supply of log data.”5 Clearly, the volume, variety and complexity of data sources have increased. With limited resources, what logs to select and how to optimize the security log management function can prove to be difficult, especially at a time when there are more and more significant changes that impact data sources. Examples of such changes include the Internet of Things (IoT), device proliferation (bring your own device [BYOD]) and cloud sourcing. Sure enough, the eyes should be set on where the risk is; however, this itself remains a moving target in a dynamic, technology-leveraged organization. Under these circumstances, proving value received from security log management could be a formidable challenge.

A security log management program, by its nature, depends on filtering and correlating log data. Log data sources must support business use cases; otherwise, they will be of little value. “Sending too much data to a SIEM system will burden it with correlating and processing data unnecessarily, thus leading to poor performance.”6 Inasmuch as there is the risk of collecting too much log data, there is also the risk of not collecting enough risk-relevant data. This may be particularly critical in the life of a business where technology-induced changes are frequent and impactful. The log management team should be aware of the business processes of the organization to effectively understand the technology and business risk. With proper business knowledge, the team will be able to identify the type of necessary logs to be collected, determine the log aggregation criteria with respect to the business process, determine the threats related to the business, and efficiently store and analyze logs organizationwide.

In 2016, hackers stole US $81 million from a Bangladesh bank by hacking into SWIFT. The incident remained undetected for months as the logs of the fraudulent activities were being cleared by the malware.7 Recently, hackers leaked upcoming episodes of the popular US television series Game of Thrones and hacked the show’s network, HBO. The breach included employees’ personal data and emails. Hackers have demanded US $6 million in ransom.8 If such attacks had been identified at the right time, HBO would not have had to face these reputational and financial loss issues. Visa Europe9 suggests that in many cases organizations are operating completely unaware of a compromise because of:

  • Disabled logging
  • Loss of trigger events due to overwritten logs
  • Failure to monitor logs
  • Lack of awareness of events being logged
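Three of the four conditions in the list above, and the log-clearing described in the Bangladesh bank case, leave traces that a log management team can check for routinely: a source that stops sending (disabled logging), a per-source record counter that jumps or falls back (overwritten or cleared logs), and a source that sends records nobody listed (lack of awareness of what is being logged). The following continuity audit is an added example, not code from the article or from Visa Europe; the source inventory, heartbeat intervals and the sample records are constructed, and the assumption that each source stamps its records with a monotonically increasing counter is made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed inventory (an assumption for this example): every source the
# organization believes it is logging, with the longest normal gap between records.
EXPECTED_SOURCES = {
    "app-gw": timedelta(minutes=5),
    "fw-edge": timedelta(minutes=1),
    "db-core": timedelta(minutes=5),
}


@dataclass
class Record:
    ts: datetime
    source: str
    seq: int      # per-source monotonically increasing record counter (assumed)
    msg: str


def parse(line):
    """Parse '<iso-timestamp> <source> <seq> <message>'."""
    ts, source, seq, msg = line.split(" ", 3)
    return Record(datetime.fromisoformat(ts), source, int(seq), msg)


# Constructed sample: "db-core" is deliberately absent, "fw-edge" skips three
# records, "app-gw" has its counter fall back to 1, and "printer-x" is unlisted.
SAMPLE = """\
2017-11-01T22:00:00 app-gw 100 transfer request accepted
2017-11-01T22:00:30 fw-edge 5000 accept tcp 10.0.1.5 -> 10.0.2.9:443
2017-11-01T22:01:00 app-gw 101 transfer request accepted
2017-11-01T22:01:30 fw-edge 5004 accept tcp 10.0.1.6 -> 10.0.2.9:443
2017-11-01T22:02:00 app-gw 1 service started
2017-11-01T22:02:00 printer-x 7 job queued
2017-11-01T22:03:00 app-gw 2 transfer request accepted
"""


def audit(records, inventory, now):
    """Return continuity findings: unknown sources, counter gaps/resets, silent sources."""
    findings = []
    last_seen = {}
    last_seq = {}
    unknown = set()
    for r in sorted(records, key=lambda r: r.ts):
        if r.source not in inventory and r.source not in unknown:
            unknown.add(r.source)
            findings.append({"kind": "unknown-source", "source": r.source,
                             "detail": "emits records but is not in the logging inventory"})
        prev = last_seq.get(r.source)
        if prev is not None:
            if r.seq < prev:
                findings.append({"kind": "sequence-reset", "source": r.source,
                                 "detail": f"counter fell from {prev} to {r.seq} (log cleared or reset?)"})
            elif r.seq > prev + 1:
                findings.append({"kind": "sequence-gap", "source": r.source,
                                 "detail": f"{r.seq - prev - 1} record(s) missing between {prev} and {r.seq}"})
        last_seq[r.source] = r.seq
        last_seen[r.source] = r.ts
    for src, max_gap in inventory.items():
        seen = last_seen.get(src)
        if seen is None:
            findings.append({"kind": "never-seen", "source": src,
                             "detail": "no records at all (logging disabled or never shipped?)"})
        elif now - seen > max_gap:
            findings.append({"kind": "silent", "source": src,
                             "detail": f"last record at {seen.isoformat()}, expected one every {max_gap}"})
    return findings


if __name__ == "__main__":
    recs = [parse(l) for l in SAMPLE.splitlines()]
    for f in audit(recs, EXPECTED_SOURCES, datetime(2017, 11, 1, 22, 10)):
        print(f"{f['kind']:15} {f['source']:10} {f['detail']}")
```

The check is only as good as the inventory it is given, which is why the text pairs it with a policy: the list of expected sources and their normal record rates is a management decision, and a source missing from that list produces no silence alert at all. The fourth condition, failure to monitor, is not something the audit can detect; it is addressed by assigning an owner who reviews these findings on a schedule.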

In the current state of information technology deployment, it is even more crucial to return the priority to security logging. However, it must be done correctly to yield benefits from the significant effort involved and the other resources it would take to implement and maintain an effective security log management program.

Endnotes

1 ISACA, Security Information and Event Management: Business Benefits and Security, Governance and Assurance Perspectives, USA, 2010
2 Bensinger, G.; “Uber Agrees to Decades of Audits to End FTC Probe,” The Wall Street Journal, 16 August 2017
3 Visa Europe, “Planning for and Implementing Security Logging,” fact sheet, www.visaeurope.com/media/images/security_logging_factsheet-73-18417.pdf
4 Op cit, ISACA, p. 8
5 Kent, K.; M. Souppaya; Guide to Computer Security Log Management, National Institute of Standards and Technology Special Publication SP 800-92, USA, 2006
6 Frye, D.; Effective Use Case Modeling for Security Information and Event Management, SANS Institute Reading Room, 21 September 2009, p. 7, www.sans.org/reading-room/whitepapers/bestprac/effective-case-modeling-security-information-event-management-33319
7 Smith, M.; “Bangladesh Bank Cyber-Heist Hackers Used Custom Malware to Steal $81 Million,” CSO, 25 April 2016, www.csoonline.com/article/3060798/security/bangladesh-bank-cyber-heist-hackers-used-custom-malware-to-steal-81-million.html
8 Associated Press, “Hackers Leak More Game of Thrones Scripts and HBO Emails in Demand for Millions in Ransom Money,” The Telegraph, 8 August 2017, www.telegraph.co.uk/technology/2017/08/08/hackers-leak-game-thrones-scripts-hbo-emails-demand-millions/
9 Op cit, Visa Europe

Vasant Raval, DBA, CISA, ACMA
Is a professor of accountancy at Creighton University (Omaha, Nebraska, USA). The coauthor of two books on information systems and security, his areas of teaching and research interest include information security and corporate governance. He can be reached at vraval@creighton.edu.

Saloni Verma, CISA, CEH
Has experience in cyber security strategies, information security implementations, audits and compliance. She has worked in India for advisory services at EY, PricewaterhouseCoopers, BDO and for multinational banks. She can be reached at saloni.raghav@gmail.com.