Security is a Holistic Proposition

Gorka Sadowski

Subscribe to Gorka Sadowski: eMailAlertsEmail Alerts
Get Gorka Sadowski: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Article

Preventive Security Through Behavior Modification - Part 3

Part 3 - Manage your evidence

This week let's review why logs are such a popular and powerful tool when performing forensics, and how to insure that investigators are working from a clean stream of data.

Logs used in forensics have several distinct advantages.

First, logs can be used not only to solve the IT crime, but also as evidence in a court of law, provided that they have been properly managed.

Second, logs are widely available. Logs have been around for the past 25 years and today all electronic equipments are capable of generating logs.

Third, best practices for log management are mature, all system administrator manuals have a section on logs, and most of the compliance mandates ask for proper log management (SOX, PCI, etc.).

Fourth, log management tools and solutions are now capable of automating the processing and management of logs, which facilitates forensics and the admissibility of logs as evidence.

Let's look at some of the critical success factors necessary in your log management solution which will help you leverage the maximum benefit from logs.

1. Collect all your logs. It is important to collect and manage all of the logs to get a complete and accurate picture of what happened. You never know which log you will need in the future, so when in doubt, collect it and properly manage it.

2. Ensure log integrity. To guarantee that you stay on the right track during your forensics, and that your logs are admitted and accepted as evidence, you need to ensure the integrity of the logs. In fact, you need to ensure two kinds of integrity: integrity of each log (to demonstrate that no log has been tampered with) and integrity of the log sequence (to demonstrate that no log has been added and/or no log has been deleted).

3. Store logs efficiently. Now that you are collecting and managing all of your logs, you will realize that they represent a huge amount of data that needs to be stored. This means that you need to be efficient in how you store your logs. Look into compression mechanisms, use of external storage devices and other tricks to maximize your storage space and minimize costs.

4. Provide for lightning fast and intuitive search capabilities. When you are performing forensics, you are essentially doing investigative work, or looking for a needle in the haystack. Make sure that your tool provides you with an intuitive way to perform these searches, and that you get near-instantaneous results.

If you use a tool that respects these basic critical success factors, you will be in a good position to perform proper digital forensics, catch the bad guys and obtain evidence to prosecute them successfully.

Next week we'll see that Log Management can be an instrument of change in people's perception and is a powerful tool for behavior modification.

 

More Stories By Gorka Sadowski

Gorka is a natural born entrepreneur with a deep understanding of Technology, IT Security and how these create value in the Marketplace. He is today offering innovative European startups the opportunity to benefit from the Silicon Valley ecosystem accelerators. Gorka spent the last 20 years initiating, building and growing businesses that provide technology solutions to the Industry. From General Manager Spain, Italy and Portugal for LogLogic, defining Next Generation Log Management and Security Forensics, to Director Unisys France, bringing Cloud Security service offerings to the market, from Director of Emerging Technologies at NetScreen, defining Next Generation Firewall, to Director of Performance Engineering at INS, removing WAN and Internet bottlenecks, Gorka has always been involved in innovative Technology and IT Security solutions, creating successful Business Units within established Groups and helping launch breakthrough startups such as KOLA Kids OnLine America, a social network for safe computing for children, SourceFire, a leading network security solution provider, or Ibixis, a boutique European business accelerator.