Audit and Trace Log Management: Consolidation and Analysis
by Phillip Q. Maier
Auerbach Publications 2006.
ISBN 978-0-8493-2725-4. Amazon.com $79.95
Reviewed by Richard Austin 1/4/2007
If I had to pick one topic that was both critical to the security practitioner and yet as interesting as watching paint dry or grass grow, it would be the subject of audit logging. Our enterprises are littered with intelligent devices that commonly have some capability to generate copious floods of event notifications or log records and it has long been common practice to use these data in various ways to allow detection of security incidents and support the follow-on investigation of exactly what may have happened.
However, new regulatory requirements that are making their way into the auditing standards require us to yet again revisit this issue with an eye to harnessing this ocean of data to demonstrate compliance with policy and ensure accountability. Maier provides an excellent roadmap for this re-exploration.
The first page of this book seized my attention with one of the most succinct summaries of the problems in enterprise audit logging: "The security administrator of today may feel like the SETI scientists, who have gathered countless terabytes of radio wave data and are endlessly sifting through it in an attempt to find intelligible signals ..." The first two chapters delve into the "why" of logging to flesh out just exactly what "intelligible signals" may mean to a particular enterprise in a given regulatory environment.
In the third chapter, Maier presents a 14 point survey that asks important questions to aid in understanding today's situation. The survey includes obvious capacity planning questions around the daily rates and volume of data, but then it moves into less obvious questions regarding where the logs are to be stored (on the monitored device or centrally), the security classification of log data, and the policy for permitting access to the various parts of it.
After establishing a firm foundation in understanding what is being done presently, Maier delves into the process and criteria for deciding what to capture and how. There's little concrete guidance provided, but Maier gives good coverage to the issues one needs to consider and pays due attention to one that has vexed your humble correspondent on more than one occasion: normalization. Unfortunately, log record formats tend to be very vendor and even device specific, which makes creating and querying a central log repository a most "interesting" endeavor. Interposing a step to "normalize" log records to a standard format between the filter and the central repository is a critical measure to enable the ensuing tasks of correlating records, reporting and, quite importantly, setting alert thresholds and escalation levels.
These topics each receive good coverage in their own chapter with detailed examples and a few flowcharts to illustrate processes in operation.
The book concludes on the important topic of "making your case" to build a business justification for the creation of a logging infrastructure (including metrics).
There are only a few books that I would recommend every security professional keep on the shelf, but this is one of them. It was written by someone who has lived the numbing nightmare of surveying the endlessly proliferating sources of event data in a modern enterprise, of identifying what must be collected, how it should be collected, filtered and stored, and what should be done with it. Most importantly, Maier kept careful notes along the way and has provided a guidebook that will help those of us who follow.
Richard Austin is a resident curmudgeon at a Fortune 100 company who continues to wage a battle with a tottering tower of new security tomes. Periodically he has been known to take a break and share his opinion of the latest book to migrate from the tower to the shelf. He can be reached at firstname.lastname@example.org.