Secure Your Logs Down to the root Quintessence Anx, Technical Evangelist @QuintessenceAnx DEVLIT-4020

Agenda • Introduction • Quick Concept Review • Log Management Life Cycle • Security Implications Over the Cycle • Best Practices Moving Forward • Conclusion DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Before I Get Started DEVLIT-4020

There will be some text heavy slides 😱📚 DEVLIT-4020

There is a link to my slides & resources at the end. DEVLIT-4020

Let’s Dive In DEVLIT-4020

A Quick Overview of Terms & Concepts DEVLIT-4020

Hash: Obscuring Data (one directional) DEVLIT-4020

Pinch of salt DEVLIT-4020

Encrypt: Obscuring Data (bi-directional) DEVLIT-4020

Common Weakness Enumeration (CWE) DEVLIT-4020

Common Vulnerabilities and Exposures (CVE) DEVLIT-4020

Try to avoid bloating the term “security” DEVLIT-4020

Different Security Objectives* • Confidentiality • Integrity • Availability • Authentication • Authorization • Non-repudiation *Not an exhaustive list DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 15

Always be aware of your objective(s). DEVLIT-4020

Oh, and what do I not mean by security? DEVLIT-4020

Security through obscurity DEVLIT-4020

Because (unintended) consequences DEVLIT-4020

e.g. “They don’t know where ${X} is, right?” (Who needs consistent naming conventions anyway?) DEVLIT-4020

DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

e.g. “Key management is hard, let’s share.” (This isn’t your housemate.) DEVLIT-4020

DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

There are more, but I think you got it. DEVLIT-4020

The main event: how does this apply to logs? DEVLIT-4020

DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Do not write sensitive data to your logs DEVLIT-4020

DEVLIT-4020

What is sensitive data? DEVLIT-4020

Some Examples of Sensitive Data* • Personally identifying information (PII) • • Tax and passport IDs are high cardinality, right? Credentials, including passwords and keys • e.g. ever version control your dotfiles? • Keystrokes • Matching results by either percent (e.g. X% match on FaceID or fingerprint) or pass/fail • Financial or health data • Internal endpoints and/or IP addresses • Database queries *Not an exhaustive list DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 31

Essentially, log only what you need. DEVLIT-4020

“What if I really need that sensitive data”, you ask? DEVLIT-4020

Food for thought, this is CWE-532*. So it comes up. DEVLIT-4020

Don’t ship it - log around it, e.g.: • Use a token that references the data • Use a salted or low-sodium hash • Encrypt the log and/or your data • Redact data as needed • Remember to adhere to any regulatory compliance requirements • e.g. GDPR, CCPA, PCI, HIPAA DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 35

Now what to do with these logs? DEVLIT-4020

DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Batten Down the Hatches • Limit access to the log files • Limit access to the storage volume(s) they reside on • Log files should be append only • Encrypt where possible • Take a look at forward secure sealing (FSS) if you’re encrypting your logs • • i.e. how to prevent past manipulation with current keys Rotate your log files regularly DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 38

DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Actually Shipping It This Time • If you are using a 3rd party / SaaS solution: • • Make sure your provider supports shippers that allow you to ship securely, e.g. over TLS / SSL via rsyslog. If using an on prem solution: • Secure your network • Ship encrypted • Limit key access to central log server DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 40

DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Safe Data Use • For a SaaS solution: ensure they provide access control • For an on prem solution: ensure you have access control • • Also: limit access to the log server itself Limit / deny malformed or malicious queries • e.g. Elastic has a handy 2014 blog post (back in its youth) that explains a few ways to crash the then-current version of Elasticsearch (to help you start thinking about this topic). DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 42

DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Secure Destruction • This also comes up often (CWE-117) • Ensure that locally and remotely (if using a SaaS) that data is destroyed according to relevant industry standards / procedures • e.g. CESG CPA, NIST, Cryptographic Erase • This may mean anything from wiping data to shredding physical storage, depending on your industry. • Do you need to delete or wipe? Know the difference. Use the difference. DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 44

Closing Tips DEVLIT-4020

Tip # 1: Know your data DEVLIT-4020

Tip # 2: Know your infrastructure DEVLIT-4020

Tip # 3: Know your risks DEVLIT-4020

Tip # 4: Don’t apply what doesn’t apply DEVLIT-4020

Tip # 5: Trust, but verify DEVLIT-4020

Tip # 6: Use your metrics DEVLIT-4020

Tip # 7: Protect & utilize your audit trail DEVLIT-4020

Tip # 8: Use well designed alerts judiciously DEVLIT-4020

Tip # 9: Don’t be a target find help as needed DEVLIT-4020

Tip # 10: Prevention is the difference between This Is a Problem and This Is a Disaster. DEVLIT-4020

Before you go… • Security is a broad space with a lot of separate concepts • • Don’t store sensitive data … • • e.g. Authorization, Integrity, Availability, etc. … but if you do, make sure it’s obscured, e.g. via token, hash, or encryption. Know your data and your infrastructure: you need to know what tradeoffs you are making to address them later. DEVLIT-4003 DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Before you go… • Security is a broad space with a lot of separate concepts • • e.g. Authorization, Integrity, Availability, etc. Don’t store sensitive data … • … but if you do, make sure it’s obscured, e.g. via token, hash, or encryption. • Know your data and your infrastructure: you need to know what tradeoffs you are making to address them later. • For more questions: please join the WebEx room DEVLIT4020 • Help me iterate – complete the survey and tell me your thoughts! DEVLIT-4003 DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Slides, Live Streaming, and Recordings Available on Cisco Live https://www.ciscolive.com/online References & Reading Available on Notist https://noti.st/quintessence DEVLIT-4020

Complete your online session survey • Please complete your session survey after each session. Your feedback is very important. • Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt. • All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea. Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com. DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 59

Cisco Webex Teams Questions? Use Cisco Webex Teams to chat with the speaker after the session How 1 Find this session in the Cisco Events Mobile App 2 Click “Join the Discussion” 3 Install Webex Teams or go directly to the team space 4 Enter messages/questions in the team space • DEVLIT-4020 DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 60

Continue your education Demos in the Cisco Showcase Walk-In Labs Meet the Engineer 1:1 meetings Related sessions DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 61

Learn more about the new DevNet Certifications and how you can prepare now! Associate Level Specialist Level Professional Level Expert Level Engineering Future Offering Software DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Start Here | Upcoming Cisco DevNet Certifications • Start at Meet DevNet DEVNET-2864: Getting ready for Cisco DevNet Certifications Offered daily at 9am, 1pm & 4pm at Meet DevNet • Attend a brownbag session DEVNET-4099: DevNet Certifications: Bringing software practices & software skills to networking Offered daily 12:15-12:45 in the DevNet Zone Theater • Visit the Learning@Cisco booth • Scan this code to sign up for the latest updates or go to http://cs.co/20eur02 DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Find shared code repositories of use cases for network automation & more! Don’t miss our 5 Automate Infrastructure demos in the DevNet Zone! Scan this code or go to the URL to learn more Start at Meet DevNet DEVNET-3010 [a-j] Learn how to make Network Automation Simple with the Community Offered Monday 2pm & 5pm, Tuesday & Wednesday 10am, 2pm & 5pm, and Thursday 10am & 5pm at Meet DevNet http://cs.co/20eur01 DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public

Thank you