Secure Your Logs to the Root

A presentation at Cisco Live EMEA 2020 in Barcelona, Spain by Quintessence Anx

With increasingly large and complex IT environments, it’s becoming more and more difficult to keep up with securing each component. Of particular interest, what about ensuring that your logs and audit trails themselves are secure? This is what I will be focusing on, in particular how to get started securing each phase of the log management lifecycle.

Resources

The following resources were mentioned during the presentation or are useful additional information.

  • OWASP Top 10 Security Risks – Part V (2018/2019 - 5 Part Series)

    Gerson Ruiz @ Sucuri has written a 5-part series on the Top 10 Security Vulnerabilities published by OWASP. Links to the previous 4 parts are included in the TOC at the top of the post. Posts were written Oct 2018 - Jan 2019.

  • The Log: What every software engineer should know about real-time data’s unifying abstraction

    This 2013 piece by Jay Kreps is a very, very deep dive into logging. Going deep into different types of logs, their sources, their implications, etc. This post is (according to a word counter) ~12,500 words, so definitely plan to use a whole lunch break (or two) on this one.

  • OWASP Logging Cheat Sheet

    OWASP has a series of cheat sheets, including, relevantly, this Logging Cheat Sheet. The cheat sheet includes ideas for what to log, how to log, and how to safely destroy the log. If you’re interested in learning Docker, .NET, error handling, etc. simply go up to the parent directory - they’re all being maintained on this GitHub project.

  • Crypto Stack Exchange

    Helpful for security Q&A. Depending on your topic of interest be prepared for some math.

  • Threat Modeling: Designing for Security

    Physical (or digital) book, useful reference manual. From the book summary:

    If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and in the overall software and systems design processes. Author and security expert Adam Shostack puts his considerable expertise to work in this book that, unlike any other, details the process of building improved security into the design of software, computer services, and systems — from the very beginning.

    • Find and fix security issues before they hurt you or your customers
    • Learn to use practical and actionable tools, techniques, and approaches for software developers, IT professionals, and security enthusiasts
    • Explore the nuances of software-centric threat modeling and discover its application to software and systems during the build phase and beyond
    • Apply threat modeling to improve security when managing complex systems
    • Manage potential threats using a structured, methodical framework
    • Discover and discern evolving security threats
    • Use specific, actionable advice regardless of software type, operating system, or program approaches and techniques validated and proven to be effective at Microsoft and other top IT companies

  • BlueKrypt Cryptographic Key Length Recommendation

    Unsure of what key lengths / encryption types to use? The recommendation may vary depending on your implementation and compliance requirements, but BlueKrypt has a list of recommendations for ECRYPT-CSA, NIST, ANSSI, and more.

  • Practical Secure Logging: Seekable Sequential Key Generators

    Paper by Giorgia Azzurra Marson and Bertram Poettering that covers building forward-secure logs, i.e. preventing an attacker who has access to the current keys from using them to manipulate past log entries to cover their tracks.

  • Forward secure sealing (on LWN.net)

    Short article that describes forward secure sealing (relevant to the Practical Secure Logging paper above).

  • Seven Best Practices for Keeping Sensitive Data Out of Logs

    Keeping sensitive data out of the logs will protect you in the event of a breach - no one can take what isn’t there. This 2018 blog post by Joe Crobak outlines seven ways to keep sensitive data out of your logs.

  • Six Ways to Crash Elasticsearch

    2014 Elastic blog post that I can best summarize as: How To Create Mayhem. Nice reading and can get you started on thinking about how to protect your own logging solution, ELK or otherwise, from malformed / malicious queries.

  • A Comprehensive List of Data Wiping and Erasure Standards

    Just what it sounds like - a lengthy list of data destruction methods and a blurb about each.
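To make the forward-secure logging idea from the Practical Secure Logging paper and the forward secure sealing article above concrete, here is an added example written for this page. It is not the paper's seekable construction and not systemd's implementation: it uses a plain hash-chain key evolution (key_{i+1} = SHA-256(key_i)) and authenticates each entry with an HMAC under key_i before the key is replaced. The seed value, the sample log lines, and the helper names (`evolve`, `entry_tag`, `ForwardSecureLog`, `verify`, `demo`) are all constructed for the example. The verifier keeps the seed offline and recomputes the chain; the logger only ever holds the current key, so an attacker who compromises the logger gets a key from which earlier keys cannot be derived.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple

# Sample log lines, constructed for this example.
SAMPLE_LINES = [
    b"2020-01-28T09:00:00Z sshd[412]: Accepted publickey for ops from 10.0.0.5",
    b"2020-01-28T09:01:12Z sudo: ops : COMMAND=/usr/bin/systemctl restart nginx",
    b"2020-01-28T09:02:40Z sshd[417]: Failed password for root from 203.0.113.9",
]

Entry = Tuple[int, bytes, str]  # (index, message, hex tag)


def evolve(key: bytes) -> bytes:
    # One-way key evolution: key_{i+1} = SHA-256("evolve|" || key_i).
    # A holder of key_{i+1} cannot recover key_i, which is what "forward secure" means here.
    return hashlib.sha256(b"evolve|" + key).digest()


def entry_tag(key: bytes, index: int, message: bytes) -> str:
    # The MAC covers the index as well as the message, so entries cannot be reordered.
    return hmac.new(key, index.to_bytes(8, "big") + message, hashlib.sha256).hexdigest()


class ForwardSecureLog:
    """Logger side: holds only the current epoch key (simplified chain, not the paper's SSKG)."""

    def __init__(self, seed: bytes) -> None:
        self._key = seed
        self.entries: List[Entry] = []

    def append(self, message: bytes) -> str:
        index = len(self.entries)
        t = entry_tag(self._key, index, message)
        self.entries.append((index, message, t))
        # Replace the key immediately; key_index is no longer anywhere in memory.
        self._key = evolve(self._key)
        return t

    def current_key(self) -> bytes:
        # What an attacker obtains by compromising the logger at this moment.
        return self._key


def verify(seed: bytes, entries: List[Entry]) -> Optional[int]:
    """Verifier side: recompute the chain from the seed and check every tag.
    Returns the index of the first entry that fails, or None if all entries verify."""
    key = seed
    for expected, (index, message, t) in enumerate(entries):
        if index != expected or not hmac.compare_digest(t, entry_tag(key, index, message)):
            return expected
        key = evolve(key)
    return None


def demo() -> dict:
    # Constructed seed; in practice a random secret generated on the verifier and never sent to the logger.
    seed = hashlib.sha256(b"constructed demo seed").digest()
    log = ForwardSecureLog(seed)
    for line in SAMPLE_LINES:
        log.append(line)
    results = {"intact": verify(seed, log.entries)}

    # The logger is compromised now; the attacker holds only the evolved key_3.
    stolen_key = log.current_key()

    # 1. Rewrite a past entry and re-tag it with the stolen key: detected at index 1,
    #    because the verifier derives key_1 from the seed and key_1 != key_3.
    tampered = list(log.entries)
    idx, _, _ = tampered[1]
    forged = b"2020-01-28T09:01:12Z sudo: ops : COMMAND=/usr/bin/ls"
    tampered[1] = (idx, forged, entry_tag(stolen_key, idx, forged))
    results["edited_past_entry"] = verify(seed, tampered)

    # 2. Drop the trailing entry: the chain alone does not notice truncation.
    results["truncated"] = verify(seed, log.entries[:-1])

    # 3. Append a new entry under the stolen key: accepted, since forward security
    #    protects entries written before the compromise, not after it.
    extended = list(log.entries)
    n = len(extended)
    extra = b"2020-01-28T09:05:00Z forged line"
    extended.append((n, extra, entry_tag(stolen_key, n, extra)))
    results["forged_future_entry"] = verify(seed, extended)
    return results


if __name__ == "__main__":
    print(demo())
```

The three attack outcomes in `demo` are the point: editing the past is caught, but truncation and post-compromise forgery are not, which is why a deployment pairs the chain with an out-of-band record of the expected entry count (or a periodic sealing marker handed to the verifier) and treats everything after the compromise epoch as untrusted.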