A presentation at Cisco Live EMEA 2020 in Barcelona, Spain by Quintessence Anx
With increasingly large and complex IT environments, it’s becoming more and more difficult to keep up with securing each component. Of particular interest: what about ensuring that your logs and audit trails themselves are secure? This is what I will be focusing on, in particular how to get started securing each phase of the log management lifecycle.
The following resources were mentioned during the presentation or are useful additional information.
Gerson Ruiz @ Sucuri has written a five-part series on the OWASP Top 10 security vulnerabilities. Links to the previous four parts are included in the TOC at the top of the post. The posts were written Oct 2018 - Jan 2019.
This 2013 piece by Jay Kreps is a very, very deep dive into logging: the different types of logs, their sources, their implications, and so on. The post is (according to a word counter) ~12,500 words, so definitely plan to spend a whole lunch break (or two) on it.
OWASP maintains a series of cheat sheets, including the Logging Cheat Sheet, which is the relevant one here. It covers what to log, how to log it, and how to safely destroy logs once they are no longer needed. If you’re interested in Docker, .NET, error handling, etc., simply go up to the parent directory: all of the cheat sheets are maintained in this GitHub project.
Helpful for security Q&A. Depending on your topic of interest, be prepared for some math.
A physical (or digital) book and a useful reference manual. From the book summary:
If you’re a software developer, systems manager, or security professional, this book will show you how to use threat modeling in the security development lifecycle and in the overall software and systems design processes. Author and security expert Adam Shostack puts his considerable expertise to work in this book that, unlike any other, details the process of building improved security into the design of software, computer services, and systems — from the very beginning.
Use specific, actionable advice regardless of software type, operating system, or program; use approaches and techniques validated and proven to be effective at Microsoft and other top IT companies
Unsure of what key lengths or algorithms to use? The recommendation may vary depending on your implementation and compliance requirements, but BlueKrypt has a list of recommendations from ECRYPT-CSA, NIST, ANSSI, and more.
Paper by Giorgia Azzurra Marson and Bertram Poettering that covers building forward-secure logs, i.e. preventing an attacker who obtains the current keys from using them to manipulate past log entries to cover their tracks.
Short article that describes forward secure sealing (relevant to the Marson and Poettering secure-logging paper above).
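To make the forward-security property from the paper and the sealing article above concrete, here is a toy illustration added to this page. It is not the paper's seekable sequential key generator and not any shipped sealing implementation: the logging host MACs each entry under a per-epoch key, then replaces that key with a one-way hash of itself and erases the old one, while an offline verifier keeps the original seed and re-derives every epoch key. An attacker who compromises the host therefore holds only the current key and cannot rebuild earlier ones, so earlier entries cannot be re-sealed; the example also shows the limit of the property, namely that entries sealed with the stolen key itself still verify. All names, the epoch-per-entry granularity, and the plain hash chain (the paper's contribution is being able to jump to epoch i without walking the chain) are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

ZERO_TAG = b"\x00" * 32  # chaining value used before the first entry


def next_key(key: bytes) -> bytes:
    """One-way key evolution. Given next_key(k), recovering k means inverting
    SHA-256, so a key for an earlier epoch cannot be rebuilt from a later one."""
    return hashlib.sha256(b"fss-evolve|" + key).digest()


def mac_key(key: bytes) -> bytes:
    """Derive the per-epoch MAC key from the chain key so the two roles stay
    separate (a leaked MAC key does not let anyone advance the chain)."""
    return hashlib.sha256(b"fss-mac|" + key).digest()


def _tag(chain_key: bytes, epoch: int, prev_tag: bytes, message: str) -> bytes:
    """HMAC over epoch number, previous tag and message. Binding prev_tag makes
    deletion and reordering detectable, not just modification."""
    data = epoch.to_bytes(8, "big") + prev_tag + message.encode("utf-8")
    return hmac.new(mac_key(chain_key), data, hashlib.sha256).digest()


class Sealer:
    """Runs on the logging host. Holds only the key for the current epoch;
    every earlier key has been overwritten by next_key()."""

    def __init__(self, seed: bytes):
        self._chain = seed
        self.epoch = 0
        self._prev_tag = ZERO_TAG

    def seal(self, message: str) -> dict:
        tag = _tag(self._chain, self.epoch, self._prev_tag, message)
        record = {"epoch": self.epoch, "msg": message, "tag": tag.hex()}
        # Advance and erase: after this line the key for this epoch no longer exists here.
        self._chain = next_key(self._chain)
        self._prev_tag = tag
        self.epoch += 1
        return record

    def export_state(self) -> tuple:
        """Everything an attacker obtains by compromising the host right now."""
        return self._chain, self.epoch, self._prev_tag


def verify(seed: bytes, records: list) -> Optional[int]:
    """Offline verifier that holds the seed and re-derives every epoch key.
    Returns the index of the first record that fails, or None if all verify."""
    chain, prev_tag = seed, ZERO_TAG
    for i, rec in enumerate(records):
        if rec["epoch"] != i:
            return i  # gap or reordering
        expected = _tag(chain, i, prev_tag, rec["msg"])
        if not hmac.compare_digest(expected, bytes.fromhex(rec["tag"])):
            return i
        chain, prev_tag = next_key(chain), expected
    return None


def tamper_past(records: list, stolen_chain: bytes, index: int, new_msg: str) -> list:
    """Attacker who stole the *current* chain key rewrites an OLDER record.
    The only key they have is the current one, so that is what they must MAC
    with; the verifier derives the real epoch-`index` key instead and rejects it."""
    forged = [dict(r) for r in records]
    prev_tag = bytes.fromhex(forged[index - 1]["tag"]) if index > 0 else ZERO_TAG
    forged[index]["msg"] = new_msg
    forged[index]["tag"] = _tag(stolen_chain, index, prev_tag, new_msg).hex()
    return forged


def forge_future(records: list, stolen_state: tuple, new_msg: str) -> list:
    """The same attacker appends an entry under the key they do hold. This
    verifies: forward security protects the past, not the present."""
    chain, epoch, prev_tag = stolen_state
    return records + [{"epoch": epoch, "msg": new_msg,
                       "tag": _tag(chain, epoch, prev_tag, new_msg).hex()}]


if __name__ == "__main__":
    seed = os.urandom(32)  # generated by the verifier, handed to the host once
    s = Sealer(seed)
    recs = [s.seal(f"constructed sample event {i}") for i in range(4)]
    stolen = s.export_state()  # host compromised after epoch 3
    print("clean log, first bad index:", verify(seed, recs))
    print("past entry rewritten, first bad index:",
          verify(seed, tamper_past(recs, stolen[0], 1, "nothing happened")))
    print("entry appended with stolen key, first bad index:",
          verify(seed, forge_future(recs, stolen, "all quiet")))
```

The practical consequences are the ones the sealing article draws: the seed must live on a verifier that the logging host cannot reach, the host must keep evolving (and erasing) its key on a schedule, and anything written after the compromise is only as trustworthy as the host itself.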
Keeping sensitive data out of the logs protects you in the event of a breach: no one can take what isn’t there. This 2018 blog post by Joe Crobak outlines seven ways to keep sensitive data out of your logs.
A 2014 Elastic blog post that I can best summarize as: How To Create Mayhem. Nice reading, and it can get you started thinking about how to protect your own logging solution, ELK or otherwise, from malformed or malicious queries.
Just what it sounds like: a lengthy list of data destruction methods with a blurb about each.
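The "what to log" advice in the OWASP Logging Cheat Sheet and the "keep it out of the logs" advice in the Crobak post above meet in code at the point where a log record is built. The following is an added example written for this page (it is not from either resource): an audit-record builder that always emits the same set of fields (when, what, who, from where, with what result) and scrubs the free-form part before it is written, both by dropping fields whose names mark them as secrets and by pattern-matching values that look like tokens, card numbers, emails or inline passwords. The field names, deny list and regular expressions are this example's own assumptions, meant as a starting point to adapt to your own data model rather than a complete list.

```python
import json
import logging
import re
from datetime import datetime, timezone

# Keys whose values never reach the log, whatever they contain.
# (Illustrative list; extend it from your own data model.)
DENY_KEYS = {"password", "passwd", "secret", "token", "authorization",
             "api_key", "ssn", "card_number"}


def _luhn_ok(digits: str) -> bool:
    """Luhn check so 13-19 digit order IDs or timestamps are not mistaken for cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _redact_pan(match) -> str:
    digits = re.sub(r"\D", "", match.group(0))
    return "[REDACTED-PAN]" if _luhn_ok(digits) else match.group(0)


# Patterns applied, in this order, to every string that is logged.
REDACTIONS = [
    (re.compile(r"(?i)\b(bearer|basic)\s+[a-z0-9._~+/=-]+"), r"\1 [REDACTED]"),
    (re.compile(r"\b(?:\d[ -]?){13,19}\b"), _redact_pan),
    (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "[REDACTED-EMAIL]"),
    (re.compile(r"(?i)\b(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+"),
     r"\1=[REDACTED]"),
]


def scrub(text: str) -> str:
    """Apply every redaction pattern to one string."""
    for pattern, repl in REDACTIONS:
        text = pattern.sub(repl, text)
    return text


def scrub_value(value):
    """Recursively scrub strings, drop denied keys, leave other scalars alone."""
    if isinstance(value, dict):
        return {k: scrub_value(v) for k, v in value.items()
                if str(k).lower() not in DENY_KEYS}
    if isinstance(value, (list, tuple)):
        return [scrub_value(v) for v in value]
    if isinstance(value, str):
        return scrub(value)
    return value


def audit_record(event: str, actor: str, source_ip: str, outcome: str,
                 details: dict = None) -> dict:
    """One audit entry with a fixed set of fields plus scrubbed free-form details.
    The actor is kept verbatim on purpose: the audit trail must say who acted."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "event": event,
        "actor": actor,
        "source_ip": source_ip,
        "outcome": outcome,
        "details": scrub_value(details or {}),
    }


class RedactingFormatter(logging.Formatter):
    """Safety net for ordinary log lines: scrub the rendered message, so a
    stray f-string that interpolates a token is still caught on the way out."""

    def format(self, record: logging.LogRecord) -> str:
        return scrub(super().format(record))


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingFormatter("%(asctime)s %(levelname)s %(message)s"))
    log = logging.getLogger("audit")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed sample input, not real data.
    rec = audit_record("login", "alice", "203.0.113.7", "failure", {
        "password": "hunter2",
        "note": "card 4111 1111 1111 1111, contact alice@example.com",
        "order_id": "1234567890123",
        "headers": {"Authorization": "Bearer eyJhbGciOi.abc.def", "Host": "api.example.test"},
    })
    log.info(json.dumps(rec))
    log.info("debug dump: Authorization: Bearer eyJhbGciOi.abc.def password=hunter2")
```

Two design points are worth noting. The deny list works on field names and the patterns work on values, and you want both: structured fields catch the cases you anticipated, the formatter catches the ones you did not. The Luhn check on digit runs is there because a naive "13 to 19 digits" rule would also eat millisecond timestamps and order numbers, which are exactly the values an investigator needs to keep.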