Secure Your Logs to the Root

A presentation at Cisco Live EMEA 2020 in January 2020 in Barcelona, Spain by Quintessence Anx

Slide 1

Secure Your Logs Down to the root
Quintessence Anx, Technical Evangelist @QuintessenceAnx
DEVLIT-4020

Slide 2

Agenda
• Introduction
• Quick Concept Review
• Log Management Life Cycle
• Security Implications Over the Cycle
• Best Practices Moving Forward
• Conclusion
DEVLIT-4020 © 2020 Cisco and/or its affiliates. All rights reserved. Cisco Public 3

Slide 3

Before I Get Started

Slide 4

There will be some text heavy slides 😱📚

Slide 5

There is a link to my slides & resources at the end.

Slide 6

Let’s Dive In

Slide 7

A Quick Overview of Terms & Concepts

Slide 8

Hash: Obscuring Data (one directional)

Slide 9

Pinch of salt

Slide 10

Encrypt: Obscuring Data (bi-directional)

Slide 11

Common Weakness Enumeration (CWE)

Slide 12

Common Vulnerabilities and Exposures (CVE)

Slide 13

Try to avoid bloating the term “security”

Slide 14

Different Security Objectives*
• Confidentiality
• Integrity
• Availability
• Authentication
• Authorization
• Non-repudiation
*Not an exhaustive list

Slide 15

Always be aware of your objective(s).

Slide 16

Oh, and what do I not mean by security?

Slide 17

Security through obscurity

Slide 18

Because (unintended) consequences

Slide 19

e.g. “They don’t know where ${X} is, right?” (Who needs consistent naming conventions anyway?)

Slide 20

Slide 21

e.g. “Key management is hard, let’s share.” (This isn’t your housemate.)

Slide 22

Slide 23

There are more, but I think you got it.

Slide 24

The main event: how does this apply to logs?

Slide 25

Slide 26

Slide 27

Do not write sensitive data to your logs

Slide 28

Slide 29

What is sensitive data?

Slide 30

Some Examples of Sensitive Data*
• Personally identifying information (PII)
  • Tax and passport IDs are high cardinality, right?
• Credentials, including passwords and keys
  • e.g. ever version control your dotfiles?
• Keystrokes
• Matching results by either percent (e.g. X% match on FaceID or fingerprint) or pass/fail
• Financial or health data
• Internal endpoints and/or IP addresses
• Database queries
*Not an exhaustive list

Slide 31

Essentially, log only what you need.

Slide 32

“What if I really need that sensitive data”, you ask?

Slide 33

Food for thought, this is CWE-532*. So it comes up.

Slide 34

Don’t ship it - log around it, e.g.:
• Use a token that references the data
• Use a salted or low-sodium hash
• Encrypt the log and/or your data
• Redact data as needed
• Remember to adhere to any regulatory compliance requirements
  • e.g. GDPR, CCPA, PCI, HIPAA
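The "log around it" slide above, together with the hash / pinch of salt / encrypt slides earlier in the deck, can be shown in working code. The following is an added example written for this page, not code from the talk or from Cisco: a standard-library `logging.Filter` that redacts credential key=value pairs outright and replaces e-mail addresses with a keyed (salted) hash token, so events for one user still correlate inside one deployment while the raw value never reaches the log file. The e-mail and `password=`/`token=` conventions, the logger name `app.auth` and the `PSEUDONYM_KEY` are assumptions made for the example; `plain_hash` is included only to contrast an unsalted digest, which anyone can recompute from a small dictionary of candidate values.

```python
import hashlib
import hmac
import io
import logging
import re
import secrets

# Constructed per-deployment secret for the keyed ("salted") hash. In production it
# would live in a key management system, not next to the logs it protects.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Assumed conventions for this example: e-mail addresses are the PII to tokenize,
# key=value pairs such as password=... or token=... are the credentials to redact.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
SECRET_KV_RE = re.compile(r"(?i)\b(password|passwd|api[_-]?key|token)=([^\s,;]+)")


def plain_hash(value: str) -> str:
    """Unsalted SHA-256, truncated to 64 bits. Anyone can recompute it, so a
    short list of candidate e-mails reverses it offline: not a safe token."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def salted_hash(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA-256, truncated). The same input gives the same token
    within one deployment, so a user's events still correlate, but without the
    key the token cannot be brute-forced back to the original value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(message: str) -> str:
    """Redact credentials first, then replace e-mails with a keyed-hash token."""
    message = SECRET_KV_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", message)
    return EMAIL_RE.sub(lambda m: "user:" + salted_hash(m.group(0)), message)


class ScrubFilter(logging.Filter):
    """Handler-level filter: rewrites the fully formatted message before it is
    written, so the sensitive values never reach the file or the shipper."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # already interpolated above; prevents re-formatting
        return True


def demo() -> str:
    """Log one message through the filter into an in-memory stream and return
    what would have been written to disk."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(name)s %(message)s"))
    handler.addFilter(ScrubFilter())
    logger = logging.getLogger("app.auth")  # assumed logger name
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers = [handler]
    logger.info("login failed for %s password=%s", "alice@example.com", "hunter2")
    return stream.getvalue()


if __name__ == "__main__":
    print(demo())
```

Attaching the filter to the handler rather than the logger means every record that reaches that file or shipper is scrubbed, including records from third-party libraries that log through the same handler; the regexes are an allowlist of what you already know leaks and should be reviewed whenever a new field is added to a log line.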

Slide 35

Now what to do with these logs?

Slide 36

Slide 37

Batten Down the Hatches
• Limit access to the log files
• Limit access to the storage volume(s) they reside on
• Log files should be append only
• Encrypt where possible
  • Take a look at forward secure sealing (FSS) if you’re encrypting your logs
    • i.e. how to prevent past manipulation with current keys
• Rotate your log files regularly
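The FSS bullet above ("how to prevent past manipulation with current keys") is easier to see with a small model of the idea. The following is an added example written for this page, not code from the talk, from Cisco or from systemd's journald FSS implementation: entries are HMAC-tagged under an epoch key, and at each seal the host replaces the key with its one-way successor and forgets the old one. A verifier holding only the starting key `k_0` offline can re-derive every epoch key and check the chain; a host compromise yields only the current key, which cannot re-tag anything from an earlier epoch. The `__SEAL__` marker message, the SHA-256 key-evolution step and the `expected_epoch` the verifier supplies are assumptions of this model.

```python
import hashlib
import hmac

SEAL_MARKER = "__SEAL__"  # reserved message that closes a key epoch (assumption)


def evolve(key: bytes) -> bytes:
    """One-way key evolution: k_{i+1} = SHA-256("evolve" || k_i). Knowing k_{i+1}
    gives no way back to k_i, which is what makes earlier epochs safe."""
    return hashlib.sha256(b"evolve" + key).digest()


def tag(key: bytes, epoch: int, prev_tag: str, message: str) -> str:
    """HMAC over epoch, previous tag and message; chaining prev_tag makes
    deletion or reordering inside an epoch detectable, not just edits."""
    data = f"{epoch}|{prev_tag}|{message}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class SealedLog:
    """Append-only log on the monitored host. It holds only the *current* key."""

    def __init__(self, start_key: bytes):
        self._key = start_key
        self.epoch = 0
        self._prev = ""
        self.entries = []  # (epoch, message, tag) triples

    def append(self, message: str) -> None:
        t = tag(self._key, self.epoch, self._prev, message)
        self.entries.append((self.epoch, message, t))
        self._prev = t

    def seal(self) -> None:
        """Close the epoch: write a marker under the old key, then replace the
        key with its successor and forget the old one."""
        self.append(SEAL_MARKER)
        self._key = evolve(self._key)
        self.epoch += 1

    @property
    def current_key(self) -> bytes:
        return self._key


def verify(entries, start_key: bytes, expected_epoch: int):
    """Offline check with k_0, which never lives on the logging host.
    Returns the index of the first bad entry, len(entries) if the log was cut
    short of the epoch the verifier expects, or None when everything checks."""
    key, epoch, prev = start_key, 0, ""
    for i, (e, msg, t) in enumerate(entries):
        if e != epoch:  # epochs may only advance through a sealed marker
            return i
        if not hmac.compare_digest(tag(key, e, prev, msg), t):
            return i
        prev = t
        if msg == SEAL_MARKER:
            key = evolve(key)
            epoch += 1
    if epoch != expected_epoch:  # truncation back past the last seal
        return len(entries)
    return None


if __name__ == "__main__":
    k0 = bytes(range(32))  # constructed start key; real ones come from a CSPRNG
    log = SealedLog(k0)
    log.append("sshd: session opened for user alice")
    log.seal()
    log.append("sshd: session closed for user alice")
    print("verify:", verify(log.entries, k0, expected_epoch=1))
```

Two limits worth keeping in mind: entries written after the compromise are tagged with the compromised key and are therefore not protected (forward security covers the past only), and the verifier must know how many seals should have happened, which is why real implementations tie epochs to wall-clock intervals rather than to a counter the host controls.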

Slide 38

Slide 39

Actually Shipping It This Time
• If you are using a 3rd party / SaaS solution:
  • Make sure your provider supports shippers that allow you to ship securely, e.g. over TLS / SSL via rsyslog.
• If using an on prem solution:
  • Secure your network
  • Ship encrypted
  • Limit key access to central log server

Slide 40

Slide 41

Safe Data Use
• For a SaaS solution: ensure they provide access control
• For an on prem solution: ensure you have access control
  • Also: limit access to the log server itself
• Limit / deny malformed or malicious queries
  • e.g. Elastic has a handy 2014 blog post (back in its youth) that explains a few ways to crash the then-current version of Elasticsearch (to help you start thinking about this topic).

Slide 42

Slide 43

Secure Destruction
• This also comes up often (CWE-117)
• Ensure that, locally and remotely (if using a SaaS), data is destroyed according to relevant industry standards / procedures
  • e.g. CESG CPA, NIST, Cryptographic Erase
  • This may mean anything from wiping data to shredding physical storage, depending on your industry.
• Do you need to delete or wipe? Know the difference. Use the difference.
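The "Cryptographic Erase" and "delete or wipe" points above can be made concrete. The following is an added example written for this page, not code from the talk or from Cisco: log records are encrypted under a per-tenant key held in a vault, so destroying that one key renders every copy of those records unreadable wherever the ciphertext still sits (backups, the SaaS provider, old snapshots); beside it, `overwrite_in_place` shows what "wipe" means compared with an ordinary unlink. The vault, tenant IDs and sample records are constructed for the example, and the stream cipher is a deliberately simple HMAC-in-counter-mode keystream chosen so the block runs on the standard library alone; a real deployment would use an authenticated cipher such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from typing import Dict, Optional, Tuple


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA-256 in counter mode as the keystream.
    Standard-library stand-in for AES-GCM; do not use as-is in production."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class KeyVault:
    """In-memory stand-in for an HSM/KMS: one data-encryption key per tenant."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytearray] = {}

    def create(self, key_id: str) -> None:
        self._keys[key_id] = bytearray(secrets.token_bytes(32))

    def get(self, key_id: str) -> Optional[bytes]:
        k = self._keys.get(key_id)
        return bytes(k) if k is not None else None

    def destroy(self, key_id: str) -> None:
        """Cryptographic erase: zero the key material, then drop it. Every record
        encrypted under it is now unrecoverable, wherever its ciphertext lives."""
        k = self._keys.pop(key_id)
        for i in range(len(k)):
            k[i] = 0


def encrypt_record(vault: KeyVault, key_id: str, plaintext: bytes) -> bytes:
    key = vault.get(key_id)
    if key is None:
        raise KeyError(f"no key for {key_id}")
    nonce = secrets.token_bytes(16)  # fresh per record; never reused with one key
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt_record(vault: KeyVault, key_id: str, blob: bytes) -> bytes:
    key = vault.get(key_id)
    if key is None:
        raise KeyError(f"key {key_id} destroyed: record is cryptographically erased")
    return keystream_xor(key, blob[:16], blob[16:])


def overwrite_in_place(path: str) -> int:
    """'Wipe' rather than 'delete': overwrite the file's bytes before unlinking.
    Returns the byte count. On SSDs, copy-on-write or journaling filesystems the
    old blocks may survive anyway, which is why crypto erase is the dependable
    option for data you cannot physically destroy."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        f.write(b"\x00" * size)
        f.flush()
        os.fsync(f.fileno())
    return size


def demo_wipe() -> Tuple[int, bool]:
    """Write a constructed log line to a temp file, wipe it, confirm the bytes
    are gone before the name is removed. Returns (bytes overwritten, zeroed?)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"2020-01-28 secret=hunter2\n")
    n = overwrite_in_place(path)
    with open(path, "rb") as f:
        zeroed = f.read() == b"\x00" * n
    os.remove(path)
    return n, zeroed


if __name__ == "__main__":
    vault = KeyVault()
    vault.create("tenant-a")
    blob = encrypt_record(vault, "tenant-a", b"2020-01-28 tenant-a user=42 action=login")
    vault.destroy("tenant-a")
    print("ciphertext still on disk:", len(blob), "bytes; key gone:", vault.get("tenant-a") is None)
    print("wipe:", demo_wipe())
```

Keying per tenant (or per retention window) is what makes the erase selective: the ciphertext for the destroyed key can stay in every backup and still satisfy a deletion requirement, while other tenants' records remain readable.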

Slide 44

Closing Tips

Slide 45

Tip # 1: Know your data

Slide 46

Tip # 2: Know your infrastructure

Slide 47

Tip # 3: Know your risks

Slide 48

Tip # 4: Don’t apply what doesn’t apply

Slide 49

Tip # 5: Trust, but verify

Slide 50

Tip # 6: Use your metrics

Slide 51

Tip # 7: Protect & utilize your audit trail

Slide 52

Tip # 8: Use well designed alerts judiciously

Slide 53

Tip # 9: Don’t be a target; find help as needed

Slide 54

Tip # 10: Prevention is the difference between This Is a Problem and This Is a Disaster.

Slide 55

Before you go…
• Security is a broad space with a lot of separate concepts
  • e.g. Authorization, Integrity, Availability, etc.
• Don’t store sensitive data …
  • … but if you do, make sure it’s obscured, e.g. via token, hash, or encryption.
• Know your data and your infrastructure: you need to know what tradeoffs you are making to address them later.

Slide 56

Before you go…
• Security is a broad space with a lot of separate concepts
  • e.g. Authorization, Integrity, Availability, etc.
• Don’t store sensitive data …
  • … but if you do, make sure it’s obscured, e.g. via token, hash, or encryption.
• Know your data and your infrastructure: you need to know what tradeoffs you are making to address them later.
• For more questions: please join the WebEx room DEVLIT4020
• Help me iterate – complete the survey and tell me your thoughts!

Slide 57

Slides, Live Streaming, and Recordings
Available on Cisco Live https://www.ciscolive.com/online
References & Reading
Available on Notist https://noti.st/quintessence

Slide 58

Complete your online session survey
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live t-shirt.
• All surveys can be taken in the Cisco Events Mobile App or by logging in to the Content Catalog on ciscolive.com/emea.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.com.

Slide 59

Cisco Webex Teams
Questions? Use Cisco Webex Teams to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space

Slide 60

Continue your education
Demos in the Cisco Showcase
Walk-In Labs
Meet the Engineer 1:1 meetings
Related sessions

Slide 61

Learn more about the new DevNet Certifications and how you can prepare now! Associate Level Specialist Level Professional Level Expert Level Engineering Future Offering Software

Slide 62

Start Here | Upcoming Cisco DevNet Certifications
• Start at Meet DevNet
  DEVNET-2864: Getting ready for Cisco DevNet Certifications
  Offered daily at 9am, 1pm & 4pm at Meet DevNet
• Attend a brownbag session
  DEVNET-4099: DevNet Certifications: Bringing software practices & software skills to networking
  Offered daily 12:15-12:45 in the DevNet Zone Theater
• Visit the Learning@Cisco booth
• Scan this code to sign up for the latest updates or go to http://cs.co/20eur02

Slide 63

Find shared code repositories of use cases for network automation & more!
Don’t miss our 5 Automate Infrastructure demos in the DevNet Zone!
Scan this code or go to the URL to learn more
Start at Meet DevNet
DEVNET-3010 [a-j] Learn how to make Network Automation Simple with the Community
Offered Monday 2pm & 5pm, Tuesday & Wednesday 10am, 2pm & 5pm, and Thursday 10am & 5pm at Meet DevNet
http://cs.co/20eur01

Slide 64

Thank you

Slide 65