SECURE YOUR LOGS DOWN TO THE ROOT QuintessenceAnx

@QuintessenceAnx /@AppDynamics Before I Get Started

There will be some text-heavy slides.

There is a link to my slides & resources at the end.

Let’s Dive In.

Quick Overview of Terms and Concepts*
*Not an exhaustive list.

Hash: obscuring data (one-way)

Pinch of salt

Encrypt: obscuring data (reversibly)

Try to avoid bloating the term “security”.

Different Security Objectives*
- Confidentiality
- Integrity
- Availability
- Authentication
- Authorization
- Non-repudiation
*Also not an exhaustive list.

Always be aware of your objective(s).

Oh, and what do I not mean by security?

No: Security Through Obscurity. Do not do this.

’cause consequences

e.g. “They don’t know where ${X} is, right?” Who needs consistent naming conventions anyway?

e.g. “Key management is hard, let’s share.” This isn’t your housemate.

There are more, but I think you grok me. ☺

The main event: how does this apply to logs?

Log Lifecycle: Create → Store → Ship → Consume → Convert → Destroy

Create

Do not write sensitive data to your logs.

Do not. Write. Sensitive data. To your logs.

Sensitive data, e.g.:
- Personally identifying information (PII): SSNs are high cardinality, right?
- Credentials, including passwords and keys: e.g. ever version control your dotfiles?
- Keystrokes
- Matching results, by either percent (e.g. X% match on FaceID or fingerprint) or pass/fail
- Financial or health data
- Internal endpoints and/or IP addresses
- Database queries
The list goes on.

Essentially, log only what you need.

“What if I really need that sensitive data?”, you ask.

Food for thought: this is CWE-532. So it comes up.

Don’t ship it; log around it, e.g.:
- Use a token that references the data
- Use a salted (or low-sodium) hash
- Encrypt the log and/or your data
- Redact data as needed
Remember to adhere to any regulatory compliance requirements, e.g. PCI, HIPAA.
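The "log around it" options above, as an added example that is not from the talk: a Python logging filter that redacts credentials and SSNs outright, hides internal addresses, and replaces e-mail addresses with a keyed-hash token so records can still be correlated. The regexes and the PEPPER value are constructed for illustration.

```python
# Added example (not from the talk): a logging.Filter that keeps sensitive
# values out of log records by redacting, tokenising or hashing them.
import hashlib
import hmac
import logging
import re

# Constructed secret for the demo; in practice load it from a secret store.
PEPPER = b"example-pepper-do-not-use"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
INTERNAL_IP_RE = re.compile(r"\b10\.\d{1,3}\.\d{1,3}\.\d{1,3}\b")
PASSWORD_RE = re.compile(r"(password=)[^\s&]+", re.IGNORECASE)


def token_for(value: str) -> str:
    """Keyed hash of a value: stable for correlation across records, but not
    reversible without the key (the talk's 'token' / 'salted hash' options)."""
    digest = hmac.new(PEPPER, value.encode(), hashlib.sha256).hexdigest()
    return "tok_" + digest[:16]


def scrub(message: str) -> str:
    """Apply every rule; each class of data gets the least-revealing treatment."""
    message = SSN_RE.sub("[SSN-REDACTED]", message)                  # never needed
    message = PASSWORD_RE.sub(r"\1[REDACTED]", message)              # credentials
    message = EMAIL_RE.sub(lambda m: token_for(m.group()), message)  # keep linkage
    message = INTERNAL_IP_RE.sub("[INTERNAL-IP]", message)           # hide topology
    return message


class ScrubFilter(logging.Filter):
    """Rewrites the rendered message before any handler can write it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # already interpolated above
        return True


def build_logger() -> logging.Logger:
    logger = logging.getLogger("app")
    logger.addFilter(ScrubFilter())
    return logger
```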

Now what to do with these logs? ☺

Store

Batten Down the Hatches
- Limit access to the log files
- Limit access to the storage volume(s) they reside on
- Log files should be append-only
- Encrypt where possible
- Take a look at forward secure sealing (FSS) if you’re encrypting your logs, i.e. how to prevent manipulation of past entries with current keys
- Rotate your log files regularly
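To make the FSS idea concrete, an added illustration that is not from the talk and is a simplified stand-in for journald's actual sealing scheme: each record is MACed with the current key, the key is then ratcheted with a one-way hash and the old key discarded, so someone who later obtains the live key cannot reseal earlier records, while a verification key kept off-host can still check the whole chain. Sample records are constructed.

```python
# Added example (not from the talk, and not journald's real FSS algorithm):
# a simplified forward-secure seal built from an HMAC chain and a key ratchet.
import hashlib
import hmac
import secrets


def ratchet(key: bytes) -> bytes:
    """One-way key evolution, key_{i+1} = H(key_i); key_i is not recoverable."""
    return hashlib.sha256(b"ratchet" + key).digest()


class SealingWriter:
    """Appends records, sealing each with the key of its own epoch."""

    def __init__(self, key: bytes):
        self._key = key      # live key: the only key kept on the logging host
        self.entries = []    # (record, seal) pairs, i.e. the sealed log

    def append(self, record: bytes) -> None:
        prev_seal = self.entries[-1][1] if self.entries else b""
        seal = hmac.new(self._key, prev_seal + record, hashlib.sha256).digest()
        self.entries.append((record, seal))
        self._key = ratchet(self._key)  # old epoch key is gone after this line

    def current_key(self) -> bytes:
        return self._key


def verify(verification_key: bytes, entries) -> int:
    """Re-derive every epoch key from the off-host verification key; return the
    index of the first entry whose seal fails, or -1 if the chain is intact."""
    key, prev_seal = verification_key, b""
    for i, (record, seal) in enumerate(entries):
        expected = hmac.new(key, prev_seal + record, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, seal):
            return i
        key, prev_seal = ratchet(key), seal
    return -1


def demo() -> tuple:
    vkey = secrets.token_bytes(32)  # verification key: store it off-host
    w = SealingWriter(vkey)
    for line in [b"boot ok", b"user admin login", b"config changed"]:  # constructed
        w.append(line)
    # A later compromise yields only the live key; resealing entry 1 with it
    # produces a seal that the epoch-1 key does not reproduce.
    stolen = w.current_key()
    tampered = list(w.entries)
    forged = hmac.new(stolen, tampered[0][1] + b"user nobody login", hashlib.sha256).digest()
    tampered[1] = (b"user nobody login", forged)
    return verify(vkey, w.entries), verify(vkey, tampered)
```

The chain alone does not detect truncation of the most recent entries; a verifier also needs to know the expected entry count or sealing epoch.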

Ship

Actually shipping it this time
If you are using a 3rd-party / SaaS solution:
- Make sure your provider supports shippers that allow you to ship securely, e.g. over TLS / SSL via rsyslog.
If using an on-prem solution:
- Secure your network
- Ship encrypted
- Limit key access to the central log server

Consume & Convert

Safe Data Use
- For a SaaS solution: ensure they provide access control
- For an on-prem solution: ensure you have access control
- Also: limit access to the log server itself
- Limit / deny malformed or malicious queries, e.g. Elastic has a handy 2014 blog post (back in its youth) that explains a few ways to crash the then-current version of Elasticsearch (to help you start thinking about this topic).

Destroy

Secure Destruction
- This also comes up often (CWE-117)
- Ensure that locally and remotely (if using a SaaS) data is destroyed according to relevant industry standards, e.g. CESG CPA, Crypto Erase, NIST
- This may mean anything from wiping data to shredding physical storage, depending on your industry.
- Do you need to delete or wipe? Know the difference. Use the difference.

Closing Tips

Tip #1: Know your data

Tip #2: Know your infrastructure

Tip #3: Know your risks

Tip #4: Don’t apply what doesn’t apply

Tip #5: Trust, but verify

Tip #6: Use your metrics

Tip #7: Protect & utilize your audit trail

Tip #8: Use well-designed alerts judiciously

Tip #9: Don’t be a target - find help as needed

Tip #10: Prevention is the difference between This Is a Problem and This Is a Disaster.

Slides, References, & Reading: available on Notist, https://noti.st/quintessence

Thank you! QuintessenceAnx Technical Evangelist / @