Sunday, January 21, 2007

Logs and Compliance: Married for Life

Despite this cheesy title, I am talking about something serious here. Many security solutions are being sold as "compliance solutions" nowadays (and there is nothing wrong with that). However, sometimes I can't help but chuckle (or, less often, roll on the floor laughing :-)) when I see a vendor make an especially tenuous connection between their offering and whatever compliance mandate or regulation (e.g. "our firewall is really a ... khmmm ... yes! a compliance solution, because it ... eeeeh ... helps you, you know, be compliant and stuff" :-)).

However, there is one technology that has "compliance" written all over it: log management. Why am I saying this? Is it because LogLogic pays me? No, this post is actually inspired by this paper here. Two quotes illustrate my point:

1.  "By reviewing the logs, data center managers can record specific kinds of activities to show auditors that controls are in place." Yes, one can try to look at the configurations to see the controls, but only logs show how those controls manifest in real life.

2. "The other function of log data in compliance is to report on exceptions -- explicit log events that represent issues requiring investigation [...]" Indeed, logs provide an objective (subject to known caveats ...) trail of activity and should be used pretty much in all investigations.

The paper further mentions the role of logs in SAS 70 audits; while some people make jokes about it as a means to "prove security", it seems to be the choice of some companies looking to streamline their audit processes.

Dr Anton Chuvakin