Keeping and maintaining data logs is a corporate best practice and, in many cases, when you consider regulation and industry standards, it’s the law. Still, few companies take advantage of the benefits of log maintenance when it comes to detecting and responding to data breaches.
In fact, according to Verizon’s 2011 Data Breach Investigations Report, less than one percent of the breaches analyzed were discovered through log analysis, while 69 percent of those breaches were detectable via log evidence. What this signals is that companies either don’t maintain the logs needed to identify unusual system behavior or they do and they just fail to take advantage of them.
Either way, it’s clear that there is a gap between awareness and meaningful use, and companies may suffer the consequences. Why don’t more organizations take advantage of log analysis as a data security tool? Too expensive? Not enough resources? Too tedious to perform regular audits? All of these are common answers, but perhaps the most important factor is a general lack of understanding among key decision makers about the value of log maintenance and analysis. For that audience, we offer the following facts to consider:
The downsides of maintaining logs are far outweighed by the benefits gained. As mentioned, there are reasons why organizations fail to keep adequate logs: expense, resources, and so on. However, logs of any kind can be useful in security analysis, and they are invaluable for reconstructing the events of an intrusion. In some cases, logs are kept, but not to the extent or for the length of time necessary to be useful. While there are legal limits on how long logs should be kept, legal counsel can help you determine what is appropriate.
Maintaining logs is an important step in regulatory and standards compliance. Many companies housing sensitive data must comply with state and federal laws or industry standards that require log maintenance. For example, the HIPAA Security Rules require covered entities to regularly review information system activity through records such as audit logs, access reports and security incident tracking reports. The PCI DSS requirements also call for review procedures for investigating possible credit card fraud or other security issues, and tracking and monitoring access to network and cardholder data.
Logs won’t tell you directly that you’ve had a breach, but unusual or abnormal occurrences within the log activity will. If you know what to look for, data logs are your guide to detecting abnormal server activity. For instance, malware attacks might appear as unusual communications or traffic in places you would not normally expect, as the malware “calls home” at scheduled intervals. In its 2010 report, Verizon explains the importance of looking for major “tip-offs” – that is, abnormalities in log entries that could reveal an intrusion or unauthorized use of data.
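As an added illustration (not from the article), the following Python script applies the “calls home at scheduled intervals” tip-off to constructed firewall log lines, flagging host pairs whose outbound connections recur at suspiciously regular intervals; the log format and field names are assumptions for the example.

```python
import re
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log lines (not from the article): one host
# contacting an outside address every 300 seconds, others browsing normally.
SAMPLE_LOG = """\
2011-06-01T09:00:00 src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2011-06-01T09:01:12 src=10.0.0.8 dst=198.51.100.3 dport=80 action=allow
2011-06-01T09:05:00 src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2011-06-01T09:07:45 src=10.0.0.8 dst=198.51.100.9 dport=443 action=allow
2011-06-01T09:10:00 src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2011-06-01T09:15:00 src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
2011-06-01T09:16:30 src=10.0.0.8 dst=198.51.100.3 dport=80 action=allow
2011-06-01T09:20:00 src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)")

def parse(log_text):
    """Return {(src, dst): [timestamps]} from the assumed log format."""
    flows = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.fromisoformat(m.group(1))
        flows.setdefault((m.group(2), m.group(3)), []).append(ts)
    return flows

def find_beacons(log_text, min_events=4, max_jitter=0.1):
    """Flag (src, dst) pairs whose connection intervals are suspiciously regular.
    max_jitter is the allowed coefficient of variation (std dev / mean) of the
    inter-arrival times; normal browsing is bursty, scheduled call-homes are not.
    """
    hits = []
    for pair, times in parse(log_text).items():
        if len(times) < min_events:
            continue  # too few events to judge regularity
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((pair[0], pair[1], round(avg)))
    return hits

if __name__ == "__main__":
    for src, dst, period in find_beacons(SAMPLE_LOG):
        print(f"tip-off: {src} -> {dst} every ~{period}s")
```

A hit is only a lead for an analyst to review, not proof of compromise; the thresholds should be tuned against the organization's own baseline traffic.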
Inadequate or nonexistent logging may contribute to the need to notify in the event of an intrusion. Kroll’s forensics experts have seen several cases where an intrusion occurred, but the lack of log evidence made it impossible to determine whether the intruder was able to access sensitive PII.
Infrequently, an organization is forced to make a decision to notify based upon circumstantial evidence and a desire to protect its constituents – a decision that might have been different had the proper log records been available. In cases like these, log analysis reveals more than just clues about a security incident; it can also provide vital information for breach response.
In summary, it might be wise for companies to think of log maintenance and analysis as they do their corporate finances. You would never think of not logging your company expenses, lest you become the subject of an IRS audit. Why should data be any different?
Author: Alan Brill, Senior Managing Director at Kroll.