20 February 2009

Security Logging Requirements

In How Much Logging, Monitoring and Alerting? I suggested logging implementations are often incorrect for most web sites and web applications.

The logging should be defined in terms of its intended use. We're talking here specifically about information security, so what might the uses and logging be?

  1. To confirm data and process integrity and availability:
    • completeness and consistency
    • response times
    • function/process abandonment
    • session timeout
    • up-time
    • data changes
    • data mirroring, back-ups and archiving
  2. To identify and provide enough information for investigation of:
    • errors and unexpected conditions
      • code errors
      • database access and performance
      • web server errors
      • third party services
      • lack of storage space
    • data breaches
    • use and mis-use
      • authentication successes and failures
      • access (authorisation) failures
      • excessive use
      • data validation failures
      • fraud and other criminal activities
      • suspicious, unacceptable or unexpected behaviour
    • modifications to configuration
    • security reports from users and third parties
  3. To provide data:
    • subject access requests
    • freedom of information requests
    • litigation document requests
    • police and other regulatory investigations
  4. To monitor content changes:
    • database fields
    • file contents
    • generated web page content
  5. To demonstrate compliance:
    • internal policies and standards (e.g. information security policy, quality standards)
    • contractual obligations (e.g. PCI DSS)
    • change control
    • use of others' intellectual property
    • legislation (e.g. Data Protection Act)
    • regulation (e.g. Financial Services Authority)
    • external standards (e.g. Web Content Accessibility Guidelines [WCAG] 2.0 conformance claim)
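As an added illustration (not code from the original post), the following Python sketch shows what a security event record carrying "enough information for investigation" of the use and mis-use items above might contain: who, from where, which resource, what outcome, and a request identifier for correlating with web-server and application logs. The category names, field names and redaction rules are assumptions chosen for this example.

```python
"""Structured security event records (added example, not from the original post).

Each record carries the fields an investigator needs to reconstruct who did
what, from where, to which resource, with what outcome. Field and category
names are assumptions for this example, not a standard the post prescribes.
"""
import json
import re
from datetime import datetime, timezone

# Event categories drawn from the post's list of uses (constructed identifiers).
AUTHN_SUCCESS = "authn.success"
AUTHN_FAILURE = "authn.failure"
AUTHZ_FAILURE = "authz.failure"
VALIDATION_FAILURE = "input.validation_failure"
CONFIG_CHANGE = "config.change"
EXCESSIVE_USE = "usage.excessive"

# Default severities so downstream alerting can filter without parsing messages.
_DEFAULT_SEVERITY = {
    AUTHN_SUCCESS: "info",
    AUTHN_FAILURE: "warning",
    AUTHZ_FAILURE: "warning",
    VALIDATION_FAILURE: "warning",
    CONFIG_CHANGE: "notice",
    EXCESSIVE_USE: "warning",
}

# Keys whose values must never reach the log (the log must not itself become a
# data breach); card-number-like digit runs are also masked in any string field.
_SENSITIVE_KEYS = {"password", "new_password", "card_number", "cvv", "session_token"}
_PAN_RE = re.compile(r"\b\d{13,19}\b")


def _scrub(value):
    """Recursively redact sensitive keys and mask card-number-like digit runs."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k in _SENSITIVE_KEYS else _scrub(v))
                for k, v in value.items()}
    if isinstance(value, list):
        return [_scrub(v) for v in value]
    if isinstance(value, str):
        # Keep the last four digits, as a PCI DSS style receipt would.
        return _PAN_RE.sub(lambda m: "*" * (len(m.group()) - 4) + m.group()[-4:], value)
    return value


def security_event(category, outcome, *, user=None, session=None, source_ip=None,
                   request_id=None, resource=None, severity=None, details=None, now=None):
    """Build one event record as a dict; `now` is injectable for tests."""
    if category not in _DEFAULT_SEVERITY:
        raise ValueError(f"unknown event category: {category}")
    ts = now or datetime.now(timezone.utc)
    return {
        "time": ts.isoformat(timespec="milliseconds"),  # UTC, so central correlation works
        "category": category,
        "outcome": outcome,                 # "success" or "failure"
        "severity": severity or _DEFAULT_SEVERITY[category],
        "user": user,                       # an identifier, never credentials
        "session": session,
        "source_ip": source_ip,
        "request_id": request_id,           # correlates with web-server and app logs
        "resource": resource,
        "details": _scrub(details or {}),
    }


def to_log_line(event):
    """Serialise as a single JSON line, the form a central log collector ingests."""
    return json.dumps(event, sort_keys=True, separators=(",", ":"))


if __name__ == "__main__":
    # Constructed sample: a failed login whose details include a secret that must not be logged.
    ev = security_event(AUTHN_FAILURE, "failure", user="alice", source_ip="203.0.113.7",
                        request_id="req-0001", resource="/login",
                        details={"reason": "bad_password", "password": "hunter2"})
    print(to_log_line(ev))
```

The redaction step is the caveat a practitioner would want alongside this list: a log that captures request bodies to support investigations will also capture passwords and card numbers unless something strips them first, and then the log itself becomes a subject of the data breach and PCI DSS items above.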

It's important the logging is centralised so that alerts and reporting can be drawn from across all sources (web, application, file and database servers, network devices, etc). The scope and extent of logging ought to be determined by business needs and the threats. For a typical e-retail site, the payment, check-out and any registration facilities will require greater logging than other parts. In some cases it may be appropriate to set particular thresholds for additional logging (e.g. transactions above a certain value, requests from particular clients, users in some geographic locations). This is easier if the requirements can be built into projects at an early stage.

The logging then needs to be tied in with appropriate monitoring, alerting and reporting. If you want alerts raised automatically, you'll have to think of what conditions initiate these. Referring back to specifications, threat models and test cases can be of use with this.
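An added example, not part of the original post, of how the threshold-based logging scope of the previous paragraph and the alert conditions of this one might be expressed in code. The thresholds, watch lists, field names and sample events are constructed for illustration, and events are assumed to arrive time-ordered from the centralised store with a `time` field holding a timezone-aware datetime.

```python
"""Threshold-driven logging scope and alert conditions (added example, not the
post's own code). All thresholds, field names and sample events are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Policy for when to capture additional detail; values are assumptions for illustration.
HIGH_VALUE_TRANSACTION = 500.00            # transactions above this get full detail
WATCHED_CLIENTS = {"198.51.100.23"}        # particular clients of interest (constructed)
WATCHED_COUNTRIES = {"XX"}                 # geographic locations of interest (constructed)
SENSITIVE_PATHS = ("/checkout", "/payment", "/register")   # the e-retail hot spots


def logging_level(event):
    """Return 'standard' or 'detailed' for an event according to the policy above."""
    path = event.get("resource") or ""
    if path.startswith(SENSITIVE_PATHS):
        return "detailed"
    if event.get("amount", 0) > HIGH_VALUE_TRANSACTION:
        return "detailed"
    if event.get("source_ip") in WATCHED_CLIENTS or event.get("country") in WATCHED_COUNTRIES:
        return "detailed"
    return "standard"


class AlertEvaluator:
    """Evaluates alert conditions over a time-ordered stream of event dicts.

    The conditions are the kind the post says to derive from threat models and
    test cases: repeated authentication failures, excessive use, configuration changes.
    """

    def __init__(self, failure_limit=5, failure_window=timedelta(minutes=5),
                 request_limit=100, request_window=timedelta(minutes=1)):
        self.failure_limit = failure_limit
        self.failure_window = failure_window
        self.request_limit = request_limit
        self.request_window = request_window
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._requests = defaultdict(deque)   # source_ip -> timestamps of recent requests
        self.alerts = []

    @staticmethod
    def _trim(dq, now, window):
        """Drop timestamps that have fallen out of the sliding window."""
        while dq and now - dq[0] > window:
            dq.popleft()

    def observe(self, event):
        """Consume one event; return the alerts it triggered (also kept in self.alerts)."""
        now = event["time"]
        raised = []
        # Every request counts toward the excessive-use condition for its client.
        ip = event.get("source_ip")
        if ip:
            dq = self._requests[ip]
            dq.append(now)
            self._trim(dq, now, self.request_window)
            if len(dq) == self.request_limit:   # fires each time the count reaches the limit
                raised.append(("excessive_use", ip))
        if event["category"] == "authn.failure":
            dq = self._failures[event.get("user")]
            dq.append(now)
            self._trim(dq, now, self.failure_window)
            if len(dq) >= self.failure_limit:
                raised.append(("repeated_authn_failure", event.get("user")))
                dq.clear()   # one burst yields one alert rather than one per extra failure
        if event["category"] == "config.change":
            raised.append(("config_change", event.get("resource")))
        self.alerts.extend(raised)
        return raised


def sample_events():
    """Constructed events: a burst of failed logins, a high-value order, a config change."""
    t0 = datetime(2009, 2, 20, 8, 45, tzinfo=timezone.utc)
    events = [{"time": t0 + timedelta(seconds=10 * i), "category": "authn.failure",
               "user": "alice", "source_ip": "203.0.113.7", "resource": "/login"}
              for i in range(5)]
    events.append({"time": t0 + timedelta(minutes=1), "category": "order.placed", "user": "bob",
                   "source_ip": "203.0.113.9", "resource": "/checkout", "amount": 750.0,
                   "country": "GB"})
    events.append({"time": t0 + timedelta(minutes=2), "category": "config.change",
                   "user": "admin", "source_ip": "192.0.2.10", "resource": "/admin/settings"})
    return events


def run(events, evaluator=None):
    """Classify each event's logging scope and evaluate alert conditions over the stream."""
    evaluator = evaluator or AlertEvaluator()
    scopes = [logging_level(e) for e in events]
    for e in events:
        evaluator.observe(e)
    return scopes, evaluator.alerts


if __name__ == "__main__":
    scopes, alerts = run(sample_events())
    print(scopes)
    print(alerts)
```

Keeping the scope policy and the alert conditions as explicit, reviewable rules is what lets them be traced back to the specification, threat model or test case that motivated each one, which is easier to do when they are written down at project start than retro-fitted later.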

Posted on: 20 February 2009 at 08:45 hrs

Permalink: http://www.clerkendweller.com/2009/2/20/Security-Logging-Requirements

© 2009-2010 clerkendweller.com