1 / 25

OWASP Logging Project

OWASP Logging Project. Presentation by Marc Chisinevski. Objectives of this presentation. Explain the goals of the OWASP Logging Project Discuss how to integrate application logs into a Security Information Management system (SIM). Live demo 1.

luann
Download Presentation

OWASP Logging Project

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. OWASP Logging Project Presentation by Marc Chisinevski

  2. Objectives of this presentation • Explain the goals of the OWASP Logging Project • Discuss how to integrate application logs into a Security Information Management system (SIM). Live demo 1. • Discuss SIM common issues and present a multidimensional solution prototype. Live demo 2.

  3. Goals of the OWASP Logging Project 1) Provide tools for software developers in order to help them define and provide meaningful logs. 2) Provide code audit tools to ensure that log messages are consistent and complete (content, format, timestamps). 3) Integrating application logs into a Security Information Management configuration. 4) Facilitate attack reconstruction. 5) Facilitate information sharing around security events.

  4. 1) Provide tools for software developers in order to help them define and provide meaningful logs IDE integration: • auto-completion • templates • logging policy definition support.

  5. IDE (Integrated Development Environment) Templates can provide checks/hints/defaults.Examples defined by the OWASP Enterprise Security API:- hashed value of the session ID, identity of the user that caused the event, description of the event (supplied by the caller)- whether the event succeeded or failed (indicated by the caller), severity level of the event (indicated by the caller)- that this is a security relevant event (indicated by the caller)- hostname or IP where the event occurred (and ideally the user's source IP as well), a time stamp

  6. 2) Provide code audit tools to ensure that log messages are consistent and complete Code audit tools s.a. OWASP yasca can be easily adapted in order to ensure that: - logging standards are respected - and log messages are consistent and complete (content, format, timestamps).

  7. 3) Integrating application logs into a Security Information Management configuration OSSIM (http://www.ossim.net/) has numerous plugins for parsing: webserver, appserver, WAF, IPS, IDS logs and generating/storing events in its standard format.

  8. Adding a plugin for parsing custom application logs is as easy as finding the correct regular expression providedthat: • developersincluded all relevant information in the log message • and thatthey have doneso in a consistent way.

  9. Current problems • Difficult to obtain relevant views of consolidated data Examples: Alarms concerning Client1 in December Alarms in Datacenter1 in January • Difficult to calculate indicators Example: Annual Loss Expectancy for Asset1

  10. Current problems • Difficult to compare with historical data • Performance issues

  11. Live Demo 1 - Ossim A « click and play » virtual appliance containing a full OSSIM installation is provided

  12. OSSIM executive dashboard

  13. Currentdaydetailsfrom the previousExecutive Dashboard: verytechnical information, clearly not useful for CFO/CEOs, with all due respect

  14. Functional benefits of a multidimensional solution • Presenting risk assessments and safeguard cost-effectiveness scenarios to CFO/CEO • Different views: Client, Asset, Data Center, Time • Indicators: Loss Expectancy, Risk …

  15. Functional benefits of the multidimensional solution Aggregation levels are clearly defined: • Raw data: Event, Server • Consolidated data: Alarm, Asset, Client, Data Center, Time, Geography

  16. Technical benefits of the multidimensional solution • Reporting queries no longer run on the production SIM database • Drill-down, roll-up, slice without writing SQL • Integrate data from different sources

  17. Live Demo 2 - Multidimensional solution Essbase example

  18. Essbase outlines

  19. Essbase outlines

  20. Demo data feed

  21. Assetview Data Center view

  22. Client view

  23. Questions

  24. Acknowledgments • OSSIM team • Wojtek Janeczek, friend and multidimensional DB expert

  25. Thank you!

More Related