S 2.499 Planning the logging procedures

Initiation responsibility: IT Security Officer, Head of IT

Implementation responsibility: Administrator, Head of IT

Security-relevant events are logged on many IT systems within an information system, generating large amounts of logged data. This data contains important information that helps in determining and locating hardware and software problems, as well as resource bottlenecks. Furthermore, logged data is also used to detect security problems and attacks early on and so increase the level of information security. In order to be able to log securely, an appropriate amount of planning must be conducted in advance. For example, a logging concept should be drawn up, and it should be clarified whether logging is to be performed locally or in a centralised manner. Moreover, administration, application, early warning, and retention of evidence must be specified.

Logging concept

A logging concept defines how, where, and what is to be logged for which protection requirements. This also includes the decision as to whether local or centralised logging is to be implemented and what happens to the logged events. The logging concept is described in detail in S 2.500 Logging IT systems.

Positioning of the centralised logging server within the network

The position of the centralised logging server must be thoroughly thought through, since the server must be available from all IT systems on the one hand, but must not allow for any unauthorised access from untrustworthy networks on the other hand. An example of this is a perimeter router upstream of the security gateway (firewall) which is directly connected to the internet and whose logged data is also to be managed in a centralised manner.

For positioning, it is important that no additional vulnerabilities are created, e.g. the option of bypassing security components. Logging servers should be positioned in a separate logging and administration network, in particular in the event of increased protection requirements of the logged data. For this, every IT system to be logged must have a separate connection to the logging and administration network, e.g. a dedicated network card. In this case, the logged data should only be transmitted over the dedicated network (network separation, out-of-band).

Secure transmission when using a centralised logging server

If the logged data is transmitted from the individual IT systems to the centralised logging server, particular care must be taken to ensure its integrity and confidentiality (see also S 5.171 Secure communication with a centralised logging server). Logged data should be protected against unauthorised access (reading, changing, deleting), for example by means of encryption.

Mechanisms that increase the integrity of the information during transmission are also conceivable. An example of this is transmission within a separate LAN (network separation, out-of-band) over which no other information is transmitted and which is not reachable from insecure networks.

Administration

Logged data is not only used for error finding and monitoring purposes, but also for controls, e.g. within the framework of an audit or a computer-forensic analysis. In order to maintain the validity of the logged information, it must be protected against being changed by negligent or deliberate acts. Therefore, only authorised persons should have access to this information.

A trustworthy administrator (see S 3.10 Selection of a trustworthy administrator and his substitute) must be selected for system administration. This is particularly relevant in the event of high protection requirements of the logged data, because it may contain personal data.

It is recommended to also monitor the activities performed by the administrators, particularly in the event of increased protection requirements. Since personal data is used during logging in most cases, it should be ensured that the collection of local and centralised logged data meets the data protection requirements. The data must only be captured for data protection control, for data backup, and in order to ensure proper operation in accordance with data protection guidelines (see S 2.110 Data protection guidelines for logging procedures). The logging procedure and the criteria for log analysis must be documented within the framework of an application register.

Operation

The purpose of the logged data within an information system must already be decided on during the planning phase. Data from all data sources required for the defined purpose must be captured. For example, the logged data of the following IT systems plays a role regarding the monitoring of an information system, amongst other things:

In order to comprehensively monitor the information system, the logged data of these systems can be collected at a central location.

Early warning

Logged data collected in a centralised manner is well suited to complementing an early-warning system. It is important to supply the data continuously, preferably in real time, and to analyse it regularly. For this, the logged data must be aggregated and correlated.

Aggregation means summarising log messages with redundant content; redundant information is summarised into one entry. Correlation means linking different logged data with each other. Attacks on the information system can often only be detected by combining different logged data, because attackers try to erase their traces. If logged data from different sources is compared, the chance increases that the attacker was not able to remove all entries that could expose him/her. The data can only be linked and summarised at a central location where the different information merges.

In order to allow for reasonable analysis and early warning building upon the aforementioned, aggregation and correlation must be used to determine when the integrity of the logged data is no longer guaranteed. Additionally, an anomaly component should be integrated into the early-warning system triggering an alarm if the monitored information system deviates from the normal state (see also S 6.151 Alarm concepts for the logging function).
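The following added example (not part of the original catalogue text) illustrates the two steps just described on constructed sample log lines: aggregation collapses repeated firewall messages into one entry with a count, and correlation compares the firewall's view of SSH connections with the target host's own authentication log, so that a connection the firewall saw but the host never recorded stands out as a gap in log integrity that warrants investigation. The log formats, hostnames and addresses are assumptions chosen for the example.

```python
import re
from collections import Counter

# Constructed sample logs (not from the original page).
# Assumed format: "<timestamp> <source> <message>".
FIREWALL_LOG = """\
2024-05-01T10:00:01 fw ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=22
2024-05-01T10:00:02 fw ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=22
2024-05-01T10:00:03 fw ACCEPT src=10.0.0.5 dst=10.0.1.20 dport=22
2024-05-01T10:05:00 fw ACCEPT src=10.0.0.9 dst=10.0.1.20 dport=22
"""
# Assumed: srv1 is the host with address 10.0.1.20; its sshd log lacks any
# entry for the 10.0.0.9 connection the firewall let through.
HOST_AUTH_LOG = """\
2024-05-01T10:00:02 srv1 sshd: Accepted publickey for admin from 10.0.0.5
"""

FW_RE = re.compile(r"ACCEPT src=(\S+) dst=\S+ dport=22")
AUTH_RE = re.compile(r"sshd: (?:Accepted|Failed) \S+ for \S+ from (\S+)")


def aggregate(log):
    """Aggregation: messages that differ only in timestamp become one entry
    with a count, so repeated events do not flood the analyst."""
    counts = Counter()
    for line in log.splitlines():
        _timestamp, _source, message = line.split(" ", 2)
        counts[message] += 1
    return dict(counts)


def correlate_ssh(fw_log, auth_log):
    """Correlation: every SSH connection the firewall accepted towards the host
    should leave a trace (accepted or failed login) in the host's own log.
    Source addresses seen by the firewall but missing on the host indicate
    entries that were lost, never written or deleted; return them sorted."""
    fw_sources = {m.group(1) for m in map(FW_RE.search, fw_log.splitlines()) if m}
    host_sources = {m.group(1) for m in map(AUTH_RE.search, auth_log.splitlines()) if m}
    return sorted(fw_sources - host_sources)


if __name__ == "__main__":
    for message, count in aggregate(FIREWALL_LOG).items():
        print(f"{count}x {message}")
    print("firewall saw SSH from, host has no record of:", correlate_ssh(FIREWALL_LOG, HOST_AUTH_LOG))
```

Such a check only works at the central location where both sources are available, which is the point the text makes about linking data centrally.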

Retention of evidence

Logged data can be used in an information system in order to investigate security incidents (computer forensics). In this case, the logged information is used for the retention of evidence. Within the framework of these investigations, the log files are used to try to reconstruct a security incident that has already occurred and to determine the damage sustained.

Review questions: