OWASP Logging Project

1
OWASP Logging Project

• Presentation by Marc Chisinevski

2
Objectives of this presentation

• Explain the goals of the OWASP Logging Project
• Discuss how to integrate application logs into a
  Security Information Management system (SIM).
• Live demo 1.
• Discuss SIM common issues and present a
  multidimensional solution prototype.
• Live demo 2.

3
Goals of the OWASP Logging Project

• 1) Provide tools for software developers in
  order to help them define and provide meaningful
  logs.
• 2) Provide code audit tools to ensure that log
  messages are consistent and complete (content,
  format, timestamps).
• 3) Integrating application logs into a
• Security Information Management configuration.
• 4) Facilitate attack reconstruction.
• 5) Facilitate information sharing around
  security events.

4
1) Provide tools for software developers in order
to help them define and provide meaningful logs

• IDE integration
• auto-completion
• templates
• logging policy definition support.

5
IDE (Integrated Development Environment)
Templates can provide checks/hints/defaults.Examp
les defined by the OWASP Enterprise Security
API- hashed value of the session ID, identity
of the user that caused the event, description
of the event (supplied by the caller)- whether
the event succeeded or failed (indicated by the
caller), severity level of the event (indicated
by the caller)- that this is a security relevant
event (indicated by the caller)- hostname or IP
where the event occurred (and ideally the user's
source IP as well), a time stamp
6
2) Provide code audit tools to ensure that log
messages are consistent and complete

• Code audit tools s.a. OWASP yasca can be easily
  adapted in order to ensure that
• - logging standards are respected
• - and log messages are consistent and complete
  (content, format, timestamps).

7
3) Integrating application logs into a Security
Information Management configuration

• OSSIM (http//www.ossim.net/)
• has numerous plugins for parsing
• webserver, appserver, WAF, IPS, IDS logs
• and generating/storing events in its standard
  format.

8

• Adding a plugin for parsing custom application
  logs is as easy as finding the correct regular
  expression provided that
• developers included all relevant information in
  the log message
• and that they have done so in a consistent way.

9
Current problems

• Difficult to obtain relevant views of
  consolidated data
• Examples
• Alarms concerning Client1 in December
• Alarms in Datacenter1 in January
• Difficult to calculate indicators
• Example
• Annual Loss Expectancy for Asset1

10
Current problems

• Difficult to compare with historical data
• Performance issues

11
Live Demo 1 - Ossim

• A  click and play  virtual appliance containing
  
• a full OSSIM installation is provided

12
OSSIM executive dashboard
13
Current day details from the previous Executive
Dashboard very technical information, clearly
not useful for CFO/CEOs, with all due respect
14
Functional benefits of a multidimensional
solution

• Presenting risk assessments and safeguard
  cost-effectiveness scenarios to CFO/CEO
• Different views Client, Asset, Data Center, Time
• Indicators Loss Expectancy, Risk

15
Functional benefits of the multidimensional
solution

• Aggregation levels are clearly defined
• Raw data Event, Server
• Consolidated data Alarm, Asset, Client, Data
  Center, Time, Geography

16
Technical benefits of the multidimensional
solution

• Reporting queries no longer run on the production
  SIM database
• Drill-down, roll-up, slice without writing SQL
• Integrate data from different sources

17
Live Demo 2 - Multidimensional solution

• Essbase example

18
Essbase outlines
19
Essbase outlines
20
Demo data feed
21
Asset view

• Data Center view

22
Client view
23
Questions
24
Acknowledgments

• OSSIM team
• Wojtek Janeczek, friend and multidimensional DB
  expert

25
Thank you!