[logs] Re: on database logging

From: Fenwick, Wynn (wynn.fenwick@private)
Date: Thu Mar 22 2007 - 06:12:36 PST


I think that your statement is true for most commercial organizations
whose drivers are related to finances and regulatory issues.
Unfortunately, security risk management activities seem to take a back
seat to this. It seems this is The Way, for the objectives of each camp
are less instersecting than I would like on seeing some of the results
of a recent SAS-70 Type II audit.

The root seems that few are practicing business-level risk management on
IT assets and safeguards because the risks are difficult to quantify and
express in dollar units as they do in the physical realm. 

The policies ask for it but the control objectives beat-around-the-bush.
Quantifying probabilities and loss expectancies from IT security risk in
dollars actually requires monitoring in the first place. Add a certain
amount of eye-of-newt and ear-of-bat, and you could come up with an ALE
that might point out that some increased vigilance, increased precision
of monitoring could result in lower operational cost (from the risk
component). If the risk component is not too large, risk acceptance and
monitoring of the risk level is an equally good practice. 

My issue is that most organizations accept unquantifiable risk without
even attempting to measure it. This is not good risk management. Others
many have sized the potential $risk by eyeball, and are afraid to
actually put the $numbers to slide decks because of the $safeguards
required to demonstrate $effective risk management.

Government departments in Canada are working toward compliance of a
different sort. Communications Security Establishment has laid out
control objectives in "a series of Baseline Security Requirements" that
are prescribed by Canadian Government Security Policy. These control
objectives are prescriptive, if unrealistic, for zones of the network.
ie: "Continuous" monitoring is prescribed for most network zones. A
database often resides in a zone that requires continuous monitoring.

The next step is to define what are the attributes of a effective
monitoring system. What is the point of an exception monitoring and
handling system if it does not generate and handle exceptions? We often
talk of monitoring but that's only part of the process. Business types
are too literal. Why monitor without identifying exceptions, determining
if they are sufficient risk to contain and if necessary eradicate? 

Too often management are afraid of extra unscoped costs that a
investigating the exceptions a monitoring system will inevitably
generate. Estimate a reasonable budget we IT security gurus should say
"we can start with $x in monitoring and response, and we will measure
how much risk we would not manage". 

For databases specifically, the reports that the control objectives that
are inducing are fundamentally misaligned with many web application
designs that drive today's business. Few web applications map the
application-layer user instance back to the database-layer user
instance. However, many current control objectives assume that is true.
That's just one instance of the misalignment.

Many other objectives are oversimplified and rules-based so the rest of
the world can put complex systems into simple little tick-boxes. As an
omnibus safeguard, they actually get in the way of practical risk
management. IT systems often do not fit into simple little boxes and
that is part of the problem. We build cloverleafs at dirt-road
intersections to avoid teaching people about the 4-way stop.

Wynn Fenwick, 
Chief Techincal Architect, 
CGI Managed Security Services

-----Original Message-----
From: loganalysis-bounces+wynn.fenwick=cgi.com@private
[mailto:loganalysis-bounces+wynn.fenwick=cgi.com@private] On
Behalf Of Marcus J. Ranum
Sent: Wednesday, March 21, 2007 2:25 PM
To: Anton Chuvakin; LogAnalysis@private
Subject: [logs] Re: on database logging

Anton Chuvakin wrote:
>Ouch, how about security? I guess we are dealing with some case of 
>mental inertia here

All the current trend toward legislating compliance has accomplished is
setting the bar very low, and encouraging companies to look only at
meeting that standard. I've had senior IT managers tell me "We are going
to do the exact minimum, wherever possible."

In log analysis terms, that means that the logs to to a big bucket which
is periodically dumped into the compost heap. Nobody'll look in the
bucket until someone passes legislation requiring people to LOOK at it.
And, of course, when that happens, they'll do the exact minimum, &c...


LogAnalysis mailing list
LogAnalysis mailing list

This archive was generated by hypermail 2.1.3 : Thu Mar 22 2007 - 09:14:20 PST