One thing that every developer and IT professional can agree on is the incredible value that log files provide when performing root cause analysis or other post-incident reviews. This holds true for identifying all types of application vulnerabilities, including those involving security and compliance shortfalls.
To identify the source of any problem, data and context are absolute necessities. In this case, the data are often log events. Log files often consist of thousands of entries, with each entry representing an individual event that has occurred within a system. Each event contains critical information about the action that was taken. A human being can only learn so much by simply scanning hundreds or thousands of log events in a text editor. Through log analysis (often with the assistance of log analysis software), log data can be contextualized to provide useful insights that can be leveraged to assist in identifying and resolving issues involving system security.
One way in which log analysis can prove useful for improving system security is in its ability to help development teams identify alarming patterns, such as repeated failed login attempts or repeated requests to a web application from geographic locations in which nobody should have access. When an incident occurs, the quick discovery of these trends can prove critical for closing the gap in system security before significant damage is done.
Modern applications are often highly distributed, making it more difficult than ever to look at a log file and determine the path taken by a particular request. With modern log analysis tooling, organizations can enable their development teams to trace specific requests and quickly identify the root cause of an issue within their system, including requests in which information was accessed in an unauthorized manner. Headers that carry a request identifier across services, together with full-featured search tooling, help immensely in tracing events across one or more systems.
Log analysis tools like LogDNA allow organizations to centralize their logs from across their entire infrastructure. In addition, they provide more advanced search and query capabilities than you’ll find in a simple text editor. This makes it straightforward for development teams to find problematic entries across the logs of every instance of their application. These issues include events that indicate severe security deficiencies, such as successful cross-site scripting attempts or SQL injection attacks, with the potential to lead to data breaches or malicious takeovers of user accounts.
While system security is always important to maintain from a logical and moral standpoint, it is also critical that devops organizations maintain compliance with the standards set for the protection and usage of personal data. In some cases, this is impossible to do without logging.
For example, let’s consider the case of HIPAA compliance. Applications must be HIPAA compliant if they manage or utilize electronic protected health information (ePHI). Such an application could, for instance, let the employees of a dental practice access patient information. HIPAA dictates, in section § 164.312(b), that the organization must have audit controls in place to “record and examine activities in information systems that contain or use” electronic protected health information, and it also requires that these logs be “regularly reviewed” (section § 164.308(a)(1)(ii)(D)).
In other words, actions taken within these types of applications must be logged, and the logs should be regularly analyzed to help identify activity that is suspicious or simply out of the ordinary. Such activity may include multiple failed login attempts (indicating an effort to gain unauthorized access via another’s user account), instances of an employee accessing their user account at peculiar times, and much more.
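The two patterns the text calls out, a burst of failed logins and record access at peculiar hours, can be checked mechanically once the audit log is parsed. The following is an added example, not LogDNA’s code or any product feature; it assumes a constructed one-line-per-event log format, a threshold of three failures within five minutes, and 07:00–19:00 UTC as the practice’s working hours, all of which are placeholders a real deployment would tune.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample audit-log lines (not taken from any real system).
SAMPLE_LOGS = """\
2024-03-04T09:02:11Z user=dr.lee  ip=10.0.0.5  action=login result=ok
2024-03-04T09:05:40Z user=jsmith  ip=10.0.0.9  action=login result=fail
2024-03-04T09:05:52Z user=jsmith  ip=10.0.0.9  action=login result=fail
2024-03-04T09:06:03Z user=jsmith  ip=10.0.0.9  action=login result=fail
2024-03-04T02:14:30Z user=dr.lee  ip=10.0.0.5  action=view_record result=ok
2024-03-04T14:20:00Z user=amy     ip=10.0.0.7  action=view_record result=ok
"""

# Assumed key=value layout; a real audit log would need its own pattern.
LINE_RE = re.compile(
    r"(?P<ts>\S+)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)\s+"
    r"action=(?P<action>\S+)\s+result=(?P<result>\S+)"
)

def parse(text):
    """Turn raw lines into dicts with a real datetime so we can window them."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events

def failed_login_bursts(events, threshold=3, window_s=300):
    """Users with >= threshold failed logins inside any window_s-second span."""
    fails = defaultdict(list)
    for ev in events:
        if ev["action"] == "login" and ev["result"] == "fail":
            fails[ev["user"]].append(ev["ts"])
    flagged = set()
    for user, times in fails.items():
        times.sort()  # sliding window over chronologically ordered failures
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                flagged.add(user)
                break
    return flagged

def off_hours_access(events, start_h=7, end_h=19):
    """Successful record access outside working hours (timestamps assumed UTC)."""
    return [(ev["user"], ev["ts"].isoformat()) for ev in events
            if ev["action"] == "view_record" and ev["result"] == "ok"
            and not (start_h <= ev["ts"].hour < end_h)]
```

Both checks return the offending users rather than printing, so the same functions can feed an alerting rule or a scheduled review report.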
By securely logging application activity and efficiently analyzing these logs, an organization can ensure that their application remains in compliance with HIPAA requirements while putting themselves in the best possible position to remediate any misuse of ePHI data in a time-efficient manner.
Many standards not only require event and audit logging to be put in place, but also that these logs be retained for a specified amount of time. HIPAA, for instance, states that documentation recording actions and activities be retained for six years (section § 164.316(b)(2)(i)). And audit logs serve to document actions taken by users and the systems themselves.
For applications that accept, process, store, or transmit credit card data, PCI DSS standards dictate that an audit trail history must be available for one year (requirement 10.7).
Log entries provide an audit trail, and maintaining this audit trail for the time specified by applicable standards is critical to remaining prepared for a potential audit. These entries are also important when conducting reviews of security-related incidents that were not immediately identified by the organization. Log entries, like all other pieces of valuable incident data, help to remove the guesswork from the remediation process, ensuring that the fix thoroughly and permanently addresses the issue.
LogDNA offers plans for different needs; both our Oak and HIPAA plans retain 30 days of searchable log data. For longer retention, LogDNA provides an archiving service that automatically exports older logs to your preferred cloud storage service. In addition, LogDNA recommends requesting a Business Associate Agreement (BAA) from your preferred cloud storage provider and securing your storage bucket before enabling archives.
Cloud-based log management solutions like LogDNA can drastically simplify the process of managing logs in a manner that is consistent with the various standards that are relevant to many of the applications being developed today.
As mentioned above, frameworks such as HIPAA and PCI DSS require regular analysis and review of various log data to ensure that the personal data being processed and stored by these applications is being adequately protected and appropriately utilized.
Cloud-based log management platforms improve this process through log centralization, alerting, and enhanced log search capabilities that provide devops organizations with all the tools they need to identify and remediate security-related issues in a time-efficient manner.
It’s important to note that the log data itself should be stored and accessed in a secure manner. With LogDNA, logs are encrypted when they are stored, and granular access to these logs can be restricted using role-based access controls (RBAC).
For instance, when reviewing access or event logs for a specific application, it’s likely that particular IT folks only require access to certain logs and that their access should be restricted to read-only. LogDNA helps restrict user access to only the appropriate levels by following the principle of least privilege.
Overall, a log management system can help you identify the gaps in your application’s security and help you ensure compliance with various requirements out there. Whether you’re looking to improve your security, get or maintain compliance, or otherwise audit your stack, logs are crucial to getting you where you want to be.