Event Log Management Options for Sarbanes-Oxley Compliance

Sweeping US privacy and corporate governance regulation has given rise to two compliance facts of life with which IT departments are going to have to live:

• Many organizations will have more than one compliance requirement, and

“SOX in a Box” offerings simply cannot address the variety of needs in the log management market. With the wide range of factors in the compliance equation, a “one size fits all” approach is unwise for organizations seeking compliance.
• Legislation guidelines and industry practices will change.

Compliance is defined as being in accordance with authoritative requirements. That creates a duty to be up-to-date on guidelines, processes, and practices. Because each network configuration and its applicable regulations is different, a true state of compliance is up to the auditors and compliance professionals working in any given scenario. However, common requirements among those affected by regulatory compliance include:

• Only authorized user/systems can access and modify specific information they require,

• The privacy and integrity of the information and systems must be maintained and assured,

• Audit records are maintained and indisputable, and

• Operational best practices are in place and improved.

And, though regulations may differ in name or substance, common and best practices among “compliant” IT infrastructures include:

• Event collection and retention,

• Activity review and assessment,

• Data integrity and chain-of-custody,

• Audit reduction tool use,

• Investigation and forensic analysis, and

• Reporting of forensic data to appropriate personnel.

HIPAA and the Sarbanes-Oxley Act represent, by far, the biggest regulatory compliance concerns for today’s IT departments. There is a great deal of overlap in terms of both requirements and best practices between these two and even other lesser known regulatory acts. For our purposes here, we’re going to explore Sarbanes-Oxley specifically, but keep in mind that much of what is true for Sarbanes-Oxley is true in other compliance scenarios as well.

Log Files Hold All the Clues

Inside attackers may be able to elude perimeter and layered defenses because their transactions smack of legitimacy, but they do leave data fingerprints behind. Virtually every application, system, and device in the enterprise network produces logging information for every action. Called the event log or simply “events” in the Microsoft Windows based network infrastructure, this data was originally used as a way to troubleshoot and audit system operation. But, log data is also irrefutable evidence of anyone’s activity – authorized or unauthorized – if the data is collected and retained appropriately.

SOX in a Box and Pre-Configured Log Management: A False Sense of Security

Systems-based solutions help ensure consistency in both processes and controls. These tools enable organizations to prove control on the basis of rules-based workflow, forcing everyone to use the same process in the same automated form. These tools also capture data automatically, providing comprehensive audit trails and reports. Proving control can be much more difficult when using a manual process, because it is difficult to prove the process is always followed.

While the event log entries are the same for everyone, the type of data collected and reported will vary among users based on the industry, network infrastructure, security needs, and compliance goals. Therefore, system-based solutions, pre-configured software, or “SOX in a Box” offerings simply cannot address the variety of needs in the log management market. With the wide range of factors in the compliance equation, a “one size fits all” approach is unwise for organizations seeking compliance.

True, the appeal of such a solution on the surface is great, and it is often too tempting for IT departments to avoid. In reality, such an approach leads to either simply delaying the burden of true compliance until caught by the auditors or caught by a security breach. Until that time, such a “one size fits all” product provides only a false sense of security.

As one analyst with the Burton Group stated in a recent SC Magazine article (October, 2005) on compliance and SIM, “There is no such thing as buying a ‘SOX in a Box’ and, like magic, you’re compliant.”

In addition to that false sense of security are the technical consequences of such an approach. Many of these products lock end users into a proprietary database for storage needs or serve as a gateway product to larger financial commitments in training, support, maintenance, hardware, or storage needs. As with an investment in any type of proprietary system, your compliance is directly tied to the life of the technology, company, and price providing it.

One specific point to consider is the increasing availability of proprietary databases – often marketed simply as an integrated “back end” – for event log management products. Convenience in setup is the primary selling point of these packages. But, when years’ worth of log files must be ready to be called upon, the first 90 days of an implementation is not the focus – availability and usability of the data in 5-7 years is. Vendors know this, and that recurring revenue is integral to their business models. Log data held captive in proprietary storage is years’ worth of nearly guaranteed revenue.

In order to avoid long-term problems associated with quick fix “one size fits all” or “SOX in a Box” products, the most effective software solution for addressing regulatory compliance must be flexible and configurable to allow users to meet individual and unique requirements. This also ensures the scalability and survivability of compliance and compliance strategy.