Data breaches & log management: A lawyer's view

I stumbled upon an interesting article on the Reed Smith blog with the title “Log File Management & Retention Programs: Put the Systems in Place to Turn Static Logs into Active Real-Time Intelligence”. The author summarizes the reasons why (if I may add: correctly implemented) log management and retention is one of the things organisations should get right ASAP. He highlights –

In the event of a data breach, law enforcement, regulators, payment card auditors, clients and others will ask about your log file management and your alerting protocols. Don’t be caught unaware.

and goes on to provide a list of things to tackle. What intrigues me most is the fact that this is not your usual Information Security consultant or vendor advice but comes from a law firm. It is unlikely that this content carries a hidden agenda to sell SIEM, SEM or other gadgets. The most interesting bit is the 25-minute video linked at the bottom of the post, in which one of Reed Smith's lawyers talks about this topic in more detail. I expected to hear pipe dreams about what organisations are able to do and how log management should be done, but instead Amy Mushahwar provided very grounded insights and practical advice. Some of the points which stood out to me are –

She advises not to expect that you can log each and every source, but rather to focus on your high risk/high value assets and services.

Ensure that log management is clearly defined in policies and procedures.

Ensure those policies and procedures are harmonized across the organisation (“Having the appropriate policies can help keeping you out of hot water”). Deviating policies and procedures between business units or departments can be held against the organisation by investigators.

She recommends not only doing system-level logging but also focusing on application- and service-level log data. Having this level of log information helps to identify what happened at the application level and thus makes it possible to pinpoint precisely which customers/records have been compromised. This helps to limit the fallout in terms of breach response & notifications.

Be prepared for the situation when a breach occurs and Law Enforcement agencies (LEA), regulators, payment card auditors, etc. ask questions about your log management policies and procedures.

Do not assume you’re off the hook for services outsourced to a hosting provider. It is your job to proactively test whether the log management is at the level it should be, as the provider will abide by the strict word of the contract, i.e. unless you specifically defined the hosting provider's responsibilities in terms of log management at application or server level, they’ll claim not to be responsible. Even if it is defined in the contract, you’re probably better off testing it on a regular basis anyway (or having them do the test and provide the results).
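To illustrate the point about application-level logging above, here is an added example (not from the Reed Smith article or video) that scopes a breach from application audit events: given the compromised session and the incident window, it returns exactly which customer records were touched. The log format, field names and session IDs are constructed assumptions.

```python
import json
from datetime import datetime

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample of application-level audit events (JSON lines).
# Field names are assumptions for this example, not a standard schema.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:59:10Z","session":"s-100","action":"read","customer_id":"C-001"}
{"ts":"2024-03-01T09:05:00Z","session":"s-666","action":"read","customer_id":"C-002"}
{"ts":"2024-03-01T09:05:30Z","session":"s-666","action":"export","customer_id":"C-003"}
{"ts":"2024-03-01T09:06:00Z","session":"s-100","action":"read","customer_id":"C-004"}
{"ts":"2024-03-01T09:07:00Z","session":"s-666","act
{"ts":"2024-03-01T09:30:00Z","session":"s-666","action":"read","customer_id":"C-002"}
{"ts":"2024-03-01T10:30:00Z","session":"s-666","action":"read","customer_id":"C-005"}
"""

def scope_breach(log_text, sessions, start, end):
    """Return ({customer_id: [actions]}, unparseable_line_count) for the
    given sessions inside the window [start, end] (inclusive)."""
    lo, hi = datetime.strptime(start, TS_FMT), datetime.strptime(end, TS_FMT)
    affected, unparseable = {}, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            ts = datetime.strptime(ev["ts"], TS_FMT)
            session, action, cust = ev["session"], ev["action"], ev["customer_id"]
        except (ValueError, KeyError, TypeError):
            # A damaged record may hide an affected customer: count it so the
            # scope can be reported as a lower bound rather than a certainty.
            unparseable += 1
            continue
        if session in sessions and lo <= ts <= hi:
            affected.setdefault(cust, set()).add(action)
    return {c: sorted(a) for c, a in sorted(affected.items())}, unparseable

if __name__ == "__main__":
    records, bad = scope_breach(SAMPLE_LOG, {"s-666"},
                                "2024-03-01T09:00:00Z", "2024-03-01T10:00:00Z")
    print("affected customers:", records)
    print("unparseable lines:", bad)
```

With only system-level logs the same incident would show that a host was accessed, not which of the customers on it were read or exported, so the notification scope would have to cover all of them.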

She also covers a lot of material which is very basic (e.g. making sure your MSSP [or internal SOC] is not only contracted to monitor your logs during your 9-5 business hours), but all in all I found the video to be rather insightful and well worth the time.

Securitiy Options with a Focus on Event and Log Management (sic)