NIST: Digital Identity Requires Secure Audit Trail

Digital Identity is a hot topic and is applicable to a wide range of scenarios. Virtually any organization has some form of digital identity in order to authenticate its employees, and some organizations, like banks and governments, have been identity providers to millions of people for a while now. Two years ago, the US National Institute of Standards and Technology (NIST) published its Digital Identity Guidelines document which outlines the best practices and de-facto requirements for credential service providers. A Credential Service Provider is any component that provides digital identity means (tokens or credentials) to other people – be it internal users or the public at large.

We have previously addressed the use case for secure audit trail for Identity and Access Management (IAM), and as all CSPs are reliant on some sort of IAM. Now we want to focus on the specific recommendations of NIST:

The CSP SHALL maintain a record, including audit logs, of all steps taken to verify the identity of the applicant and SHALL record the types of identity evidence presented in the proofing process.

At the same time, NIST recommends that an audit log shouldn’t be simply a text file or a database table, but a data structure with integrity protections:

Because logs contain records of system and network security, they need to be protected from breaches of their confidentiality and integrity. [..] Logs that are secured improperly in storage or in transit might also be susceptible to intentional and unintentional alteration and destruction. This could cause a variety of impacts, including allowing malicious activities to go unnoticed and manipulating evidence to conceal the identity of a malicious party. For example, many rootkits are specifically designed to alter logs to remove any evidence of the rootkits’ installation or execution.

The NIST Guide to Computer Security Log Management was developed in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347. The publication seeks to assist organizations in understanding the need for sound computer security log management. It provides practical, real-world guidance on developing, implementing, and maintaining effective log management practices throughout an enterprise. The guidance in this publication covers several topics, including establishing log management infrastructures, and developing and performing robust log management processes throughout an organization. Organizations also may store and analyze certain logs to comply with General Data Protection Regulation (GDPR), Revised Payment Service Directive (PSD2), the Payment Card Industry Data Security Standard (PCI DSS), the Federal Information Security Management Act of 2002 (FISMA), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Sarbanes-Oxley Act of 2002 (SOX), the Gramm-Leach-Bliley Act (GLBA), California Consumer Privacy Act (CCPA)

In the Guide to Computer Security Log Management NIST states several recommendations to identifying, authenticating, and authorizing individuals to access organizational assets and systems, which can be addressed with LogSentinel’s product solutions.

regulations-logs-compliance-nist

NIST Recommendations and LogSentinel Audit Trail Solution Mapping

As per NIST recommendations, there are five main areas to cover when protecting information assets, which LogSentinel has also developed:

NIST Recommendation LogSentinel Functionality
Configure the log sources

System-level administrators need to configure log sources so that they capture the necessary information

in the desired format and locations

Log Generation

System-level administrators need to consider the likely effect of the log source configuration not only on the logging host, but also on other log management infrastructure components

LogSentinel can store securely any log types critical to your business. Our agent can collect any logs that you have.
Log Storage and Disposal

System-level administrators need to determine how each log source should store its data. (see NIST Examples of Logging Configuration Settings below)

LogSentinel stores logs securely on the blockchain – searchable for up to 12 months and archived for another up to 24 months, which is even longer than the NIST recommended settings for high impact systems. 
Log Security

Infrastructure and system-level administrators need to protect the integrity and availability of log data, and to protect its confidentiality as well.

The access to logs can be limited and protected by two-factor authentication.

Once created, the log file cannot be deleted, so even privileged users can’t tamper with the records.

All logs are being encrypted, including the archived records. This ensures that they won’t be exported in bulk. The encrypted search feature allows searching of logs into the encrypted environment.

Analyze Log Data Gaining an Understanding of Logs

The key to performing log analysis is understanding the typical activity associated with each system.

Once collected, logs are being stored in a structured format and visualised on the dashboard for better understanding of the events and processes
Prioritizing Log Entries

Organizations should consider assigning their own priorities to log entries based on a combination of factors, such as entry type, newness, log source, destination IP, time of day of ray of week, frequency of the entry

Log priorities are displayed on the dashboard. Rules can be configured for each log level and critical log levels can trigger alerts.
Comparing System-Level and Infrastructure-Level Analysis

System-level and Infrastructure-Level  administrators should usually perform their reviews and analysis using a variety of tools and techniques. They should be regularly sharing the highlights of reports with management, particularly the problems that were identified and corrected as a result of analysis efforts

LogSentinel allows adding such log entries to its centralised repository and makes them easy to access and analyse,co-relating between different logs.
Respond to Identified Events

Infrastructure and system-level administrators may identify events of significance, such as incidents and operational problems, that necessitate some type of response.

LogSentinel supports real-time alerting of security incidents, detected by the rules engine or the AI anomaly detection tool.The real time alert notifications allow shorter incident response periods.
Manage Long-Term Log Data Storage Log data archives

Administrators should be aware of the organization’s requirements and guidelines for log data storage, so that logs are retained for the required period of time.

LogSentinel keeps archives of log data for up to 24 months
Provide Other Operational Support Monitor logging status

The logging status of all log sources should be monitored to ensure that each source is enabled, configured properly, and functioning as expected.

Alerts can be configured based on the typical activity for a given log source. Additionally, LogSentinel’s intuitive dashboard allows aggregated log monitoring per user, day, hour, entity, etc. This can help your team detect if there are logging status changes
Monitor rotation

The log rotation and archival processes should be monitored to ensure that logs are archived and cleared correctly and that old logs are destroyed once they are no longer needed.

Log archival is performed automatically and TTL is set for the archives so that they can expire after the predefined period
Check for software upgrades

Check for upgrades and patches for logging software; acquire, test, and deploy the updates.

The LogSentinel Agent can report when new versions are available for download.
Ensure clock synchronization

Ensure that each system’s clock is synched to a common time source so that its timestamps will match those generated by other systems.

All logs are being timestamped upon ingestion not simply by properly synced NTP, but also cryptographically. Additionally, logs can have a custom timestamp field for the log generation time if it is not sent to LogSentinel immediately.
Document anomalies detected in log settings

Document anomalies detected in log settings, configurations, and processes. Such anomalies might indicate malicious activity, deviations from policy and procedures, and flaws in logging mechanisms. System-level administrators should report anomalies to infrastructure administrators.

LogSentinel’s advanced AI can detect anomaly activities in log settings and alert in time.Customers can reinforce that with a robust set of rules for detecting anomalies.
Perform Testing and Validation Create security events

Create security events on a representative sampling of systems through vulnerability scanning, penetration testing, or routine actions (e.g., logging onto a system remotely), and then ensure that the log data those activities should generate exists and is handled according to the organization’s policies and procedures.

The event logs of the mentioned security events – vulnerability scanning, penetration testing, or routine actions (e.g., logging onto a system remotely) – can be securely logged by LogSentinel and kept as evidence which can be used by security auditors.

The recommendations of NIST provide basic guidelines how to setup your event logs in terms of ensuring information security. 

Based on the above guidelines NIST has also developed an example of logging configuration settings. The systems being tracked are divided into three groups based on their impact:

  • Low impact systems
  • Moderate impact systems
  • High  impact systems

As you will see in the table below, LogSentinel’s functionalities provide an even higher level of security than the NIST recommended settings for high impact systems. 

NIST Examples of Logging Configuration Settings

Category Low impact systems Moderate impact systems High impact systems LogSentinel Coverage
How long to retain log data 1 to 2 weeks 1 to 3 months 3 to 12 months In terms of data retention, LogSentinel has flexible solutions, mainly focused on high impact systems. We can retain logs for up to 12 months, and archived for another 18-month period
How long to rotate logs Optional (if performed, at least every week or every 25 MB) Every 6 to 24 hours, or every 2 to 5 MB Every 15 to 60 minutes or every 0.5 to 1.0 MB LogSentinel does not rotate logs centrally as they are not stored in text files.. After a period of time, however, the operational logs are being archived.
If the organisation requires the system to transfer log data to the log management infrastructure, how frequently that should be done Every 3 to 24 hours Every 15 to 60 minutes At least every 5 minutes LogSentinel’s agent can be set up to listen to logs in real-time or in whatever time-span required by the business
How often log data needs to be analyzed locally (through automated or manual means) Every 1 to 7 days Every 12 to 24 hours At least 6 times a day LogSentinel’s automated reporting allows real-time overview on logs critical to the business. Logs can be filtered by systems for a better visibility
Whether log file integrity checking needs to be performed for rotated logs Optional Yes Yes LogSentinel ensures complete log integrity of all log types. The blockchain-inspired technology protects from log tampering. The log validation is being performed in every 30 minutes, reporting any log tampering attempts.
Whether rotated logs need to be encrypted Optional Optional Yes Our log storage is fully encrypted at rest. We also support client-side encryption and search in encrypted data.
Whether log data transfers to the log management infrastructure need to be encrypted or performed on a separate logging network Optional Yes, feasible Yes LogSentinel encrypts all logs in transit, we also support IPSec tunneling if needed.

To cover these recommendations, LogSentinel’s secure audit trail solution offers a flexible API and state-of-the-art integrity protection using, among other things, blockchain. Our solutions are focused on information security and data protection and ensure full compliance with various security standards such as NIST. The integration of LogSentinel is made easy and straightforward, using the mentioned RESTful API.

If you are interested to see how it works,test our DEMO environment  or try our solutions free.You can also request a demo from our team.