    • Here is a reminder of what you will be covering: e-discovery; troubleshooting the health of your database; database audit activities; user activity tracking via proxy logs.
    • http://www.enterprisestorageforum.com/continuity/features... "About to Change in e-Discovery Game", November 7, 2006, by Jennifer Schiff:
    New federal rules will take effect next month requiring corporations to produce documents in legal cases or face stiff penalties, raising yet another regulatory compliance issue for IT departments. On December 1, several amendments to the Federal Rules of Civil Procedure regarding a company's duty to preserve and produce electronically stored information (ESI) in the face of litigation, or pending litigation, are scheduled to take effect. The rules (specifically Civil Rules 16, 26, 33, 34 and 37) have already been adopted in some states, like New Jersey, and other states, including Texas and California, have already implemented some of the new rules.
    As with most new compliance rules, there is some confusion and hand-wringing on the part of enterprises as to what the amendments really mean. In this case, the big question companies are asking of their attorneys, IT people, vendors and compliance officers is: Do the new rules mean we have to drastically alter the way we preserve, retrieve and produce electronic data? The answer to that question: It depends. It depends on what practices, procedures and technology you already have in place (if any), and how susceptible your enterprise is to a lawsuit. If your company has clearly stated, consistent, across-the-board policies and procedures in place on ESI preservation and production in the event of litigation, you may be protected. If your company doesn't, you could be vulnerable to crippling sanctions and fines. Not sure where you stand? Keep reading.
    First, Save All the E-mails [...]
    Size Doesn't Matter. Many companies that don't make close to $1 billion may be reading this and thinking that the new Federal Rules of Civil Procedure don't apply to them. But they would be wrong. Even small companies are susceptible, though the likelihood of them spending tens or hundreds of thousands of dollars to prevent potential sanctions or fines is small. [...]
    Is Any of This Good News for Enterprises? For enterprises that do act in good faith, there is a 'safe harbor' provision, Civil Rule 37, 'that protects a party from sanctions for failing to provide electronically stored information lost because of the routine operation of the party's computer system.' While that is definitely good news, it is not a 'Get out of Jail Free' card, says Whetstone. 'In other words, it will not work for lawyers or companies to continue to delete or overwrite consistent with their standard document retention or management policy after the duty to preserve arises,' he says. 'If you have a 30-day recycling policy in place with respect to e-mail, when the duty to preserve arises, or when you're served with a complaint and you have to lock down data, you can't hide behind Rule 37 and say, oh, the data was lost in good faith because the system kept overwriting data for the next 30 days and someone forgot to turn that off. That's not going to work very well.'
    The bottom line: 'It's hard to say that these types of things are great, because they require organizations to change a little bit, but it's just about standard operating procedures and policies and then buying the technology to support them, as opposed to forcing companies to go down a specific path and buy specific things,' says Babineau. 'There's enough guidance, but it's not specific enough to be a burden.' Mike Kinnaman, vice president of marketing at Attenex, agrees. 'The good news about these amendments is they're taking the best practices that already exist and making them more widespread,' he says. 'It really comes down to understanding where all the data is and then the bigger piece is using a document retention policy. If you do those two things, then the courts are going to look upon you favorably.'
    • Make an example here: discovery for wrongful termination; what systems did the employee access? What web sites?
    • Why use them? Security; efficiency and control; compliance; user activity audit and monitoring.
    • More details on LogBlog (Tip #12): http://blog.loglogic.com/2007/08/anton_logging_tip_of_the_day_12_proxy_log_fun_proxy_log_analysis_for_possible_information_leakage_de
    Following the new tradition of posting a tip of the week (mentioned here, here; SANS jumped in as well), I decided to follow along and join the initiative. One of the bloggers called it 'pay it forward' to the community.
    So, Anton Logging Tip of the Day #12: Proxy Log Fun - Proxy Log Analysis for Possible Information Leakage Detection
    You probably know that web proxies (such as Squid, Blue Coat SG and others) produce a lot of detailed logs that record all web traffic flowing through the proxy, as well as the pass/block decisions made by the proxy's content filters and possibly embedded anti-malware tools. Proxy logs can be used for a whole range of things, from routine monitoring for Acceptable Use Policy (AUP) compliance to malware detection, as well as possibly looking for the security scourge of 2007 - web browser attacks by malicious or compromised web servers.
    Specifically, in this tip we will learn how proxy logs can be used for detection of file uploads and other outbound information transfers via the web. First, think about what the legitimate uses of file upload functionality are in your environment. For example, if using web-based mail services is allowed, then sending an attachment will include an upload. What else? The rest will be considered at least suspicious...
    In addition to file uploads, some malicious or commonly unauthorized applications will use similar methods to steal or transfer data, and that will be reflected in proxy logs. Looking for HTTP methods (such as POST) and content-type in combination with either a known suspicious URL or user-agent (i.e. web client type) can often reveal spyware infections actively collecting data. Admittedly, well-written spyware can certainly fake the user-agent field, so it is clearly not reliable, but it is still useful to add to our query.
    So, here are some of the criteria we will use to look for information uploads in Squid and Blue Coat SG proxy logs:
    HTTP method (logged as 'cs-method' by Blue Coat) = POST (as opposed to the usual GET, used to retrieve web content).
    For information uploads: content type (logged as 'RS(content-type)' by Blue Coat) = pretty much anything but 'html/text' (which is the type used for uploading web form contents) - especially try content types 'application/octet-stream', 'application/msword', 'application/powerpoint', 'application/vnd.ms-excel', 'application/pdf' and a few others to look for common file uploads.
    For spyware and application data transfers: user-agent set to anything but the common ones (i.e. not Mozilla, iTunes, LiveUpdate, etc) or even to 'unknown.' One can also try user-agent containing your favorite messaging app (e.g. 'MSN Messenger', etc) and see which such applications are in use.
    (If you feel adventurous, other interesting content-types to try are 'application/x-javascript' and 'text/javascript'.)
    Here are the examples found in proxy logs using the above query, including some 'classics' (while the spyware specimens are a bit dated, this method of detecting them via logs is still relevant and useful):
    1124376766.026 RELEASE -1 FFFFFFFF 4734C557F9315105CA6BE0FA56B94D55 200 1124276674 -1 -1 unknown -1/0 POST http://reports.hotbar.com/reports/hotbar/4.0/HbRpt.dll
    1124392388.975 RELEASE -1 FFFFFFFF 810FFBF233584C330353CF0A8C31F5D2 503 -1 -1 -1 unknown -1/813 POST http://log.cc.cometsystems.com/dss/cc.2_0_0.report_u
    2007-05-19 03:55:12 160 10.1.1.3 - - - OBSERVED 'Spyware/Malware Sources;Spyware Effects;Web Advertisements' - 200 TCP_NC_MISS POST text/html;%20charset=utf-8 http bis.180solutions.com 80 /versionconfig.aspx ?did=5342&ver=1.0 aspx - 10.1.1.2 273 175 - - none - -
    2007-05-21 03:10:40 4 10.1.1.3 Joanna- authentication_redirect_to_virtual_host PROXIED 'Search Engines/Portals' - 307 TCP_AUTH_REDIRECT POST - http storage.msn.com 80 /storageservice/schematizedstore.asmx - asmx 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; MSN Messenger 7.5.0324)' 10.1.1.2 791 2566 - - none - -
    2007-05-22 21:35:09 215 10.1.2.237 200 TCP_NC_MISS 217 8122 POST http kenobi.example.com /exchange/john.smith/Drafts1/RE:%2520CustomerList.xls-2.EML - - DIRECT kenobi.example.com - 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)' PROXIED none - 10.1.170.42 SG-HTTP-Service - none -
    The first three are traces of spyware (one was even identified by a Blue Coat content filter as 'Spyware/Malware'), the fourth is MSN Messenger-based activity, while the fifth is emailing the Excel file via web mail.
    Here are some other signs that will make the above log entries extra-suspicious:
    A dead giveaway: the upload happens to a 'known bad' URL (e.g. one containing 'gator' and others above).
    The upload happens to an unresolved IP address (do a 'whois' on it!).
    The upload happens to a port not equal to 80 (i.e. the URL contains a port, such as http://10.1.10.10:31337).
    The upload has a confidential file name in the log entry (e.g. somebody dumb emailing a sensitive file to himself - as discussed here).
    Overall, this log analysis method is good for casting a broad net to catch not just spyware-infected systems, but also unauthorized applications (e.g. method=POST and user-agent=iTunes), instant messaging (e.g. method=POST and then by user-agent, content or URL), simple forms of data theft and document handling policy violations (emailing files to self via web mail: method=POST and a sensitive file name present in the entry; also content-type set to popular Office file types), as well as other abuses of web access.
    As a result, proxy logs provide an extremely rich AND readily available source of data about threats that users face! To top it off, one promising direction of future research is using web proxy logs to detect client-side exploits by malicious web servers (more on this in the near future!).
    • Common db theft method
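As an added example (not code from the slides or from the blog tip above), here is a small Python checker that applies the proxy-log criteria from Tip #12 to constructed log lines: POST method, Office/binary content types, an uncommon or 'unknown' user-agent, a bare-IP destination, a port other than 80, and a sensitive file name in the URL. The field layout, the sample entries and the sensitive-keyword list are all assumptions made for the example, not any vendor's default format.

```python
import shlex
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed field layout (hypothetical, not a vendor default):
# date time c-ip cs-method cs-uri sc-status rs(content-type) "cs(user-agent)"
FIELDS = ["date", "time", "c_ip", "method", "url", "status", "ctype", "ua"]
UPLOAD_TYPES = {"application/octet-stream", "application/msword",
                "application/powerpoint", "application/vnd.ms-excel",
                "application/pdf"}
COMMON_UA = ("Mozilla", "iTunes", "LiveUpdate")          # clients we expect to see
SENSITIVE = ("customerlist", "salary", "confidential")   # constructed keyword list

def parse(line):
    """Split one log line into a dict; shlex keeps the quoted user-agent whole."""
    return dict(zip(FIELDS, shlex.split(line)))

def reasons(rec):
    """Criteria from the tip that a POST matches; an empty list means nothing flagged."""
    if rec["method"] != "POST":
        return []
    hits, u = [], urlsplit(rec["url"])
    if rec["ctype"] in UPLOAD_TYPES:
        hits.append("upload content-type")
    if rec["ua"] == "unknown" or not rec["ua"].startswith(COMMON_UA):
        hits.append("uncommon user-agent")
    try:
        ip_address(u.hostname)              # raises unless the host is a literal IP
        hits.append("destination is a bare IP")
    except ValueError:
        pass
    if u.port not in (None, 80):
        hits.append("non-standard port %d" % u.port)
    if any(k in u.path.lower() for k in SENSITIVE):
        hits.append("sensitive file name in URL")
    return hits

def analyze(lines):
    """Return (client, url, reasons) for each POST that matched at least one criterion."""
    out = []
    for line in filter(str.strip, lines):
        rec = parse(line)
        if hits := reasons(rec):
            out.append((rec["c_ip"], rec["url"], hits))
    return out

# Constructed sample entries modeled on the ones in the tip (not real traffic)
SAMPLE_LOG = """
2007-05-22 21:35:09 10.1.2.237 POST http://webmail.example.com/exchange/Drafts/CustomerList.xls 200 application/vnd.ms-excel "Mozilla/4.0 (compatible; MSIE 6.0)"
2007-05-19 03:55:12 10.1.1.3 POST http://10.1.10.10:31337/report.dll 200 text/html unknown
"""
```

Running analyze(SAMPLE_LOG.splitlines()) reports the first entry for its Office content type and file name, and the second for the unknown client, bare-IP destination and port 31337; a POST that matches none of the criteria is not reported at all.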
    Log Management For e-Discovery, Database Monitoring and Other Unusual Uses

    From anton_chuvakin, 1 month ago