Managing and Maintaining Logging Security in Gaming Environments
July 23, 2012
One of the criteria for security in Gaming is the logging and monitoring/management of log files that record every event that happens on critical software, operating systems, servers or system files, and the network. While logs can be used for troubleshooting network and system errors and issues, security logs -- and the management of those logs -- give Gaming operators valuable insight into the security of their devices, help them identify and investigate security events, and can be used to identify gaps in the company's overall security strategy (encompassing technologies and processes).
What should you log? In short, log anything that accesses your critical data or that your compliance requirements call for, including but not limited to:
- Operating System Logs - such as changes to operating systems, patching, event logs, access to OS level files, account changes and login success/failure.
- Application and Software Logs - You should be logging all software that runs on the system, including anti-malware, start-up/shut-down, client requests and server responses, granted/failed access attempts, usage information, application errors and system failures.
- Network System Logs – such as routers, switches and wireless controllers/access points.
- Security Software or System logs - such as firewalls, IPS, FIM (File Integrity Monitoring), AV/AM logs, remote access systems, proxy servers, authentication servers, DNS servers, patching servers. Logs should include all access (success and failure), system changes and requests.
- Access logs – This should include information that identifies who (or what) accessed the systems, when the access took place, for how long, and what action took place, such as changing of files, update and patching of systems and requests.
What you want to log and monitor should be guided by:
- All compliance requirements for your organization
- Corporate policies and processes that at a minimum dictate:
  - Identification of systems and applications to log
  - Criteria for what to log
  - Log protection mandates
  - Online and offline storage
  - Log access controls and technologies
  - Log analysis and review requirements
- Corporate Security Strategy
  - Logging requirements and goals
  - Logging and logging support technologies
  - Outsourced management and/or analysis
  - Personnel and training, and support staff roles and responsibilities
Challenges to Log Management
- What to log – Prior to logging, it is essential that Casino Security and IT management determine what is essential to log. Logging everything may be necessary on certain critical systems, while other systems or software may require only some security and system log types to be saved. Your security strategy, policies and compliance requirements will help you determine this. It is also essential that system clocks, and therefore log time stamps, are synchronized across the organization, particularly where systems span multiple time zones. Without this, events from different systems cannot be lined up reliably, and the time it takes to identify and react to a security event increases.
- Size of logs – Log sizes can quickly become unwieldy, and a strategy should be formulated for offline storage along with policies that dictate how long log files will be available. PCI DSS, for instance, requires one year of offline storage and 90 days of online (readily accessible) storage. Plan for log servers with the capacity to store this volume and to retrieve it when needed.
- Log Protection – All compliance mandates and good security practices require that logs be protected from manipulation and overwriting, and protected via encryption. Not only do attackers frequently try to cover their tracks by editing or deleting log files, but log files may inadvertently contain sensitive user information (e.g., userid, password, social security number, credit card number). Protecting logs from accidental overwrites, and retaining the capacity to keep logging (and to access logs) even during peak times, requires a good architecture design.
- Log Analysis and Staffing – Security log analysis requires that the staff understand different log formats, are able to thoroughly analyze log entries and are able to distinguish false positives from real events. Analysis should include the ability to associate and correlate events across the different systems. Additionally, log analysis is a very time-consuming undertaking and, depending on your compliance requirements, corporate policies and security strategy, may require one or more dedicated staff members. Most Casino security analysts will require automated tools, experience with manual searches and an understanding of the logs and roles of the different systems on the network. Understanding the log events, and what they mean, requires experience and training.
- Technologies – There are many ways to store and analyze logs, from simple syslog servers to SIEM technologies or managed services, and any of these may be the right route for your organization. While syslog servers are a good and inexpensive starting point, they can become unwieldy and unmanageable quickly and may not meet your compliance and corporate security requirements. So take the time to really review your options, from in-house SIEM to outsourced monitoring, to determine the best fit for your Casino. If you are looking for more information on selecting a SIEM, check out the FishNet Blog "SIEM Selection Guidance."
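The log-protection point above (detecting edits, deletions and overwrites) as an added example, not code from the original post: a keyed hash chain over stored records, using a constructed key and constructed sample records. Each record's tag covers the previous tag and the line, so editing, reordering or removing a record breaks every tag after it; the final tag must be recorded out-of-band (e.g. on the collector) for truncation of the newest records to be detectable, which the example shows.

```python
import hmac, hashlib

# Constructed key: in a real design it is held by the log collector, not the logging host.
CHAIN_KEY = b"constructed-demo-key"
GENESIS = b"\x00" * 32

def seal_log(lines, key=CHAIN_KEY):
    """Return (line, hex tag) records with tag[i] = HMAC(key, tag[i-1] || line[i])."""
    prev, sealed = GENESIS, []
    for line in lines:
        tag = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        sealed.append((line, tag.hex()))
        prev = tag
    return sealed

def verify_log(sealed, key=CHAIN_KEY, head=None):
    """Return None if the chain is intact, else the index of the first bad record.
    `head` is the newest tag as recorded out-of-band; without it, silently
    dropping the newest records cannot be detected."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(sealed):
        expected = hmac.new(key, prev + line.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    if head is not None and not hmac.compare_digest(prev, bytes.fromhex(head)):
        return len(sealed)  # records are missing after the last one present
    return None

# Constructed sample records.
RECORDS = [
    "2012-07-23T17:02:10Z slot-mgmt01 sshd: Failed password for svc_audit",
    "2012-07-23T17:03:30Z slot-mgmt01 sshd: Accepted password for svc_audit",
    "2012-07-23T17:04:02Z slot-mgmt01 yum: Updated: openssl",
    "2012-07-23T17:05:00Z slot-mgmt01 sshd: session closed for user svc_audit",
]

def tamper_cases():
    """Exercise an edited record, a removed record and a truncated tail."""
    sealed = seal_log(RECORDS)
    head = sealed[-1][1]                      # what the collector would keep
    edited = list(sealed)
    edited[1] = (edited[1][0].replace("Accepted", "Failed"), edited[1][1])
    removed = sealed[:2] + sealed[3:]
    truncated = sealed[:-1]
    return {"intact": verify_log(sealed, head=head),            # None
            "edited": verify_log(edited),                       # 1
            "removed": verify_log(removed),                     # 2
            "truncated": verify_log(truncated),                 # None: not detected
            "truncated_with_head": verify_log(truncated, head=head)}  # 3
```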
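Added example (not from the original post) for the time-synchronization and cross-system correlation points above: constructed log lines from hosts in three time zones are normalized to UTC, then correlated to flag an account with repeated failures on several systems followed by an accepted login. Host names, account names, addresses and the 3-failures-in-5-minutes threshold are all constructed.

```python
from datetime import datetime, timedelta, timezone
import re

# Constructed sample lines: RFC 3339 timestamps carrying each host's local offset.
SAMPLE_LOGS = """\
2012-07-23T10:02:10-07:00 slot-mgmt01 sshd: Failed password for svc_audit from 10.10.5.7
2012-07-23T13:02:40-04:00 cage-db01 sshd: Failed password for svc_audit from 10.10.5.7
2012-07-23T17:03:05+00:00 fw-core01 vpn: Failed login for svc_audit from 10.10.5.7
2012-07-23T10:03:30-07:00 slot-mgmt01 sshd: Accepted password for svc_audit from 10.10.5.7
2012-07-23T09:00:00-07:00 slot-mgmt01 sshd: Accepted password for operator from 10.10.1.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\S+): "
    r"(?P<outcome>Failed|Accepted) (?:password|login) for (?P<user>\S+) from (?P<src>\S+)$"
)

def parse_events(text):
    """Parse login events and convert every timestamp to UTC so that
    events from different time zones sort and compare correctly."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other record types are skipped, not guessed at
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"]).astimezone(timezone.utc)
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect_failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Flag an accepted login preceded, within `window`, by at least
    `threshold` failures for the same account on any host."""
    alerts = []
    for ev in events:
        if ev["outcome"] != "Accepted":
            continue
        failures = [e for e in events
                    if e["user"] == ev["user"] and e["outcome"] == "Failed"
                    and ev["ts"] - window <= e["ts"] < ev["ts"]]
        if len(failures) >= threshold:
            alerts.append((ev["user"], ev["ts"].isoformat(),
                           sorted({e["host"] for e in failures})))
    return alerts

if __name__ == "__main__":
    for user, when, hosts in detect_failures_then_success(parse_events(SAMPLE_LOGS)):
        print("ALERT %s accepted at %s after failures on %s" % (user, when, ", ".join(hosts)))
```

Without the UTC normalization the three failures appear hours apart and the window never fills, which is the practical cost of unsynchronized time stamps.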