Opinion: Making the case for an audit standard

DOD example shows importance of cooperation

March 14, 2006 12:00 PM ET

Editor’s note: As NIST gathers this spring to ponder a common event-logging format, the pressure on vendors to hew to at least basic common event-logging and audit structures makes itself plain throughout the industry. Mary Ann Davidson, chief security officer at Oracle Corp., shares her thoughts on what’s at stake.

When it comes to IT security, it often seems that vendors would rather build and sell a point solution to customers -- solving just one problem in a proprietary way -- than play nicely with other vendors to improve the security landscape for all. This is painfully apparent in the area of event logging and auditing (or eventing).

There’s an old maxim, “For want of a nail, the shoe was lost; for want of a shoe, the horse was lost,” culminating in “… the kingdom was lost.” The lack of common event logging and auditing requirements -- and a common format for that data when collected -- may well result in our collective network kingdoms being indefensible. Furthermore, a kingdom that can’t be defended can indeed be lost.

Nowhere is the need for a common requirement more apparent than in the U.S. Department of Defense. The DOD’s Global Information Grid (GIG) program seeks to connect physically separate networks (for classified, unclassified and war-fighter information) so that selected intelligence information can flow in real time to a combatant accessing information wirelessly in a battle zone.

However, removing the physical barriers to network connectedness heightens the risk profile for the collective DOD network. The network itself becomes the battlefield, since the DOD’s entire war-fighting capability is based on an IT backbone. Just as combatants need “situational awareness” on the physical battlefield – Where are my forces? Where are the enemy’s forces? – they will need situational awareness for the IT backbone on which their capabilities depend. Opposing forces might not be able to muster superiority of arms, but they’re likely to find it worthwhile to attack the network, thereby disrupting the DOD’s ability to wage war.

The DOD’s prospects for situational awareness of that IT backbone are severely hampered by the fact that the off-the-shelf software on which much of its systems depend – commercial operating systems, routers, firewalls, databases, directories and applications – often has little or no auditing. Moreover, what auditing data exists is not expressed in a common format. While third-party software can parse and redact multiple log file formats, consolidate them and “connect the dots” to show related activity, its job would be markedly simpler if at least some core data were both collected and expressed in the same way across products. (And of course, if no data exists, these products cannot correlate data at all.) The value these vendors add is largely not in their ability to perform the network security equivalent of translating Coptic, Koine Greek and Hebrew into English, but in being able to correlate information, which is a data warehousing problem. Translation in that situation is just the cost of correlation.
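As an added illustration of the parse-then-correlate workflow described above (example code written for this page, not Oracle’s, NIST’s or any log-management vendor’s), the Python below takes three constructed, deliberately dissimilar log formats, translates each into one common event schema, and only then correlates by source address. The formats, field names, sample values and the assumed year are all invented for the example; a line from a product whose log carries no usable audit fields is included to show the “no data” case.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines in three invented formats (not real product output).
SAMPLE_LOGS = [
    ("fw",  "2006-03-14 11:58:02 DENY src=10.1.2.3 dst=10.9.9.9 dport=1521 proto=tcp"),
    ("db",  "Mar 14 11:58:05 dbhost audit: user=SCOTT action=LOGON_FAILED client=10.1.2.3"),
    ("dir", "1142337487|LDAP|BIND_FAIL|uid=jsmith|ip=10.1.2.3"),
    ("db",  "Mar 14 11:59:40 dbhost audit: user=SCOTT action=LOGON client=10.1.2.3"),
    ("fw",  "2006-03-14 12:30:00 ALLOW src=10.7.7.7 dst=10.9.9.9 dport=443 proto=tcp"),
    ("app", "request handled ok"),  # product with no audit fields worth the name
]

ASSUMED_YEAR = 2006  # the syslog-style stamp omits the year; assumed for the sample

FW_RE = re.compile(r"^(\S+ \S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+) proto=(\S+)$")
DB_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) audit: user=(\S+) action=(\S+) client=(\S+)$")


def parse_fw(line):
    """Firewall-style line -> common event dict, or None if it does not match."""
    m = FW_RE.match(line)
    if not m:
        return None
    ts, verdict, src, _dst, _dport, _proto = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "product": "firewall",
            "src": src, "user": None, "action": "connect",
            "outcome": "success" if verdict == "ALLOW" else "failure"}


def parse_db(line):
    """Database-audit-style line -> common event dict."""
    m = DB_RE.match(line)
    if not m:
        return None
    ts, _host, user, action, client = m.groups()
    return {"ts": datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S"),
            "product": "database", "src": client, "user": user, "action": action,
            "outcome": "failure" if action.endswith("_FAILED") else "success"}


def parse_dir(line):
    """Pipe-delimited directory line with an epoch timestamp -> common event dict."""
    parts = line.split("|")
    if len(parts) != 5 or not parts[0].isdigit():
        return None
    epoch, _service, action, uid, ip = parts
    return {"ts": datetime.fromtimestamp(int(epoch), timezone.utc).replace(tzinfo=None),
            "product": "directory", "src": ip.split("=", 1)[1],
            "user": uid.split("=", 1)[1], "action": action,
            "outcome": "failure" if action.endswith("_FAIL") else "success"}


PARSERS = {"fw": parse_fw, "db": parse_db, "dir": parse_dir}


def normalize_all(tagged_lines):
    """Translate every line into the common schema; lines with no parser or that
    do not match are returned separately, since nothing can be correlated from them."""
    events, unparsed = [], []
    for source, line in tagged_lines:
        parser = PARSERS.get(source)
        event = parser(line) if parser else None
        if event is None:
            unparsed.append((source, line))
        else:
            events.append(event)
    return events, unparsed


def correlate(events, window=timedelta(minutes=5)):
    """Report each source address whose activity within `window` of its first
    event touches two or more products and includes at least two failures.
    This is short precisely because every event now carries the same fields."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = evs[0]["ts"]
        in_window = [e for e in evs if e["ts"] - start <= window]
        products = {e["product"] for e in in_window}
        failures = sum(e["outcome"] == "failure" for e in in_window)
        if len(products) >= 2 and failures >= 2:
            findings[src] = {"products": sorted(products),
                             "failures": failures, "events": len(in_window)}
    return findings


if __name__ == "__main__":
    evs, skipped = normalize_all(SAMPLE_LOGS)
    print(f"normalized {len(evs)} events, {len(skipped)} unusable line(s): {skipped}")
    for src, f in correlate(evs).items():
        print(f"{src}: {f['failures']} failures across {f['products']} in {f['events']} events")
```

Most of the code is translators, one per format; the correlation step that actually produces a finding is a dozen lines and knows nothing about any product, which is the division of labour the column is pointing at. The unmatched “app” line never reaches `correlate` at all.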
