Rafael Marty, whom I already know is a very smart guy, had the guts and insight to say what no one else wants to say about chain-of-evidence and court admissibility of log data. He points out that “unaltered” is a totally fictitious requirement for maintaining admissibility of log data as evidence. Go Raffy! He promises follow-on posts about the details of why he says so.
But meanwhile I’ll take my own stab at why. Basically, log data is recorded by computer programs. Often these programs call other programs to handle the actual log output – say syslog, or log4j – which themselves add timestamps, headers, etc. If a log management system of some type does further parsing on that output, then as long as the log management system is automated and its logic can be examined, the resulting output is really no less “unaltered” than syslog’s output, is it?
The real admissibility problem is if the court can’t be satisfied that the output hasn’t been intentionally altered to hide the truth, or if there’s uncertainty about how the output of a message actually ties to real activity. Any potential for crackers or malicious insiders to intercept messages in their path from original action, through various programs, across the network, via direct filesystem access, etc. is an issue. Any lack of transparency or change control on any of the programs involved in handling log processing is also a problem.
Matching some sort of signed hash on a final “unaltered” archive log record with a signed hash that can reasonably be believed to have been captured early in the process is one technique for removing some of this uncertainty – but it’s only one. And keeping “original” messages around without reasonable safeguards against unauthorized changes is basically just a waste of disk space.
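To make the “signed hash captured early, matched against the archive later” idea concrete, here is an added example that is not from the original post or from Raffy’s. It is a minimal hash-chained integrity seal: a collector computes a keyed tag over each record chained to the previous tag at capture time and keeps only the final anchor; later, whoever holds the archive recomputes the chain and compares. An HMAC key stands in for the signature key (a real deployment would sign the anchor with an asymmetric key held away from the log pipeline), the sample log lines are constructed, and the `normalize` step is a stand-in for whatever parsing a log management system does, kept verifiable by retaining the raw line. The names `seal`, `verify`, `normalize` and `COLLECTOR_KEY` are all assumptions of this example.

```python
import hashlib
import hmac

# Constructed sample records for illustration only; not from any real system.
SAMPLE_RECORDS = [
    "2024-01-01T00:00:01Z host1 sshd[101]: Accepted publickey for alice from 10.0.0.5",
    "2024-01-01T00:00:07Z host1 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/systemctl restart nginx",
    "2024-01-01T00:00:09Z host1 sshd[101]: pam_unix(sshd:session): session closed for user alice",
]

# Hypothetical key held by the collector. In practice this would be a signing key
# that the systems producing and relaying the logs never see.
COLLECTOR_KEY = b"example-collector-key-do-not-use"


def record_tag(key: bytes, prev_tag: bytes, record: str) -> bytes:
    """Keyed tag over (previous tag || record).

    Chaining each record to the previous tag binds both content and order,
    so an edit, a deletion or a reordering anywhere breaks the final anchor.
    """
    msg = prev_tag + b"\n" + record.encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def seal(records, key: bytes = COLLECTOR_KEY):
    """Run early, at capture time. Returns per-record tags and the final anchor (hex)."""
    prev = b""
    tags = []
    for record in records:
        prev = record_tag(key, prev, record)
        tags.append(prev.hex())
    anchor = prev.hex() if tags else ""
    return tags, anchor


def verify(records, anchor_hex: str, key: bytes = COLLECTOR_KEY) -> bool:
    """Run later on the archive. True only if the recomputed chain ends at the anchor."""
    _, recomputed = seal(records, key)
    # Constant-time comparison; avoids leaking how many leading hex digits matched.
    return hmac.compare_digest(recomputed, anchor_hex)


def normalize(record: str) -> dict:
    """Deterministic parsing step, as a log management system might apply.

    The raw line is retained so the parsed form remains checkable against the
    anchor captured upstream, which is what makes this processing "examinable".
    """
    ts, host, msg = record.split(" ", 2)
    return {"ts": ts, "host": host, "msg": msg, "raw": record}


def verify_parsed(parsed, anchor_hex: str, key: bytes = COLLECTOR_KEY) -> bool:
    """Verify a parsed archive by re-chaining the retained raw lines."""
    return verify([p["raw"] for p in parsed], anchor_hex, key)


if __name__ == "__main__":
    _, anchor = seal(SAMPLE_RECORDS)
    print("anchor:", anchor)
    print("archive intact:", verify(SAMPLE_RECORDS, anchor))
    altered = list(SAMPLE_RECORDS)
    altered[1] = altered[1].replace("restart", "stop")
    print("altered record detected:", not verify(altered, anchor))
    print("parsed archive intact:", verify_parsed([normalize(r) for r in SAMPLE_RECORDS], anchor))
```

The point of the chain is the one the paragraph makes: the anchor is only worth something if it was captured before the records passed through the parts of the path an attacker could reach, and if the key (or signature) used to produce it was not available to those same parts. Storing the raw messages next to the archive without such an anchor gives a reviewer nothing to compare against.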
(I’ll also repeat Raffy’s disclaimer about not being a lawyer, etc.)