NIST Special Publication 800-92

Last updated June 17, 2024

NIST Special Publication 800-92, "Guide to Computer Security Log Management", establishes guidelines and recommendations for securing and managing sensitive log data. The publication was prepared by Karen Kent and Murugiah Souppaya of the National Institute of Science and Technology and published under the SP 800-Series;^[1] a repository of best practices for the InfoSec community. Log management is essential to ensuring that computer security records are stored in sufficient detail for an appropriate period of time.^[2]

Background

Effective security event logging and log analysis is a critical component of any comprehensive security program within an organization. It is used to monitor system, network and application activity. It serves as a deterrent for unauthorized activity, as well as provides a means to detect and analyze an attack in order to allow the organization to mitigate or prevent similar attacks in the future. However, security professionals have a significant challenge to determine what events must be logged, where and how long to retain those logs, and how to analyze the enormous amount of information that can be generated. A deficiency in any of these areas can cause an organization to miss signs of unauthorized activity, intrusion, and loss of data, which creates additional risk.^[3]

Scope

NIST SP 800-92 provides a high-level overview and guidance for the planning, development and implementation of an effective security log management strategy. The intended audience for this publication include the general information security (InfoSec) community involved in incident response, system/application/network administration and managers.^[2]

NIST SP 800-92 defines a log management infrastructure as having 4 major functions:^[4]

General - log parsing, event filtering and event aggregation;
Log Storage - rotation, archival, compression, reduction, normalization, integrity checking;
Log Analysis - event correlation, viewing and reporting;
Disposal - clearing;

NIST SP 800-92 address the following security log management challenges:

Log volume exceeding the rate of analysis;
Ensuring immutability during storage and transmission;
Inconsistent vendor log formats;
Importance of a consistent review schedule;
Retention issues involving purging, long-term storage, and cost;

NIST SP 800-92 makes the following recommendations for security log management:^[5]

Establish policies and procedures for log management;
Prioritize log management appropriately throughout the organization;
Create and maintain a log management infrastructure;
Provide proper support for all staff with log management responsibilities;
Establish standard log management operational processes;

Compliance

The following federal regulations require the proper handling and storage of sensitive log data:

HIPAA (Health Insurance Portability and Accountability Act of 1996). Requires the mandatory safeguard of personal health information.^[6]
SOX (Sarbanes-Oxley Act of 2002). Requires the mandatory record keeping of financial and IT log related data.^[7]
GLBA (Gramm-Leach-Bliley Act). Requires mandatory PII (Personal Identifiable Information) data protection.^[8]
PCI DSS (Payment Card Industry Data Security Standard). Requires the mandatory protection of consumer credit card information including storage and transmission.^[9]
FISMA (Federal Information Security Management Act of 2002). Stipulates federal requirements for managing government network systems and data. Log management guidelines include the generation, review, protection and retention of audit records, as well as the actions to be taken because of audit failure.^[4]

Related Research Articles

In cryptography, a key derivation function (KDF) is a cryptographic algorithm that derives one or more secret keys from a secret value such as a master key, a password, or a passphrase using a pseudorandom function. KDFs can be used to stretch keys into longer keys or to obtain keys of a required format, such as converting a group element that is the result of a Diffie–Hellman key exchange into a symmetric key for use with AES. Keyed cryptographic hash functions are popular examples of pseudorandom functions used for key derivation.

The Federal Information Security Management Act of 2002 is a United States federal law enacted in 2002 as Title III of the E-Government Act of 2002. The act recognized the importance of information security to the economic and national security interests of the United States. The act requires each federal agency to develop, document, and implement an agency-wide program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

Crimeware is a class of malware designed specifically to automate cybercrime.

Security event management (SEM), and the related SIM and SIEM, are computer security disciplines that use data inspection tools to centralize the storage and interpretation of logs or events generated by other software running on a network.

In computing, off-site data protection, or vaulting, is the strategy of sending critical data out of the main location as part of a disaster recovery plan. Data is usually transported off-site using removable storage media such as magnetic tape or optical storage. Data can also be sent electronically via a remote backup service, which is known as electronic vaulting or e-vaulting. Sending backups off-site ensures systems and servers can be reloaded with the latest data in the event of a disaster, accidental error, or system crash. Sending backups off-site also ensures that there is a copy of pertinent data that is not stored on-site.

Log management is the process for generating, transmitting, storing, accessing, and disposing of log data. A log data is composed of entries (records), and each entry contains information related to a specific event that occur within an organization’s computing assets, including physical and virtual platforms, networks, services, and cloud environments.

Information technology risk, IT risk, IT-related risk, or cyber risk is any risk relating to information technology. While information has long been appreciated as a valuable and important asset, the rise of the knowledge economy and the Digital Revolution has led to organizations becoming increasingly dependent on information, information processing and especially IT. Various events or incidents that compromise IT in some way can therefore cause adverse impacts on the organization's business processes or mission, ranging from inconsequential to catastrophic in scale.

Data erasure is a software-based method of data sanitization that aims to completely destroy all electronic data residing on a hard disk drive or other digital media by overwriting data onto all sectors of the device in an irreversible process. By overwriting the data on the storage device, the data is rendered irrecoverable.

In big organizations, shadow IT refers to information technology (IT) systems deployed by departments other than the central IT department, to bypass limitations and restrictions that have been imposed by central information systems. While it can promote innovation and productivity, shadow IT introduces security risks and compliance concerns, especially when such systems are not aligned with corporate governance.

TriGeo Network Security is a United States–based provider of security information and event management (SIEM) technology. The company helps mid market organizations proactively, protects networks and data from internal and external threats, with a SIEM appliance that provides real-time log management and automated network defense - from the perimeter to the endpoint.

LogLogic is a technology company that specializes in Security Management, Compliance Reporting, and IT Operations products. LogLogic developed the first appliance-based log management platform. LogLogic's Log Management platform collects and correlates user activity and event data. LogLogic's products are used by many of the world's largest enterprises to rapidly identify and alert on compliance violations, policy breaches, cyber attacks, and insider threats.

The Log Management Knowledge Base is a free database of detailed descriptions on over 20,000 event logs generated by Windows systems, syslog devices and applications. Provided as a free service to the IT community by Prism Microsystems, the aim of the Knowledge Base is to help IT personnel make sense of the large amounts of cryptic and arcane log data generated by network systems and IT infrastructures.

NIST Special Publication 800-53 is an information security standard that provides a catalog of privacy and security controls for information systems. Originally indented for U.S. federal agencies except those related to national security, since the 5th revision it is a standard for general usage. It is published by the National Institute of Standards and Technology, which is a non-regulatory agency of the United States Department of Commerce. NIST develops and issues standards, guidelines, and other publications to assist federal agencies in implementing the Federal Information Security Modernization Act of 2014 (FISMA) and to help with managing cost effective programs to protect their information and information systems.

Database activity monitoring is a database security technology for monitoring and analyzing database activity. DAM may combine data from network-based monitoring and native audit information to provide a comprehensive picture of database activity. The data gathered by DAM is used to analyze and report on database activity, support breach investigations, and alert on anomalies. DAM is typically performed continuously and in real-time.

Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). SIEM is the core component of any typical Security Operations Center (SOC), which is the centralized response team addressing security issues within an organization.

Internet Security Awareness Training (ISAT) is the training given to members of an organization regarding the protection of various information assets of that organization. ISAT is a subset of general security awareness training (SAT).

IT risk management is the application of risk management methods to information technology in order to manage IT risk, i.e.:

File integrity monitoring (FIM) is an internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and a known, good baseline. This comparison method often involves calculating a known cryptographic checksum of the file's original baseline and comparing with the calculated checksum of the current state of the file. Other file attributes can also be used to monitor integrity.

In cryptography, security level is a measure of the strength that a cryptographic primitive — such as a cipher or hash function — achieves. Security level is usually expressed as a number of "bits of security", where n-bit security means that the attacker would have to perform 2ⁿ operations to break it, but other methods have been proposed that more closely model the costs for an attacker. This allows for convenient comparison between algorithms and is useful when combining multiple primitives in a hybrid cryptosystem, so there is no clear weakest link. For example, AES-128 is designed to offer a 128-bit security level, which is considered roughly equivalent to a RSA using 3072-bit key.

References

↑ "NIST Publications". NIST Computer Security Resource Center. NIST. Retrieved 26 February 2015.
1 2 Kent, Karen; Souppaya, Murugiah (2006). "Guide to Computer Security Log Management" (PDF). NIST Sp 800-92: ES-1,1-1. doi:10.6028/NIST.SP.800-92. S2CID 221183642 . Retrieved 26 February 2015.
↑ Butler, Vincent; Dorsey, Tom; Robinson, Ken (August 3, 2014). "Building a Logging Strategy for Effective Analysis": 3.{{cite journal}}: Cite journal requires |journal= (help)
1 2 Kent, Karen; Souppaya, Murugiah (2006). "Guide to Computer Security Log Management" (PDF). NIST Sp 800-92: 3-3,3-4. doi:10.6028/NIST.SP.800-92. S2CID 221183642 . Retrieved 26 February 2015.
↑ Radack, Shirley. "Editor". ITL.NIST.gov. NIST. Retrieved 26 February 2015.
↑ "Summary of HIPAA Security Rule". Summary of the HIPAA Security Rule. Health and Human Services. 20 November 2009. Retrieved 26 February 2015.
↑ "Sarbanes-Oxley Act of 2002". A Guide to the Sarbanes-Oxley Act. Addison-Hewitt.
↑ "Gramm-Leach-Bliley Act (Privacy of Consumer Financial Information" (PDF). FDIC.gov. FDIC. Retrieved 26 February 2015.
↑ "Payment Card Industry Data Security Standard" (PDF). Security Standards Council. 3. 2013. Retrieved 26 February 2015.

External links

NIST Special Publication 800-92

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[CSRC-1] "NIST Publications". NIST Computer Security Resource Center. NIST. Retrieved 26 February 2015.

[SP800-92.,_pg_1-1-2] 1 2 Kent, Karen; Souppaya, Murugiah (2006). "Guide to Computer Security Log Management" (PDF). NIST Sp 800-92: ES-1,1-1. doi:10.6028/NIST.SP.800-92. S2CID 221183642 . Retrieved 26 February 2015.

[3] Butler, Vincent; Dorsey, Tom; Robinson, Ken (August 3, 2014). "Building a Logging Strategy for Effective Analysis": 3.{{cite journal}}: Cite journal requires |journal= (help)

[SP800-92,_2.7,3-3,3-4-4] 1 2 Kent, Karen; Souppaya, Murugiah (2006). "Guide to Computer Security Log Management" (PDF). NIST Sp 800-92: 3-3,3-4. doi:10.6028/NIST.SP.800-92. S2CID 221183642 . Retrieved 26 February 2015.

[Radack-5] Radack, Shirley. "Editor". ITL.NIST.gov. NIST. Retrieved 26 February 2015.

[HHS-6] "Summary of HIPAA Security Rule". Summary of the HIPAA Security Rule. Health and Human Services. 20 November 2009. Retrieved 26 February 2015.

[SOX-7] "Sarbanes-Oxley Act of 2002". A Guide to the Sarbanes-Oxley Act. Addison-Hewitt.

[FDIC-8] "Gramm-Leach-Bliley Act (Privacy of Consumer Financial Information" (PDF). FDIC.gov. FDIC. Retrieved 26 February 2015.

[9] "Payment Card Industry Data Security Standard" (PDF). Security Standards Council. 3. 2013. Retrieved 26 February 2015.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]