Why Are Logs Important?

Logs are the primary source of information we turn to when we want to know what has happened in the systems and networks of an organisation. This knowledge is very valuable: it is used not only for troubleshooting and performance optimisation, but also for capturing user activity and for discovering (and proving) malicious actions.

When logs are this valuable and are used as evidence, their own availability and integrity become crucial. Consider the following questions:

  • If there has been a security incident, how confident can one be that the log records have not been tampered with or removed in order to cover up the tracks of unauthorised activity?
  • How could an organisation convince a third party - be it another company, an individual or a court - that particular log records were indeed created 6 months or 4 years ago and not fabricated last week?

It has been difficult, if not impossible, to tell the difference between authentic and modified log records, and organisations often find themselves relying solely on the word of their system administrators when it comes to establishing what happened, and when. Relying on insiders is always a sub-optimal security practice, and it tends to be inconvenient for the insiders themselves as well.

How Can KSI Blockchain Help?

KSI is a blockchain technology built to irrefutably prove the time and integrity of any piece of data - from a reading taken by an IoT device to a VM image - at massive scale.

KSI does not rely on trusting any single entity or process; it uses cryptographic hash functions, a widely witnessed electronic blockchain and events such as physical newspaper publications as its trust anchors.

In the same way, the KSI blockchain can be used to prove the time and integrity of log records. Guardtime has developed and implemented a dedicated approach for efficient record-level log signing, bringing the following benefits:

  • Log-wide integrity: records are linked together during signing, so no record can be removed and the order of records cannot be changed without detection.

  • Low storage overhead: log records are signed in blocks, which reduces the number of KSI signatures that have to be persisted.

  • Record-level verification: the blocks are built so that, whenever needed, an individual KSI signature can still be efficiently extracted for a single log record only.

  • Confidentiality: blinding masks are applied to log records, so that a party holding the proof for one record cannot use the hashes of neighbouring entries to brute-force their contents.

  • High performance: extremely low CPU and memory overhead, making it possible to sign records as fast as they can be logged and to verify them as fast as data can be read from disk.
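To make the block building, record chaining, blinding and record-level extraction described above concrete, here is an added illustration in Python. It is not Guardtime's code and does not follow the exact KSI log-signing file format; SHA-256, a random per-block IV and the sample log lines are assumed stand-ins, and the block's root hash is the value a KSI signature would cover.

```python
import hashlib
import os

def H(*parts: bytes) -> bytes:
    """SHA-256 over the concatenation of parts (hash function is an assumption)."""
    return hashlib.sha256(b"".join(parts)).digest()

def sign_block(records, prev_leaf, iv):
    """Build one block: chained, blinded leaves and the hash tree above them.
    The root is what a KSI signature would cover; here it is simply returned."""
    leaves, masks = [], []
    for rec in records:
        mask = H(prev_leaf, iv)      # blinding mask: depends on previous leaf and block IV
        leaf = H(mask, H(rec))       # leaf commits to the record, hidden behind the mask
        masks.append(mask); leaves.append(leaf)
        prev_leaf = leaf             # chaining: every later leaf depends on this one
    levels = [leaves]
    while len(levels[-1]) > 1:       # pad odd levels by duplicating the last node
        lvl = levels[-1] + ([levels[-1][-1]] if len(levels[-1]) % 2 else [])
        levels.append([H(lvl[i], lvl[i + 1]) for i in range(0, len(lvl), 2)])
    return {"masks": masks, "levels": levels, "root": levels[-1][0], "last_leaf": leaves[-1]}

def extract_proof(block, index):
    """Record-level proof: this record's mask plus sibling hashes up to the root.
    Neighbouring records appear only as blinded leaf hashes, never in plaintext."""
    mask, path = block["masks"][index], []
    for lvl in block["levels"][:-1]:
        lvl = lvl + ([lvl[-1]] if len(lvl) % 2 else [])
        path.append((lvl[index ^ 1], index % 2 == 1))   # (sibling hash, record is right child)
        index //= 2
    return mask, path

def verify_record(record, mask, path, root):
    """Recompute the path from one record to the root and compare with the signed root."""
    node = H(mask, H(record))
    for sibling, is_right in path:
        node = H(sibling, node) if is_right else H(node, sibling)
    return node == root

def demo():
    """Constructed sample log lines; returns (all verify, edit detected, removal detected)."""
    records = [f"Jan 01 00:0{i} host sshd[1]: constructed event {i}".encode() for i in range(5)]
    iv = os.urandom(32)                                  # per-block blinding secret
    block = sign_block(records, H(b"previous block"), iv)
    all_ok = all(verify_record(records[i], *extract_proof(block, i), block["root"]) for i in range(5))
    mask, path = extract_proof(block, 2)
    edit_detected = not verify_record(records[2] + b" (edited)", mask, path, block["root"])
    removal_detected = sign_block(records[:4], H(b"previous block"), iv)["root"] != block["root"]
    return all_ok, edit_detected, removal_detected
```

A proof carries only the record's own mask and blinded sibling hashes, so its holder cannot check guesses of a neighbouring record's content against it without the block IV.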

The whole approach, including the algorithms, is backed by a formal security proof, is fully documented, and is available for custom implementations and integrations.

As the KSI blockchain was designed to process billions of data items every second, the volume of records to be signed is never an issue.

Blockchain Backed Log Integrity is Simple to Implement

Logging has become a standard function of every component of an information system: firmware, OS, database, enterprise application, and so on. Establishing KSI blockchain-backed log integrity requires only minimal design and integration work, plus some testing and validation.

KSI blockchain log signing is already implemented in Rsyslog and can be used out of the box. Adding support for other logging tools is also simple, and common tools are available for tasks such as recovery signing, signature verification and extraction of individual signatures for log entries.