Audit Integrity Pattern

Posted: March 6, 2013 in Uncategorized

We work in an environment that rarely allows security reality to match aspiration. It is still far too common to find even security focused software making basic and fundamental errors; often in the arena of authentication, authorisation and audit. Role separation on security critical tasks is rarely enforced and generic administrator accounts are frequently in common use.

This has particular impact for auditing; the organisation needs to be sure its logs are tamper free, collected consistently by the SIEM and archived for potential investigations. If the SIEM or log management tool does not provide adequate authentication and authorisation then the organisation will fail most kinds of security audit and compliance activity. Unfortunately this is often the case and the admins mantra of if “I can Administer it I can break it will come to haunt you.”

The following logging design pattern aims to control for these vulnerabilities. 


The principle concept here is the Audit Integrity Zone (AIZ). This zone comprises several important logical elements:-

The first of these is the relay. This relay sits in series between the IT equipment generating the logs and the SIEM (or log management tool) that is ultimately collecting and acting upon the information generated. The relay passes the logs onto the SIEM and most importantly is administrated by a different group than the SIEM.

The second of these logical elements is the archive. The relay passes the logs to an archive, within the AIZ, where the logs are stored and an integrity function is performed e.g. a signed hash is also stored. Again the principle here is you have a separated archive of the logs to the one associated with the SIEM which enables the logs to be kept under different permission and personnel.

Using this pattern you can be assured that no one administrator can delete and interfere with your logging, ensuring that you are more secure, and your systems more compliant.




  1. An optional additional element I have seen in a number of high-secure networks is the link between AIZ and SIEM is a one way data flow, using technology such as a data diode. This is particularly useful when the SIEM is monitoring more than one network, and you want to reduce the risk of cross-intection.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s