Security begins with Compliance (Right?)
Compliance Is Key
Are compliance standards a subset of security concerns, or is security basically a subset of compliance? Is it enough to create the security systems needed to achieve all compliance regulations? The first part of answering that question starts with a review of how SIEM/Log Management, database monitoring, and application monitoring can satisfy most, if not all of the following standards:
- NERC CIP
Then we can digress a little on why log management and/or SIEM solutions.
The PCI Security Standards Council provides the Data Security Standards Overview. PCI-DSS provides highly specific guidance for the credit card industry as to a minimum required set of security controls.
In the credit card industry, Qualified Security Auditors (QSA’s) assess and determine where the organization is in compliance, and where there are issues and gaps to be resolved. These findings are communicated in the QSA’s Report on Compliance (ROC).
Identifying applicable security controls and technologies that can address specific requirements in PCI DSS is important for organizations in the credit card industry.
At a minimum, PCI-DSS compliance requires, among other things:
- A firewall and Intrusion Prevention System (IPS). Note that most modern IPS devices will provide firewall functionality as well.
- A Database Monitoring system (DBM) and/or an Application Monitoring system (ADM) to monitor, protect, and log all access to sensitive data.
- A Log Management system to store all logs in a secure manner, for audit purposes.
- A Security Information & Event Management system (SIEM) to bring all the required event and asset data together, for log event correlation, incident detection, response, and reporting purposes.
Build and Maintain a Secure Network
When constructing or upgrading your (now borderless) network, you need to consider how you:
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
These requirements can be addressed using the active monitoring and defense capabilities of your IPS solution. Several database transaction monitoring and application content monitoring solutions (see APM vs. BTM) supplement intrusion prevention and firewall capabilities to secure the network from outside attacks, internal threats, unintentional data loss, and can even detect the presence of default or weak passwords.
Protect Cardholder Data
Then you need to have specific systems in place which:
- Protect stored cardholder data
- Protect transmission of cardholder data across open, public networks (e.g. Encryption)
Database monitors can detect the presence of cardholder data within your database, letting you know where sensitive data resides, and alerting you when it is accessed. Application monitors analyze all application traffic, and can detect the presence of cardholder data within the contents of emails, web forms, documents, and more (as they are processed). Correlating this information against network flows and other events is then done using SIEM tools lets you know if that data was sent over an untrusted network.
Maintain a Vulnerability Management Program
Once you the above basics are in place, your security staff focuses on constantly identifying and locking down the vulnerabilities:
- Using and regularly updating anti-virus software
- Developing and maintaining secure systems and applications
Some database monitors not only ensure security, but also assess servers and workstations to ensure that anti-virus software has been installed and processes are running, detects & alerts when a process is stopped, and even restart it automatically.
SIEM solutions (see Gartner’s 2011 Magic Quadrant for Security Information and Event Management) integrate these activity alerts with attack events, flows, and information from leading Vulnerability Assessment (VA) and Antivirus (AV) solutions, providing easy analysis and reporting on system patches, security levels, and anti-virus software updates, and the relevant risk of threat activity.
Implement Strong Access Control Measures
Security teams must govern the user privileges, minimizing access by:
- Restricting access to cardholder data by business need-to-know
- Assigning a unique ID to each person with computer access
- Restricting physical access to cardholder data
Database monitoring solutions identify events related to user account provisioning, privilege escalation, and other account- or user- anomalies. SIEM solutions then correlate these events with other security events, network flow and log activity that are associated with the user/accounts in question, and provides comprehensive reporting on user and account activity. While physical access restrictions are typically beyond the scope of a security management system, some solutions can support these efforts through the collection and reporting of events from physical security systems.
Regularly Monitor and Test Networks
It is core to have policies/procedures which are constantly checking and double-checking by:
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
Database monitoring solutions view all data access, and also provide continuous monitoring of critical system files and database tables to ensure their integrity. Application monitoring solutions can monitor and track cardholder data once it’s been accessed, to detect policy violations and unauthorized or abnormal behavior — such as production data being accessed by test networks or applications, or broken business processes that could expose cardholder information. SIEM is again able to correlate and analyze this data with other security data from logs, flows, and other security events for comprehensive analysis and reporting.
Maintain an Information Security Policy
- Maintain a policy that addresses information security
In addition to collecting, signing and storing logs, a combination of database monitoring, log management, and SIEM solutions satisfy PCI policy requirements by ensuring that the necessary logs exist in the first place: by providing the necessary IPS events, logging all monitored database activity, and tracking how all accessed data is being used by applications within the network. Visibility into the access and use of cardholder data provides the additional level of context required to produce comprehensive reports using the included PCI-DSS compliance report templates.
Side note: An interesting report from Thales, a leader in information systems and communications security, “What [QSA] Auditors Think about Crypto Technologies” which was based on research conducted by The Ponemon Institute – reveals that crypto technologies play a crucial role in data protection and compliance activities across a wide range of industry sectors, in both private and public organizations.
Privacy and security are tightly intertwined (with privacy being broader than security). So treating privacy monitoring and security information management separately is inefficient and exploitable by insiders and outside threats.
Privacy officers and security officers are both mandated by the same regulations and have a stake in ensuring patient privacy and integrity of systems. However, they typically lack a common set of tools to identify and isolate threats and, thus, have no way to correlate clinical application events with IT infrastructure events. Their teams aren’t able to share information or collaborate effectively and they often waste time and resources working on the same problems in parallel.
The compliance landscape for healthcare organizations has changed significantly since the passage of the legislation creating HIPAA, including security rules and privacy rules. In 2009, the passage of the HI-TECH Act as a part of the American Recovery and Reinvestment Act of 2009 (ARRA) ushered in changes in what kinds of organizations are considered covered entities, and changes in scope for compliance requirements for healthcare organizations. In addition, regulators tasked with enforcing the requirements of HIPAA and HITECH have become more aggressive in audits of healthcare organizations.
Under HIPAA, the federal government developed privacy principles (the Privacy Rule) and security guidelines (the Security Rule) for healthcare patients, healthcare organizations, and service providers (“entities”). The HIPAA Privacy Rule introduced the concept of protected healthcare information (PHI), and electronic PHI (ePHI), while the HIPAA Security Rule defines the controls and safeguards (described in Standards and Specifications) which are required in order to guard against unauthorized use and modification of ePHI.
The HIPAA Security Rule instructs the healthcare entity to build its information security around four General Rules, constructed from eighteen Standards and forty-two Specifications. Rules are based on Standards, and Standards are based on Specifications (also known as Safeguards), which may be Administrative, Physical or Technical.
The Security Rule requires the healthcare entity to implement all Standards and Specifications including “Required” and “Addressable” Specifications, unless the Addressable Specifications are not “reasonable” and “appropriate”.
By integrating privacy monitoring and SIEM systems, healthcare providers can address application security and IT infrastructure security in a unified fashion. With an integrated solution, privacy officers and security officers can:
- Improve communications and collaboration
- Eliminate duplication of efforts
- Identify & contain threats more quickly and efficiently
- Recognize and remedy security gaps and business process deficiencies
- Improve compliance with government regulations
CIOs and CSOs need systems that monitor and log all access to sensitive information, and can use that information to detect risks and threats to the confidentiality and privacy of electronic medical records. In addition, they need advanced correlation of users, privileges, patients, and policies in order to detect privacy breaches (see FairWarning Privacy Breach Detection Solutions).
Note: Beware of SIEM vs. HIPPA-focused security systems (like FairWarning). According to FairWarning, the “we-will-build-it” approach to auditing and monitoring clinical applications has resulted in “lengthy, expensive, and one-off engagements in which the SIEM-log vendor has found that working with myriad of clinical application audit sources is very different than working with infrastructure audit sources”. With a smart hybrid, privacy alerts from FairWarning can be correlated against other network, user and application security events to provide improved risk management, using SIEM.
The result is improved visiblity into the security, access, and use of patient records that CXOs to produce pertinent HIPAA compliance reports, using the included HIPAA report templates. In addition, the enterprise directly satisfies several HIPAA requirements, including:
- 164.306 (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
- 164.306 (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
- 164.306 (3) Protect against any reasonably anticipated uses or disclosures of such informa- tion that are not permitted or required under subpart E of this part.
- 164.308 Administrative (1)(i) Standard: Security management process
- 164.308 Administrative (4)(ii) (a) Standard: Information access management
- 164.312 (a) (1) Technical Standard: Access control
- 164.312 (b) Technical Standard: Audit controls
- 164.312 (e) (1) Technical Standard: Transmission security
As with many state data breach laws, HITECH provides an exclusion for encrypted data, so that breaches involving data which has been encrypted do not have to be disclosed, while those involving unencrypted ePHI data do have to be disclosed.
IPS and application monitoring solutions can identify ePHI being communicated on a network unencrypted, providing audit detail necessary to identify sources and destinations, and allow for remediation.
Database monitors can track traffic to/from databases, and can identify ePHI data coming from databases in unencrypted form, providing audit detail necessary to identify sources and destinations, and allow for remediation.
The ideal solution for operators of critical infrastructure including electric utilities, water, gas, chemical, and nuclear facilities, involves the ability to cover the cyber security requirements of NERC CIP, CFATS, and HSPD-7, monitoring and protecting the assets and operations of SCADA and Industrial Control System environments.
NERC CIP (Critical Infrastructure Protection) standards are comprised of eight specific standards each of which are mandatory for electric power and utility companies and must be completed within very specific timeframes over a predefined multi-year implementation schedule. Those eight standards are:
- CIP-002-1 Cyber Asset Identification
- CIP-003-1 Security Management Controls
- CIP-004-1 Personnel & Training
- CIP-005-1 Electronic Security Perimeters
- CIP-006-1 Physical Security
- CIP-007-1 System Security Management
- CIP-008-1 Incident Reporting and Response
- CIP-009-1 Recovery Plan for Critical Cyber Assets
The purpose of the NERC CIP standards is to ensure that all of the affected electric utilities which are responsible for the consistent and continued reliability of the US’ electrical grid are properly protecting their critical cyber assets.
NERC, like many compliance standards, requires Incident Response Planning and rapid response to events. Proper IT security/compliance solutions need to enable utility companies to drastically reduce response times through faster analysis of larger sets of relevant security information.
As the migration to IP-based systems continues to grow, it permeates areas such as industrial control systems that formerly used proprietary network technologies. Besides being proprietary these systems were also not connected to the outside world. The transition to IP-based networking brings risks such as opportunities for interconnection of formerly isolated networks with non-industrial control system networks. The US Government Accountability Office (GOA) has described a dramatic new escalation in security risks to industrial control systems, citing four areas of concern:
- Adoption of standardized technologies with known vulnerabilities.
- Control networks being connected to other networks
- Having insecure connections, which exacerbate vulnerabilities
- Having information about infrastructures and control systems easily available to the public.
Specifically, there are eight areas of consideration for security/compliance solutions:
- CIP-001 — Sabotage Reporting: Need to make incident reporting easy, using pre-defined reports that can be automatically distributed to key personnel when an incident occurs.
- CIP-002 — Critical Cyber Asset Identification: Need to identify which systems are using SCADA or DCS specific protocols, to help discover and identify cyber assets, identify cyber assets to be used within, monitor and enforce policies, and filter reports to specific groups of cyber assets or enclaves.
- CIP-003 — Security Management Controls: Need to integrate new security systems with legacy authentication systems and be configured to identify protected information assets, monitor and alert on access violations.
- CIP-004 — Personnel & Training: Need to maintain lists of users and corresponding access authorizations to assist in the monitoring (and exception notification) of personnel activity, and integrating with an existing central authentication/ integrated access management solutions
- CIP-005 — Electronic Security Perimeter(s): Need all security systems to be full integrated with Intrusion Prevention Systems — an IDS/IPS and firewall that can be used to establish and enforce an ESP.
- CIP-006 — Physical Security of Critical Cyber Assets: Need ability to provide or integrate with physical security (e.g. collect and analyze syslog events, analyze network flow information collected from network switches and routers; monitor, notify and report on physical access). This information can then also be correlated against other security events to isolate security events physically within a facility.
- CIP-007 — Systems Security Management: Need to monitor system events that are related to cyber security, including the review of all security events and logs from cyber assets, user interaction with assets, and application use within the control system enclave; monitor all ports and services that are in use, collect and analyze vulnerability and patch information, and monitor asset configurations.
- CIP-008 — Incident Reporting & Response Planning: Ideally, solutions produce NERC CIP reports out-of- the-box. Every report is also represented within a fully interactive dashboard with real-time responsiveness.
Sarbanes-Oxley compliance requires that you supplement log management with direct monitoring of stored data, as well as inspecting all application traffic to detect data in motion. This addresses the primary event monitoring and review challenges of Sarbanes-Oxley by providing deeper visibility into your compliance activity (beyond basic SIEM), while also providing real-time, operational tools to quickly detect, react and resolve incidents.
Sarbanes-Oxley requires internal control structures and procedures that can be audited using control frameworks like COBIT. Centralized log collection and monitoring systems are the most effective solution to meeting this requirement. However, logs often don’t contain the level of detail required to address the real concerns of SOX, which requires an audit trail of all access and activity to sensitive information as it relates to business operations.
Security/Complicance considerations include the following:
- 302, 404 — The ability to reconstruct what actually happened to specific data, including time sequences for processing and related activities: Database monitoring is used to provide protected audit trails of all database activity, including that of privileged users. SIEM performs data analytics for database activity, as well as user and system activity seen elsewhere in network, server logs, and other events.
- 304, 306, 308 — Monitor login failures to financial data-sources, and monitor activity by user when logins are successful, provide reports of account activity including new and disabled accounts: Database monitoring covers critical data-sources directly either via an agent or network-based appliance. All user activity, account creation, authentication, and database activity performed on the database is logged for reporting and auditing purposes, an events are generated for further correlation and analysis of this activity. SIEM provides the ability to correlate all database activity events, network activity events, and security events — providing reports for Admin Access to Financial Systems, Login Failures, and related activity both before Login (network activity) ad after login (database activity).
- 404, 409 — Create and monitor controls of systems that can impact the ability to faithfully report financial status (extensive attack alert and audit trail storage): This can also involve cross-referencing observed behavior in support of forensic analysis. Combined with database activity monitoring, the system needs to monitor both the network and the database itself, clearly indicating when financial systems are compromised, as well as who compromised the system, when, and in many cases how.
- 404, 409, 802 — Continuous monitoring of database activity, especially high risk activities including privileged user behavior, direct access to sensitive data stores, user privilege escalation, failed login and failed database operations: This begins with database access monitoring — either host-based on as a non-intrusive network appliance. The database monitor includes secure “audit the auditor” capabilities to ensure accurate detection and logging of privileged user behavior, account changes, schema changes, database table access, etc. SIEM performs real-time monitoring, logging, and auditing of user activity., based upon database events as well as additional data collected from security devices, logs, and the network itself. Using Policy based access, the data collected in the system is not accessible to the users being monitored and therefore provides a clear demarcation to sensitive data.
- 409 — Reporting: Solutions must support the creation of reports across a wide range of Sox requirements, including those items highlighted here, and any other requirement involving network activity, information access, database activity, user activity, etc.
- ISO 17799, Section A.9 — Monitor and report on foreign domain activity and password events (i.e., activity across the trusted network perimeter): SIEM must provide correlation and reporting of foreign domain activity (from firewalls, IPS, network activity, and server logs) and password events (from server logs). The Database monitor must provide core password event monitoring, at the database itself.
- ISO 17799, Section A.10 — Control of operational software, system test data, etc: Database monitoring must provide continuous monitoring of critical system files, database tables, and software to ensure their integrity. The monitor must be able to track user & administrator sessions, detect out-of-process database changes, policy violations & anomalies, and ensure that required operational processes are running. Detects & alerts when a process is stopped, and even restart it automatically Additionally, a framework should be provided for executing scripts on target servers for assessing, reporting and enforcing corporate policies. SIEM must provide analysis an correlation, and reporting of these events, which may be sourced from database and/or from object-level auditing on the operational software itself.
- ISO 17799, Section A.12 — Control of Financial data and Human Resources data. Provide control of system audit data and collected data, including control of source code to prevent control bypass: Monitoring must provide core control over database processes, operation, access and data, as discussed above, with further analysis being provided by SIEM to provide context around events — such as: the attack vector of the unauthorized access to Financial or HR data; related security violations; and other patterns useful for forensic security operations. The solution must provide proper encryption and storage of this audit data, providing the necessary control of collected evidence.
- Role / User based identity: SIEM must integrate with popular authentication systems, helping ease the complexity associated with appropriately tracking and accounting for user authentication across the system. This includes the correlation of event, flow and log information to database activity events created, perimeter security events created by IPS, and internal system-, host- and network- activity collected from routers, switches, and logs.
- Create policies and procedures that identify prevention and timely detection of unauthorized acquisition, use or disposal of assets: The security systems, in total, provide a complete view of user activity from the network perimeter to the database itself, resulting in a clear and concise detection, prevention, and forensic examination of asset activity.
The Federal Information Security Management Act (FISMA) Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents include NIST Special Publications 800-37, 800-53, and 800-53A. This covers many aspects of security including physical security, personnel security, contingency planning and others. Of particular importance to Security Information Managers are those FISMA controls that specifically relate to network and data security: AC (access Control); AU (Audit and Accountability); SC (System and Communications Protection); IR (Incident Response); and SI (System and Information Integrity).
FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The requirements of FISMA include:
- Determining the Boundaries of the System
- Categorize Information Types in accordance with FIPS-199
- Documenting the System
- Performing a Risk Assessment
- Selecting and Implementing a Set of Security Controls for the System
- Certification & Accreditation of the System
- Continuous Monitoring of the Systems
The requirements of FISMA present extensive data collection and analysis, potentially requiring the management of billions of events, data flows, and other data points. Further strain is imposed by requiring responsive, real-time analysis as well as historical, forensic analysis of these massive data stores, as well as the correlation of these events to defined users, roles, and policies.
Periodic assessments of risk
This includes the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization.
Enterprises complying with FISMA need to be able to analyze user and system activity by correlating network device logs, security events, and network data. This provides valuable audit trails, and is often critical for preventing, detecting, responding to, and remediating security breaches.
Log management needs to include risk assessment capabilities to see exactly how each of its systems is configured, if policy settings are in place or if configuration vulnerabilities are present. Additionally, a risk assessment allows for automated scanning, management and reporting.
Risk assessments policies and procedures
These must cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system.
Log management solutions need to be able to perform risk assessment with automated scanning and reporting features, to help reduce the cost of compliance risk assessment.
SIEM then combines vulnerability assessment data and known asset data with log and event data from many sources within the infrastructure, reducing risk through the reduction of false positives, and more efficient mitigation and remediation.
This invovles plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate.
The overall security system needs reporting capability that distributes security information throughout the organization. Topology (including device- and host- discovery) features further facilitate this process through the accurate presentation of systems and assets.
Periodic testing and evaluation
This provides visibility into the effectiveness of information security policies, procedures, practices, and controls to be performed with a frequency depending on risk, but no less than annually.
The solution needs the ability to store and retrieve vast histories of security information data and to present this data for evaluation — including historical data analysis and audit trails for periodic evaluation.
Procedures for detecting, reporting, and responding to security incidents.
The entire solution must be designed to detect, prevent, analyze and report on security incidents. Database and application monitoring tools protects core databases and applications; IPS protects the network perimeter (and/or other critical network junctions); SIEM provides advanced correlation and analytics fro mitigation and remediation of incidents; and Log management provides log storage and management features for audits and “proof of compliance.”
Lets look at a few of the specific security standards.
AC-3 Access Enforcement
The combination of IPS, database monitoring, and SIEM provides identity-based, role-based and rule-based policies and access enforcement mechanisms and application level monitoring to control access between users and organizations using user permissions, groups, virtual IPS instances and custom views.
AC-4 Information Flow Enforcement
SIEM correlates log and event data with network activity, tracking information flow and providing notification and enforcement mechanisms. The IPS performs native collection of network flows in addition to intrusion prevention functions, and can proactively block a flow if a policy violation occurs.
AC-17 Remote Access
SIEM Allows the organization to document, monitor, and control all methods of remote access (e.g., dial-up, Internet) to the information systems. Each remote access method can be classified and only authorized for the necessary users for each access method.
AC-18 Wireless Access Restrictions
SIEM Allows the organization to establish usage restrictions and tracking for wireless technologies and documents, monitors, and controls wireless access to the information system.
AU-2 Auditable Events
Log management provides universal log collection, archiving, encryption, and validation for audit purposes and proof of compliance.
SIEM provides further analysis of collected log data and log-generated events from LogCaster, including real-time forensic and correlation capabilities.
The checklists and configuration guides at http://csrc.nist.gov/pcig/cig.html provide recommended lists of auditable events.
AU-3 Content of Audit Records
Log management is capable of filtering on the contents of log text and producing actionable events, either for audit or analysis purposes.
SIEM is capable of correlating log data with user identity and network activity, to provide additional, detailed reports for audit events identified by type, location, or subject. Also, provides the capability to centrally manage the content of audit records generated by individual components throughout the system.
AU-4 Audit Storage Capacity
Here we need to provide sufficient audit record storage capacity and configures auditing to prevent such capacity being exceeded. Data may be stored locally on appliances, or remotely using NAS or SAN technology. Ideally, we want to move to a cloud storage/delivery model. Records are not pruned or summarized for compression purposes, maintaining data granularity and information integrity even over long periods of time.
CA-7 Continuous Monitoring
Database/application monitors keep track of database and application activity, while the IPS monitors the network for intrusion attempts and suspicious behavior. SIEM provides an additional layer of monitoring through the unified correlation and analysis of database, IPS, firewall, log, and network data.
This allows the organization to monitor the security controls in the information system on an ongoing basis including continuous monitoring activities as security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. NIST Special Publication 800-53A provides guidance on the assessment of security controls.
IR-4 Incident Handling
The enterprise’s solution needs to offer a direct monitoring and correlated detection of a variety of incidents, allowing the organization to implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
IR-5 Incident Monitoring
Overall you need to track all activity collected from logs, network flows, and monitoring devices such as the IPS. This provides for the organization to automatically track and document information system security incidents on an ongoing basis and produce information to create an analysis of the incident.
IR-6 Incident Reporting
Both Log management and SIEM allow the organization to promptly report incident information to appropriate authorities. The types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance.
SC-5 Denial of Service Protection
The IPS protects against the effects of denial of service attacks, including distributed, service level, application, and exploit-based attacks through correlating network traffic and filtering rogue traffic without the need for increased capacity and bandwidth.
SI-3 Malicious Code Protection
The IPS implements malicious code protection that includes a capability for automatic updates. Employs virus protection mechanisms at critical information system entry and exit points on the network.
SI-4 Intrusion Detection Tools and Techniques
Database monitors detect suspicious activity within the database itself, while the IPS detects attacks at the network perimeter (and/or at strategic junctions within the network), monitoring outbound communications for unusual or unauthorized activities indicating the presence of malware (e.g., malicious code, spyware, adware). Individually or together, these systems identify unauthorized use of systems and employ automated tools to support real-time analysis of events in support of detecting and preventing system-level attacks.
The IPS is able to directly block attacks: by dropping or resetting sessions. This supports rapid response to attacks. For more complex attacks, such as correlated incidents involving multiple vectors, SIEM is able to detect and mitigate these sophisticated threats: including the further ability to remediate if necessary.
SI-5 Security Alerts and Advisories
The enterprise needs to collect events form all security devices, including third party devices, and provides notification of security alerts/advisories on a regular basis, to appropriate personnel, and takes appropriate actions in response.
SI-6 Security Functionality Verification
The database monitor is able to verify the correct operation of security functions, with appropriate notification and remediation capabilities. Log management is able to perform a risk assessment as well to ensure that logs are being collected appropriately.
SI-8 Spam and Spyware Protection
The IPS provides protection against spam and spyware at critical information system entry points. In addition, SIEM provides the correlation and analysis of IPS and other data (e.g., firewalls, electronic mail servers, remote-access servers) to determine root cause and “patient zero.”
SI-12 Information Output Handling and Retention
Log management allows for retention output that is in accordance with most organizational policy and operational requirements. This includes archival, encryption and validation capabilities which ensure that raw log files have not been altered or tampered.
The expanding challenges associated with cloud-based data is broad. As a maybe simpler but still important example of security and compliance, the Family Educational Rights and Privacy Act (FERPA) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
The act has 2 main aspects, ensuring that students can access their educational records while still maintaining the privacy of those records:
- Providing students with access to their educational data – parents or eligible students have the right to inspect and review the student’s education records maintained by the school.
With the transition of many schools and universities to Google Apps and the adoption of Google Docs, for example, student educational records are now being stored in the cloud. The same FERPA guidelines apply both on-premise and in the cloud, and require the IT staff of these institutions to maintain adequate access controls to ensure that student records are not exposed. Also, in the case where unauthorized access is made to student records, audit trails become important.
This example can extend to enterprise use of Google Apps as well, where all the same functions of change log capture and SIEM become a core component to compliance and security.
Log Management vs. SIEM?
Why can’t an enterprise just deploy a sophisticated SIEM solution which incorporates log management?
Many organizations have deployed log management (I think of Splunk, or Loggly, or LogLogic to name a few) and have successfully optimized their investigative and response procedures. As a result, they have managed to react faster to security and availability incidents as well as to auditor requests. Having reached this stage, some hope to graduate to the next level of near-real-time security monitoring. This is where SIEM is suppose to come in. There are several criteria that indicate that you need SIEM (in addition to log management). In brief, these criteria are:
- Response capability: The organization must be ready to respond to alerts soon after they are produced (e.g. instantly…in real-time).
- Monitoring capability: The organization must have or start to a build security monitoring capability such as a Security Operations Center (SOC), or at least a team dedicated to ongoing periodic monitoring.
- Tuning and customization ability: The organization must tune and customize.
SIEM products typically provide many of the features required for log management but add event-reduction, alerting and real-time analysis capabilities. They provide the layer of technology that allows one to say with confidence that not only are logs being gathered but they are also being reviewed. SIEM also allows for the importation of data that isn’t necessarily event-driven (such as vulnerability scanning reports) – hence the “Information” portion of SIEM.
You don’t have to necessarily graduate from one to the other, but even organizations that have no immediate plans to migrate from, say, compliance-focused log management to SIEM should still consider a logging tool that allows them to make the step later. Many SIEM and log management deployments follow a so-called “compliance+” model which means that the tool is purchased for a particular regulatory framework as discussed above, but is utilized for many other security and IT challenges.
SIEM effectively provides direct threat reduction benefits via its advanced security-focused analysis, such a “compliance+” and allows the organization to move closer to that mythical “single-pane of glass” for security management.
If you take a look at an enterprise IT arsenal, you’ll likely see both log management and SIEM. Log management tools often assume the role of a log data warehouse that filters and forwards the necessary log data to SIEM solutions for correlation. This combination helps optimize the return on investment while also reducing the cost for implementing SIEM.
In these tough economic times it’s likely we’ll see IT trying to stretch its logging technologies to solve even more problems. It will expect its log management and SIEM technologies to work closer together and reduce overlapping functionalities.
Can You Respond in Real-Time?
While claims that “modern business works in real-time and security should too” are often heard from vendors, few organizations are able to achieve this in reality. One might think that most security indeed happens in real-time, or very close to it: network intrusion detection systems (NIDS) pick up attacks off the wire within microseconds; firewalls block connections as they happen; and anti-virus technology makes the best effort to catch the viruses as soon as they arrive. For this simple reason, few people would agree to buy a NIDS system that only alerted them 2 hours after an attack.
Monitoring and Response
If you want to take advantage of advanced alerting and stateful correlation rules that can deliver sub-second responses, you need to be prepared to deal with them quickly. An organization’s ability to respond to security events depends on their ability to regularly monitor their systems.
Tuning and Customization
In addition to responding in a timely manner and continuous (or at least continually periodic) monitoring, the organization must be able to assume responsibility for tuning and customizing. This might mean creating alerts, writing correlation rules, or customizing reports in order to gain insight about the security or compliance posture of the organization.