LogRhythm and NERC CIP Compliance

Transcription

1 LogRhythm and NERC CIP Compliance The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or effect the reliability of North America s bulk electric systems. In 2006, the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by NERC, making the CIP Cyber Security Standards mandatory and enforceable across all users, owners and operators of the bulk-power system. After going into effect in June 2006, initial compliance auditing began in June The collection, management, and analysis of log data are integral to meeting many NERC CIP requirements. IT environments consist of heterogeneous devices, systems, and applications all reporting log data. Millions of individual log entries can be generated daily if not hourly. The task of assembling this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly. LogRhythm has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. Log collection, archive, and recovery are fully automated across the entire IT infrastructure. LogRhythm automatically performs the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm s powerful alerting capability automatically identifies the most critical issues and notifies relevant personnel. LogRhythm s NERC CIP Compliance Package provides out-of-the box assistance in addressing numerous NERC CIP requirements. As part of the NERC CIP Compliance Package, the enterprise assets are categorized according to NERC CIP CIP Critical Cyber Asset Identification standards: Electronic Security Perimeter, Incident Reporting and Planning, Critical Cyber Assets, Malware Systems, Vulnerability Detection, Disposal Logs and Patch Compliance. LogRhythm s NERC CIP Compliance Package provides specific reports designed to meet NERC CIP reporting requirements. Reports are automatically associated with the correct NERC CIP asset categories ensuring only relevant information is reported on. Reports can be scheduled for nightly generation and delivery. Reports can also be generated on demand by the security officer or other LogRhythm users. Investigations and Alarm Rules are also provided for NERC CIP compliance. This allows for immediate analysis of activities that impact the organization s Critical Cyber Assets or Electronic Security Perimeter so areas of non-compliance can be identified in real time. Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 1 of 11

2 The table below explains how LogRhythm and the NERC CIP Compliance Package address the nine sections of the standard. NERC CIP Section and Purpose CIP-001-1: Sabotage Reporting CIP-002-1: Critical Cyber Asset Identification CIP-003-1: Security Management Controls CIP-004-1: Personnel & Training CIP-005-1: Electronic Security Perimeter(s) CIP and 1a: Physical Security CIP-007-1: Systems Security Management CIP-008-1: Incident Reporting and Response Planning CIP-009-1: Recovery Plans for Critical Cyber Assets LogRhythm Compliance Support LogRhythm identifies attacks in real time by monitoring, classifying, and alarming on events that support the reporting process of CIP in requirements 2 and 3. LogRhythm provides support for identifying systems and their roles that might have otherwise been not accounted for, especially covering requirements and that provide support for critical assets. LogRhythm is a supporting tool for Security Management decision making. The assigned Compliance Monitor will be able to validate controls using LogRhythm. LogRhythm augments personnel training by providing additional eyes on organization activities. The 24x7 monitoring provided by LogRhythm covers areas of awareness that normally personnel cannot. LogRhythm s primary purpose is to provide direct support to monitoring the ESP and Critical Cyber Assets, organizational access controls and other security controls. LogRhythm also supports identification of configuration changes for ESP devices, which augments the strict security configuration requirements. Cyber Vulnerability Assessments are enhanced by LogRhythm s ability to collect detected vulnerabilities during regular functioning activities, providing even greater protection for the organization than a spot-check assessment could. LogRhythm augments existing physical access controls by monitoring logs generated by electronic access systems. LogRhythm provides oversight for almost all requirements of the Systems Security Management standard. LogRhythm addresses CIP directly in order to meet many of the challenges of implementing an effective NERC CIP compliant solution. LogRhythm provides a centralized system for collecting, reporting and alarming on intrusion detection events from both network and host security systems. Centralization of intrusion reporting and response should be an objective for an effective IRR plan. LogRhythm provides an early warning system for system failures that could provide an increase in response time, diagnostic abilities, reduction of downtime and alarm on failure abilities to augment disaster recovery. The tables on the subsequent pages outline how LogRhythm directly meets requirements of the NERC CIP sections. The requirements listed come directly from the NERC CIP compliance documents located at the North American Electric Reliability Corporation s web site ( The How LogRhythm Supports Compliance column describes the capabilities LogRhythm provides that meets supports or augments NERC CIP compliance. Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 2 of 11

3 CIP Cyber Security Electronic Security Perimeter(s) Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter. Compliance Requirement How LogRhythm Supports Compliance LogRhythm can collect all electronic access point device logs such as firewalls, VPN servers, etc. LogRhythm can alert on unauthorized or suspicious activity. LogRhythm reports provide a consolidated review of internal/external activity and threats. Maintain documentation of Electronic Security Perimeter(s), all interconnected Critical and non-critical Cyber Assets within the Example Investigations: R1.6 Electronic Security Perimeter(s), all electronic access points to the Network Service Summary Electronic Security Perimeter(s) and the Cyber Assets deployed for Network Connection Summary the access control and monitoring of these access points. Example Alarms: Alarm On Attack Alarm On Compromise R2.2 R2.3 Enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services. Maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s). Alarm On Malware LogRhythm detects and alerts on activity on ports and services to ensure that only required ports and services are being utilized. Example Investigations: Network Service Summary Network Connection Summary LogRhythm collects dial-up access activity providing easy and independent review of dial-up access to Electronic Security Perimeter(s) through available reports. Dial-up Access Activity by User Dial-up Access Activity by Host LogRhythm collects network device logs from access points. LogRhythm s analysis and reporting capabilities provide review of the network activity to ensure only authorized access occurs. LogRhythm alerts ensure detection of unauthorized access. R2.4 Implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party. LogRhythm collects remote access activity for VPN, SSH, telnet, etc. LogRhythm reports provide easy and independent review of remote access to information systems. Example Investigations: Network Service Summary Network Connection Summary Example Report: Host Remote Access Summary Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 3 of 11

4 R3 R3.1 R3.2 R4 R4.2 Implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week. Implement and document monitoring process(es) at each access point to the dial-up device. Detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days. Perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually. A review to verify that only ports and services required for operations at these access points are enabled. LogRhythm s monitoring, analysis, archiving, alerting, auditing, and reporting capabilities provide for continuous monitoring of access points across the Electronic Security Perimeter(s). For instance, LogRhythm monitors unauthorized access for auditing, logging, archiving, and alerting. User Authentication Summary Usage Auditing Event Detail By User Failed Host Access By User LogRhythm collects dial-up device logs. LogRhythm alerts can be used to monitor and detect unauthorized access through the dial-up devices. Dial-up Access Activity by User Dial-up Access Activity by Host LogRhythm provides robust alerting and notification capabilities that notify upon attacks or unauthorized accesses. LogRhythm s integrated incident management capabilities provide accountability and reporting on alarm resolution. LogRhythm s analysis & reporting capabilities provide easy and independent review of access activity. Failed File Access Failed Application Access By User Failed Host Access By User Example Alarms: Alarm On Attack Alarm On Compromise LogRhythm s log analysis and reporting capabilities provide valuable tools for cyber vulnerability assessment ensuring electronic access points meet security requirements and identify system weaknesses. Vulnerabilities Detected Top Targeted Hosts Top Targeted Applications LogRhythm detects and alerts on activity on ports and services to ensure that only required ports and services are being utilized. Example Investigations: Network Service Summary Network Connection Summary Example Report: Host Remote Access Summary Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 4 of 11

5 R4.4 A review of controls for default accounts, passwords, and network management community strings. LogRhythm collects all account management and account usage activity. Default accounts and password changes are easily and automatically monitored, alerted, and reported on for appropriate action. Account Management Activity Host Access Granted & Revoked User Authentication Summary User Object Access Summary LogRhythm completely automates the process and requirement of collecting and retaining access logs. LogRhythm retains logs in secure compressed archive files for cost effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later. R5.3 Retain electronic access logs for at least ninety calendar days. Log Summary Summary Log Count Log Volume Object Access Summary CIP Cyber Security Physical Security of Critical Cyber Assets Standard CIP-006 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets. Compliance Requirement R1.3 Processes, tools, and procedures to monitor physical access to the perimeter(s). How LogRhythm Supports Compliance LogRhythm collects log messages from physical access devices (i.e. Card Key) for monitoring, alarming, analysis, and reporting. Access Summary Authentication Summary R1.5 Procedures for reviewing access authorization requests and revocation of access authorization, in accordance with CIP-004 Requirement R4. LogRhythm reports provide easy review of access authorization requests and revocation of access authorization to compare with the authorized list required in CIP-004 Requirement R4. Logs capture actions taken when providing or revoking system access. Account Management Activity New Account Summary Host Access Granted & Revoked Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 5 of 11

6 R3 Document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008. LogRhythm s monitoring, analysis, and reporting capabilities provide for continuous monitoring of physical access points across the Physical Security Perimeter(s). For instance, alerts can be used to monitor and detect unauthorized access and notify appropriate personnel for near real-time review and response. Access Summary Authentication Summary Example Alarms: Alarm On Compromise R4.1 Implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using computerized logging. LogRhythm collects log messages from physical access devices (i.e. Card Key) at all access points for monitoring, analysis, and reporting. Access Summary Authentication Summary R5 Retain Physical access logs for at least ninety calendar days. LogRhythm completely automates the process and requirement of collecting and retaining access logs. LogRhythm retains logs in compressed archive files for cost effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later. CIP Cyber Security Systems Security Management Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the non-critical Cyber Assets within the Electronic Security Perimeter(s). Compliance Requirement How LogRhythm Supports Compliance LogRhythm detects and alerts on activity on ports and services to ensure that only required ports and services are being utilized. R2 Establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled. Example Investigations: Network Service Summary Network Connection Summary Host Remote Access Summary R3 Establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s). LogRhythm collects update information including manual installations and automated updates providing the ability to track patch deployments. Patches Applied Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 6 of 11

7 R3.2 R4 R5 R5.1.1 R5.1.2 The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk. Use anti-virus software and other malicious software ( malware ) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s). Establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access. Ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003 Requirement R5. Establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days. LogRhythm documents both successes and failures of patching, providing documentation and reporting needed to identify where manual intervention or compensating measures are necessary. Patches Applied LogRhythm collects logs from anti-virus software and other anti-malware tools. LogRhythm provides central analysis and monitoring of malware related activity across the Electronic Security Perimeter(s). Malware Detected LogRhythm collects all authentication and access activity. LogRhythm reports provide easy, secure, and independent review of access control settings and enforcement. Successful/Failed Host Access by User Successful/Failed Application Access by User Successful/Failed File Access by User Alarming is available to alert on accesses made between resources, enforcing quick response to unauthorized, suspicious, or threatening activities. Reports can be made to show all such activity during any period of time. LogRhythm collects all account management activities. LogRhythm reports provide easy and standard review of all account management activity ensuring user accounts are implemented by designated personnel. Account Creation Activity Account Modification Activity Disabled Accounts Summary Removed Account Summary LogRhythm collects audit logs of account access activity from a variety of sources. LogRhythm retains logs in compressed archive files for cost effective, easy-tomanage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations. Successful/Failed Host Access by User Successful/Failed Application Access by User Successful/Failed File Access by User Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 7 of 11

8 R5.1.3 R5.2.1 R5.2.2 R5.2.3 Review, at least annually, user accounts to verify access privileges are in accordance with Standard CIP-003 Requirement R5 and Standard CIP-004 Requirement R4. The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service. Identify those individuals with access to shared accounts. Have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination). LogRhythm provides centralized monitoring, analysis, and reporting of audit activity across the entire IT infrastructure. LogRhythm automates the process of identifying high-risk activity and prioritizes based on asset risk. High-risk activity can be monitored in real-time or alerted on. LogRhythm reports provide easy and standard review of inappropriate, unusual, and suspicious activity. Audit Failures by User Audit Failures by Host Suspicious Activity by User Suspicious Activity by Host Top Suspicious Users Top Targeted Hosts Top Targeted Applications LogRhythm collects all account management activities. LogRhythm reports ensures policy adherence by providing easy and standard review of all account management activity. Account Creation Activity Account Modification Activity Disabled Accounts Summary Removed Account Summary LogRhythm collects all authentication and access activity. This activity can be used to identify the use of shared accounts. Successful/Failed Host Access by User Successful/Failed Application Access by User Successful/Failed File Access by User LogRhythm collects all account management activities. LogRhythm reports ensures policy adherence by providing easy and standard review of all account management activity. Account Creation Activity Account Modification Activity Disabled Accounts Summary Removed Account Summary LogRhythm completely automates the process and requirement of collecting and retaining audit logs. LogRhythm retains logs in compressed archive files for cost effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations. Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 8 of 11

9 R6 R6.1 R6.2 R6.3 Ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security. Implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter. The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents. Maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008. LogRhythm provides central monitoring of system events by collecting log data from hosts, applications, network devices, etc. LogRhythm provides real-time event monitoring, alerting, and reporting on specific activity and conditions. System Critical Conditions & Errors Account Management Activity System Startup & Shutdown Summary By implementing LogRhythm, security events from IDS/IPS systems, A/V systems, firewalls, and other security devices across the Electronic Security Perimeter are centrally collected, monitored and analyzed. LogRhythm correlates activity across user, origin host, impacted host, application and more. LogRhythm can be configured to identify known bad hosts and networks. LogRhythm s Personal Dashboard provides customized real-time monitoring of events and alerts. LogRhythm s Investigator provides deep forensic analysis of security related activity. LogRhythm provides robust alerting and notification capabilities that ensure alerts of Cyber Security Incidents are routed to the appropriate personnel via SMTP, SNMP, SMS messaging or LogRhythm Dashboard view. LogRhythm s integrated incident management capabilities provide accountability and reporting on alarm resolution. Successful/Failed Host Access by User Successful/Failed Application Access by User Successful/Failed File Access by User Top Attackers Multiple Authentication Failures Suspicious Activity By User and Host Example Alarms: Alarm On Attack Alarm On Compromise Alarm On Malware LogRhythm s monitoring and alerting capability detects and notifies appropriate personnel on system event activity that may constitute an incident response. LogRhythm s analysis and reporting capability provide quick and easy analysis of activity to determine root cause and impact. LogRhythm s integrated knowledge base provides information useful in responding to and resolving incidents. Suspicious Activity By Host Suspicious Activity By User Attacks Detected Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 9 of 11

10 R6.4 R6.5 R7.3 R8 R8.2 Retain all logs specified in Requirement R6 for ninety calendar days. Review logs of system events related to cyber security and maintain records documenting review of logs. The Responsible Entity shall establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005. The Responsible Entity shall maintain records that such assets were disposed of or redeployed in accordance with documented procedures. Perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually. A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled LogRhythm completely automates the process and requirement of collecting and retaining system event logs. LogRhythm retains logs in compressed archive files for cost effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations. LogRhythm monitors, classifies and retains system events related to cyber security and generates reports. Example Report: Usage Auditing Event Detail LogRhythm provides a specific log source for disposed assets where lists can be imported and disposed assets tracked. LogRhythm allows for the collection of both active and passively detected vulnerabilities, as well as alarming and reporting. The collected information can be used to enhance a spot-check vulnerability assessment by providing additional awareness collected during working operations that would not otherwise be noticed. Vulnerabilities Detected LogRhythm detects and alerts on activity on ports and services to ensure that only required ports and services are being utilized. Example Investigations: Network Service Summary Network Connection Summary Host Remote Access Summary LogRhythm collects all account management and account usage activity. Default accounts can be reported and alarmed on as they are used in the organization. R8.3 A review of controls for default accounts Account Creation Activity Account Modification Activity Disabled Accounts Summary Removed Account Summary Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 10 of 11

11 CIP Cyber Security Incident Reporting and Response Planning Standard CIP-008 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets. Compliance Requirement How LogRhythm Supports Compliance LogRhythm s inherent methodology provides automatic classification of all collected logs as security, audit, and operational events. Interesting logs are forwarded as events for immediate monitoring and/or alerting. LogRhythm reports provide summary and detail level reporting of incident based alerts. R1.1 R1.2 R1.3 R2 Procedures to characterize and classify events as reportable Cyber Security Incidents. Response actions, including roles and responsibilities of incident response teams, incident handling procedures, and communication plans. Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES ISAC). Keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years. Suspicious Activity by User Suspicious Activity by Host Top Suspicious Users Top Targeted Hosts Top Targeted Applications Example Alarms: Alarm On Attack Alarm On Compromise Alarm On Malware LogRhythm documents alarm and response activities such as responsible parties notified ; alarm status such as working, escalated, resolved ; and what actions were taken. LogRhythm s centralized logging capabilities provide a way to collect, analyze and forward logs to the ES ISAC that would otherwise be difficult to collect from the individual devices and/or applications. LogRhythm completely automates the process and requirement of collecting and retaining security event logs. LogRhythm retains logs in compressed archive files for cost effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations. LogRhythm Corporate Headquarters EMEA Headquarters LogRhythm Inc. LogRhythm Inc Sterling Circle, Suite 100 Siena Court, The Broadway Boulder CO, Maidenhead, Berkshire SL6 1NJ United Kingdom Phone (303) Phone +44 (0) Fax (303) Fax +44 (0) Copyright 2009 LogRhythm, Inc. All Rights Reserved Page 11 of 11