Combining Security Intelligence and the Critical Security Controls: A Review of LogRhythm's SIEM Platform
A SANS Product Review
Written by Dave Shackleford
May 2014
Sponsored by LogRhythm
2014 SANS Institute
Introduction

The Critical Security Controls for Effective Cyber Defense (CSCs) represent an established and solid set of guidelines for the government, financial, education, manufacturing and health care sectors, according to a 2013 SANS survey on the CSCs.[1] In it, 73 percent of nearly 700 respondents were adopting or planning to adopt the CSCs, mainly for the purpose of better visibility into their enterprises and to reduce security events. Only 10 percent of respondents felt they had done a complete job of implementing the controls. Respondents indicated that several obstacles hinder their implementations:

73% Survey respondents adopting or planning to adopt the CSCs

SANS had the opportunity to review numerous features of LogRhythm's security information and event management (SIEM) platform with new security intelligence features built in for compliance. In our review, we focused on LogRhythm's ability to ease some of these pain points while meeting 10 of the most valuable CSCs. These include:

It could be argued that LogRhythm's approach aligns with many of the other controls although less directly. However, due to length, we are focusing on the above controls and how LogRhythm can help security teams not only meet control requirements but also actually improve the state of monitoring and response. Overall, we found the LogRhythm 6.x software easy to use, with a broad range of rules together a more comprehensive monitoring and alerting strategy that, in turn, can be used to develop baselines of events and behavior across the IT infrastructure.

[1] The Critical Security Controls: the SANS 2013 Critical Security Controls Survey:
Inventory and Assess

For good reason, the first of the Critical Security Controls focuses entirely on maintaining CSC 4. Some of the things to consider for this control include inventory management systems,

Figure 1. Creating an Unauthorized Hosts AI Rule Description
The tool easily caught new systems we spun up to test this feature. Figure 2 depicts a and triggering a log event. Detecting a new host rapidly is important in detecting malicious behavior and quarantining affected systems to contain damage.

Figure 2. Rogue Host Event

The ability to detect new devices in the environment is useful for discovering rogue detecting malicious behavior and quarantining affected systems to contain damage. as users and groups set up their own infrastructure with convenience as a priority, rather than security.
vulnerabilities are associated with them. Security teams need to continually scan for as possible. They need to do this day in and day out because new vulnerabilities appear regularly.

LogRhythm helps to meet CSC 4 in two ways. First, it correlates logs and events indicating what software has been installed on systems and when with vulnerability detection by scanning tools. This is useful when determining whether specific installations and software are responsible for new vulnerabilities that appear in the environment. Second, it is also useful for monitoring new vulnerabilities over time to determine if and when they are patched or remediated.

We reviewed a number of vulnerability-focused events and dashboards in the LogRhythm interface, including vulnerability logs and events as both highlights from the

As a part of the vulnerability management life cycle, security teams should also track vulnerabilities once they're found, and scan results should be compared to previous reports to determine what vulnerabilities have been successfully remediated. Security teams should also conduct vulnerability scans using system and application credentials that allow for deeper probes and assessment of the systems being tested. Analysts can validate the results of these tests with local system logs, which can also indicate when software was installed on the systems that may expose them to attacks. Finally, incident responders can correlate vulnerability scan results with attack attempts and other related security events to ascertain whether a targeted system is truly vulnerable.
Examples of events we noted and investigated included Windows and Linux events all of which would naturally lead to deeper investigation or remediation actions. See Figure 3.

Figure 3. Top Vulnerabilities Dashboard
Defending Systems

Assessment and patching of systems are strong preventive measures. However, protective measures, including malware defenses and application security, are also operate undetected.

Malware has been a challenge for security and operations teams for many years. In the that generate alerts when they detect malware. limit the use of removable media and carefully filter attachments coming into domains. malware samples for analysis and reverse engineering. infections. and infected hosts, as well as the event sources themselves. In our review test bed, we saw events coming from numerous Windows systems with antimalware agents installed,
We reviewed numerous worm and bot detection events within this dashboard and watched the time range of malware events detected. The logging of events from host that we reviewed. An example of this dashboard is shown in Figure 4.

Figure 4. Top Malware Defenses Dashboard

provide actionable intelligence into the type of malware and its impact on previously applications and code, code review and testing, database security and training for developers in secure coding techniques.
Figure 5. Creating an AI Rule for Alerting on User Agent Strings

To coincide with this type of alerting rule, lists of strings and attributes can be compiled, and LogRhythm has a number of these available out of the box. Figure 6 shows some and easy to edit.

Figure 6. Application Security Lists
example of simple text-based pattern matching strings, which you can add to or edit as needed.

Figure 7. Malicious User Agent Strings List
and implemented, following industry best practices such as those from the Center for Internet Security.[2] authentication when possible, and device management functions should be isolated were able to correlate changes with data from change control systems to determine whether a change is approved, and alerts can be generated when unplanned changes occur. We even examined the LogRhythm SmartResponse engine and witnessed it shutting trigger if configuration changes are made on them
Figure 8. Network Device Log for Configuration Events

We also reviewed a number of charts within the main LogRhythm console for themselves and their configurations, as shown in Figure 9.

Figure 9. Network Device Configuration and Behavior Monitoring
summary table from one of these reports is shown in Figure 10.

Figure 10. Detailed Network Device Configuration Change Report

them with approved change requests removed the threat of rogue changes by
Keeping a Clean Environment

Many of the remaining Critical Controls that LogRhythm supports are around good hygiene, including limitation of ports and services, controlled use of administrative privilege, properly executed boundary defense, maintenance of audit logs and monitoring of account use.

ADVICE: Run critical services on dedicated systems within restricted network subnets, and use VLANs and private IP addresses to isolate and restrict access to services from the Internet. IT groups can also implement so-called application firewalls to limit access to critical services and protect them from attack.

control. LogRhythm helps meet the requirements of this control in two ways. First, it monitors port scanner results as well as logs and events from individual systems that indicate available and in use over time and then alerts on deviations from the baseline. As part scans, the output of which is shown in Figure 11.

Figure 11. Logs of Port Scan Behavior

scanned and timestamps of the data from log events. This type of report data is helpful in
LogRhythm has a variety of built-in port scan detection rules and monitoring tools. One example of a rule we reviewed sets time thresholds on ports being scanned,

Figure 12. Detection Rule for Stealthy Port Scanning
LogRhythm also monitors hosts to determine what processes are running in a normal baseline mode and then alerts if changes are detected to that baseline. Figure 13 shows a rule we used to trigger if the list of processes running on a host is less than 80 percent similar to the process list from the previous day.

Figure 13. Abnormal Process Activity Rule

This rule may indicate that something significant has changed on the affected platform, warranting additional follow-up investigation, for example.
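The 80 percent process-similarity rule, and the listening-port baseline described under the ports-and-services control, both reduce to comparing today's observed set on a host against yesterday's. The following added example (not LogRhythm's code) implements that comparison; Jaccard similarity as the metric, the host names and the sample process and port lists are all assumptions.

```python
"""Baseline-deviation check in the spirit of the 80 percent process-similarity rule.
Added illustration, not LogRhythm code; Jaccard is the assumed similarity metric and
all host names, process lists and port lists below are constructed sample data."""
from __future__ import annotations

from dataclasses import dataclass

# Page: alert when today's list is less than 80 percent similar to yesterday's.
SIMILARITY_THRESHOLD = 0.80


@dataclass(frozen=True)
class BaselineAlert:
    host: str
    similarity: float
    added: tuple[str, ...]     # observed today, absent from the baseline
    removed: tuple[str, ...]   # in the baseline, missing today


def similarity(baseline: set[str], current: set[str]) -> float:
    """Jaccard similarity |A & B| / |A | B|; two empty sets count as identical."""
    union = baseline | current
    if not union:
        return 1.0
    return len(baseline & current) / len(union)


def check_baseline(host: str, baseline: set[str], current: set[str],
                   threshold: float = SIMILARITY_THRESHOLD) -> BaselineAlert | None:
    """Return an alert carrying the exact delta when the host drifts below the threshold."""
    score = similarity(baseline, current)
    if score >= threshold:
        return None
    return BaselineAlert(host, round(score, 3),
                         tuple(sorted(current - baseline)),
                         tuple(sorted(baseline - current)))


def evaluate_hosts(snapshots: dict[str, tuple[set[str], set[str]]]) -> list[BaselineAlert]:
    """Run the rule over {host: (yesterday's set, today's set)} in insertion order."""
    alerts = []
    for host, (baseline, current) in snapshots.items():
        alert = check_baseline(host, baseline, current)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed snapshots: a routine change, a suspicious one, and a port baseline.
SAMPLE_SNAPSHOTS: dict[str, tuple[set[str], set[str]]] = {
    # One daemon rotated out, one in: 9 shared of 11 total = 0.818, no alert.
    "web01": ({"systemd", "sshd", "nginx", "php-fpm", "cron", "rsyslogd",
               "auditd", "chronyd", "dbus-daemon", "postfix"},
              {"systemd", "sshd", "nginx", "php-fpm", "cron", "rsyslogd",
               "auditd", "chronyd", "dbus-daemon", "logrotate"}),
    # auditd gone and three unexpected tools running: 5 shared of 9 = 0.556, alert.
    "db02": ({"systemd", "sshd", "postgres", "cron", "rsyslogd", "auditd"},
             {"systemd", "sshd", "postgres", "cron", "rsyslogd", "nc", "perl", "curl"}),
    # Same rule on listening ports: one new port on a small set is 3 of 4 = 0.75, alert.
    "web01:ports": ({"22/tcp", "80/tcp", "443/tcp"},
                    {"22/tcp", "80/tcp", "443/tcp", "8888/tcp"}),
}


if __name__ == "__main__":
    for alert in evaluate_hosts(SAMPLE_SNAPSHOTS):
        print(f"{alert.host}: similarity={alert.similarity} "
              f"added={alert.added} removed={alert.removed}")
```

Note that a percentage rule on a small set (the port case) trips on a single new entry, so a port baseline is usually better expressed as "alert on any port not in the baseline" than as a similarity threshold; the alert's added/removed delta is what an analyst needs either way.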
LogRhythm also targets specific applications and services for monitoring, based on LogRhythm test environment and then used the LogRhythm console to review detailed log information related to a syslog event that had been triggered by the SSH rule, as shown in Figure 14. SSH is often used to hide malicious activities and sensitive information being sent out of the organization.

Figure 14. SSH Event Log

Although tuning the software to see the most interesting events related to services, information to be invaluable in developing behavioral baselines and detecting anomalies in the environment.
privileges, CSC 12 focuses on the restriction of administrative privileges on systems and within applications. It also includes continuous monitoring of all administrative account and activities.

ADVICE: Use strong passwords with complexity and aging policies in place for all administrative accounts. Log all administrator activity and logins (both successful and failed), and require multifactor authentication for administrator access, when possible. Require lower-privilege accounts for all initial access and day-to-day activity by administrators, with greater privileges assumed only when needed.

LogRhythm addresses this control by monitoring accounts defined on systems, as well as enables simplified monitoring and privileged accounts and detection of their activities, is installed by default. This module is merely one of a range of event detection options for privileged user activity, including rule-based monitoring. We reviewed several default LogRhythm rules that accomplish the goals of CSC 12. For example, we reviewed a rule that detects attempted privilege use on Linux platforms that would trigger any time someone not listed in the /etc/sudoers file attempted to run a privileged command. See Figure 15.

Figure 15. Details of a Linux Privilege Use Rule
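The Linux privilege-use rule above keys on sudo's own rejection message. The following added example (not LogRhythm's rule) shows the detection logic over a constructed syslog excerpt: it raises the "user NOT in sudoers" case the page describes, the related "command not allowed" case, and additionally cross-checks successful sudo use against an approved-administrator list; the host names, users and the admin list are assumptions.

```python
"""Detection logic for the Linux privilege-use rule: flag sudo attempts that sudo itself
rejected, and cross-check successful ones against an approved-administrator list.
Added example, not LogRhythm's rule; the log lines and admin list are constructed.
The message shapes follow sudo's syslog output."""
from __future__ import annotations

import re
from dataclasses import dataclass

# sudo syslog line: "<timestamp> <host> sudo: <user> : <detail> ; ... ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : (?P<detail>.*)$"
)
COMMAND_RE = re.compile(r"COMMAND=(?P<cmd>.*)$")


@dataclass(frozen=True)
class PrivilegeEvent:
    ts: str
    host: str
    user: str
    reason: str     # not_in_sudoers | command_not_allowed | not_on_admin_list
    command: str


def parse_sudo_line(line: str) -> dict[str, str] | None:
    """Return the named groups of a sudo line, or None for any other log line."""
    match = SUDO_RE.match(line)
    return match.groupdict() if match else None


def detect_privilege_misuse(lines: list[str],
                            admins: dict[str, frozenset[str]]) -> list[PrivilegeEvent]:
    """Emit one event per sudo attempt that sudo rejected or that an unapproved user made."""
    events: list[PrivilegeEvent] = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        detail = rec["detail"]
        cmd = COMMAND_RE.search(detail)
        command = cmd.group("cmd") if cmd else ""
        if "user NOT in sudoers" in detail:
            reason = "not_in_sudoers"          # the rule described on the page
        elif "command not allowed" in detail:
            reason = "command_not_allowed"     # in sudoers, but not for this command
        elif rec["user"] not in admins.get(rec["host"], frozenset()):
            reason = "not_on_admin_list"       # sudo allowed it; the admin inventory does not
        else:
            continue                           # approved administrator, permitted command
        events.append(PrivilegeEvent(rec["ts"], rec["host"], rec["user"], reason, command))
    return events


# Constructed: which accounts are approved administrators on each host.
APPROVED_ADMINS: dict[str, frozenset[str]] = {
    "web01": frozenset({"alice", "carol"}),
    "db02": frozenset({"alice"}),
}

# Constructed syslog excerpt (sudo pads the user name, hence the spaces after "sudo:").
SAMPLE_LOG = [
    "Mar 12 09:14:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update",
    "Mar 12 09:15:40 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
    "Mar 12 09:16:05 web01 sudo:    carol : command not allowed ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash",
    "Mar 12 09:20:11 db02 sudo:     dave : TTY=pts/0 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/systemctl stop auditd",
    "Mar 12 09:21:00 db02 sshd[2210]: Accepted publickey for dave from 10.0.0.5 port 51234 ssh2",
]


if __name__ == "__main__":
    for event in detect_privilege_misuse(SAMPLE_LOG, APPROVED_ADMINS):
        print(f"{event.ts} {event.host} {event.user}: {event.reason} -> {event.command}")
```

The third reason is the one a sudoers-only rule misses: dave's command succeeded because a local /etc/sudoers entry allowed it, and only the comparison against the account inventory the page mentions surfaces it.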
A similar rule for Windows platforms is shown in Figure 16; if a nonprivileged user right-

Figure 16. Details for a Windows Privilege Use Rule
of privileged user activity and attempted activity. One example of this type of report is shown in Figure 17, in which we select a specified group of privileged users, grouped by login and then by common events.

Figure 17. Privileged User Monitoring Report

Monitoring system events related to privilege use and potential misuse helps prevent the build-up of shadow IT setups and other insider threats. It is also important for
especially at the perimeter. LogRhythm supports CSC 13 in a number of ways, including the ability to: settings that may not meet enterprise standards for hardening and security profiles

We observed all of this in our review, starting with the different types of threat intelligence sources and lists that LogRhythm can consume and integrate for monitoring, analysis and response rules and actions, as shown in Figure 18. By default, the list has a large number of prebuilt sources, but more can easily be added by simply editing the list.

Figure 18. Third-Party Threat Intelligence Sources
Figure 19. Zeus Malware Threat List Details

By incorporating both internal and external intelligence sources and allowing analysts to more up-to-date monitoring and alerting.
CSC 14 focuses on collection and analysis of logs, with specific control items covering of logging anomalies. This control also specifies using central log servers for all logs,

The LogRhythm platform manages and monitors all types of log data and has an extensive range of log monitoring and alerting rules and dashboard reports available out of the box. We monitored and verified log sources and destinations to ensure logs were being collected properly and log data was processed and correlated with other information from the environment. Figure 20 is an example of a dashboard displaying LogRhythm's comprehensive log monitoring capabilities.

Figure 20. Log Monitoring Dashboard

This dashboard shows the major types of log events in the top three graphs (events by detailed lists of the alarms that were triggered related to the log data it gathered and SANS has strongly recommended leveraging log data for security monitoring for many data to build security intelligence.
not properly set up, maintained and monitored. CSC 16 specifies that all accounts should have a purpose and a life cycle policy.

ADVICE: Routinely monitor account use and conduct audits for dormant accounts and suspicious account activity. Log failed attempts to access accounts, store and transmit account credentials using adequate encryption and use account lockout features, where available.

other related user activities on systems. It also correlates user activity to defined lists of accounts to ensure that they are legitimate and still active. Figure 21 shows a monitoring dashboard we used to review account login activity, top accounts with access changes, account life cycle activity (i.e., creation, modification and deletion of accounts) and audit events.

Figure 21. Account Monitoring Dashboard
within a five-minute timespan, shown in Figure 22.

Figure 22. Repeat Login Detection Rule

By monitoring account use and activity, LogRhythm helps detect or prevent illicit activity caused by compromised accounts or new accounts created for malicious purposes.
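The repeat-login rule is a sliding time window over successful logins per account. The following added example (not LogRhythm's rule) implements it over a constructed sshd log; the five-minute window is from the page, while the threshold of five logins, the rsyslog ISO-8601 timestamp format, and the host, account and address values are assumptions.

```python
"""Sliding-window repeat-login rule: alert when one account logs in THRESHOLD or more
times inside a five-minute window. The window is from the page; the threshold of five
and the sshd excerpt are assumptions. Added example, not LogRhythm's rule."""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # from the page: five-minute timespan
THRESHOLD = 5                   # assumed: logins inside the window that trigger the rule

# rsyslog high-precision format: ISO-8601 timestamp, host, then the sshd message.
SSH_LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?:password|publickey) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


@dataclass(frozen=True)
class Login:
    ts: datetime
    host: str
    user: str
    src: str


@dataclass(frozen=True)
class RepeatLoginAlert:
    user: str
    count: int
    window_start: datetime
    window_end: datetime
    sources: tuple[str, ...]   # distinct source addresses seen inside the window


def parse_logins(lines: list[str]) -> list[Login]:
    """Keep successful sshd logins only; failures and unrelated lines are skipped."""
    logins = []
    for line in lines:
        m = SSH_LOGIN_RE.match(line)
        if m:
            logins.append(Login(datetime.fromisoformat(m["ts"]), m["host"], m["user"], m["src"]))
    return logins


def detect_repeat_logins(logins: list[Login], window: timedelta = WINDOW,
                         threshold: int = THRESHOLD) -> list[RepeatLoginAlert]:
    """One alert per account, raised the first time its logins inside the window reach the threshold."""
    recent: dict[str, deque[Login]] = defaultdict(deque)
    alerts: list[RepeatLoginAlert] = []
    alerted: set[str] = set()
    for login in sorted(logins, key=lambda l: l.ts):
        q = recent[login.user]
        q.append(login)
        # Drop logins older than the window; one exactly WINDOW ago still counts.
        while login.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= threshold and login.user not in alerted:
            alerted.add(login.user)
            alerts.append(RepeatLoginAlert(login.user, len(q), q[0].ts, login.ts,
                                           tuple(sorted({l.src for l in q}))))
    return alerts


# Constructed sshd excerpt: a service account logging in five times in under four
# minutes from three addresses, an interactive user at a normal pace, and one failure.
SAMPLE_AUTH_LOG = [
    "2014-05-01T09:00:05+00:00 bastion sshd[4101]: Accepted publickey for svc_backup from 10.0.1.10 port 50122 ssh2",
    "2014-05-01T09:00:48+00:00 bastion sshd[4107]: Accepted publickey for svc_backup from 10.0.1.10 port 50130 ssh2",
    "2014-05-01T09:01:30+00:00 bastion sshd[4115]: Accepted password for alice from 10.0.2.20 port 50201 ssh2",
    "2014-05-01T09:01:55+00:00 bastion sshd[4120]: Accepted publickey for svc_backup from 10.0.1.11 port 50140 ssh2",
    "2014-05-01T09:02:40+00:00 bastion sshd[4133]: Accepted publickey for svc_backup from 10.0.1.12 port 50155 ssh2",
    "2014-05-01T09:03:15+00:00 bastion sshd[4140]: Failed password for invalid user admin from 203.0.113.7 port 4411 ssh2",
    "2014-05-01T09:03:30+00:00 bastion sshd[4141]: Accepted publickey for svc_backup from 10.0.1.12 port 50160 ssh2",
    "2014-05-01T09:12:00+00:00 bastion sshd[4210]: Accepted password for alice from 10.0.2.20 port 50333 ssh2",
    "2014-05-01T09:21:10+00:00 bastion sshd[4302]: Accepted password for alice from 10.0.2.20 port 50410 ssh2",
]


if __name__ == "__main__":
    for a in detect_repeat_logins(parse_logins(SAMPLE_AUTH_LOG)):
        print(f"{a.user}: {a.count} logins between {a.window_start.time()} and "
              f"{a.window_end.time()} from {', '.join(a.sources)}")
```

The distinct-source list in the alert is what separates a chatty but legitimate automation account from a shared credential in use from several places, which is the follow-up question an analyst asks first.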
Conclusion

Implementing the Critical Security Controls is not easy. However, the LogRhythm platform satisfies many of the CSCs, with emphasis on the 10 mentioned in this review. easy configuration rules for vulnerability and threat detection and reporting. It meets support for secure configuration, privilege user controls and more. Because this one tool meets so many of these controls, LogRhythm also helps meet the CSC goal of automating as many processes as possible to reduce human-induced tools such as LogRhythm go a long way to defining and augmenting a foundation of security controls overall. As the CSCs continue to improve, it is our hope that intelligent challenge IT security departments.
About the Author

instructor and course author, and a GIAC technical director. He has consulted with hundreds Virtualization Security. Recently, Dave co- serves on the board of directors at the SANS Technology Institute and helps lead the Atlanta chapter of the Cloud Security Alliance.

Sponsor

SANS would like to thank this paper's sponsor:
More informationCautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work
Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work Security concerns and dangers come both from internal means as well as external. In order to enhance your security posture
More informationUnder the Hood of the IBM Threat Protection System
Under the Hood of the System The Nuts and Bolts of the Dynamic Attack Chain 1 Balazs Csendes IBM Security Intelligence Leader, CEE balazs.csendes@cz.ibm.com 1 You are an... IT Security Manager at a retailer
More informationBusiness white paper. Missioncritical. defense. Creating a coordinated response to application security attacks
Business white paper Missioncritical defense Creating a coordinated response to application security attacks Table of contents 3 Your business is under persistent attack 4 Respond to those attacks seamlessly
More informationExecutive Summary Program Highlights for FY2009/2010 Mission Statement Authority State Law: University Policy:
Executive Summary Texas state law requires that each state agency, including Institutions of Higher Education, have in place an Program (ISP) that is approved by the head of the institution. 1 Governance
More informationCloudPassage Halo Technical Overview
TECHNICAL BRIEF CloudPassage Halo Technical Overview The Halo cloud security platform was purpose-built to provide your organization with the critical protection, visibility and control needed to assure
More informationStrengthen security with intelligent identity and access management
Strengthen security with intelligent identity and access management IBM Security solutions help safeguard user access, boost compliance and mitigate insider threats Highlights Enable business managers
More informationHost Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1
Host Hardening Presented by Douglas Couch & Nathan Heck Security Analysts for ITaP 1 Background National Institute of Standards and Technology Draft Guide to General Server Security SP800-123 Server A
More informationALERT LOGIC FOR HIPAA COMPLIANCE
SOLUTION OVERVIEW: ALERT LOGIC FOR HIPAA COMPLIANCE AN OUNCE OF PREVENTION IS WORTH A POUND OF CURE Alert Logic provides organizations with the most advanced and cost-effective means to secure their healthcare
More information24/7 Visibility into Advanced Malware on Networks and Endpoints
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
More informationGlobal Partner Management Notice
Global Partner Management Notice Subject: Critical Vulnerabilities Identified to Alert Payment System Participants of Data Compromise Trends Dated: May 4, 2009 Announcement: To support compliance with
More informationStay ahead of insiderthreats with predictive,intelligent security
Stay ahead of insiderthreats with predictive,intelligent security Sarah Cucuz sarah.cucuz@spyders.ca IBM Security White Paper Executive Summary Stay ahead of insider threats with predictive, intelligent
More informationTechnology Solutions for NERC CIP Compliance June 25, 2015
Technology Solutions for NERC CIP Compliance June 25, 2015 2 Encari s Focus is providing NERC CIP Compliance Products and Services for Generation and Transmission Utilities, Municipalities and Cooperatives
More informationFile Integrity Monitoring: A Critical Piece in the Security Puzzle. Challenges and Solutions
File Integrity Monitoring Challenges and Solutions Introduction (TOC page) A key component to any information security program is awareness of data breaches, and yet every day, hackers are using malware
More informationA New Perspective on Protecting Critical Networks from Attack:
Whitepaper A New Perspective on Protecting Critical Networks from Attack: Why the DoD Uses Advanced Network-traffic Analytics to Secure its Network 2014: A Year of Mega Breaches A Ponemon Study published
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches easily Allows only white-listed applications in workstations to run Provides virus protection for Ovation Windows stations Aggregates,
More informationWhite Paper: Consensus Audit Guidelines and Symantec RAS
Addressing the Consensus Audit Guidelines (CAG) with the Symantec Risk Automation Suite (RAS) White Paper: Consensus Audit Guidelines and Symantec RAS Addressing the Consensus Audit Guidelines (CAG) with
More informationINCIDENT RESPONSE CHECKLIST
INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged
More informationThe Cloud App Visibility Blindspot
The Cloud App Visibility Blindspot Understanding the Risks of Sanctioned and Unsanctioned Cloud Apps and How to Take Back Control Introduction Today, enterprise assets are more at risk than ever before
More informationSection 12 MUST BE COMPLETED BY: 4/22
Test Out Online Lesson 12 Schedule Section 12 MUST BE COMPLETED BY: 4/22 Section 12.1: Best Practices This section discusses the following security best practices: Implement the Principle of Least Privilege
More informationCA Vulnerability Manager r8.3
PRODUCT BRIEF: CA VULNERABILITY MANAGER CA Vulnerability Manager r8.3 CA VULNERABILITY MANAGER PROTECTS ENTERPRISE SYSTEMS AND BUSINESS OPERATIONS BY IDENTIFYING VULNERABILITIES, LINKING THEM TO CRITICAL
More informationFirewalls, Tunnels, and Network Intrusion Detection. Firewalls
Firewalls, Tunnels, and Network Intrusion Detection 1 Firewalls A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system.
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationLogRhythm and PCI Compliance
LogRhythm and PCI Compliance The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent
More informationAddressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense
A Trend Micro Whitepaper I February 2016 Addressing the SANS Top 20 Critical Security Controls for Effective Cyber Defense How Trend Micro Deep Security Can Help: A Mapping to the SANS Top 20 Critical
More informationwith Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief
RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking
More informationEnd-user Security Analytics Strengthens Protection with ArcSight
Case Study for XY Bank End-user Security Analytics Strengthens Protection with ArcSight INTRODUCTION Detect and respond to advanced persistent threats (APT) in real-time with Nexthink End-user Security
More informationThe Critical Security Controls: What s NAC Got to Do with IT?
The Critical Security Controls: What s NAC Got to Do with IT? A SANS Product Review 2nd Edition, updated January 2015 Sponsored by ForeScout Technologies 2015 SANS Institute Introduction Although attacks
More informationEffective Threat Management. Building a complete lifecycle to manage enterprise threats.
Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive
More informationAddressing the United States CIO Office s Cybersecurity Sprint Directives
RFP Response Addressing the United States CIO Office s Cybersecurity Sprint Directives How BeyondTrust Helps Government Agencies Address Privileged Account Management and Improve Security July 2015 Addressing
More informationMedia Shuttle s Defense-in- Depth Security Strategy
Media Shuttle s Defense-in- Depth Security Strategy Introduction When you are in the midst of the creative flow and tedious editorial process of a big project, the security of your files as they pass among
More informationCONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL
CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to
More informationIMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle
More informationGuideline on Auditing and Log Management
CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius
More informationOvation Security Center Data Sheet
Features Scans for vulnerabilities Discovers assets Deploys security patches transparently Allows only white-listed applications to run in workstations Provides virus protection for Ovation Windows workstations
More information4. Getting started: Performing an audit
4. Getting started: Performing an audit Introduction Security scans enable systems administrators to identify and assess possible risks within a network. Through GFI LANguard N.S.S. this is performed automatically,
More informationUNIFIED THREAT MANAGEMENT SOLUTIONS AND NEXT-GENERATION FIREWALLS ADMINISTRATION TOOLS NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY
UNIFIED THREAT MANAGEMENT SOLUTIONS AND NEXT-GENERATION FIREWALLS ADMINISTRATION TOOLS NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY ADMINISTRATION TOOLS Stormshield Network Security solutions simplify
More informationDetecting Threats Via Network Anomalies. Paul Martini Cofounder and CEO iboss Cybersecurity
Detecting Threats Via Network Anomalies Paul Martini Cofounder and CEO iboss Cybersecurity Why is Anomaly Detection Important? Largest enterprises with the biggest investment in prevention are still getting
More information