How ByStorm Software enables NERC-CIP Compliance

Similar documents
LogRhythm and NERC CIP Compliance

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

TRIPWIRE NERC SOLUTION SUITE

NERC CIP VERSION 5 COMPLIANCE

Standard CIP Cyber Security Systems Security Management

Cyber Security Compliance (NERC CIP V5)

Standard CIP 007 3a Cyber Security Systems Security Management

Ovation Security Center Data Sheet

Ovation Security Center Data Sheet

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

SANS Institute First Five Quick Wins

CIP- 005 R2: Understanding the Security Requirements for Secure Remote Access to the Bulk Energy System

NERC CIP Whitepaper How Endian Solutions Can Help With Compliance

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Verve Security Center

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

North American Electric Reliability Corporation: Critical Infrastructure Protection, Version 5 (NERC-CIP V5)

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

Using Monitoring, Logging, and Alerting to Improve ICS Security ICSJWG 2015 Fall Meeting October 27, 2015

PCI Data Security Standards (DSS)

Secret Server Qualys Integration Guide

SolarWinds Security Information Management in the Payment Card Industry: Using SolarWinds Log & Event Manager (LEM) to Meet PCI Requirements

The Comprehensive Guide to PCI Security Standards Compliance

ReliabilityFirst CIP Evidence List CIP-002 through CIP-009 are applicable to RC, BA, IA, TSP, TO, TOP, GO, GOP, LSE, NERC, & RE

EXPERT STRATEGIES FOR LOG COLLECTION, ROOT CAUSE ANALYSIS, AND COMPLIANCE

CorreLog Alignment to PCI Security Standards Compliance

Securing SharePoint 101. Rob Rachwald Imperva

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

Windows Operating Systems. Basic Security

Kaseya White Paper. Endpoint Security. Fighting Cyber Crime with Automated, Centralized Management.

Honeywell Industrial Cyber Security Overview and Managed Industrial Cyber Security Services Honeywell Process Solutions (HPS) June 4, 2014

Cybersecurity Health Check At A Glance

FISMA / NIST REVISION 3 COMPLIANCE

Guideline on Auditing and Log Management

Trend Micro. Advanced Security Built for the Cloud

NERC CIP Compliance Gaining Oversight with ConsoleWorks

Critical Security Controls

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Cyber Security for NERC CIP Version 5 Compliance

Adopt and implement privacy procedures, train employees on requirements, and designate a responsible party for adopting and following procedures

BSM for IT Governance, Risk and Compliance: NERC CIP

AIR FORCE ASSOCIATION S CYBERPATRIOT NATIONAL YOUTH CYBER EDUCATION PROGRAM UNIT FIVE. Microsoft Windows Security.

whitepaper 4 Best Practices for Building PCI DSS Compliant Networks

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

SonicWALL PCI 1.1 Implementation Guide

Compliance in 5 Steps

Sarbanes-Oxley Act. Solution Brief. Sarbanes-Oxley Act. Publication Date: March 17, EventTracker 8815 Centre Park Drive, Columbia MD 21045

NERC CIP Compliance with Security Professional Services

CIP Cyber Security Configuration Change Management and Vulnerability Assessments

USM IT Security Council Guide for Security Event Logging. Version 1.1

PCI Compliance for Cloud Applications

74% 96 Action Items. Compliance

LogRhythm and PCI Compliance

Introduction. PCI DSS Overview

Solution Brief for ISO 27002: 2013 Audit Standard ISO Publication Date: Feb 6, EventTracker 8815 Centre Park Drive, Columbia MD 21045

Description of Actual State Sensor Types for the Software Asset Management (SWAM) Capability. 7 Jul 2014

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

System Security Policy Management: Advanced Audit Tasks

Automating NERC CIP Compliance for EMS. Walter Sikora 2010 EMS Users Conference

GE Measurement & Control. Cyber Security for NERC CIP Compliance

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Why Encryption is Essential to the Safety of Your Business

WHITEPAPER Complying with HIPAA LogRhythm and HIPAA Compliance

Compliance Guide ISO Compliance Guide. September Contents. Introduction 1. Detailed Controls Mapping 2.

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

Adopt a unified, holistic approach to a broad range of data security challenges with IBM Data Security Services.

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

Supplier Information Security Addendum for GE Restricted Data

Security Solutions to Meet NERC-CIP Requirements. Kevin Staggs, Honeywell Process Solutions

Summary of CIP Version 5 Standards

Did you know your security solution can help with PCI compliance too?

External Supplier Control Requirements

Observations from the Trenches

GE Oil & Gas. Cyber Security for NERC CIP Versions 5 & 6 Compliance

PCI DSS 3.0 Changes Bill Franklin Executive IT Auditor January 23, 2014

Lessons Learned CIP Reliability Standards

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Department of Information Technology Active Directory Audit Final Report. August promoting efficient & effective local government

Olav Mo, Cyber Security Manager Oil, Gas & Chemicals, CASE: Implementation of Cyber Security for Yara Glomfjord

Privileged. Account Management. Accounts Discovery, Password Protection & Management. Overview. Privileged. Accounts Discovery

GFI White Paper PCI-DSS compliance and GFI Software products

Patching & Malicious Software Prevention CIP-007 R3 & R4

SAQ D Compliance. Scott St. Aubin Senior Security Consultant QSA, CISM, CISSP

White Paper. PCI Guidance: Microsoft Windows Logging

CSP & PCI DSS Compliance on HP NonStop systems

BKDconnect Security Overview

Technology Solutions for NERC CIP Compliance June 25, 2015

SECURING YOUR SMALL BUSINESS. Principles of information security and risk management

October Application Control: The PowerBroker for Windows Difference

eguide: Designing a Continuous Response Architecture Executive s Guide to Windows Server 2003 End of Life

White Paper. Protecting Databases from Unauthorized Activities Using Imperva SecureSphere

MySQL Security: Best Practices

Transcription:

How ByStorm Software enables NERC-CIP Compliance The North American Electric Reliability Corporation (NERC) has defined reliability standards to help maintain and improve the reliability of North America s bulk power system. NERC has the legal authority to enforce compliance with NERC Reliability Standards, which it achieves through a rigorous program of monitoring, audits and investigations, and the imposition of financial penalties and other enforcement actions for non-compliance. The Critical Infrastructure Protection (CIP) standard is one of the NERC reliability standards. CIP-002 through CIP-009 provide a cyber security framework for the identification and protection of Critical Cyber Assets. Below you will find the CIP requirements for which ByStorm FileSure can help you to be CIP compliant: CIP-003 Access Control R5.1 Authority to grant access privileges must be known and monitored at all times R5.2 Access privileges to protected information must be controlled and access policies must be enforced Most organizations have deployed an event log monitoring system to capture privileged group changes in order to address this requirement. But if the events are not logged in the first place, they obviously are not collected and there is no way to respond. FileSure operates outside of, and in addition to, the native- Windows security model and provides both file access auditing and file access control. Having a comprehensive record of all file accesses, moves, deletes, and changes can be critical for general IT use as well as CIP compliance. FileSure also provides access control (DLP Data Loss Protection - blocking attempts to read/write/copy/move/etc.). FileSure can ensure file integrity and also ensure that even if someone is accidentally or inappropriately granted privileges via the standard Windows security model, that they cannot access files they shouldn t be accessing. FileSure can record ACL changes, but the larger issue is enforcing access policy altogether. FileSure operates outside the Windows authentication model, which means Domain Administrators don t have any inherent privileges in FileSure. So, if you set up a rule that says No one but Bob in Accounting can read an excel spreadsheet on the Accounting share, Domain Admin Sam can t read it, even if Windows says he can. FileSure DOES NOT override the native-windows security model. So if Windows determines someone does not have access, yet if FileSure rules are set such that the person should have access, they will NOT be granted access. In other words, your existing user/group permissions and ACLs will continue to do what you intended when it comes to denying access, however, FileSure will P a g e 1 ByStorm Software, LLC. www.bystorm.com +1.877.297.8676

R6 Change Control and Configuration Management All software and hardware changes must be tracked complement that and can block users and/or administrators that might have slipped through the cracks. Furthermore, FileSure can control where data can be copied and moved, which native-windows ACLs do not address whatsoever. With FileSure, all software changes are spotted and logged without having to turn on native-windows file auditing! Any change to any file can be audited; you just have to configure the appropriate rules to identify the file, folder, or even better, the type of file. There is no need to go and touch each and every file or folder ACL. Even if you did, it would get changed or altered later by another administrator. Simply by setting rules in FileSure about the types of files that can be accessed and changed or moved, or the processes or users/groups allowed to do so, FileSure can enforce the policy regardless of the ACLs. P a g e 2 ByStorm Software, LLC. www.bystorm.com +1.877.297.8676

CIP-004 Access Privileges CIP-005 Electronic Security Perimeters R4.1 Access to Critical assets Privileges to access electronic information on sensitive assets must be tracked and validated R1.5 Securing the access control and security monitoring systems Must treat the access control system and the security monitoring software/systems as extremely critical assets and must know when any changes are made to the versions or installed components, when security system user permissions change, when security policies or rules change, or when anything on a system that these components reside changes R3.2 Monitoring Electronic Access Must monitor for failed access authorization attempts and must investigate all unauthorized accesses R5.3 Electronic Access Log Retention must be kept FileSure is independent of native-windows limitations when it comes to file auditing and file access. The FileSure system both audits file access and controls file access based on defined policy via a customizable ruleset. Sensitive assets, folders, and/or shares can be identified and FileSure can audit all accesses to these assets and alert on the critical asset access (file read) or maybe just when the asset is copied, moved, changed, or deleted. This is all customizable via the rule-set and can by applied by user, process, or type of file being accessed, and much more. FileSure also provides automated alerting via email, but of course, FileSure logged events can be monitored for and responded to via SCOM or other existing event log monitoring systems in order to appropriately notify management or security personnel as desired. FileSure self-audits. All changes within FileSure are logged and can be tracked. You can also use FileSure to protect programs from being accessed by privileged users by blocking read access to the console program. For example, Bob can start RegEdit but no one else can. Sam can use FileSure, but no one else can. Sally can run MMC but no one else can; etc. This is possible because FileSure operates OUTSIDE the native-windows security model; So while Windows says Sally has the authority to run RegEdit, FileSure says she doesn t. FileSure always wins! Automated emails can be utilized to notify management or security when such changes occur, however, as mentioned above, FileSure logged events can be monitored for and responded to via SCOM or other event log monitoring systems. Authorization attempts (failures and successes) are usually logged and monitored at the domain controller and SCOM or some other event monitoring system is probably monitoring them. A larger concern would be an authorized user accessing files that they SHOULDN T be accessing. Using FileSure to monitor all sensitive file accesses would catch this for you and enable you to investigate such an unauthorized access. FileSure logs are compressed and encrypted and are NOT stored in a commercial database since a DBA could alter P a g e 3 ByStorm Software, LLC. www.bystorm.com +1.877.297.8676

CIP-007 Systems Security Management R2 for at least 90 days and ensure logs are not altered Ports and Services Must make sure only those ports and services required for normal and emergency operation are enabled; by default ports and services are disabled R4.1 Malicious Software Prevention Must use anti-virus and malware prevention where technically feasible; where not technically feasible must utilize a compensating method of some type R4.2 AV and Anti-Malware signature updates - Must them. FileSure uses SQLite whereby monthly blocks of logs are stored in separate files and in most cases never need to be groomed. FileSure can ensure that logs are not altered by only allowing the FileSure application to write to the FileSure log. When it comes to non-filesure logs from other systems, FileSure can enforce that only the system that owns the log can write to the log. All others attempts to change or alter any log will be rejected. FileSure can be utilized to collect and store not only its own logs but also any log event written to the Windows event log. FileSure can also be configured to write to the Windows security log, the Windows application log, and Syslog, for organizations that have other methods of collecting, securing, and storing various logs. FileSure can be utilized to identify when firewall rule/configuration changes occur by auditing the Firewall configuration files/folder. Additionally, FileSure can ensure that only desired services are allowed to be installed (written) as a file in the first place via its whitelisting feature. Most products accomplish this by identifying a service started event in the event log and then shutting any unapproved processes/services down. This is extremely dangerous because a worm or unapproved service could have long-since done its damage before it is detected and forced to shut down. FileSure doesn t let the unapproved application/service get installed on the computer in the first place! And even if it were to get installed, or maybe it was there before FileSure was installed, for a service to start, the executable (a file) must be read from storage. FileSure can block unapproved services from being read from the drive thus preventing unapproved applications from ever getting started. FileSure complements anti-virus and anti-malware systems in that it can prevent the zero-day attacks that signature based systems cannot. FileSure does this through the use of an executable white-list as described for the previous requirement. FileSure can also be used as a compensating method altogether. Also, as described above for CIP-007 R2, white-lists can be utilized to keep unknown or unapproved applications/services from ever getting started. FileSure can audit when signature files change. Regularly scheduled reports can be retained to prove that they P a g e 4 ByStorm Software, LLC. www.bystorm.com +1.877.297.8676

regularly update antivirus and malware prevention signatures R5.1 User account access activity Must be logged and saved for at least 90 days R6 Security Status Monitoring Automated systems must be used to monitor security events, alert on incidents, retain logs for 90 days, and review logs and retain proof of review have been updated/changed and email alerts can be utilized to notify others that these updates occurred. SCOM/ACS, or your event log monitoring system, will typically handle much of what is needed to meet this requirement, however, session changes are not logged. FileSure does detect and audit session changes for example, when a computer is connected to and remote controlled, locked or physically connected/unlocked, etc.. Of course, FileSure is also able to selectively pick out any event from the Windows event logs and will store them in with its own events in its encrypted and compressed data store for both short-term viewing and long term archival. FileSure logs to its own private secure log for long-term retention of these logs, forensic search/review, threshold alerting, and reporting. FileSure can optionally be configured to write to the Windows application log, Windows security log, and via Syslog in order to integrate with and extend the value of existing event log collection, monitoring, and archival systems. FileSure can also be used to collect specific event(s), as desired, from the Windows security event log and store them in with its own events in its encrypted and compressed data store for both short-term viewing and long term archival. FileSure is able to alert via email when specific events (incidents) occur and can be used to review these events for forensic investigations. About ByStorm Software ByStorm Software, founded in 2003, provides IT organizations with low footprint, yet comprehensive file auditing, data loss protection, and compliance enabling alerting and reporting for the Microsoft Windows platform. ByStorm Software is committed to ensuring that our solutions install and begin providing value within minutes and that our customers are empowered to meet PCI, HIPAA, NERC/CIP, NIST, SOX, and other security and compliance mandates. Some of our customers include: P a g e 5 ByStorm Software, LLC. www.bystorm.com +1.877.297.8676

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information