Automation Suite for NIST Cyber Security Framework


WHITEPAPER: NIST Cyber Security Framework
Automation Suite for NIST Cyber Security Framework
NOVEMBER 2014

Automation Suite for NIST Cyber Security Framework

The National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) establishes information security standards and guidelines for critical infrastructure as defined within Executive Order 13636 from the President of the United States. NIST-CSF guides critical infrastructure agencies in documenting and implementing controls for the information technology systems that support their operations and assets. These published guidelines cover many areas, including access control, audit and accountability, incident response, and system and information integrity. Each agency is responsible for implementing the minimum security requirements outlined by NIST, and agencies are periodically scored to determine their compliance level. Although compliance is currently voluntary, the government is likely to pursue legislation that attaches legal ramifications to noncompliance. Given the origin of the bill's creation, it is likely that some form of enforcement or incentive will be established.

The collection, management, and analysis of log data is integral to meeting many NIST-CSF requirements. The use of LogRhythm satisfies some requirements and decreases the cost of complying with others. IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. Millions of individual log entries can be generated daily, if not hourly, and the task of organizing this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly.

LogRhythm can help. Log collection, archiving, and recovery are fully automated across the entire IT infrastructure. LogRhythm automatically performs the first level of log analysis: log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm's powerful alerting capability automatically identifies the most critical issues and notifies relevant personnel. With the click of a mouse, LogRhythm's out-of-the-box NIST-CSF reporting packages ensure you meet your reporting requirements.

NIST-CSF requires organizations to implement and perform procedures that effectively capture, monitor, review, and retain log data. The remainder of this paper lists the applicable NIST-CSF control requirements and enhancements that LogRhythm helps address. For each requirement, an explanation of how LogRhythm supports compliance is provided. Learn how LogRhythm's comprehensive log management and analysis solution can help your organization meet or exceed NIST-CSF guidelines.

The following table provides a summary of how LogRhythm supports the NIST-CSF control requirements and enhancements. Where a control requirement or enhancement is designated as directly met, a specific LogRhythm feature (such as alarming, correlating, or reporting) provides the functionality required to meet the control objective. Where a control requirement or enhancement is designated as augmented, LogRhythm features provide functionality that supports the process of meeting the control objective but does not directly meet it. The control requirements listed in the table below come directly from the NIST CSF documentation located at the NIST Computer Security Division web site (http://csrc.nist.gov/).

NIST CSF Control Requirement                                    | Directly Meets Requirement                  | Augments Control Requirement
----------------------------------------------------------------|---------------------------------------------|--------------------------------------------------------------------------
ID.AM (Identify - Asset Management)                             | N/A                                         | ID.AM-3, ID.AM-4, ID.AM-6
ID.BE (Identify - Business Environment)                         | N/A                                         | N/A
ID.GV (Identify - Governance)                                   | N/A                                         | ID.GV-1, ID.GV-2, ID.GV-3
ID.RA (Identify - Risk Assessment)                              | N/A                                         | ID.RA-1
ID.RM (Identify - Risk Management Strategy)                     | N/A                                         | N/A
PR.AC (Protect - Access Control)                                | N/A                                         | PR.AC-1, PR.AC-2, PR.AC-4, PR.AC-5
PR.AT (Protect - Awareness & Training)                          | N/A                                         | PR.AT-3
PR.DS (Protect - Data Security)                                 | PR.DS-1                                     | PR.DS-4, PR.DS-5, PR.DS-6
PR.IP (Protect - Information Protection Processes & Procedures) | N/A                                         | PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-7, PR.IP-8, PR.IP-11, PR.IP-12
PR.MA (Protect - Maintenance)                                   | N/A                                         | PR.MA-1
PR.PT (Protect - Protective Technology)                         | N/A                                         | PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4
DE.AE (Detect - Anomalies & Events)                             | DE.AE-3, DE.AE-5                            | DE.AE-1, DE.AE-2, DE.AE-4
DE.CM (Detect - Security Continuous Monitoring)                 | DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, DE.CM-7 | DE.CM-5, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-6, DE.CM-7, DE.CM-8
DE.DP (Detect - Detection Processes)                            | DE.DP-4                                     | DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5
RS.RP (Respond - Response Planning)                             | N/A                                         | RS.RP-1
RS.CO (Respond - Communications)                                | N/A                                         | RS.CO-3, RS.CO-4
RS.AN (Respond - Analysis)                                      | N/A                                         | RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4
RS.MI (Respond - Mitigation)                                    | N/A                                         | RS.MI-1, RS.MI-2, RS.MI-3
RS.IM (Respond - Improvements)                                  | N/A                                         | RS.IM-1, RS.IM-2
RC.RP (Recover - Recovery Plan)                                 | N/A                                         |
RC.IM (Recover - Improvements)                                  | N/A                                         | RC.IM-1, RC.IM-2
RC.CO (Recover - Communications)                                | N/A                                         | RC.CO-3

The sections on the subsequent pages outline how LogRhythm supports the requirements and enhancements of each NIST-CSF function. Each describes the capabilities LogRhythm provides that directly meet or augment support for NIST-CSF compliance.

Identify

Asset Management (ID.AM-3, ID.AM-4, ID.AM-6)
The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
LogRhythm provides supplemental support for NIST-CSF control requirements ID.AM-3, ID.AM-4, and ID.AM-6 by collecting and analyzing all account management, access granting/revoking, and access/authentication logs. LogRhythm correlation rules provide alerting on account authentication failures. LogRhythm investigations, reports, and tails provide evidence of system account management activity (account creation, deletion, and modification), access granting/revoking activity, and account access/authentication activity. Lastly, LogRhythm investigations provide evidence of authorized/unauthorized network access.

Governance (ID.GV-1, ID.GV-2, ID.GV-3)
The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
LogRhythm provides supplemental support for NIST-CSF control requirements ID.GV-1, ID.GV-2, and ID.GV-3 by collecting and analyzing all account management and access/authentication logs. LogRhythm correlation rules provide alerting on account authentication failures. LogRhythm investigations, reports, and tails provide evidence of account management activity (account creation, deletion, and modification) and account access/authentication activity to support the enforcement of security policies within the organization.

Risk Assessment (ID.RA-1)
The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
LogRhythm provides supplemental support for NIST-CSF control requirement ID.RA-1 by collecting and analyzing all suspicious network activity or activities indicative of cybersecurity risk. LogRhythm correlation rules provide alerting on events indicative of potential cybersecurity threats or attacks on the network. LogRhythm investigations, reports, and tails provide evidence of cybersecurity events in support of early detection and incident response.

Protect

Access Control (PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5)
Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
LogRhythm provides supplemental support for NIST-CSF control requirements PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, and PR.AC-5 by collecting and analyzing all account management, network access/authentication, remote access, and physical access logs. LogRhythm correlation rules provide alerting on account authentication failures. LogRhythm investigations, reports, and tails provide evidence of account access/authentication activity.

Awareness and Training (PR.AT-3)
The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
LogRhythm provides supplemental support for NIST-CSF control requirement PR.AT-3 by collecting and analyzing all third-party account or process activities within the environment to ensure third parties are performing activities according to defined roles and responsibilities. LogRhythm correlation rules provide alerting on account authentication failures. LogRhythm investigations, reports, and tails provide evidence of vendor account management and authentication (success/failure) activities.

Data Security (PR.DS-1, PR.DS-4, PR.DS-5, PR.DS-6)
Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
LogRhythm provides direct support for NIST-CSF control requirement PR.DS-1 and supplemental support for NIST-CSF control requirements PR.DS-4, PR.DS-5, and PR.DS-6 by collecting and analyzing all system logs relating to the protection of data integrity, availability, and mobility. LogRhythm's File Integrity Monitor (FIM) tracks file changes, while Data Loss Defender (DLD) independently monitors and logs the connection and disconnection of external data devices to the host computer where the Agent is running. DLD also monitors and logs the transmission of files to an external storage device, and it can be configured to protect against external data device connections by ejecting specified devices upon detection. External USB storage devices include Flash/RAM drives and CD/DVD drives. LogRhythm correlation rules provide alerting on remote account authentication failures. LogRhythm investigations, reports, and tails provide evidence of remote account access/authentication activity.

Information Protection Processes and Procedures (PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-7, PR.IP-8, PR.IP-11, PR.IP-12)
Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
LogRhythm provides supplemental support for NIST-CSF control requirements PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-7, PR.IP-8, PR.IP-11, and PR.IP-12 by collecting and analyzing all logs relating to change management, backups, and those in support of incident response plans. LogRhythm correlation rules provide alerting on account management activities. LogRhythm investigations, reports, and tails provide evidence of account management and authentication (success/failure) activities.

Maintenance (PR.MA-1)
Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
LogRhythm provides supplemental support for NIST-CSF control requirement PR.MA-1 by collecting and analyzing all logs relating to critical and error conditions within the environment. LogRhythm correlation rules provide alerting on critical and error conditions within the environment. LogRhythm investigations, reports, and tails provide evidence of environment conditions as well as process and system start-ups/shut-downs.

Protective Technology (PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4)
Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
LogRhythm provides supplemental support for NIST-CSF control requirements PR.PT-1, PR.PT-2, PR.PT-3, and PR.PT-4 by collecting logs relating to technical security solution access management and authentication activities. Further, LogRhythm's File Integrity Monitor (FIM) and Data Loss Defender (DLD) allow for monitoring of removable media and other audit logging events. LogRhythm correlation rules provide alerting on audit logging events (log cleared, stopped), DLD and FIM events, software installations, access provisioning, and authentication activities. Lastly, LogRhythm investigations, reports, and tails provide evidence around the aforementioned activities.
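As an added illustration (not LogRhythm code or output), the following Python sketch mimics the collect, normalize, correlate and alert steps the paper describes, applied to the Access Control (authentication failures), Information Protection (account management) and Protective Technology (audit log cleared) rules above, on constructed sample log lines. The log formats, Windows event-ID mapping, failure threshold, time window and the specific CSF subcategory tags are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real LogRhythm output): Windows-style
# security events exported from a domain controller plus one Linux sshd line.
SAMPLE_LOGS = [
    "2014-11-03T09:00:01 host=DC01 EventID=4720 Account=svc_backup Subject=admin",
    "2014-11-03T09:01:10 host=DC01 EventID=4625 Account=jsmith SrcIP=10.0.0.5",
    "2014-11-03T09:01:25 host=DC01 EventID=4625 Account=jsmith SrcIP=10.0.0.5",
    "2014-11-03T09:01:40 host=DC01 EventID=4625 Account=jsmith SrcIP=10.0.0.5",
    "2014-11-03T09:02:00 host=DC01 EventID=4625 Account=jsmith SrcIP=10.0.0.5",
    "2014-11-03T09:05:00 host=DC01 EventID=4625 Account=jsmith SrcIP=10.0.0.5",
    "2014-11-03T09:30:00 host=DC01 EventID=1102 Subject=admin",
    "Nov  3 09:45:12 web01 sshd[2210]: Failed password for root from 192.0.2.7 port 5022 ssh2",
]
# First-level analysis: classify raw events into a common category (the
# "categorized, identified, and normalized" step). Windows event IDs used:
# 4625 failed logon, 4720 user account created, 1102 audit log cleared.
WINDOWS_EVENT_CATEGORY = {"4625": "auth_failure", "4720": "account_created",
                          "1102": "audit_log_cleared"}
# CSF subcategory each rule is tagged with. The pairing of rule to control
# family follows the paper; the exact subcategory number is an assumption.
CSF_CONTROL = {"auth_failure": "PR.AC-1", "account_created": "PR.IP-1",
               "audit_log_cleared": "PR.PT-1"}
WIN_RE = re.compile(r"^(\S+) host=(\S+) EventID=(\d+)(.*)$")
SSH_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) (\S+) sshd\[\d+\]: "
                    r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def normalize(line, default_year=2014):
    """Turn one raw log line into a normalized event dict, or None if unrecognized."""
    m = WIN_RE.match(line)
    if m:
        ts, host, event_id, rest = m.groups()
        fields = dict(re.findall(r"(\w+)=(\S+)", rest))
        category = WINDOWS_EVENT_CATEGORY.get(event_id)
        if category is None:
            return None
        return {"ts": datetime.fromisoformat(ts), "host": host, "category": category,
                "account": fields.get("Account", fields.get("Subject")),
                "src": fields.get("SrcIP")}
    m = SSH_RE.match(line)
    if m:
        ts, host, user, src = m.groups()  # syslog timestamps carry no year
        when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=default_year)
        return {"ts": when, "host": host, "category": "auth_failure",
                "account": user, "src": src}
    return None

def correlate(lines, threshold=4, window=timedelta(minutes=5)):
    """Run the alerting rules over raw lines; return alerts tagged with a CSF control."""
    alerts = []
    failures = defaultdict(deque)  # account -> timestamps of recent failures
    for line in lines:
        ev = normalize(line)
        if ev is None:
            continue
        if ev["category"] == "auth_failure":
            q = failures[ev["account"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:  # slide the window forward
                q.popleft()
            if len(q) < threshold:
                continue
            count = len(q)
            q.clear()  # report one burst once, then start a fresh window
        else:
            count = 1  # account changes and cleared audit logs alert immediately
        alerts.append({"control": CSF_CONTROL[ev["category"]], "host": ev["host"],
                       "account": ev["account"], "count": count, "ts": ev["ts"]})
    return alerts
```

Running correlate(SAMPLE_LOGS) yields three alerts: the account creation, one burst of four failed logons for jsmith, and the cleared audit log; the single root failure over SSH stays below the threshold and is retained only as normalized evidence.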

Detect

Anomalies and Events (DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5)
Anomalous activity is detected in a timely manner and the potential impact of events is understood.
LogRhythm provides direct support for NIST-CSF control requirements DE.AE-3 and DE.AE-5, and supplemental support for NIST-CSF control requirements DE.AE-1, DE.AE-2, and DE.AE-4, by collecting and analyzing logs related to security events throughout the network. An inherent function of LogRhythm is the ability to correlate and aggregate event data across the environment. LogRhythm's log analysis, investigations, tails, and reporting capabilities can be leveraged during a security assessment to help ensure implemented controls are functioning as intended and to identify potential weaknesses.

Security Continuous Monitoring (DE.CM-5, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-6, DE.CM-7, DE.CM-8)
The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
LogRhythm provides direct support for NIST-CSF control requirements DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, and DE.CM-7, as well as supplemental support for NIST-CSF control requirements DE.CM-4, DE.CM-4 and DE.CM-4, by providing continuous monitoring, analysis, and reporting of network, physical access, and other events indicative of malicious cyber activity.

Detection Processes (DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5)
Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
LogRhythm provides direct support for NIST-CSF control requirement DE.DP-4 and supplemental support for NIST-CSF control requirements DE.DP-1, DE.DP-2, DE.DP-3, and DE.DP-5 by logging and monitoring the processes and procedures in the environment. Further, the LogRhythm correlation engine provides alerting on these activities to assigned individuals. LogRhythm reporting, investigations, and tails provide evidence around these activities to support the maintenance of processes and procedures.

Respond

Response Planning (RS.RP-1)
Response processes and procedures are executed and maintained to ensure timely response to detected cybersecurity events.
LogRhythm provides supplemental support for NIST-CSF control requirement RS.RP-1 by collecting and analyzing all cybersecurity events and providing notifications to assigned personnel. LogRhythm correlation rules provide alerting on cybersecurity events, while investigations, reports, and tails provide the evidence behind them.

Communications (RS.CO-3, RS.CO-4)
Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
LogRhythm provides supplemental support for NIST-CSF control requirements RS.CO-3 and RS.CO-4 by collecting and analyzing all cybersecurity events and providing notifications to assigned personnel. LogRhythm correlation rules provide alerting on cybersecurity events, while investigations, reports, and tails provide the evidence behind them.

Analysis (RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4)
Analysis is conducted to ensure adequate response and to support recovery activities.
LogRhythm provides supplemental support for NIST-CSF control requirements RS.AN-1, RS.AN-2, RS.AN-3, and RS.AN-4 by collecting and analyzing logs to categorize events and allow forensics to be performed. The LogRhythm correlation engine provides alerts and notifications to assigned personnel. LogRhythm investigations, reports, and tails provide evidence of security and other events of interest throughout the environment.

Mitigation (RS.MI-1, RS.MI-2, RS.MI-3)
Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
LogRhythm provides supplemental support for NIST-CSF control requirements RS.MI-1, RS.MI-2, and RS.MI-3 by collecting and analyzing logs related to incident response. The LogRhythm correlation engine provides alerting on vulnerabilities within the environment. LogRhythm investigations, reports, and tails provide evidence to support incident analysis and the remediation of exposures or vulnerabilities.

Improvements (RS.IM-1, RS.IM-2)
Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
LogRhythm provides supplemental support for NIST-CSF control requirements RS.IM-1 and RS.IM-2 by collecting and analyzing logs related to incident response. LogRhythm reports provide evidence to support incident analysis and the remediation of exposures or vulnerabilities.

Recover

Improvements (RC.IM-1, RC.IM-2)
Recovery planning and processes are improved by incorporating lessons learned into future activities.
LogRhythm provides supplemental support for NIST-CSF control requirements RC.IM-1 and RC.IM-2 by collecting and analyzing logs relating to recovery operations. LogRhythm reports provide evidence around recovery operation events.

Communications (RC.CO-3)
Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
LogRhythm provides supplemental support for NIST-CSF control requirement RC.CO-3 by collecting and analyzing logs relating to recovery operations. LogRhythm reports provide evidence around recovery operation events.

INFO@LOGRHYTHM.COM | 2014 LogRhythm Inc. | Whitepaper - NIST 800-53 Compliance