LogRhythm and NERC CIP Compliance




The North American Electric Reliability Corporation (NERC) is a nonprofit corporation designed to ensure that the bulk electric system in North America is reliable, adequate and secure. As the federally designated Electric Reliability Organization (ERO) in North America, NERC maintains comprehensive reliability standards that define requirements for planning and operating the collective bulk power system. Among these are the Critical Infrastructure Protection (CIP) Cyber Security Standards, which are intended to ensure the protection of the Critical Cyber Assets that control or affect the reliability of North America's bulk electric systems. In 2006, the Federal Energy Regulatory Commission (FERC) approved the Security and Reliability Standards proposed by NERC, making the CIP Cyber Security Standards mandatory and enforceable across all users, owners and operators of the bulk-power system. After going into effect in June 2006, initial compliance auditing began in June 2007.

The collection, management, and analysis of log data are integral to meeting many NERC CIP requirements. IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. Millions of individual log entries can be generated daily, if not hourly. The task of assembling this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly.

LogRhythm has extensive experience in helping organizations improve their overall security and compliance posture while reducing costs. Log collection, archive, and recovery are fully automated across the entire IT infrastructure. LogRhythm automatically performs the first level of log analysis: log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm's powerful alerting capability automatically identifies the most critical issues and notifies relevant personnel.

LogRhythm's NERC CIP Compliance Package provides out-of-the-box assistance in addressing numerous NERC CIP requirements. As part of the NERC CIP Compliance Package, the enterprise assets are categorized according to the NERC CIP-002-1 Critical Cyber Asset Identification standard: Electronic Security Perimeter, Incident Reporting and Planning, Critical Cyber Assets, Malware Systems, Vulnerability Detection, Disposal Logs and Patch Compliance. LogRhythm's NERC CIP Compliance Package provides specific reports designed to meet NERC CIP reporting requirements. Reports are automatically associated with the correct NERC CIP asset categories, ensuring only relevant information is reported on. Reports can be scheduled for nightly generation and delivery. Reports can also be generated on demand by the security officer or other LogRhythm users. Investigations and Alarm Rules are also provided for NERC CIP compliance. This allows for immediate analysis of activities that impact the organization's Critical Cyber Assets or Electronic Security Perimeter, so areas of non-compliance can be identified in real time.

Copyright 2009 LogRhythm, Inc. All Rights Reserved

The table below explains how LogRhythm and the NERC CIP Compliance Package address the nine sections of the standard.

NERC CIP Section and Purpose / LogRhythm Compliance Support

CIP-001-1: Sabotage Reporting
  LogRhythm identifies attacks in real time by monitoring, classifying, and alarming on events that support the reporting process of CIP-001-1 in requirements 2 and 3.

CIP-002-1: Critical Cyber Asset Identification
  LogRhythm provides support for identifying systems and their roles that might otherwise have gone unaccounted for, especially covering requirements 1.2.6 and 1.2.7, which provide support for critical assets.

CIP-003-1: Security Management Controls
  LogRhythm is a supporting tool for Security Management decision making. The assigned Compliance Monitor will be able to validate controls using LogRhythm.

CIP-004-1: Personnel & Training
  LogRhythm augments personnel training by providing additional eyes on organization activities. The 24x7 monitoring provided by LogRhythm covers areas of awareness that personnel normally cannot.

CIP-005-1: Electronic Security Perimeter(s)
  LogRhythm's primary purpose is to provide direct support for monitoring the ESP and Critical Cyber Assets, organizational access controls and other security controls. LogRhythm also supports identification of configuration changes for ESP devices, which augments the strict security configuration requirements. Cyber Vulnerability Assessments are enhanced by LogRhythm's ability to collect detected vulnerabilities during regular operation, providing even greater protection for the organization than a spot-check assessment could.

CIP-006-1 and 1a: Physical Security
  LogRhythm augments existing physical access controls by monitoring logs generated by electronic access systems.

CIP-007-1: Systems Security Management
  LogRhythm provides oversight for almost all requirements of the Systems Security Management standard. LogRhythm addresses CIP-007-1 directly in order to meet many of the challenges of implementing an effective NERC CIP compliant solution.

CIP-008-1: Incident Reporting and Response Planning
  LogRhythm provides a centralized system for collecting, reporting and alarming on intrusion detection events from both network and host security systems. Centralization of intrusion reporting and response should be an objective for an effective IRR plan.

CIP-009-1: Recovery Plans for Critical Cyber Assets
  LogRhythm provides an early warning system for system failures that can improve response time and diagnostic abilities, reduce downtime and alarm on failures to augment disaster recovery.

The tables on the subsequent pages outline how LogRhythm directly meets requirements of the NERC CIP sections. The requirements listed come directly from the NERC CIP compliance documents located at the North American Electric Reliability Corporation's web site (http://www.nerc.com). The "How LogRhythm Supports Compliance" column describes the capabilities LogRhythm provides that meet, support or augment NERC CIP compliance.

CIP-005-1 Cyber Security: Electronic Security Perimeter(s)

Standard CIP-005 requires the identification and protection of the Electronic Security Perimeter(s) inside which all Critical Cyber Assets reside, as well as all access points on the perimeter.

Compliance Requirement / How LogRhythm Supports Compliance

R1.6  Maintain documentation of Electronic Security Perimeter(s), all interconnected Critical and non-critical Cyber Assets within the Electronic Security Perimeter(s), all electronic access points to the Electronic Security Perimeter(s) and the Cyber Assets deployed for the access control and monitoring of these access points.
      LogRhythm can collect all electronic access point device logs, such as firewalls, VPN servers, etc. LogRhythm can alert on unauthorized or suspicious activity. LogRhythm reports provide a consolidated review of internal/external activity and threats.
      Example Investigations: Network Service Summary; Network Connection Summary
      Example Alarms: Alarm On Attack; Alarm On Compromise; Alarm On Malware

R2.2  Enable only ports and services required for operations and for monitoring Cyber Assets within the Electronic Security Perimeter, and shall document, individually or by specified grouping, the configuration of those ports and services.
      LogRhythm detects and alerts on activity on ports and services to ensure that only required ports and services are being utilized.
      Example Investigations: Network Service Summary; Network Connection Summary

R2.3  Maintain a procedure for securing dial-up access to the Electronic Security Perimeter(s).
      LogRhythm collects dial-up access activity, providing easy and independent review of dial-up access to Electronic Security Perimeter(s) through available reports.
      Reports: Dial-up Access Activity by User; Dial-up Access Activity by Host

R2.4  Implement strong procedural or technical controls at the access points to ensure authenticity of the accessing party.
      LogRhythm collects network device logs from access points. LogRhythm's analysis and reporting capabilities provide review of the network activity to ensure only authorized access occurs. LogRhythm alerts ensure detection of unauthorized access. LogRhythm collects remote access activity for VPN, SSH, telnet, etc. LogRhythm reports provide easy and independent review of remote access to information systems.
      Example Investigations: Network Service Summary; Network Connection Summary
      Example Report: Host Remote Access Summary

R3    Implement and document an electronic or manual process(es) for monitoring and logging access at access points to the Electronic Security Perimeter(s) twenty-four hours a day, seven days a week.
      LogRhythm's monitoring, analysis, archiving, alerting, auditing, and reporting capabilities provide for continuous monitoring of access points across the Electronic Security Perimeter(s). For instance, LogRhythm monitors unauthorized access for auditing, logging, archiving, and alerting.
      Reports: User Authentication Summary; Usage Auditing Event Detail By User; Failed Host Access By User

R3.1  Implement and document monitoring process(es) at each access point to the dial-up device.
      LogRhythm collects dial-up device logs. LogRhythm alerts can be used to monitor and detect unauthorized access through the dial-up devices.
      Reports: Dial-up Access Activity by User; Dial-up Access Activity by Host

R3.2  Detect and alert for attempts at or actual unauthorized accesses. These alerts shall provide for appropriate notification to designated response personnel. Review or otherwise assess access logs for attempts at or actual unauthorized accesses at least every ninety calendar days.
      LogRhythm provides robust alerting and notification capabilities that notify upon attacks or unauthorized accesses. LogRhythm's integrated incident management capabilities provide accountability and reporting on alarm resolution. LogRhythm's analysis and reporting capabilities provide easy and independent review of access activity.
      Reports: Failed File Access; Failed Application Access By User; Failed Host Access By User
      Example Alarms: Alarm On Attack; Alarm On Compromise

R4    Perform a cyber vulnerability assessment of the electronic access points to the Electronic Security Perimeter(s) at least annually.
      LogRhythm's log analysis and reporting capabilities provide valuable tools for cyber vulnerability assessment, ensuring electronic access points meet security requirements and identifying system weaknesses.
      Reports: Vulnerabilities Detected; Top Targeted Hosts; Top Targeted Applications

R4.2  A review to verify that only ports and services required for operations at these access points are enabled.
      LogRhythm detects and alerts on activity on ports and services to ensure that only required ports and services are being utilized.
      Example Investigations: Network Service Summary; Network Connection Summary
      Example Report: Host Remote Access Summary

R4.4  A review of controls for default accounts, passwords, and network management community strings.
      LogRhythm collects all account management and account usage activity. Default accounts and password changes are easily and automatically monitored, alerted, and reported on for appropriate action.
      Reports: Account Management Activity; Host Access Granted & Revoked; User Authentication Summary; User Object Access Summary

R5.3  Retain electronic access logs for at least ninety calendar days.
      LogRhythm completely automates the process and requirement of collecting and retaining access logs. LogRhythm retains logs in secure compressed archive files for cost-effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later.
      Reports: Log Summary; Summary Log Count; Log Volume; Object Access Summary

CIP-006-1 Cyber Security: Physical Security of Critical Cyber Assets

Standard CIP-006 is intended to ensure the implementation of a physical security program for the protection of Critical Cyber Assets.

Compliance Requirement / How LogRhythm Supports Compliance

R1.3  Processes, tools, and procedures to monitor physical access to the perimeter(s).
      LogRhythm collects log messages from physical access devices (e.g. card key systems) for monitoring, alarming, analysis, and reporting.
      Reports: Access Summary; Authentication Summary

R1.5  Procedures for reviewing access authorization requests and revocation of access authorization, in accordance with CIP-004 Requirement R4.
      LogRhythm reports provide easy review of access authorization requests and revocation of access authorization to compare with the authorized list required in CIP-004 Requirement R4. Logs capture actions taken when providing or revoking system access.
      Reports: Account Management Activity; New Account Summary; Host Access Granted & Revoked
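The alerting described for CIP-005 R3.2 (detect and alert on attempts at unauthorized access, with notification to designated response personnel) and the default-account review of R4.4 both come down to normalizing access-point logs into classified events and running rules over them. The following Python script is an added example written for this page; it is not LogRhythm code and does not use any LogRhythm API. The syslog lines, the hostnames vpn-gw1 and fw-esp1, the user names and the DEFAULT_ACCOUNTS list are all constructed for the demonstration, and the five-failures-in-five-minutes threshold is an assumed tuning value, not one taken from the standard.

```python
"""Added example (not LogRhythm code): normalize a few access-point log lines,
then apply two rules in the spirit of CIP-005 R3.2 and R4.4:
  - alarm when one user fails authentication N times within a time window
  - report every successful login by a documented default account
All log lines, hostnames, addresses and account names are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: VPN concentrator and ESP firewall syslog lines.
SAMPLE_LOGS = """\
2009-03-02T08:00:01 vpn-gw1 sslvpn: user=jdoe src=203.0.113.10 result=FAILED reason=bad-password
2009-03-02T08:00:09 vpn-gw1 sslvpn: user=jdoe src=203.0.113.10 result=FAILED reason=bad-password
2009-03-02T08:00:15 vpn-gw1 sslvpn: user=jdoe src=203.0.113.10 result=FAILED reason=bad-password
2009-03-02T08:00:22 vpn-gw1 sslvpn: user=jdoe src=203.0.113.10 result=FAILED reason=bad-password
2009-03-02T08:00:31 vpn-gw1 sslvpn: user=jdoe src=203.0.113.10 result=FAILED reason=bad-password
2009-03-02T08:05:40 vpn-gw1 sslvpn: user=msmith src=198.51.100.7 result=SUCCESS
2009-03-02T09:12:03 fw-esp1 login: user=admin src=192.0.2.44 result=SUCCESS
2009-03-02T11:30:00 vpn-gw1 sslvpn: user=msmith src=198.51.100.7 result=FAILED reason=bad-password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<app>[^:]+): user=(?P<user>\S+) src=(?P<src>\S+) "
    r"result=(?P<result>SUCCESS|FAILED)"
)

# Vendor default accounts the entity has documented for its R4.4 review (constructed list).
DEFAULT_ACCOUNTS = {"admin", "root", "cisco"}


def normalize(raw):
    """Parse raw lines into dicts and classify each as an auth success or failure."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # an unparsed line stays a raw log; it is not promoted to an event
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        e["class"] = "auth_success" if e["result"] == "SUCCESS" else "auth_failure"
        events.append(e)
    return events


def multiple_auth_failures(events, threshold=5, window=timedelta(minutes=5)):
    """Alarm when a user accumulates `threshold` failures on one host inside a sliding
    window. One alarm per (user, host) is raised the first time the threshold is met."""
    recent = defaultdict(list)   # (user, host) -> timestamps of failures still in window
    alarms, fired = [], set()
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["class"] != "auth_failure":
            continue
        key = (e["user"], e["host"])
        recent[key] = [t for t in recent[key] if e["ts"] - t <= window] + [e["ts"]]
        if len(recent[key]) >= threshold and key not in fired:
            fired.add(key)
            alarms.append({"rule": "Multiple Authentication Failures",
                           "user": e["user"], "host": e["host"],
                           "count": len(recent[key]), "last_seen": e["ts"]})
    return alarms


def default_account_logins(events):
    """Successful logins by documented default accounts: evidence for the R4.4 review."""
    return [e for e in events
            if e["class"] == "auth_success" and e["user"] in DEFAULT_ACCOUNTS]


if __name__ == "__main__":
    evs = normalize(SAMPLE_LOGS)
    for a in multiple_auth_failures(evs):
        print("ALARM", a["rule"], a["user"], a["host"], a["count"])
    for e in default_account_logins(evs):
        print("DEFAULT ACCOUNT LOGIN", e["user"], e["host"], e["src"])
```

With the constructed input the script raises one "Multiple Authentication Failures" alarm for jdoe on vpn-gw1 and lists one default-account login (admin on fw-esp1) for the R4.4 review. In a deployment the alarm record is what gets routed to the designated response personnel the requirement names, and the default-account list is what the reviewer compares against the documented set of accounts that must remain enabled.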

R3    Document and implement the technical and procedural controls for monitoring physical access at all access points to the Physical Security Perimeter(s) twenty-four hours a day, seven days a week. Unauthorized access attempts shall be reviewed immediately and handled in accordance with the procedures specified in Requirement CIP-008.
      LogRhythm's monitoring, analysis, and reporting capabilities provide for continuous monitoring of physical access points across the Physical Security Perimeter(s). For instance, alerts can be used to monitor and detect unauthorized access and notify appropriate personnel for near real-time review and response.
      Reports: Access Summary; Authentication Summary
      Example Alarms: Alarm On Compromise

R4.1  Implement and document the technical and procedural mechanisms for logging physical entry at all access points to the Physical Security Perimeter(s) using computerized logging.
      LogRhythm collects log messages from physical access devices (e.g. card key systems) at all access points for monitoring, analysis, and reporting.
      Reports: Access Summary; Authentication Summary

R5    Retain physical access logs for at least ninety calendar days.
      LogRhythm completely automates the process and requirement of collecting and retaining access logs. LogRhythm retains logs in compressed archive files for cost-effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later.

CIP-007-1 Cyber Security: Systems Security Management

Standard CIP-007 requires Responsible Entities to define methods, processes, and procedures for securing those systems determined to be Critical Cyber Assets, as well as the non-critical Cyber Assets within the Electronic Security Perimeter(s).

Compliance Requirement / How LogRhythm Supports Compliance

R2    Establish and document a process to ensure that only those ports and services required for normal and emergency operations are enabled.
      LogRhythm detects and alerts on activity on ports and services to ensure that only required ports and services are being utilized.
      Example Investigations: Network Service Summary; Network Connection Summary; Host Remote Access Summary

R3    Establish and document a security patch management program for tracking, evaluating, testing, and installing applicable cyber security software patches for all Cyber Assets within the Electronic Security Perimeter(s).
      LogRhythm collects update information, including manual installations and automated updates, providing the ability to track patch deployments.
      Reports: Patches Applied

R3.2    The Responsible Entity shall document the implementation of security patches. In any case where the patch is not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
        LogRhythm documents both successes and failures of patching, providing the documentation and reporting needed to identify where manual intervention or compensating measures are necessary.
        Reports: Patches Applied

R4      Use anti-virus software and other malicious software ("malware") prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
        LogRhythm collects logs from anti-virus software and other anti-malware tools. LogRhythm provides central analysis and monitoring of malware-related activity across the Electronic Security Perimeter(s).
        Reports: Malware Detected

R5      Establish, implement, and document technical and procedural controls that enforce access authentication of, and accountability for, all user activity, and that minimize the risk of unauthorized system access.
        LogRhythm collects all authentication and access activity. LogRhythm reports provide easy, secure, and independent review of access control settings and enforcement. Alarming is available to alert on accesses made between resources, enforcing quick response to unauthorized, suspicious, or threatening activities. Reports can be made to show all such activity during any period of time.
        Reports: Successful/Failed Host Access by User; Successful/Failed Application Access by User; Successful/Failed File Access by User

R5.1.1  Ensure that user accounts are implemented as approved by designated personnel. Refer to Standard CIP-003 Requirement R5.
        LogRhythm collects all account management activities. LogRhythm reports provide easy and standard review of all account management activity, ensuring user accounts are implemented by designated personnel.
        Reports: Account Creation Activity; Account Modification Activity; Disabled Accounts Summary; Removed Account Summary

R5.1.2  Establish methods, processes, and procedures that generate logs of sufficient detail to create historical audit trails of individual user account access activity for a minimum of ninety days.
        LogRhythm collects audit logs of account access activity from a variety of sources. LogRhythm retains logs in compressed archive files for cost-effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations.
        Reports: Successful/Failed Host Access by User; Successful/Failed Application Access by User; Successful/Failed File Access by User

R5.1.3  Review, at least annually, user accounts to verify access privileges are in accordance with Standard CIP-003 Requirement R5 and Standard CIP-004 Requirement R4.
        LogRhythm provides centralized monitoring, analysis, and reporting of audit activity across the entire IT infrastructure. LogRhythm automates the process of identifying high-risk activity and prioritizes based on asset risk. High-risk activity can be monitored in real time or alerted on. LogRhythm reports provide easy and standard review of inappropriate, unusual, and suspicious activity.
        Reports: Audit Failures by User; Audit Failures by Host; Suspicious Activity by User; Suspicious Activity by Host; Top Suspicious Users; Top Targeted Hosts; Top Targeted Applications

R5.2.1  The policy shall include the removal, disabling, or renaming of such accounts where possible. For such accounts that must remain enabled, passwords shall be changed prior to putting any system into service.
        LogRhythm collects all account management activities. LogRhythm reports ensure policy adherence by providing easy and standard review of all account management activity.
        Reports: Account Creation Activity; Account Modification Activity; Disabled Accounts Summary; Removed Account Summary

R5.2.2  Identify those individuals with access to shared accounts.
        LogRhythm collects all authentication and access activity. This activity can be used to identify the use of shared accounts.
        Reports: Successful/Failed Host Access by User; Successful/Failed Application Access by User; Successful/Failed File Access by User

R5.2.3  Have a policy for managing the use of such accounts that limits access to only those with authorization, an audit trail of the account use (automated or manual), and steps for securing the account in the event of personnel changes (for example, change in assignment or termination).
        LogRhythm collects all account management activities. LogRhythm reports ensure policy adherence by providing easy and standard review of all account management activity. LogRhythm completely automates the process and requirement of collecting and retaining audit logs. LogRhythm retains logs in compressed archive files for cost-effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations.
        Reports: Account Creation Activity; Account Modification Activity; Disabled Accounts Summary; Removed Account Summary

R6    Ensure that all Cyber Assets within the Electronic Security Perimeter, as technically feasible, implement automated tools or organizational process controls to monitor system events that are related to cyber security.
      LogRhythm provides central monitoring of system events by collecting log data from hosts, applications, network devices, etc. LogRhythm provides real-time event monitoring, alerting, and reporting on specific activity and conditions.
      Reports: System Critical Conditions & Errors; Account Management Activity; System Startup & Shutdown Summary

R6.1  Implement and document the organizational processes and technical and procedural mechanisms for monitoring for security events on all Cyber Assets within the Electronic Security Perimeter.
      By implementing LogRhythm, security events from IDS/IPS systems, A/V systems, firewalls, and other security devices across the Electronic Security Perimeter are centrally collected, monitored and analyzed. LogRhythm correlates activity across user, origin host, impacted host, application and more. LogRhythm can be configured to identify known bad hosts and networks. LogRhythm's Personal Dashboard provides customized real-time monitoring of events and alerts. LogRhythm's Investigator provides deep forensic analysis of security-related activity.

R6.2  The security monitoring controls shall issue automated or manual alerts for detected Cyber Security Incidents.
      LogRhythm provides robust alerting and notification capabilities that ensure alerts of Cyber Security Incidents are routed to the appropriate personnel via SMTP, SNMP, SMS messaging or the LogRhythm Dashboard view. LogRhythm's integrated incident management capabilities provide accountability and reporting on alarm resolution.
      Reports: Successful/Failed Host Access by User; Successful/Failed Application Access by User; Successful/Failed File Access by User; Top Attackers; Multiple Authentication Failures; Suspicious Activity By User and Host
      Example Alarms: Alarm On Attack; Alarm On Compromise; Alarm On Malware

R6.3  Maintain logs of system events related to cyber security, where technically feasible, to support incident response as required in Standard CIP-008.
      LogRhythm's monitoring and alerting capability detects and notifies appropriate personnel of system event activity that may require an incident response. LogRhythm's analysis and reporting capability provides quick and easy analysis of activity to determine root cause and impact. LogRhythm's integrated knowledge base provides information useful in responding to and resolving incidents.
      Reports: Suspicious Activity By Host; Suspicious Activity By User; Attacks Detected

R6.4  Retain all logs specified in Requirement R6 for ninety calendar days.
      LogRhythm completely automates the process and requirement of collecting and retaining system event logs. LogRhythm retains logs in compressed archive files for cost-effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations.

R6.5  Review logs of system events related to cyber security and maintain records documenting review of logs.
      LogRhythm monitors, classifies and retains system events related to cyber security and generates reports.
      Example Report: Usage Auditing Event Detail

R7.3  The Responsible Entity shall establish formal methods, processes, and procedures for disposal or redeployment of Cyber Assets within the Electronic Security Perimeter(s) as identified and documented in Standard CIP-005. The Responsible Entity shall maintain records that such assets were disposed of or redeployed in accordance with documented procedures.
      LogRhythm provides a specific log source for disposed assets, where lists can be imported and disposed assets tracked.

R8    Perform a cyber vulnerability assessment of all Cyber Assets within the Electronic Security Perimeter at least annually.
      LogRhythm allows for the collection of both actively and passively detected vulnerabilities, as well as alarming and reporting. The collected information can be used to enhance a spot-check vulnerability assessment by providing additional awareness collected during working operations that would not otherwise be noticed.
      Reports: Vulnerabilities Detected

R8.2  A review to verify that only ports and services required for operation of the Cyber Assets within the Electronic Security Perimeter are enabled.
      LogRhythm detects and alerts on activity on ports and services to ensure that only required ports and services are being utilized.
      Example Investigations: Network Service Summary; Network Connection Summary; Host Remote Access Summary

R8.3  A review of controls for default accounts.
      LogRhythm collects all account management and account usage activity. Default accounts can be reported and alarmed on as they are used in the organization.
      Reports: Account Creation Activity; Account Modification Activity; Disabled Accounts Summary; Removed Account Summary
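The ports-and-services reviews in CIP-005 R2.2, CIP-007 R2 and CIP-007 R8.2 all reduce to one comparison: what is actually listening on an asset versus what the entity has documented as required for operation. Here is an added Python example of that comparison, written for this page; it is not LogRhythm code. The BASELINE dictionary, the asset-to-group mapping and the ss -ltn style socket listings for the hosts ems01 and hist01 are constructed for the demonstration.

```python
"""Added example (not LogRhythm code): compare observed listening TCP ports with the
documented ports/services baseline that CIP-005 R2.2, CIP-007 R2 and R8.2 call for.
Baseline, asset groups, hostnames and socket listings are all constructed."""
import re

# Documented baseline per asset group: port -> service name (constructed).
BASELINE = {
    "ems-servers": {22: "ssh", 443: "https", 2404: "iec104"},
    "historians": {22: "ssh", 1433: "mssql"},
}
# Which documented group each Cyber Asset belongs to (constructed).
ASSET_GROUP = {"ems01": "ems-servers", "hist01": "historians"}

# Constructed 'ss -ltn' style output captured from each host.
OBSERVED = {
    "ems01": """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:443         0.0.0.0:*
LISTEN  0      128    0.0.0.0:2404        0.0.0.0:*
LISTEN  0      128    0.0.0.0:23          0.0.0.0:*
""",
    "hist01": """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    127.0.0.1:1433      0.0.0.0:*
""",
}

# Matches a LISTEN row and captures the local port after the last ':' of the address.
PORT_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+\S+:(\d+)\s")


def parse_listening_ports(listing):
    """Extract the set of TCP ports in LISTEN state from ss/netstat-style text."""
    ports = set()
    for line in listing.splitlines():
        m = PORT_RE.match(line)
        if m:
            ports.add(int(m.group(1)))
    return ports


def review_ports(host, listing):
    """Return (unapproved, missing) for one host relative to its group baseline.
    Unapproved ports are the R2.2/R8.2 findings a reviewer must explain or close;
    missing ports suggest a documented service is down or the baseline is stale."""
    approved = set(BASELINE[ASSET_GROUP[host]])
    observed = parse_listening_ports(listing)
    return sorted(observed - approved), sorted(approved - observed)


def review_all(observed=OBSERVED):
    """Run the review for every host in the snapshot: host -> (unapproved, missing)."""
    return {host: review_ports(host, listing) for host, listing in observed.items()}


if __name__ == "__main__":
    for host, (unapproved, missing) in review_all().items():
        print(f"{host}: unapproved={unapproved} missing={missing}")
```

With the constructed input, ems01 shows port 23 (telnet) listening without being documented, which is exactly the kind of finding an R8.2 review has to explain or remediate, while hist01 matches its baseline. Taking such listening-port snapshots on a schedule and feeding them through a check like this gives the continuous view the page describes instead of a once-a-year spot check.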

CIP-008-1 Cyber Security: Incident Reporting and Response Planning

Standard CIP-008 ensures the identification, classification, response, and reporting of Cyber Security Incidents related to Critical Cyber Assets.

Compliance Requirement / How LogRhythm Supports Compliance

R1.1  Procedures to characterize and classify events as reportable Cyber Security Incidents.
      LogRhythm's inherent methodology provides automatic classification of all collected logs as security, audit, and operational events. Interesting logs are forwarded as events for immediate monitoring and/or alerting. LogRhythm reports provide summary and detail level reporting of incident-based alerts.
      Reports: Suspicious Activity by User; Suspicious Activity by Host; Top Suspicious Users; Top Targeted Hosts; Top Targeted Applications
      Example Alarms: Alarm On Attack; Alarm On Compromise; Alarm On Malware

R1.2  Response actions, including roles and responsibilities of incident response teams, incident handling procedures, and communication plans.
      LogRhythm documents alarm and response activities such as "responsible parties notified"; alarm status such as "working", "escalated", "resolved"; and what actions were taken.

R1.3  Process for reporting Cyber Security Incidents to the Electricity Sector Information Sharing and Analysis Center (ES-ISAC).
      LogRhythm's centralized logging capabilities provide a way to collect, analyze and forward logs to the ES-ISAC that would otherwise be difficult to collect from the individual devices and/or applications.

R2    Keep relevant documentation related to Cyber Security Incidents reportable per Requirement R1.1 for three calendar years.
      LogRhythm completely automates the process and requirement of collecting and retaining security event logs. LogRhythm retains logs in compressed archive files for cost-effective, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations.
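Several rows in these tables are retention periods: ninety calendar days for electronic access logs (CIP-005 R5.3), physical access logs (CIP-006 R5), account access audit trails (CIP-007 R5.1.2) and system event logs (CIP-007 R6.4), and three calendar years for incident documentation (CIP-008 R2). Being able to restore an archive months later only satisfies an auditor if the archives actually cover the whole window with no gaps, so the following added Python example checks an archive inventory for coverage gaps against either kind of window. It is not LogRhythm code and does not read LogRhythm archive files; the inventory, the source names and the AS_OF date are constructed for the demonstration.

```python
"""Added example (not LogRhythm code): verify that sealed archive segments cover a
retention window without gaps. Windows in calendar days (ninety days) and in
calendar years (three years) are both supported. Inventory and dates are constructed."""
from datetime import date, timedelta

# Constructed inventory: (log source, first day, last day) covered by each archive file.
ARCHIVES = [
    ("fw-esp1", date(2008, 11, 1), date(2008, 12, 31)),
    ("fw-esp1", date(2009, 1, 1), date(2009, 2, 14)),
    ("fw-esp1", date(2009, 2, 15), date(2009, 3, 1)),
    ("vpn-gw1", date(2008, 12, 1), date(2009, 1, 20)),
    ("vpn-gw1", date(2009, 1, 25), date(2009, 3, 1)),  # Jan 21-24 were never archived
]
AS_OF = date(2009, 3, 1)  # constructed "audit date"


def window_start_days(as_of, days):
    """First day of a retention window expressed in calendar days (e.g. ninety days)."""
    return as_of - timedelta(days=days)


def window_start_years(as_of, years):
    """First day of a retention window expressed in calendar years (e.g. three years).
    Feb 29 falls back to Feb 28 when the target year is not a leap year."""
    try:
        return as_of.replace(year=as_of.year - years)
    except ValueError:
        return as_of.replace(year=as_of.year - years, day=28)


def retention_gaps(archives, source, window_start, as_of):
    """Return [(gap_start, gap_end), ...]: day ranges between window_start and as_of
    (inclusive) that no archive for `source` covers. An empty list means the
    requirement is met. Unordered and overlapping archives are handled."""
    segments = sorted((s, e) for src, s, e in archives if src == source)
    gaps = []
    cursor = window_start  # first day not yet proven to be covered
    for start, end in segments:
        if end < cursor:
            continue  # archive ends before the part of the window still unproven
        if start > cursor:
            gaps.append((cursor, start - timedelta(days=1)))
        cursor = end + timedelta(days=1)
        if cursor > as_of:
            break
    if cursor <= as_of:
        gaps.append((cursor, as_of))
    return gaps


def retention_report(archives, as_of, days=90):
    """Per-source gap list for a calendar-day requirement such as the ninety-day rows."""
    sources = sorted({src for src, _, _ in archives})
    start = window_start_days(as_of, days)
    return {src: retention_gaps(archives, src, start, as_of) for src in sources}


if __name__ == "__main__":
    for src, gaps in retention_report(ARCHIVES, AS_OF).items():
        verdict = "OK" if not gaps else ", ".join(f"{a}..{b}" for a, b in gaps)
        print(f"{src}: 90-day coverage {verdict}")
    three_year = retention_gaps(ARCHIVES, "vpn-gw1", window_start_years(AS_OF, 3), AS_OF)
    print("vpn-gw1 three-year gaps:", three_year)
```

With the constructed inventory, fw-esp1 passes the ninety-day check while vpn-gw1 fails it because of the four unarchived days in January; against a three-year window vpn-gw1 also shows the expected large gap before its first archive. The useful output for an audit is the gap list itself, since each gap is either a documented collection outage or a finding.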
LogRhythm Corporate Headquarters
LogRhythm Inc.
3195 Sterling Circle, Suite 100
Boulder CO, 80301
Phone (303) 413-8745
Fax (303) 413-8791

EMEA Headquarters
LogRhythm Inc.
Siena Court, The Broadway
Maidenhead, Berkshire SL6 1NJ
United Kingdom
Phone +44 (0) 1628 509 070
Fax +44 (0) 1628 509 100