NERC CIP Version 3. Solution Brief. EventTracker Enterprise v7.x. Publication Date: Aug 12, 2014

EventTracker, 8815 Centre Park Drive, Columbia MD 21045

About EventTracker

EventTracker delivers business-critical solutions that transform high-volume cryptic log data into actionable, prioritized intelligence that will fundamentally change your perception of the utility, value and organizational potential inherent in log files. EventTracker's leading solutions offer Security Information and Event Management (SIEM), real-time Log Management, and powerful Change and Configuration Management to optimize IT operations, detect and deter costly security breaches, and comply with multiple regulatory mandates. With this, it ensures successful monitoring and compliance with the NERC requirements.

NERC Compliance

The NERC CIP (North American Electric Reliability Corporation Critical Infrastructure Protection) plan is a set of requirements designed to secure the assets required for operating North America's bulk electric system. The NERC CIP plan consists of 9 standards and 45 requirements covering the security of electronic perimeters and the protection of critical cyber assets, as well as personnel and training, security management and disaster recovery planning.

EventTracker believes that it is crucial to monitor for compliance in a manner as close to real-time as possible. EventTracker's efficient and powerful alerting capability automatically identifies the most critical issues and notifies relevant personnel. It also offers the option to generate on-demand or scheduled reports in various formats.

EventTracker Offers Full View of Entire IT Infrastructure

EventTracker improves security, maintains compliance and increases operational efficiency. EventTracker can be deployed On-Premises for customers who prefer their equipment to reside in their data center. EventTracker is a software-based SIEM and log management solution that resides in a Windows Server environment. EventTracker may also be deployed in a virtual environment using VMware. In both cases, On-Premises installation implies that the EventTracker software resides at the customer's location in some form or fashion.

For some customers, the space requirements, manpower issues, or lack of technical expertise make a cloud-hosted solution more attractive, and EventTracker is deployed in a Tier 1 EventTracker data center. EventTracker will manage the following:
- Secure Virtual Private Cloud (single tenant) environment
- Installation
- Server disk space
- Platform management
- Antivirus installation and updates
- Windows updates
- Back-up/restore

EventTracker Enterprise enables your organization to be aware of potential security risks and internal/external threats so that they can be identified and eliminated before they are exploited. It guarantees your organization the ability to respond to a security incident and to have the necessary data and tools for forensic analysis. The total time required to investigate and mitigate a security incident can be reduced by up to 75 percent, minimizing the potential exposure and costs.

SIEM Simplified is our professional services engagement to enhance the value of the EventTracker Enterprise and EventTracker Security Center products. Our experienced staff assumes responsibility for all SIEM-related tasks, including daily incident reviews, daily/weekly log reviews, configuration assessments, incident investigation support and audit support. We augment your IT team, allowing you to focus on the unique requirements of your enterprise while actively leveraging our expertise.

Powerful Log Collection and Management Capabilities

EventTracker Enterprise enables automatic, unattended consolidation of millions of events in a secure environment and scales incrementally to meet the needs of any size organization. It also supports an unlimited number of collection points, with each collection point able to process over 100,000 events per second. All this data is identified by the product's Knowledge Base, which contains detailed information on over 20,000 types of events and automatically determines which logs are alerts, which are incidents, and which can be ignored. EventTracker is a proven, scalable log management solution that provides network and system administrators with early threat detection, operational awareness and the ability to demonstrate compliance with industry regulations and internal security policies. Log Collection includes a flexible, agent-optional architecture providing managed real-time and batch aggregation of all system, event and audit logs.

EventTracker Enterprise supports UDP and TCP (guaranteed delivery) log transport and is FIPS 140-2 compliant for transmission of events from agent/collection point to console. It then compresses and stores all the logs generated within an organization in a secure, central location. Hundreds of pre-configured reports can be scheduled or run on demand. No back-end database is required for log archiving, which saves users money on licensing and administrative effort.

EventTracker monitors all administrator and user activity for all critical file and folder access on all servers. It monitors successful and failed logon attempts to all servers, whether local or remote. Each EventTracker user has specific user credentials and permissions; with the authentication and authorization mechanism implemented by EventTracker, access privileges are controlled. EventTracker provides complete log collection and management, as well as the monitoring capabilities needed to ensure your organization is secure from inside and outside threats. It is designed to be deployed and monitored by the IT security department, or by smaller organizations not burdened by multiple compliance requirements, to protect and monitor the IT infrastructure.

Entire System Assets Monitoring

EventTracker has a centralized location to discover and manage the systems present in an enterprise domain. It automatically discovers enterprise domains and systems and manages logical system groups.

StatusTracker is a robust, reliable, proactive and easy-to-handle tool developed by EventTracker. It monitors and manages TCP/IP networks, Web sites, applications, and ports in mission-critical environments with ease. StatusTracker is added to EventTracker to monitor the status of all the systems running within an enterprise. StatusTracker helps users:
- Monitor, consolidate, generate and analyze reports about availability status and downtime on TCP/IP networks configured on Windows (NT/XP/2003/Vista/7/2008/2008 R2/8/2012) platforms, Web sites (http, https), applications, and ports.
- Meet audit requirements suggested by NERC, along with HIPAA, GLBA, Sarbanes-Oxley, California Senate Bill 1386, the USA PATRIOT Act and NISPOM.

Ease of NERC Reporting and Alerting

EventTracker has developed specific reports, rules and dashboards to help meet the security controls detailed within NERC. These reports, rules and dashboards can be easily and intuitively customized for specific environments.

Real-time Monitoring, Account and Configuration Management

The file system and registry of every Windows system is ever-changing. This change may be voluntary or involuntary and happens quickly and often without the user's knowledge. Under the current Windows OS architecture there is no easy way for the user to understand change, identify change and recover from change. Change Management is a concept by which all system changes are intelligently tracked and reported on demand for the user to analyze, understand, and if needed, recover from change. EventTracker Enterprise alerts you to the critical changes you need to know about.

EventTracker monitors unauthorized software installs/uninstalls on all servers. It monitors all Agents and configuration changes on critical file and database servers. It also enforces system and application policies on critical servers using Change Audit and periodically compares them against policy. It monitors all security patches and updates to servers. EventTracker Enterprise Change Audit is fully integrated into the EventTracker Enterprise architecture. EventTracker Enterprise stores all change audit data both as system snapshots for later comparison and as events in EventVault. Change events can have rules written against them to trigger alerts or any other action available in EventTracker Enterprise.

Protect Data and Information

With security as its first and foremost priority, EventTracker monitors network connections on all Windows servers and firewall activity. It also monitors for changes or unauthorized access to routers and switches. EventTracker Enterprise is capabilities-rich, with key features that extend it beyond SIEM and log management. These include File Integrity Monitoring, Change Audit, Config Assessment, Cloud Integration, Event Correlation, and writeable media monitoring. EventTracker safeguards data by enforcing stringent rules against unknown authentication and authorization. EventTracker monitors access to file and database servers. It also monitors configuration changes on critical file and database servers and alerts the responsible personnel to take further action.

EventTracker Enterprise also has an optimized, high-performance event warehouse that is designed for efficient storage and retrieval of event logs. It reliably and efficiently archives event logs from across the enterprise without the need for any DBMS licenses or other overhead costs. These logs are compressed and sealed with a SHA-1 signature to prevent potential tampering.
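The sealing step in the last paragraph, as an added example (not EventTracker's code; the brief does not say how its SHA-1 seal is keyed or stored): a compressed archive is sealed, an unauthorized edit is detected, and an unkeyed SHA-1 digest is contrasted with a keyed HMAC, which someone who can rewrite the archive cannot recompute without the key. Log lines, the key and the helper names are constructed for the example; SHA-1 is the algorithm the brief names, while current guidance would pick SHA-256 for a new design.

```python
"""
Added example, not EventTracker's implementation. Demonstrates tamper
evidence for a compressed log archive and why the seal must be keyed.
All log lines and the key below are constructed sample values.
"""
import gzip
import hashlib
import hmac

# Constructed sample Windows security events (not real telemetry).
SAMPLE_LOGS = b"\n".join([
    b"2014-08-12T10:00:01 host=dc01 event=4624 user=jdoe logon=success",
    b"2014-08-12T10:00:07 host=dc01 event=4625 user=admin logon=failure",
    b"2014-08-12T10:01:15 host=fs02 event=4663 user=jdoe object=C:\\secure\\plan.docx",
]) + b"\n"

# Assumption: the sealing key lives apart from the archive (vault/HSM), so an
# editor of the archive store cannot read it.
SEAL_KEY = b"constructed-demo-key"


def seal_archive(raw_logs: bytes, key: bytes) -> tuple[bytes, str, str]:
    """Compress the logs; return (archive, unkeyed SHA-1 digest, HMAC-SHA1 tag)."""
    archive = gzip.compress(raw_logs, mtime=0)  # mtime=0 keeps output deterministic
    digest = hashlib.sha1(archive).hexdigest()
    tag = hmac.new(key, archive, hashlib.sha1).hexdigest()
    return archive, digest, tag


def verify_digest(archive: bytes, digest: str) -> bool:
    """Unkeyed check: anyone can recompute this, so it only catches accidents."""
    return hmac.compare_digest(hashlib.sha1(archive).hexdigest(), digest)


def verify_tag(archive: bytes, key: bytes, tag: str) -> bool:
    """Keyed check: recomputing a valid tag requires the sealing key."""
    return hmac.compare_digest(hmac.new(key, archive, hashlib.sha1).hexdigest(), tag)


def simulate_unauthorized_edit(archive: bytes) -> bytes:
    """Drop the failed-logon record and recompress: the change a seal must catch."""
    lines = gzip.decompress(archive).split(b"\n")
    kept = [line for line in lines if b"logon=failure" not in line]
    return gzip.compress(b"\n".join(kept), mtime=0)


def demo() -> dict:
    archive, digest, tag = seal_archive(SAMPLE_LOGS, SEAL_KEY)
    edited = simulate_unauthorized_edit(archive)
    return {
        "intact_digest_ok": verify_digest(archive, digest),      # True
        "intact_tag_ok": verify_tag(archive, SEAL_KEY, tag),     # True
        "edited_digest_ok": verify_digest(edited, digest),       # False: edit detected
        "edited_tag_ok": verify_tag(edited, SEAL_KEY, tag),      # False: edit detected
        # If the editor also rewrites the stored seal: an unkeyed digest verifies
        # again, but a tag computed without SEAL_KEY does not.
        "rehashed_digest_ok": verify_digest(edited, hashlib.sha1(edited).hexdigest()),  # True
        "rekeyed_tag_ok": verify_tag(
            edited, SEAL_KEY, hmac.new(b"wrong-key", edited, hashlib.sha1).hexdigest()),  # False
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The last two results are the practical point: a digest stored next to the archive is only a checksum, and the "seal" earns its name only when the verifier holds a key (or signing certificate) that the archive store does not.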

Statement of Compliance

Columns of the original table: NERC/CIP Requirement | Description | EventTracker Capability | Reports & Alerts

CIP-002 Critical Cyber Asset Identification
Description: Identify critical assets and critical cyber assets using a risk-based assessment methodology. NERC has proposed new guidelines that will require entities to identify and categorize the Bulk Electric System (BES) Cyber Systems that support the functions critical to the reliable operation of the BES, as a basis for applying security controls commensurate with the potential impact (i.e., High, Medium, or Low Impact) those BES Cyber Systems have on the reliability of the BES.
EventTracker Capability: Control and backup control centers require a robust, comprehensive decision support solution. EventTracker monitors all activities and critical assets and provides real-time insight into your security posture. Real-time risk scores provide guidance on where specific types of data reside and what data may be at risk, and EventTracker retains event logs for archive and further research. EventTracker can also perform a comprehensive discovery of assets and physical device assets.

CIP-003 Cyber Security Management Controls
Description: Develop and implement security management controls to protect critical cyber assets with: Information protection. Access controls to critical cyber asset information. Change control and configuration management.
EventTracker Capability: With EventTracker's role-based management system, organizations can effectively control security and compliance responsibilities. Using role-based authenticated access, EventTracker provides extensive flexibility over what data, analysis and controls are available to users, managers and administrators. This functionality is also required by CIP-003 R4 and R5, which mandate the protection of data and control over information access.

CIP-004 Personnel and Training
Description: Verify the identity and perform criminal background checks on personnel with access to critical cyber assets. Train employees on cyber-security responsibilities. Include: Quarterly security awareness reinforcement. Annual cyber-security training. Personnel risk assessments. Authorized cyber or physical access to critical cyber assets.
EventTracker Capability: EventTracker can provide management with a list of all personnel granted access to critical cyber assets, including the specific electronic and physical access rights to the security perimeter(s), for a period of 7 years, as required by CIP-004.

CIP-005 Cyber Electronic Security Perimeter(s) (ESP)
Description: Identify and protect electronic security perimeters and access points with: Electronic security perimeter(s). Electronic access controls. Logging and monitoring electronic access. Cyber vulnerability assessment of electronic access points. Updates, as needed.
EventTracker Capability: As required by CIP-005, which mandates the identification and location of critical cyber assets, EventTracker can detect critical information by identifying specific types of data within databases. EventTracker features robust management, and can map all network and security devices to determine their specific location within the network. EventTracker also addresses the remainder of CIP-005, regarding monitoring and access control. EventTracker helps organizations address the CIP-005 R4 requirement for vulnerability assessment by being able to map results from vulnerability assessment scans to events that could affect critical cyber assets.

CIP-006 Physical Security of Critical Cyber Assets
Description: Create and maintain a physical security plan that ensures that all cyber assets within an electronic security perimeter are kept in an identified physical security perimeter. Include: Physical security plan. Physical access controls, e.g., card key, special locks, security personnel, other authentication devices such as biometrics, keypad, token, etc. Monitoring physical access. Logging physical access, e.g. computerized or manual logging. Access log retention. Maintenance and testing.
EventTracker Capability: EventTracker can collect and correlate information from physical security systems.

CIP-007 Systems Security Management
Description: Define methods, processes, and procedures for securing the systems identified as critical cyber assets, as well as the non-critical cyber assets within an electronic security perimeter. Include: Testing procedures. Ports and services limited to normal and emergency operations only. Security patch management. Malicious software prevention. Account management. Security status monitoring. Disposal or redeployment of cyber assets. Cyber vulnerability assessment of all cyber assets. Updates, as needed.
EventTracker Capability:
R3 (Security Patch Management): EventTracker can address CIP-007 R3's security patch management requirement via seamless integration with most leading vulnerability assessment products. CVE, OS patch level and vendor severity levels are tracked and reported over time, and baselines can be created based on current tolerance level or timelines. EventTracker's unique vulnerability correlation technology can match attacks or threats to specific critical assets based on operating system, services, vulnerability and exposure, and produces vulnerability conclusion scores for powerful decision support. EventTracker ensures seamless data integration with the ITIL framework's Configuration Management process, assures that your system is up to date, and provides a real-time comprehensive view of security posture. EventTracker employs active fingerprinting of detected hosts and servers to provide information such as OS type, OS patch level, ports/services information and other asset information. For critical cyber assets such as database servers, EventTracker can provide in-depth real-time information about who is touching critical data, and whether it has been modified or stolen.
R4 (Malicious Software Protection): EventTracker collects and correlates data from most security products and alerts you to viruses, Trojans, and other forms of malware across the entire organization.
R6 (Security Status Monitoring): EventTracker delivers state-of-the-art centralized event monitoring, reporting and analysis, and provides real-time insight into security posture.
R8 (Cyber Vulnerability Assessment): EventTracker collects data from VA scanners and lets you know which assets are susceptible to threats.

CIP-008 Cyber Incident Reporting and Response Planning
Description: Identify, classify, respond to, and report cyber-security incidents related to critical assets.
EventTracker Capability: EventTracker solutions create and deliver NERC reports based on CIP-007 criteria. A fully integrated incident remediation system can maintain the required three years of data, enabling in-depth analysis and full demonstration of proper remediation for audit and compliance. EventTracker delivers reports that address the R1 mandate requiring that the handling of security incidents comply with the NIPC's IAW (Indications, Analysis and Warnings) Standard Operating Procedure (SOP).

CIP-009 Recovery Plans for Critical Cyber Assets
Description: Establish recovery plans for critical cyber assets using established business continuity and disaster recovery techniques and practices. Include recovery plans, annual exercises, change control, backup and recovery, and testing of backup media.
EventTracker Capability: EventTracker has the capability to monitor the backup application logs and to report or alert on those logs.

References

http://www.nerc.com/pa/stand/pages/cipstandards.aspx