Mapping EventTracker Reports and Alerts To The SANS 20 Critical Controls Consensus Audit Guidelines v3.1 Prism Microsystems, October 2012



Similar documents
Mapping EventTracker Reports and Alerts To FISMA Requirements NIST SP Revision 3 Prism Microsystems, August 2009

Fifty Critical Alerts for Monitoring Windows Servers Best practices

Upgrade Guide. Upgrading to EventTracker v6.0. Upgrade Guide Columbia Gateway Drive, Suite 250 Publication Date: Sep 20, 2007.

Integrating Juniper Netscreen (ScreenOS)

Fifty Critical Alerts for Monitoring Windows Servers Best Practices


Security Correlation Server Quick Installation Guide

GFI White Paper PCI-DSS compliance and GFI Software products

Network Security. Mike Trice, Network Engineer Richard Trice, Systems Specialist Alabama Supercomputer Authority

USM IT Security Council Guide for Security Event Logging. Version 1.1

Security Correlation Server Quick Installation Guide

Cybersecurity Health Check At A Glance

FREQUENTLY ASKED QUESTIONS

Pearl Echo Installation Checklist

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Windows Operating Systems. Basic Security

FISMA / NIST REVISION 3 COMPLIANCE

Security Management. Keeping the IT Security Administrator Busy

MCTS Guide to Microsoft Windows 7. Chapter 7 Windows 7 Security Features

Managed Network Services

Monitoring SharePoint 2007/2010/2013 Server Using Event Tracker

Network Defense Tools

Section 12 MUST BE COMPLETED BY: 4/22

Internet Security Protecting Your Business. Hayden Johnston & Rik Perry WYSCOM

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Security Beyond the Windows Event Log Monitoring Ten Critical Conditions

Achieving PCI COMPLIANCE with the 2020 Audit & Control Suite.

Standard: Event Monitoring

8. Firewall Design & Implementation

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Netzwerkvirtualisierung? Aber mit Sicherheit!

Adjusting Prevention Policy Options Based on Prevention Events. Version 1.0 July 2006

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

ManageEngine Desktop Central Training

Locking down a Hitachi ID Suite server

The self-defending network a resilient network. By Steen Pedersen Ementor, Denmark

Kaspersky Endpoint Security 10 for Windows. Deployment guide

Sophos for Microsoft SharePoint startup guide

NEW YORK INSTITUTE OF TECHNOLOGY School of Engineering and Technology Department of Computer Science Old Westbury Campus

Patch and Vulnerability Management Program

TIBCO LogLogic. SOX and COBIT Compliance Suite Quick Start Guide. Software Release: December Two-Second Advantage

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

Industrial Security for Process Automation

Managed Antivirus Quick Start Guide

INCIDENT RESPONSE CHECKLIST

Critical Controls for Cyber Security.

AI Engine Rules June 2014

Introduction. PCI DSS Overview

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Secret Server Qualys Integration Guide

Network Security: A Practical Approach. Jan L. Harrington

PC Security and Maintenance

Client Security Risk Assessment Questionnaire

Getting started. Symantec AntiVirus Corporate Edition. About Symantec AntiVirus. How to get started

System Security Policy Management: Advanced Audit Tasks

HowTo: Logging, reporting, log-analysis and log server setup Version 2007nx Release 3. Log server version 2.0

Automate PCI Compliance Monitoring, Investigation & Reporting

74% 96 Action Items. Compliance

ViRobot Desktop 5.5. User s Guide

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

Did you know your security solution can help with PCI compliance too?

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

How To Protect Your Data From Being Stolen

ACME Enterprises IT Infrastructure Assessment

UserLock advanced documentation

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

Before deploying SiteAudit it is recommended to review the information below. This will ensure efficient installation and operation of SiteAudit.

Error Codes for F-Secure Anti-Virus for Firewalls, Windows 6.20

Upgrade to Webtrends Analytics 8.7: Best Practices

WhatsUp Gold v16.3 Installation and Configuration Guide

ITPS AG. Aplication overview. DIGITAL RESEARCH & DEVELOPMENT SQL Informational Management System. SQL Informational Management System 1

Contents. Platform Compatibility. GMS SonicWALL Global Management System 5.0

Best Practice Configurations for OfficeScan (OSCE) 10.6

High Speed Data Transfer from the APS. Kenneth Sidorowicz September 27, 2006

Network Incident Report

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

Global Partner Management Notice

TECHNICAL WHITE PAPER. Symantec pcanywhere Security Recommendations

VPNSCAN: Extending the Audit and Compliance Perimeter. Rob VandenBrink

Integrating Trend Micro OfficeScan 10 EventTracker v7.x

Find the Who, What, Where and When of Your Active Directory

Effective Use of Security Event Correlation

How To Protect A Network From Attack From A Hacker (Hbss)

ΕΠΛ 674: Εργαστήριο 5 Firewalls

EventTracker Enterprise v7.3 Installation Guide

Chapter 9 Firewalls and Intrusion Prevention Systems

Designing a security policy to protect your automation solution

Detecting a Hacking Attempt

OfficeScan 10 Enterprise Client Firewall Updated: March 9, 2010

Advanced Diploma In Hardware, Networking & Server Configuration

SonicWALL PCI 1.1 Implementation Guide

Technical Note. ForeScout CounterACT Endpoint Detection & Inspection Methods

Supplier Information Security Addendum for GE Restricted Data

FortKnox Personal Firewall

Networking for Caribbean Development

SQL Server Hardening

MCSA Objectives. Exam : TS:Exchange Server 2007, Configuring

Security Maintenance Practices. IT 4823 Information Security Administration. Patches, Fixes, and Revisions. Hardening Operating Systems

SANS Top 20 Critical Controls for Effective Cyber Defense

Transcription:

Mapping EventTracker Reports and Alerts To The SANS 20 Critical Controls Consensus Audit Guidelines v3.1 Prism Microsystems, October 2012 Consensus Audit Guidelines Control 1 - Inventory of Authorized and Unauthorized Devices EventTracker Capability 1. Continuously ping all the systems where agent has been installed. 2. Monitor USB and other external devices added to the network EventTracker Reports 1. EventTracker: Ping Status 2. EventTracker: Device Change EventTracker Alerts Excessive ping failures system(s) are not reachable. USB insert Alert USB device disabled Control 2 - Inventory of Authorized and Unauthorized Software 1. Monitor software install/uninstall 2. Monitor USB and other external device usage 3. Monitor critical file system and registry changes 1. Operation->Software Maintenance Software install/uninstall 2. Operation ->WhatChanged Critical System Changes Summary of File Changes Summary of Registry Changes Software install/uninstall USB insert Alert EventTracker: USB device disabled 3. EventTracker: Device Change

Control 3 - Secure Configurations for Computers 1. Monitor unauthorized software install and uninstall on all servers 2. Monitor All the Agents 3. Monitor configuration changes on critical file and database servers 4. Enforce system and application policies on critical servers using Whatchanged and periodically compare policy 5. Monitor all security patches and updates to servers. 1. Compliance-> Change Management 2. EventTracker: EventTracker Agent Changes 3. Operations->WhatChanged Critical system changes Operating system changes 4. Compliance-> Business Continuity System: Patches and hotfixes System shutdown 5. Compliance-> Change Management 6. Compliance->Device Specific SQL server Oracle MS Exchange ISA Server Altiris Software Install/Uninstall EventTracker agent configuration changed. Audit log is cleared/event log full Disk space is critically low Spyware System resource exhausted System shutdown System is not reachable and it may be down USB insert Alert USB device disabled 7. Operations: Disk Maintenance Critical service could not be started 8. Operations->Disk Space Forecasting Critical service is not running 9. Operations->Veritas Backup Exec for Windows Detected Software has been installed on this system 10. Operations->Service Downtime Directory permission changed 11. Operation->Device Change Domain policy changed 12. Compliance->Asset Management Group policy processing error

Control 4 - Continous Vulnerability Assessment and Remediation 1. Monitor the status of antivirus applications, custom application logs using EventTracker log file monitor 2. Monitor anti-virus service status and restart services when required 3. Monitor all security patches and updates to servers. 4. Enforce system and application policies on critical servers using Whatchanged and periodically compare policy 5. Monitor user access to all servers, activities of administrators and other privileged accounts, and changes to active directory. 6. Monitor unauthorized software install and install on all servers 1. Operations->Antivirus 2. Operations->Service Downtime 3. Operations->EventTracker EventTracker: Service changes EventTracker: Software Install/Uninstall EventTracker : Logfile monitor 4. Compliance-> Business Continuity System: Patches and hotfixes System shutdown 5. Compliance->Acceptable use 6. Compliance->Access Control 7. Security-> Policy Changes 8. Security-> User Management 9. Security-> AD/Account Management 10. Compliance-> Change Management Critical service could not be started Critical service not running Detected software <Some S/W> has been installed on this system Software Install/Uninstall Software uninstalled from a system System is not reachable, it may be down System resource exhausted System Shutdown 7. Enforce remedial action through EventTracker agents on all monitored systems

Control 5 -Malware Defense 1. Monitor the status of antivirus applications, custom application logs using EventTracker log file monitor 2. Monitor anti-virus service status and restart services when required 3. Monitor all security patches and updates to servers. 4. Monitor unauthorized software install and install on all servers 1. Operations->Antivirus 2. Operations->Service Downtime 3. Operations->EventTracker EventTracker: Service changes EventTracker: Software Install/Uninstall 4. Compliance-> Business Continuity System: Patches and hotfixes System shutdown Critical service could not be started Critical service not running Detected software <Some S/W> has been installed on this system Software Install/Uninstall Software uninstalled from a system USB insert Alert EventTracker: USB device disabled 5. Monitor USB and other external device usage

Control 6 - Application Software Security 1. Enforce application software policies through EventTracker Change 2. Monitor changes to file and registry systems on all critical servers 3. Schedule daily policy comparison 1. Compliance->Access Control File/Resource access Success File/Resource access failure 2. Operations->WhatChanged File changes summary Registry changes summary ODBC changes Windows startup change 3. Operations->Device Specific Altiris Doubletake SQL Server Oracle MS Exchange ISA Server IIS: Logging shutdown McAfee virus scan enterprise: update failed SQL server stopped. 4. Operations->Platform specific- >Windows Application: Dr. Watson s events IIS FTP Certificate services IMAP4 File replication 5. Compliance->Business Continuity

Control 7 - Wireless Device Control 4. Monitor all USB and other external devices plugged into the network 5. Enforce remedial action to disable unauthorized USB devices in the network 1. Operations -> USB Device Report 2. Operations->USB Device Disabled Report 3. Operations->EventTracker USB or Other Device Monitoring Remedial action USB insert Alert EventTracker: USB device disabled

Control 10 Secure Configurations of Network Devices 1.Monitor configuration access to all network devices and firewalls 2. Monitor configuration changes to network devices and firewalls 1. Compliance->Incident Response Suspicious Network Activity 2. Compliance->Device Specific Checkpoint Analysis CISCO IOS CISCO PIX CISCO VPN Citrix Fortigate Netscreen Snort CISCO PIX: Access Denied CISCO PIX: Authentication failed CISCO PIX: Intrusion detection CISCO PIX: Failover Message CISCO VPN: Admin Access - Authentication Failure CISCO VPN: Admin Access - Authorization failure CISCO VPN: Memory Allocation Failed CISCO VPN: Admin Access-Access Control Lookup Failure Netscreen: Authentication failure Netscreen: IDS intrusion detection Netscreen: USB storage device attached/detached Netscreen: Security device error Netscreen: Spam found Netscreen: System configuration erased

Control 11 - Control of Ports, Protocols and Services 1. Monitor network activity. 2. Monitor new sockets created 3. Monitor all suspicious network activity 1. Operations->Network Traffic Network Connection Activity Suspicious Network Activity a. Most Active Ports b. Most Active Systems c. Open and Listening Ports d. Possible Infections e. Suspicious Ports Ports: Spoof Sites Spyware CISCO PIX: Intrusion detection ISA Server: All port - port scan detected ISA Server: Excessive Winsock application open 2. Security->Incident Response ISA Server: Failed to start service 3. Operations->Intrusion Detection System ISA Server: Land attack detected ISA Server: Network communication device may be down

Control 12 Controlled Use of Admin Privileges 1. Monitor all administrators activity 1. Compliance->Access Control 2. Security-> Policy Changes Administrative log-on Administrative log-on failure 3. Security-> User Management Domain policy changed 4. Security-> AD/Account Management 5. Compliance-> Change Management 6. EventTracker user activity viewer Admin Activity 7. Compliance->Acceptable Use 8. Operations->VPN Usage

Control 13 - Boundary Defense 1. Monitor all tcp and udp connections opened modified and closed. 3. Monitor suspicious network activity 1. Operations->Network Traffic Network Connection Activity Suspicious Network Activity a. Most Active Ports b. Most Active Systems c. Open and Listening Ports d. Possible Infections e. Suspicious Ports Ports: Spoof Sites Spyware CISCO PIX: Intrusion detection ISA Server: All port - port scan detected ISA Server: Excessive Winsock application open 2. Operations->Checkpoint ISA Server: Failed to start service 3. Operations->Checkpoint Analysis ISA Server: Land attack detected 4. Operations->Netscreen Firewall Reports ISA Server: Network communication device may be down 5. Operations->VPN Usage 6. Operations->CISCO PIX 7.Operations-Device Specific CISCO IOS Citrix Fortigate Snort ISA Server 8. Compliance->Incident Response 9. Operations->Intrusion Detection System

Control 14 Maintenance, Monitoring and Analysis of Security Audit Logs 1. Enforce audit policies on all critical servers 2. Back up Windows Event viewer logs using the EventTracker agent 3. Import all audit data (log files other than.evt) using EventTracker Direct Log Archiver 1. Operations->EventTracker Cab integrity verification Direct Archiver Windows log backup and clear 2. Operations->WhatChanged Eventlog location change Group policy change 3. Compliance->Risk Management 4. Compliance->System and Data Integrity Domain policy changed Eventlog cleared Eventlog full 5. Operations->Platform Specific- >Windows All Security Events All Audit Events 5. Operations->Platform Specific

Control 15 Controlled Access Based on Need to Know. 1. Monitor file and folder access on all servers 2. Monitor successful and failed logon attempts to all servers 3. Monitor all administrators activity 4. Monitor all user activity 1. Compliance->Access Control 2. Compliance-> Change Management 3. Security-> Policy Changes 4. Security-> User Management 5. Security-> AD/Account Management 6. EventTracker User Activity Viewer Administrative log-on Administrative log-on failure Domain policy changed Excessive user lockout in your enterprise Excessive remote connections established on a local network port 7. Compliance->Acceptable Use 8. Operations->Whatchanged 9. Operations->User Activity Excessive logon failures in your enterprise Excessive logon failures due to bad password/username 10. Operations->VPN Usage Excessive logon attempts from a particular IP address Excessive file deletes on a computer Excessive access failures on a specific computer Excessive access failures by a user

Control 16 - Account Monitoring and Control 1. Monitor all user log on and log off activity 2. Configure alerts for any activity detected for dormant accounts 3. Monitor all failed user logon attempts and failed access to files and folders 1. Operations->User Activity 2. Security->User Management 3. Operations->VPN Usage 4. Operations->User Logon Failure Report Excessive logon failures in your enterprise Excessive logon failures due to bad password/username Excessive logon attempts from a particular IP address Excessive file deletes on a computer Excessive access failures on a specific computer Excessive access failures by an user

Control 17 - Data Leakage Protection 1. Monitor network and object access 2. Secure archiving of audit logs 1. Operations -> USB Device Report 2. Compliance-> Access Control File/Resource access Success File/Resource access failure USB insert Alert EventTracker: USB device disabled Directory permission change 3. Monitor changes to windows system files and registry 4. Monitor all USB and other external devices plugged into the network 5. Enforce remedial action to disable unauthorized USB devices in the network 3. Compliance-> System and Data Integrity EventTracker: Device changes Veritas Solaris BSM: Device mount and unmount EventTracker: Cab integrity verification 4. Operations-> WhatChanged 5. Operations -> Alerts EventTracker cab integrity checksum failure Excessive file deletes on a computer Excessive access failures on a specific computer Excessive access failures in your enterprise 6. Operations->USB Device Disabled Report 7. Compliance->System and Data Integrity 8. Operations->Veritas Backup Exec 9. Operations->NetApp Data ONTAP 10. Operations->Device Specific Altiris Doubletake

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information