Information Technology Policy



Similar documents
Boosting enterprise security with integrated log management

WHITE PAPER SPLUNK SOFTWARE AS A SIEM

Clavister InSight TM. Protecting Values

LOG INTELLIGENCE FOR SECURITY AND COMPLIANCE

IBM Security Intelligence Strategy

QRadar SIEM 6.3 Datasheet

Information Technology Policy

How to Choose the Right Security Information and Event Management (SIEM) Solution

LOG MANAGEMENT AND SIEM FOR SECURITY AND COMPLIANCE

LOG AND EVENT MANAGEMENT FOR SECURITY AND COMPLIANCE

Minder. simplifying IT. All-in-one solution to monitor Network, Server, Application & Log Data

IBM Security QRadar SIEM & Fortinet FortiGate / FortiAnalyzer

IBM QRadar Security Intelligence April 2013

End-user Security Analytics Strengthens Protection with ArcSight

Find the needle in the security haystack

Extreme Networks: A SOLUTION WHITE PAPER

What is Security Intelligence?

IBM QRadar as a Service

Analyzing Logs For Security Information Event Management Whitepaper

with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief

ARS v2.0. Solution Brief. ARS v2.0. EventTracker Enterprise v7.x. Publication Date: July 22, 2014

IBM QRadar Security Intelligence Platform appliances

SP Monitor. nfx One gives MSPs the agility and power they need to confidently grow their security services business. NFX FOR MSP SOLUTION BRIEF

The SIEM Evaluator s Guide

IBM InfoSphere Guardium Data Activity Monitor for Hadoop-based systems

BlackStratus for Managed Service Providers

Critical Capabilities for Security Information and Event Management 7 May 2013 ID:G Analyst(s): Mark Nicolett, Kelly M. Kavanagh VIEW SUMMARY

Q1 Labs Corporate Overview

Analyzing Logs For Security Information Event Management Whitepaper

IBM SECURITY QRADAR INCIDENT FORENSICS

QRadar SIEM and FireEye MPS Integration

SANS Top 20 Critical Controls for Effective Cyber Defense

GE Measurement & Control. Top 10 Cyber Vulnerabilities for Control Systems

RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief

How To Manage Security On A Networked Computer System

Protect the data that drives our customers business. Data Security. Imperva s mission is simple:

Security Information & Event Management (SIEM)

Vendor Landscape: Security Information & Event Management (SIEM)

Cautela Labs Cloud Agile. Secured. Threat Management Security Solutions at Work

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

whitepaper The Benefits of Integrating File Integrity Monitoring with SIEM

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Trend Micro. Advanced Security Built for the Cloud

nfx One for Managed Service Providers

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

Scalability in Log Management

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

Protect Your Connected Business Systems by Identifying and Analyzing Threats

UNIFIED THREAT MANAGEMENT SOLUTIONS AND NEXT-GENERATION FIREWALLS ADMINISTRATION TOOLS NETWORK SECURITY I ENDPOINT SECURITY I DATA SECURITY

QRadar Security Management Appliances

AccelOps NOC and SOC Analytics in a Single Pane of Glass Date: March 2016 Author: Tony Palmer, Senior ESG Lab Analyst

ObserveIT User Activity Monitoring

NitroView Enterprise Security Manager (ESM), Enterprise Log Manager (ELM), & Receivers

Security Operations Metrics Definitions for Management and Operations Teams

Passive Logging. Intrusion Detection System (IDS): Software that automates this process

How To Manage Sourcefire From A Command Console

TORNADO Solution for Telecom Vertical

How To Protect Your Cloud From Attack

Tivoli Security Information and Event Manager V1.0

Injazat s Managed Services Portfolio

V1.4. Spambrella Continuity SaaS. August 2

White Paper Achieving PCI Data Security Standard Compliance through Security Information Management. White Paper / PCI

PCI DSS Top 10 Reports March 2011

The Purview Solution Integration With Splunk

What s New in Security Analytics Be the Hunter.. Not the Hunted

How To Buy Nitro Security

Assuria can help protectively monitor firewalls for PCI compliance. Assuria can also check the configurations of personal firewalls on host devices

Achieving SOX Compliance with Masergy Security Professional Services

PCI DSS Reporting WHITEPAPER

The Sumo Logic Solution: Security and Compliance

Securing and protecting the organization s most sensitive data

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Vulnerability Management

Palo Alto Networks and Splunk: Combining Next-generation Solutions to Defeat Advanced Threats

IBM Security IBM Corporation IBM Corporation

Leveraging innovative security solutions for government. Helping to protect government IT infrastructure, meet compliance demands and reduce costs

PCI COMPLIANCE ON AWS: HOW TREND MICRO CAN HELP

Trust but Verify: Best Practices for Monitoring Privileged Users

Safeguarding the cloud with IBM Dynamic Cloud Security

Juniper Security Threat Response Manager (STRM) Mikko Kuljukka COMPUTERLINKS Oy

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Payment Card Industry Data Security Standard

An Introduction to SIEM & RSA envision (Security Information and Event Management) January, 2011

IBM Security QRadar Risk Manager

TRIPWIRE NERC SOLUTION SUITE

Tech Brief. Choosing the Right Log Management Product. By Michael Pastore

How To Sell Security Products To A Network Security Company

IBM Security QRadar Risk Manager

INCREASE NETWORK VISIBILITY AND REDUCE SECURITY THREATS WITH IMC FLOW ANALYSIS TOOLS

Using Automated, Detailed Configuration and Change Reporting to Achieve and Maintain PCI Compliance Part 4

Using SIEM for Real- Time Threat Detection

Transcription:

Information Technology Policy Security Information and Event Management Policy ITP Number Effective Date ITP-SEC021 October 10, 2006 Category Supersedes Recommended Policy Contact Scheduled Review RA-ITCentral@pa.gov Annual This Information Technology Policy (ITP) establishes enterprise-wide guidelines and standards for the procurement of Security Information and Event Manager (SIEM) solutions. 1. Purpose This policy provides guidelines and standards that agencies must adhere to when procuring a Security Information and Event Managers (SIEM) solution. SIEMs are used to provide real-time analysis of security alerts which are generated by network hardware and applications. SIEMs automate the collection of event data from security devices, such as firewalls, proxy servers, intrusion-detection systems and antivirus software. The SIEM translates the logged data into correlated and simplified formats for real-time alerting and reporting capabilities. In addition to guidelines to be followed in selecting an SIEM solution, this policy provides agencies with information on how to leverage the Office of Administration, Office for Information Technology (OA/OIT) SIEM solution that can provide agencies with the following services: Log collection and consolidation. Security event collection from multiple sources (firewalls, routers, servers, etc.). Identification of security related events and incidents. Some form of automated response/alerting capability when incidents are detected. Correlation of events from multiple sources. 2. Scope This Information Technology Policy (ITP) applies to all departments, boards, commissions and councils under the Governor s jurisdiction. Agencies not under the Governor s jurisdiction are strongly encouraged to follow this ITP. 3. Definitions Event - An observable occurrence in a system or network. Events include, but are not limited to, a user connecting to a file share, a server receiving a request for a Web page, a user sending electronic mail (e-mail), and a firewall blocking a connection attempt.

Event Correlation - The process of monitoring events in order to identify patterns that may signify attacks, intrusions, misuse or failure. Incident - A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of an incident are denial of service, malicious code, unauthorized access and inappropriate usage. Incident Response - The manual and automated procedures used to respond to reported incidents (real or suspected), system failures and errors, and other undesirable events. Log - A file that lists actions that have occurred. Security Information and Event Managers (SIEM) A SIEM is a set of tools used by IT professionals and system administrators to manage multiple security applications and devices, and to respond automatically to resolve security incidents and provides real-time monitoring and historical reporting of information security events from networks, servers, systems, applications and more. 4. Policy Agencies that desire leveraging the Enterprise SIEM solution should contact the EISO Office at ra-ciso@pa.gov. Agencies that have a SIEM solution or that are looking to procure a new SIEM solution must comply with the standards identified in the following section. 5. Standards Agencies looking to procure a SIEM solution must ensure that it has the ability to provide the agency with the following critical capabilities: Scalable Architecture and Deployment Flexibility: These are derived from vendor design decisions in the areas of product architecture, data collection techniques, agent designs and coding practices. Scalability can be achieved by: A hierarchy of SIEM servers tiers of systems that aggregate, correlate and store data. Segmented server functions specialized servers for correlation, storage, reporting and display. A combination of hierarchy and segmentation to support horizontal scaling. During the planning phase, agencies should take into consideration the volume of event data that will be collected, as well as the scope of analysis reporting that will be required. An architecture that supports scalability and deployment flexibility will enable an agency to adapt its deployment in the face of unexpected event volume and analysis. Real-time Event Data Collection: SIEM products collect event data in near real time in a way that enables immediate analysis. Data collection methods include: Receipt of a syslog data stream from the monitored event source. Agents installed directly on the monitored device or at an aggregation point, such as a

syslog server. Invocation of the monitored system's command line interface. Application Programming Interfaces (APIs) provided by the monitored event source. External collectors provided by the SIEM tool. The technology should also support batch data collection for cases where real-time collection is not practical or is not needed. Filtering options at the source also are important methods of data reduction, especially for distributed deployments with network bandwidth constraints. Agent-based collection options and virtualized SIEM infrastructure options will become more important as organizations move workloads to virtualized and public infrastructure as a service cloud environments. A large percentage of organizations that have deployed SIEM technology must integrate data sources that aren't formally supported by the SIEM vendors. SIEM products should provide APIs or other functions to support user integration of additional data sources. This capability becomes more important as organizations apply SIEM technology for application-layer monitoring. Event Normalization and Taxonomy: This is a mapping of information from heterogeneous sources to a common event classification scheme. A taxonomy aids in pattern recognition, and also improves the scope and stability of correlation rules. When events from heterogeneous sources are normalized, they can be analyzed by a smaller number of correlation rules, which reduces deployment and support labor. In addition, normalized events are easier to work with when developing reports and dashboards. Real-time Monitoring: Event correlation establishes relationships among messages or events that are generated by devices, systems or applications, based on characteristics such as the source, target, protocol or event type. There should also be a library of predefined correlation rules and the ability to easily customize those rules. A security event console should provide the real-time presentation of security incidents and events. Behavior Profiling: Behavior profiling employs a learning phase that builds profiles of normal activity for discrete event sources, such as NetFlow data, users, servers and so on. The monitoring phase alerts on deviations from normal. Profiling and anomaly detection are emerging capabilities in SIEM that complement rule-based correlation. Threat Intelligence: Intelligence about the current threat environment exists in a variety of sources, including open-source lists, the threat and reputation content developed and maintained by security research teams within security vendors, and data developed by managed security and other service providers. Threat intelligence data can be integrated with an SIEM in the form of watch lists, correlation rules and queries in ways that increase the success rate of early breach detection. Log Management and Compliance Reporting: Functions supporting the cost-effective storage and analysis of a large information store include collection, indexing and storage of all log and event data from every source, as well as the capability to search and report on that data. Reporting capabilities should include predefined reports, as well as the ability to define ad hoc reports or use third-party reporting tools. Analytics: Security event analytics is composed of dashboard views, reports and ad hoc query functions to support the investigation of user activity and resource access in order to identify a threat, a breach or the misuse of access rights.

Incident Management Support: Specialized incident management and workflow support should be embedded in the SIEM product primarily to support the IT security organization. Products should provide integration with enterprise workflow systems, and should support ad hoc queries for incident investigation. User Activity and Data Access Monitoring: This capability establishes user and data context, and enables data access and activity monitoring. Functions include integration with identity and access management (IAM) infrastructure to obtain user context and the inclusion of user context in correlation, analytics and reporting. Data access monitoring includes monitoring of database management systems (DBMSs), and integration with file integrity monitoring (FIM) and data loss prevention (DLP) functions. DBMS monitoring can take three forms parsing of DBMS audit logs, integration with third-party database activity monitoring (DAM) functions or embedded DAM functions. FIM can be provided by the SIEM product directly or through integration with third-party products. Application Monitoring: The ability to parse activity streams from packaged applications enables application-layer monitoring for those components, and the ability to define and parse activity streams for custom applications enables application-layer monitoring for inhouse- developed applications. Integration with packaged applications, an interface that allows customers to define log formats of unsupported event sources, and the inclusion of application and user context are important capabilities that enable the monitoring of application activities for application-layer attack detection, fraud detection and compliance reporting. Deployment and Support Simplicity: Deployment and support simplicity is achieved through a combination of embedded SIEM use- case knowledge, and a general design that minimizes deployment and support tasks. Embedded knowledge is delivered with predefined dashboard views, reports for specific monitoring tasks and regulatory requirements, a library of correlation rules for common monitoring scenarios, and event filters for common sources. There should also be an easy way to modify the predefined functions to meet the particular needs of an organization. 6. Responsibilities Agencies are required to perform the actions outlined in this policy. 7. Authority Executive Order 2011-05, Enterprise Information Technology Governance 8. Publication Version Control It is the user s responsibility to ensure they have the latest version of this publication. Questions regarding this publication are to be directed to RAitcentral@pa.gov. This chart contains a history of this publication s revisions: Version Date Purpose of Revision Original 10/20/2006 Base Policy

ITP-SEC020 Encryption Standards for Data at Rest Revision 5/9/2013 Updated the policy to reflect current standards making it easier for agencies to implement SIEM solutions. Rescinds STD-SEC021A and incorporates elements of OPD0SEC021B 4/2/2014 ITP Reformat

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information