Unified Security Management: Reduce the Cost of Compliance

Introduction

In an effort to achieve a consistent and reliable security program, many organizations have adopted the ISO/IEC standard as a key compliance strategy and guiding set of metrics. Developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), the ISO/IEC standard provides a code of practice for information security professionals.

Simplify and automate information security compliance

When looking to manage security and compliance programs, many organizations turn to Security Information and Event Management (SIEM) tools. Unfortunately, SIEM products don't come with all of the essential security detection capabilities, so organizations spend months implementing and then integrating all of these disparate feeds and functions into their SIEM engine. This takes time, money, and expertise that many organizations simply don't have.

Unlike traditional SIEM tools, AlienVault's Unified Security Management (USM) delivers all of the essential security capabilities you need to be ready to start a compliance program right out of the box. There is no need to purchase, deploy, and integrate asset discovery, threat detection, vulnerability assessment, network analysis and reporting tools: these capabilities are already built in. Building in these essential security controls saves you the time, cost, and complexity of purchasing, configuring, and integrating those disparate data feeds and managing disparate management consoles. All you need to be ready for your audit is instantly on when you deploy the solution, and managed via a unified console. Additionally, AlienVault's security intelligence capability is backed by global threat research collected and analyzed by AlienVault Labs and the AlienVault Open Threat Exchange (OTX), which benefits from the shared security intelligence of all of AlienVault's global clients and partners.
The following table lists the key requirements of the standard and how USM can help you achieve cost-effective and continuous compliance with them.
Unified Security Management Compliance

| Requirement | USM capability | How USM helps |
|---|---|---|
| 5.1 Security Policy: 5.1.2 Information Security Policy | Policy Review & Evaluation; (wireless, network, …); Situational Awareness | Built-in essential security controls provide a complete and unified view into information security and compliance posture. |
| 6.1 Organization of Information Security, Internal Organization: 6.1.1 Management Commitment to Information Security | Compliance Reporting / Dashboards | Find, fix, and report on security threats in a single view to garner executive support for security and compliance programs. |
| 6.1.2 Information Security Coordination | Dynamic Incident Response templates | Manage all security controls from a single unified workflow. Dynamic incident response templates provide customized guidance on how to respond to each alert. |
| 6.1.3 Allocation of Information Security Responsibilities | Role-based Access Control | Allocate security analyst tasks based on role-based views and detailed information about assets, networks, and other risk categories. |
| 6.1.4 Authorization Process for Information Processing Facilities | | Correlate built-in asset, vulnerability, and netflow analysis data to validate new information processing facilities. |
| 6.1.5 Confidentiality Agreements | | Validate adherence to confidentiality agreements through log analysis and advanced event correlation. |
| 6.1.8 Independent Review of Information Security | | Leverage unified control and visibility of built-in essential security to automate and accelerate internal and third-party audits and reviews. |
| 6.2 Organization of Information Security, External Parties: 6.2.1 Identification of Risks Related to External Parties | (wireless, network, …) | Automated asset inventory paired with vulnerability and threat detection data assigns contextualized risk to highlight areas of exposure, whether internal or external. |
| 6.2.2 Addressing Security when Dealing with Customers | | Automated asset inventory correlated with vulnerability and threat detection data can identify policy violations of your customer communication guidelines. |
| Requirement | USM capability | How USM helps |
|---|---|---|
| 7.1 Asset Management, Responsibility for Assets: 7.1.1 Inventory of Assets | | Automated asset discovery and inventory captures configuration information, installed software, and other system details. Additionally, this is correlated with vulnerability scan data for a full picture of each asset's security and risk profile. |
| 7.1.2 Ownership of Assets | | Validate automated risk scoring for each asset and assign ownership to assets and to logical asset groupings. |
| 7.1.3 Acceptable Use of Assets | File Integrity Monitoring | Monitor acceptable use policy adherence through user activity monitoring and changes to critical files, informed by the asset inventory and relative risk scores. |
| 7.2 Asset Management, Information Classification: 7.2.1 Classification Guidelines | | Use rich asset information to automatically identify asset value and risk ratings. |
| 8.3 Human Resources Security, Termination or Change of Employment: 8.3.1 Termination Responsibilities | | Track and monitor the usage of terminated user accounts to validate removal of access, and any changes to critical system files. |
| 8.3.2 Return of Assets | | Identify usage or attempted usage of terminated user accounts, profiles, and systems to verify return of assets to authorized personnel. |
| 8.3.3 Removal of Access Rights | | Track and monitor the usage of terminated user accounts to validate removal of access, and any changes to critical system files. |
| 9.1 Physical and Environmental Security, Secure Areas: 9.1.2 Physical Entry Controls | Event Correlation | Track, monitor, and correlate physical security system logs and events with system access, netflow analysis and other data to verify that physical security controls are working. |
| 9.1.3 Securing Offices, Rooms and Facilities | Event Correlation | Track, monitor, and correlate physical security system logs and events with system access, netflow analysis and other data to verify that physical security controls are working. |
| 10.1 Communications and Operations Management, Operational Procedures and Responsibilities: 10.1.1 Documented Operating Procedures | Dynamic Incident Response templates | Dynamic incident response templates provide the foundation for a SOP workflow for security monitoring and incident response. |
| 10.1.2 Coordination | | Monitor user activity and changes to critical system files to support change management processes and procedures. |
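The 8.3.1 to 8.3.3 rows above rely on one concrete check: correlating an HR list of terminated accounts with authentication logs and alerting on any use, or attempted use, of those accounts after the termination time. The script below is an added example written for this page, not AlienVault's code; the usernames, hosts, addresses, timestamps and the syslog-style line format are constructed sample data. It treats a successful login by a terminated account as high severity (access was not actually revoked) and a refused attempt as medium severity (access was revoked but the credential is still being tried), and it ignores activity that predates termination.

```python
"""Flag authentication activity by terminated user accounts.

Added example, not AlienVault code. It correlates an HR feed of terminated
accounts (username -> termination time, UTC) against sshd authentication log
lines and raises an alert for any attempt, successful or not, made at or after
the termination time. All sample data below is constructed.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple, Optional


class AuthEvent(NamedTuple):
    ts: datetime
    host: str
    result: str   # "Accepted" or "Failed"
    user: str
    src: str


class Alert(NamedTuple):
    severity: str  # "high": login still works; "medium": attempt was refused
    user: str
    host: str
    src: str
    ts: datetime
    result: str


# Matches lines such as
#   2014-01-07T08:15:02Z host sshd: Accepted password for jdoe from 10.1.4.22 port 51234
#   2014-01-10T22:47:30Z host sshd: Failed password for invalid user mbrown from ...
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) sshd: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)


def parse_line(line: str) -> Optional[AuthEvent]:
    """Parse one log line; return None for lines that are not sshd auth events."""
    m = LINE_RE.match(line)
    if not m:
        return None  # cron, kernel, etc.: not an authentication event, skip it
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return AuthEvent(ts, m["host"], m["result"], m["user"], m["src"])


def find_terminated_account_use(log_text: str, terminated: Dict[str, datetime]) -> List[Alert]:
    """Return one alert per auth event by a terminated account at or after its termination time."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.user not in terminated:
            continue
        if ev.ts < terminated[ev.user]:
            continue  # activity before termination is expected, not an alert
        severity = "high" if ev.result == "Accepted" else "medium"
        alerts.append(Alert(severity, ev.user, ev.host, ev.src, ev.ts, ev.result))
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, Dict[str, int]]:
    """Count high/medium alerts per account, which is what an auditor asks for first."""
    counts: Dict[str, Dict[str, int]] = {}
    for a in alerts:
        per_user = counts.setdefault(a.user, {"high": 0, "medium": 0})
        per_user[a.severity] += 1
    return counts


# Constructed HR feed: these accounts were terminated at the given UTC times.
TERMINATED_ACCOUNTS: Dict[str, datetime] = {
    "jdoe": datetime(2014, 1, 6, 17, 0, tzinfo=timezone.utc),
    "mbrown": datetime(2014, 1, 9, 12, 30, tzinfo=timezone.utc),
}

# Constructed sample log. Note that mbrown was deleted on fileserver01 (the
# "invalid user" line) but the account still works on vpn-gw: partial deprovisioning.
SAMPLE_LOG = """\
2014-01-07T08:15:02Z fileserver01 sshd: Accepted password for jdoe from 10.1.4.22 port 51234
2014-01-07T08:20:11Z fileserver01 sshd: Failed password for mbrown from 10.1.4.22 port 51240
2014-01-09T09:00:00Z vpn-gw sshd: Accepted publickey for mbrown from 203.0.113.5 port 40001
2014-01-10T22:47:30Z fileserver01 sshd: Failed password for invalid user mbrown from 198.51.100.9 port 40010
2014-01-10T22:48:02Z vpn-gw sshd: Accepted password for mbrown from 198.51.100.9 port 40011
2014-01-10T23:00:00Z hr-app sshd: Accepted password for asmith from 10.1.4.30 port 51300
2014-01-10T23:01:00Z hr-app cron: job finished
"""

if __name__ == "__main__":
    for a in find_terminated_account_use(SAMPLE_LOG, TERMINATED_ACCOUNTS):
        print(f"[{a.severity}] {a.ts.isoformat()} {a.user} {a.result} on {a.host} from {a.src}")
```

On the constructed log this yields three alerts: jdoe's successful login the morning after termination, and mbrown's refused attempt on fileserver01 followed by a successful login on vpn-gw, which is exactly the pattern (access removed on one system but not another) that the 8.3.3 row is meant to surface. The HR feed needs a termination timestamp rather than just a username; without it, legitimate activity from the employee's final day would be flagged too.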
| Requirement | USM capability | How USM helps |
|---|---|---|
| 10.1.3 Segregation of Duties | Role-based Access Control | Enforce segregation of duties based on role-based views and detailed information about assets, networks, and other risk categories. |
| 10.1.4 Separation of Development, Test and Operational Facilities | Asset Classification | A real-time asset map for functional network segments. Built-in netflow and IDS technologies validate that ACLs and other segmentation tactics are working properly. |
| 10.2 Third-Party Service Delivery Management: 10.2.2 Monitoring and Review of Third-Party Services | | Monitor and review third-party services with built-in, automated asset inventory correlated with vulnerability and threat detection data to identify policy violations involving third-party services. |
| 10.2.3 Managing Changes to Third-Party Services | | Effectively manage changes to third-party services and applications with built-in, automated asset inventory correlated with vulnerability and threat detection data. |
| 10.3 System Planning and Acceptance: 10.3.1 Capacity Management | | Monitor service and system availability to maintain service levels and stay ahead of capacity constraints. |
| 10.4 Protection Against Malicious and Mobile Code: 10.4.1 Protection Against Malicious Code | | Quickly identify and isolate malware outbreaks throughout your network by leveraging built-in security controls such as IDS, netflow analysis, event correlation, and log analysis. Dynamic incident response templates provide customized guidance for each alert. |
| 10.5 Back-up: 10.5.1 Information Back-up | | Built-in log management and analysis can trigger alerts when back-up systems or processes fail to complete. |
| 10.6 Network Security Management: 10.6.1 Network Controls | | Securely manage and enforce network controls by leveraging built-in security technologies such as IDS, netflow analysis, event correlation, and log analysis. Dynamic incident response templates provide customized guidance for each alert. |
| Requirement | USM capability | How USM helps |
|---|---|---|
| 10.6.2 Security of Network Services | | A real-time asset map for functional network segments. Built-in netflow and IDS technologies validate that ACLs and other segmentation tactics are working properly. |
| 10.7 Media Handling: 10.7.1 Management of Removable Media | Host-based IDS (HIDS) | Built-in HIDS alerts on policy violations such as attempted use of external storage media on critical systems (e.g. USB drives). Additionally, built-in file integrity monitoring captures anomalous changes to critical files, and event correlation rules provide the situational awareness needed to identify the potential exfiltration of sensitive data. |
| 10.8 Exchange of Information: 10.8.4 Electronic Messaging | | Built-in essential security controls help to protect against known and unknown exploits (e.g. DDoS, 0-day) by providing a unified view of electronic messaging and other network-based communication channels. |
| 10.8.5 Business Information Systems | | Built-in essential security monitors and identifies potential security events and policy violations that are often caused by failures in business processes. |
| 10.9 Electronic Commerce Services: 10.9.1 Electronic Commerce | | Built-in essential security controls help to protect against known and unknown exploits of e-commerce applications and systems (e.g. SQL injection, DDoS) by providing a complete and unified view of your critical service delivery infrastructure. |
| 10.9.2 Online Transactions | | Built-in essential security controls help to protect against known and unknown exploits of publicly available systems by providing a complete and unified view of the security of your DMZ and publicly facing infrastructure. |
| 10.9.3 Publicly Available Information | | Built-in essential security controls help to protect against known and unknown exploits of publicly available systems by providing a complete and unified view of the security of your DMZ and publicly facing infrastructure. |
| Requirement | USM capability | How USM helps |
|---|---|---|
| 10.10 Monitoring: 10.10.1 Audit Logging | | Built-in, automated and unified asset discovery, file integrity monitoring and log management provide an easy way to meet this requirement. Additionally, data archiving and data retrieval are easily managed via a single console. |
| 10.10.2 Coordination | | Built-in asset discovery, vulnerability assessment, threat detection, behavioral monitoring, and security intelligence reduce the cost and complexity of compliance. Unified log review and analysis, with triggered alerts for high-risk systems, speed the audit process. |
| 10.10.3 Protection of Log Information | | Built-in log management, vulnerability assessment, and file integrity monitoring detect changes to critical system files, particularly event and audit log data. |
| 10.10.4 Administrator and Operator Logs | | Built-in log management, vulnerability assessment, and file integrity monitoring detect changes to critical system files, particularly audit log data, with triggered alerts on privileged users such as administrators and operators. |
| 10.10.5 Fault Logging | | Built-in log management, vulnerability assessment, and file integrity monitoring detect critical system faults, and can correlate these with other security events and netflow data through automated event correlation. |
| 10.10.6 Clock Synchronization | | Built-in log management and analysis protects chain of custody by synchronizing log data. |
| 11.1 Access Control, Business Requirement for Access Control: 11.1.1 Access Control Policy | | Built-in essential security technologies such as asset discovery, IDS, netflows, file integrity monitoring, and user activity monitoring provide a complete view of access control policy violations and other security events. |
| 11.2 Access Control, User Access Management: 11.2.1 User Registration | (wireless, network, …) | Built-in user activity monitoring and log management provide the necessary information to effectively manage user accounts and investigate unauthorized activity. |
| 11.2.2 Privilege Management | | Built-in user activity monitoring and log management provide the necessary information to effectively monitor privileged activity and investigate unauthorized access attempts. |
| Requirement | USM capability | How USM helps |
|---|---|---|
| 11.2.3 User Password Management | | Built-in, automated vulnerability assessment identifies the use of weak and default passwords, while built-in host-based IDS and file integrity monitoring signal when password files and other critical system files have been modified. |
| 11.2.4 Review of User Access Rights | (wireless, network, …) | Built-in user activity monitoring, vulnerability assessment, and threat management technologies work together to monitor user access (successful and unsuccessful attempts). |
| 11.3 User Responsibilities: 11.3.1 Password Use | (wireless, network, …) | Built-in, automated vulnerability assessment identifies the use of weak and default passwords, while built-in host-based IDS and file integrity monitoring signal when password files and other critical system files have been modified. |
| 11.4 Network Access Control: 11.4.1 Policy on Use of Network Services | | Built-in asset discovery, vulnerability assessment, threat detection, behavioral monitoring, and security intelligence reduce the cost and complexity of network security and compliance. Unified log review and analysis, with dynamic incident response templates, guide the security analyst through forensic investigations. |
| 11.4.3 Equipment Identification in Networks | | A real-time asset map for functional network segments. Built-in netflow and IDS technologies validate that ACLs and other segmentation tactics are working properly. |
| 11.4.5 Segregation in Networks | | A real-time asset map for functional network segments. Built-in netflow and IDS technologies validate that ACLs and other segmentation tactics are working properly. |
| 11.4.6 Network Connection Control | | Built-in netflow and IDS technologies detect unauthorized access attempts and anomalous behavior (e.g. outbound command-and-control connections). |
| 11.4.7 Network Routing Control | | Built-in netflow and IDS technologies detect network routing anomalies (e.g. outbound command-and-control connections). |
| 11.5 Operating System Access Control: 11.5.1 Secure Log-On Procedures | | Built-in host-based IDS monitors all activity on critical files and systems. Automated event correlation signals activities such as unauthorized logins followed by additional security exposures like data exfiltration. |
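Several rows (10.10.3 Protection of Log Information, 11.2.3 and 11.3.1 on modified password files, and later 12.4.1 and 15.1.3 on operational software and cryptographic keys) lean on file integrity monitoring: take a baseline of the files that matter, take another snapshot later, and report what differs. The script below is an added example written for this page, not AlienVault's FIM implementation. It hashes each watched path with SHA-256 and records size and permission bits, then classifies differences as modified, mode_changed, added or removed. The directory layout and file contents in `demo()` are constructed inside a temporary directory so the example runs offline; the key file is a labelled placeholder, not real key material.

```python
"""Minimal file-integrity monitoring (FIM): baseline, snapshot, compare.

Added example, not AlienVault code. Watched paths are given relative to a
root so the same list can be applied to a live host or to a mounted image.
"""
import hashlib
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

Fingerprint = Dict[str, object]        # {"sha256": str, "size": int, "mode": int}
Baseline = Dict[str, Optional[Fingerprint]]  # None means "watched but absent"


def fingerprint(path: Path) -> Optional[Fingerprint]:
    """Hash, size and permission bits for a regular file; None if it does not exist."""
    if not path.is_file():
        return None
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):  # stream, so large logs are fine
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "size": st.st_size, "mode": stat.S_IMODE(st.st_mode)}


def build_baseline(root: Path, watched: List[str]) -> Baseline:
    """Snapshot every watched path, recording absent files explicitly."""
    return {rel: fingerprint(root / rel) for rel in watched}


def compare_baseline(before: Baseline, after: Baseline) -> List[Tuple[str, str]]:
    """Return (path, change_kind) pairs, sorted by path. A content change takes
    precedence over a permission change for the same file."""
    changes: List[Tuple[str, str]] = []
    for rel in sorted(set(before) | set(after)):
        old, new = before.get(rel), after.get(rel)
        if old is None and new is None:
            continue                       # absent in both snapshots: nothing to say
        if old is None:
            changes.append((rel, "added"))
        elif new is None:
            changes.append((rel, "removed"))
        elif old["sha256"] != new["sha256"]:
            changes.append((rel, "modified"))
        elif old["mode"] != new["mode"]:
            changes.append((rel, "mode_changed"))
    return changes


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: password file edited, private key made world-readable,
    auth log deleted, shadow file appears after the baseline was taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc/ssl/private").mkdir(parents=True)
        (root / "var/log").mkdir(parents=True)
        passwd = root / "etc/passwd"
        passwd.write_text("root:x:0:0:root:/root:/bin/bash\n")
        key = root / "etc/ssl/private/server.key"
        key.write_text("-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n")
        key.chmod(0o600)
        auth_log = root / "var/log/auth.log"
        auth_log.write_text("2014-01-07T08:15:02Z sshd: Accepted password for jdoe\n")

        watched = ["etc/passwd", "etc/shadow", "etc/ssl/private/server.key", "var/log/auth.log"]
        baseline = build_baseline(root, watched)   # etc/shadow is absent at this point

        # Simulated changes between the two snapshots.
        passwd.write_text(passwd.read_text() + "svc:x:0:0::/root:/bin/bash\n")  # extra uid-0 account
        key.chmod(0o644)                                                          # key now world-readable
        auth_log.unlink()                                                         # log removed
        (root / "etc/shadow").write_text("root:*:0:0:99999:7:::\n")               # new watched file

        return compare_baseline(baseline, build_baseline(root, watched))


if __name__ == "__main__":
    for rel, kind in demo():
        print(f"{kind:13s} {rel}")
```

The demo reports four findings: `etc/passwd modified`, `etc/shadow added`, `etc/ssl/private/server.key mode_changed` and `var/log/auth.log removed`. Two design points matter in practice: the baseline must record watched-but-absent files, otherwise a file that appears later (a new shadow file, a dropped-in binary) is never reported; and the baseline itself has to be stored somewhere the monitored host cannot rewrite, which is the same concern the 10.10.3 row raises for log data.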
| Requirement | USM capability | How USM helps |
|---|---|---|
| 11.5.2 User Identification and Authentication | | Built-in user activity monitoring, vulnerability assessment, and threat management technologies work together to monitor user identities and access (e.g. successful and unsuccessful attempts). |
| 11.5.3 Password Management Systems | | Built-in, automated vulnerability assessment identifies the use of weak and default passwords, while built-in host-based IDS and file integrity monitoring signal when password files and other critical system files have been modified. |
| 11.5.4 Use of System Utilities | | Host-based IDS monitors system utilities, usage, and performance data to ensure service availability and avoid downtime. |
| 11.5.5 Session Time-Out | | Host-based IDS monitors user activity and enforces session timeouts on critical systems. |
| 11.6 Application and Information Access Control: 11.6.1 Information Access Restriction | | Built-in essential security technologies such as vulnerability assessment, IDS, netflows, file integrity monitoring, and user activity monitoring provide a complete view of access control policy violations and other security events. |
| 11.6.2 Sensitive System Isolation | | A real-time asset map auto-populates an asset inventory, including sensitive systems. Built-in netflow and IDS technologies validate that ACLs and other segmentation tactics are working properly. |
| 11.7 Mobile Computing and Teleworking: 11.7.1 Mobile Computing and Communications | | Built-in asset discovery auto-discovers all devices on wired and wireless networks, while wireless IDS detects policy violations, rogue devices and other wireless threats. |
| 11.7.2 Teleworking | | Built-in asset discovery auto-discovers all devices connecting to the corporate network, including teleworkers and other remote users. IDS and netflow analysis technologies identify real-time threats and policy violations. |
| 12.1 Information Systems Acquisition, Development and Maintenance: 12.1.1 Security Requirements Analysis and Specification | | Evaluate and analyze security requirements based on detailed and unified information about assets, their vulnerabilities, network baselines, and calculated risk scores. |
| Requirement | USM capability | How USM helps |
|---|---|---|
| 12.3 Cryptographic Controls: 12.3.1 Policy on the Use of Cryptographic Controls | (wireless, network, …) | Unified netflow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from sensitive data resources. Built-in wireless IDS monitors encryption strength and identifies unauthorized access attempts to critical infrastructure. |
| 12.4 Security of System Files: 12.4.1 Control of Operational Software | (wireless, network, …) | A complete and dynamic asset inventory is critical for identifying all operational software. Host-based IDS and file integrity monitoring identify and alert on changes to critical software. |
| 12.4.2 Protection of System Test Data | | Built-in essential security technologies such as asset discovery, vulnerability assessment, IDS, netflows, file integrity monitoring, and user activity monitoring provide a complete view of access to and protection of system test data. |
| 12.4.3 Access Control to Program Source Library | | Built-in essential security technologies such as asset discovery, vulnerability assessment, IDS, netflows, file integrity monitoring, and user activity monitoring provide a complete view of access control policy violations involving program source libraries. |
| 12.5 Security in Development and Support Process: 12.5.1 Change Control Procedures | | Built-in, automated asset discovery combined with vulnerability assessment data validates the successful execution of configuration changes and other operational tasks. |
| 12.5.2 Technical Review of Applications After Operating System Changes | | Built-in, automated asset discovery combined with vulnerability assessment data provides a full technical review of the impact of operating system changes on critical applications. |
| 12.5.4 Information Leakage | | Built-in threat detection, behavioral monitoring and event correlation signal information leakage and other attacks in progress, for example unauthorized access followed by additional security exposures such as sensitive data exfiltration. Built-in log management enables the collection and correlation of valid and invalid authentication attempts on critical devices. Centralized, role-based access control for audit trails and event logs preserves chain of custody for data forensics and investigations. |
| Requirement | USM capability | How USM helps |
|---|---|---|
| 13.1 Incident Management: 13.1.1 Reporting Events | | Report on all security metrics (vulnerability statistics, IDS alerts, etc.) from a single unified workflow. Dynamic incident response templates provide customized guidance on how to respond to each alert. |
| 13.1.2 Reporting Weaknesses | | Identify, manage and report on all network, system, and application vulnerabilities from a single unified workflow. Correlate vulnerability data with log analysis and IDS alerts to prioritize remediation efforts. |
| 13.2 Management of Incidents and Improvements: 13.2.2 Learning from Events | | Built-in essential security technologies such as vulnerability assessment, IDS, netflows, file integrity monitoring, and user activity monitoring provide a complete picture of operational security. This unified perspective allows for a built-in feedback loop to your technical and executive management teams for continuous improvement. |
| 13.2.3 Collection of Evidence | | Built-in log management and analysis provides the necessary raw evidence to assist in data forensics and investigations. |
| 15.1 Compliance with Legal Requirements: 15.1.3 Protection of Organizational Records | | Built-in and unified log review and analysis, with triggered alerts for high-risk systems (those containing organizational records and other sensitive data). Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys for encrypted data. |
| 15.1.4 Data Protection & Privacy of Personal Information | | Built-in and unified log review and analysis, with triggered alerts for high-risk systems (those containing personal information). Built-in host-based intrusion detection and file integrity monitoring detect and alarm on changes to cryptographic keys for encrypted data. Unified netflow analysis and event correlation monitors traffic and issues alerts on unencrypted traffic to/from high-risk resources where encryption is required. |
| 15.1.5 Prevention of Misuse of Information Processing Facilities | | Correlate built-in asset, vulnerability, and netflow analysis data to detect and prevent the misuse of information processing facilities. |
| Requirement | USM capability | How USM helps |
|---|---|---|
| 15.2 Compliance with Security Policies and Standards, and Technical Compliance: 15.2.1 Compliance with Security Policies and Standards | Compliance Reporting / Dashboards | Built-in essential security controls provide a complete and unified view into information security and compliance posture. Unified compliance reports and dashboard views highlight key operational metrics against compliance and business requirements. |
| 15.2.2 Technical Compliance Checking | | Unified vulnerability assessment, threat detection, and event correlation provide full situational awareness in order to reliably check technical compliance requirements. |
| 15.3 Information Systems Audit Considerations: 15.3.1 Information Systems Audit Controls | Compliance Reporting / Dashboards | Built-in essential security controls provide a complete and unified view into information systems audit controls performance. Unified compliance reports and dashboard views highlight key operational metrics and facilitate the audit process. |

Summary

Traditional approaches aren't sufficient for today's cyber security landscape and changing compliance requirements. They're costly, complex, and they take too long to deploy. AlienVault USM delivers more functionality at reduced cost and in significantly less time. Simplified and automated compliance makes everyone happy, including your auditors.

For more information on how AlienVault can help you meet your compliance needs, contact us at +1-650-453-2350 or +44 7703 649313, or send email to sales@alienvault.com.

Copyright © AlienVault. All rights reserved. 01112014 www.alienvault.com