Top 20 Critical Controls: Today - Control 6

Thursday, December 3, 2009 by Pam Casale

SANS, the global training and certification organization for security professionals, has published an excellent resource, 20 Critical Security Controls (Version 2.3), in cooperation with CSI. SANS suggests that these Critical Controls should be subject to automated collection, measurement and validation. While the document was created for federal agencies working to comply with NIST practices and FISMA standards, these controls also map to the ISO controls. We've borrowed from the SANS document to provide context for discussing the value you get from an automated SIEM solution, like the ones from Intellitactics.

Today we’re introducing and looking at Control 6 in more detail.

CONTROL 6: Maintenance, Monitoring and Analysis of Audit Logs

From SANS: How do attackers exploit the lack of this control?

Deficiencies in security logging and analysis allow attackers to hide their location, malicious software used for remote control, and activities on victim machines. Even if the victims know that their systems were compromised, without protected and complete logging records, the victim is blind to the details of the attack and to the subsequent actions taken by the attackers.


Many organizations keep audit records for compliance purposes but attackers rely on the fact that such organizations rarely look at the audit logs so they do not know that their systems have been compromised. Because of poor or non-existent log analysis processes, attackers sometimes control victim machines for months or years without anyone in the target organization knowing, even though the evidence of the attack has been recorded in unexamined log files.


This is one of the most fundamental uses of the Intellitactics SIEM solutions, Security Manager and Intellitactics SAFE (appliance): automating the collection and review of audit logs. Logging runs continuously, and both the raw logs and the parsed logs (events) are not only stored as prescribed but are easily accessible and retrievable. The interfaces are designed to minimize clicks and increase productivity.


The SIEM solution automatically correlates events, looking for log entries that indicate suspicious or out-of-scope behavior. The advantage of an automated SIEM over manual log review is that the SIEM generates an alert or notification, so the security administrator can quickly begin an investigation: further searching of the logs, or visual analysis of an evolving attack involving a specific source or target. Intellitactics SIEM solutions enable consistent logging and automated examination of log files to uncover control violations or attacks in progress.
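To make the correlation step concrete, here is an added example (not Intellitactics code, and not from the SANS document) of the kind of rule a SIEM runs over parsed events: it normalizes sshd-style authentication lines, keeps the raw line as evidence, and raises an alert when a burst of failed logins from one source is followed by a successful login from the same source. The log lines, the host names and addresses, and the rule thresholds (five failures within two minutes) are all constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not taken from any real system).
SAMPLE_LOGS = """\
2009-12-03T09:00:01 host1 sshd: Failed password for admin from 203.0.113.7 port 51022
2009-12-03T09:00:04 host1 sshd: Failed password for admin from 203.0.113.7 port 51023
2009-12-03T09:00:09 host1 sshd: Failed password for root from 203.0.113.7 port 51024
2009-12-03T09:00:12 host1 sshd: Failed password for admin from 203.0.113.7 port 51025
2009-12-03T09:00:15 host1 sshd: Failed password for admin from 203.0.113.7 port 51026
2009-12-03T09:00:20 host1 sshd: Accepted password for admin from 203.0.113.7 port 51027
2009-12-03T09:05:00 host2 sshd: Failed password for bob from 198.51.100.4 port 40001
2009-12-03T09:30:00 host2 sshd: Accepted password for bob from 198.51.100.4 port 40002
"""

# Assumed line format: ISO timestamp, host, sshd outcome line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


def parse_log(text):
    """Turn raw lines into event dicts (the 'parsed log'), keeping the raw
    line alongside so an analyst can always get back to the evidence."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # a real SIEM would still retain unparsed lines as raw
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["raw"] = raw
        events.append(ev)
    return events


def correlate_brute_force(events, threshold=5, window=timedelta(minutes=2)):
    """Alert when >= threshold failed logins from one source within `window`
    are followed by an accepted login from that same source."""
    alerts = []
    failures = defaultdict(list)  # source address -> timestamps of failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        if ev["outcome"] == "Failed":
            failures[src].append(ev["ts"])
            # keep only failures still inside the sliding window
            failures[src] = [t for t in failures[src] if ev["ts"] - t <= window]
        else:
            recent = [t for t in failures[src] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "src": src,
                    "host": ev["host"],
                    "user": ev["user"],
                    "failures": len(recent),
                    "success_at": ev["ts"],
                    "evidence": ev["raw"],
                })
            failures[src].clear()  # a success resets the counter for that source
    return alerts


if __name__ == "__main__":
    for alert in correlate_brute_force(parse_log(SAMPLE_LOGS)):
        print(f"ALERT: {alert['failures']} failures then success for "
              f"{alert['user']}@{alert['host']} from {alert['src']} "
              f"at {alert['success_at']} | {alert['evidence']}")
```

Run against the constructed sample, the rule fires once, for 203.0.113.7 against host1, and stays quiet for the single failure from 198.51.100.4, which is too old by the time that user succeeds. The point of carrying the raw line in the alert is the one the post makes: once the SIEM has flagged the behavior, the analyst pivots straight to the underlying records rather than rediscovering them by hand.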


Tomorrow: How can this control be implemented, automated, and its effectiveness measured?
