Today’s blog entry is a continuation of yesterday’s blog on SIEM features which support continuous monitoring requirements. Yesterday’s blog covered situational awareness and threats. In today’s entry I will cover continuous monitoring requirements for assessing security controls and collecting, correlating, and analyzing security information.
The THIRD requirement is “assessing all security controls.” For this requirement the organization must assess all implemented security controls to ensure they mitigate the threat as intended. This is best accomplished by having a third party perform an annual review of the organization’s information security controls. The third party should be versed in reviewing controls specific to the organization’s regulatory requirements. Organizations should also conduct internal assessments on an ongoing basis to supplement the third-party review. A SIEM should help with this assessment by providing support for vulnerability and patch management. SIEMs should be capable of collecting vulnerability notifications from anti-malware, firewalls, IDSs, and vulnerability scanners, along with patch management notifications from hosts. The more advanced SIEMs can import vulnerability scan results, or even launch scans from the console, which allows an identified vulnerability to be verified rather than merely reported.
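To make the vulnerability-and-patch support concrete, here is a small added example (not code from the original post or from any SIEM vendor) that reconciles vulnerability scanner findings against host patch-management notifications. The scan results, patch events, host names and the `VULN-PLACEHOLDER-*` / `PATCH-*` identifiers are all constructed placeholders; the `fixed_by` mapping from a finding to the patch that remediates it is an assumption about what the scanner reports. The output is the list of findings that still need verification or remediation, plus a per-host summary an assessor could use.

```python
# Added example: reconcile vulnerability scan findings with patch notifications.
# All hosts, vulnerability ids and patch ids below are constructed placeholders.

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output: one row per (host, finding), with the patch that fixes it.
SCAN_RESULTS = [
    {"host": "web01", "vuln_id": "VULN-PLACEHOLDER-001", "severity": "high",   "fixed_by": "PATCH-A"},
    {"host": "web01", "vuln_id": "VULN-PLACEHOLDER-002", "severity": "medium", "fixed_by": "PATCH-B"},
    {"host": "db01",  "vuln_id": "VULN-PLACEHOLDER-001", "severity": "high",   "fixed_by": "PATCH-A"},
    {"host": "db01",  "vuln_id": "VULN-PLACEHOLDER-003", "severity": "low",    "fixed_by": "PATCH-C"},
]

# Constructed patch-management notifications from the hosts (ISO timestamps sort lexically).
PATCH_EVENTS = [
    {"host": "web01", "patch_id": "PATCH-A", "status": "installed", "ts": "2024-01-10T02:00:00"},
    {"host": "web01", "patch_id": "PATCH-B", "status": "failed",    "ts": "2024-01-10T02:05:00"},
    {"host": "db01",  "patch_id": "PATCH-C", "status": "installed", "ts": "2024-01-11T03:00:00"},
]


def patch_status(patch_events):
    """Map (host, patch_id) -> latest reported status, so a later 'installed'
    overrides an earlier 'failed' and vice versa."""
    latest = {}
    for ev in sorted(patch_events, key=lambda e: e["ts"]):
        latest[(ev["host"], ev["patch_id"])] = ev["status"]
    return latest


def open_findings(scan_results, patch_events):
    """Return scan findings not covered by an installed patch, with the reason,
    sorted by host and vulnerability id for stable reporting."""
    status = patch_status(patch_events)
    still_open = []
    for f in scan_results:
        s = status.get((f["host"], f["fixed_by"]))
        if s == "installed":
            continue  # remediation confirmed by the host's own notification
        reason = "no patch event" if s is None else f"patch {s}"
        still_open.append({**f, "reason": reason})
    return sorted(still_open, key=lambda f: (f["host"], f["vuln_id"]))


def assess_hosts(scan_results, patch_events):
    """Per-host assessment summary: open vs remediated counts and the highest
    severity still open (None when everything is remediated)."""
    open_keys = {(f["host"], f["vuln_id"]) for f in open_findings(scan_results, patch_events)}
    summary = {}
    for f in scan_results:
        h = summary.setdefault(f["host"], {"open": 0, "remediated": 0, "highest_open_severity": None})
        if (f["host"], f["vuln_id"]) in open_keys:
            h["open"] += 1
            cur = h["highest_open_severity"]
            if cur is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur]:
                h["highest_open_severity"] = f["severity"]
        else:
            h["remediated"] += 1
    return summary


if __name__ == "__main__":
    for f in open_findings(SCAN_RESULTS, PATCH_EVENTS):
        print(f"{f['host']}: {f['vuln_id']} ({f['severity']}) still open: {f['reason']}")
    print(assess_hosts(SCAN_RESULTS, PATCH_EVENTS))
```

The two reasons the example distinguishes matter in practice: "no patch event" means the SIEM never saw the host report the fix, so a rescan (the console-launched scan the post mentions) is the right next step, whereas "patch failed" points straight at the patch management process.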
The FOURTH requirement is “collecting, correlating, and analyzing security-related information.” This mandates that organizations collect security-related information, correlate information from multiple sources, and analyze it in order to properly assess the risk. All SIEMs should directly support the event and incident management process by automating the collection, correlation, analysis, and risk rating of security-related information. SIEMs should collect information from a variety of logs (applications, hosts, network devices, physical devices, security devices, etc.). One of the most important things to understand about a particular SIEM is which systems it can collect logs from, how the collection occurs, and what can be done if a system’s log format is not supported. A SIEM compatible with an organization should be able, either natively or through custom parsing, to collect security information from all in-scope systems. It is best practice for SIEMs to archive and retain logs in their original state for no less than one year in order to support forensic investigation. Be sure to tune in for tomorrow’s blog entry, where I will finish the discussion by covering security status communication and risk management requirements for continuous monitoring.
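The collection, custom parsing, correlation, risk rating and original-state retention described above, as an added example (not code from the original post or from any SIEM product). The raw log lines are constructed: the "firewall" and "ids" lines mimic syslog-style output, and the pipe-delimited "appfw" format stands in for a system the SIEM has no native parser for, so it gets a custom parser. The event weights, the five-minute correlation window, the bonus for a successful login following failures, and the rating thresholds are assumptions chosen for illustration, not a standard; the archive keeps each line verbatim with a SHA-256 digest and a retention date one year out.

```python
# Added example: normalize heterogeneous logs, correlate by source/destination,
# rate the resulting incident, and archive the raw lines unmodified.
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed raw log lines as (source, line). IPs are documentation/private ranges.
RAW_LOGS = [
    ("firewall", "2024-01-15T10:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.7 dport=22"),
    ("ids",      '2024-01-15T10:00:03 ids01 ALERT sig="SSH brute force" src=203.0.113.5 dst=10.0.0.7'),
    ("appfw",    "15/01/2024 10:00:05|10.0.0.7|auth|FAIL|user=admin|src=203.0.113.5"),
    ("appfw",    "15/01/2024 10:00:09|10.0.0.7|auth|OK|user=admin|src=203.0.113.5"),
    ("firewall", "2024-01-15T11:30:00 fw01 ALLOW src=10.0.0.9 dst=10.0.0.7 dport=443"),
]

FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
IDS_RE = re.compile(r'^(\S+) (\S+) ALERT sig="([^"]+)" src=(\S+) dst=(\S+)$')


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts, _dev, action, src, dst, _dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "firewall", "src": src, "dst": dst,
            "category": "fw_" + action.lower(), "weight": 1 if action == "DENY" else 0}


def parse_ids(line):
    m = IDS_RE.match(line)
    if not m:
        return None
    ts, _dev, sig, src, dst = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "ids", "src": src, "dst": dst,
            "category": "ids_alert", "weight": 3, "detail": sig}


def parse_appfw(line):
    """Custom parser for a pipe-delimited format with a non-ISO timestamp."""
    parts = line.split("|")
    if len(parts) != 6:
        return None
    ts, host, _service, result, user, src = parts
    return {"ts": datetime.strptime(ts, "%d/%m/%Y %H:%M:%S"), "source": "appfw",
            "src": src.split("=", 1)[1], "dst": host, "detail": user.split("=", 1)[1],
            "category": "auth_fail" if result == "FAIL" else "auth_ok",
            "weight": 1 if result == "FAIL" else 0}


PARSERS = {"firewall": parse_firewall, "ids": parse_ids, "appfw": parse_appfw}


def normalize(raw_logs):
    """Parse every line into a common schema; unparsed lines are returned, not dropped."""
    events, unparsed = [], []
    for source, line in raw_logs:
        parser = PARSERS.get(source)
        ev = parser(line) if parser else None
        if ev is None:
            unparsed.append((source, line))
        else:
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"]), unparsed


def rate(score):
    # Assumed thresholds for the illustration.
    return "high" if score >= 7 else "medium" if score >= 3 else "low" if score > 0 else "info"


def correlate(events, window=timedelta(minutes=5)):
    """Group time-sorted events by (src, dst) within `window` of the first event
    and compute a score across all contributing sources."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["src"], ev["dst"])].append(ev)
    incidents = []
    for (src, dst), evs in groups.items():
        start = evs[0]["ts"]
        evs = [e for e in evs if e["ts"] - start <= window]
        score = sum(e["weight"] for e in evs)
        if {"auth_fail", "auth_ok"} <= {e["category"] for e in evs}:
            score += 4  # assumed bonus: success after failures from the same source
        incidents.append({"src": src, "dst": dst, "events": len(evs), "score": score,
                          "rating": rate(score), "sources": sorted({e["source"] for e in evs})})
    return sorted(incidents, key=lambda i: -i["score"])


def archive_raw(raw_logs, received=datetime(2024, 1, 15, 12, 0, 0), retention_days=365):
    """Keep each raw line verbatim, fingerprinted, with a retention date one year out."""
    return [{"source": s, "raw": line, "sha256": hashlib.sha256(line.encode()).hexdigest(),
             "retain_until": received + timedelta(days=retention_days)} for s, line in raw_logs]


def verify_archive(archive):
    """True only if no archived line has been altered since it was fingerprinted."""
    return all(hashlib.sha256(r["raw"].encode()).hexdigest() == r["sha256"] for r in archive)


if __name__ == "__main__":
    events, unparsed = normalize(RAW_LOGS)
    for inc in correlate(events):
        print(inc)
    print("unparsed:", unparsed, "archive ok:", verify_archive(archive_raw(RAW_LOGS)))
```

Two points the code makes that the paragraph only implies: lines the SIEM cannot parse are surfaced as a list rather than silently discarded, which is exactly the "what can be done if a log is not supported" question to ask a vendor, and the archive stores the original line alongside its digest so that a later investigation can show the retained evidence is unchanged.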