
Using Managed SIEM for Compliance

Written by Joe Grzybowski, GSEC, CEH | July 19, 2018

GDPR, NIST, HIPAA, PCI...

The names may change but it all comes down to control, visibility, and auditing.

Meeting the requirements for any of these compliance standards can be a challenge. But there are tools that will make your job easier.

For instance, a managed SIEM solution.


With a managed SIEM solution, you gain a more secure IT environment, meet your compliance requirements, and do so at a lower cost than the manual methods that you are using today.


Common Compliance Requirements

Central to the purpose of any compliance mandate are two requirements:

#1 Protect the information.

#2 Provide proof that you are protecting the information.

The overall goal of each requirement is to make the IT infrastructure of companies within specific industries more secure.

Securing the Information

Properly securing the information contained within a computer system consists of two parts: proactive protection and reactive detection.

Protect:

The protection of your assets is typically done as follows:

  • Using firewalls
  • Vetting your employees
  • Managing file access via Active Directory
  • Keeping the doors to your data center and offices locked

Most companies have a variety of protective mechanisms and products in place. On an ongoing basis, these protective mechanisms are maintained, updated, and reconfigured based on company policies and evolving business needs.

Detect:

Data "protection" is not the purpose of a SIEM. A SIEM's primary role is to quickly "detect" attacks, and then enable the fastest response possible to breaches as they occur within your environment. A SIEM performs this detection and subsequent alerting by collecting logs and analyzing them in real time.


Logging

As you read your applicable compliance standard, you will find that it requires the collection of logs from your in-scope devices.

  • Who logged in and when?
  • What files were accessed and by whom?
  • Did a privileged user connect? If so, what did they do?

These logs must be collected, normalized, and stored.

The most basic method for data logging is to simply turn it on.

For Windows server devices, event logs are generated and stored in system, application, and security .evtx files. These files are typically stored locally in the %System32%\winevt\Logs directory and are overwritten as necessary to avoid excessive disk usage.

You can view these logs using Event Viewer and perform rudimentary analysis. Network devices such as routers and firewalls generate syslog messages and store them as flat text.


This method will rarely meet any compliance needs.


Retention:

Compliance regulations require that log files be retained for some period of time.

From HIPAA Section 164.316(b)(2)(i):

"Retain the documentation required by paragraph (b)(1) of this section for 6 years from the date of its creation or the date when it last was in effect, whichever is later."


For HIPAA, the retention period may be 6 years or longer.


Extended time periods like that can cause several headaches:

  • Disk space adds up over time.
  • The lifespan of the log files can exceed that of the originating device.
  • You need to make sure that critical logs are not deleted.

The last of these, the deletion of logs, is a very common cover-up technique used by attackers, or by insiders such as administrators, doing things they should not be doing. As a result, many standards require that logs be written to a separate, tightly secured system.

Management:

You have enabled logging, data is being collected into files, and life is good.

Until:

Scenario #1 - A call from your company lawyer advises you to delete any logs once they have met the legal requirements. (Note: I am not your lawyer.)

Scenario #2 - A claims manager asks you on what day a former employee's account was deactivated.

Scenario #3 - You receive a subpoena asking for all logs between June 20XX and August 20YY.

That is when you discover it would be nice if your logs were normalized, structured, sortable, and searchable.

You discover several issues, including:

  • Dates in the log files from different devices use different formats
  • A Windows logon is event id 4624 while your firewall uses ASA-6-605005
  • The user had a shared account and the logon must be correlated across multiple devices
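The three issues above are exactly what a SIEM's normalization stage solves. The following is an added example (not code from the original post): it maps a Windows 4624 export line and a Cisco ASA-6-605005 syslog line, which use different timestamp formats, onto one common schema, then correlates logons by the same account across devices. The sample lines are constructed, and both are assumed to be stamped in UTC.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample lines. The Windows line mimics a CSV text export of a
# 4624 (successful logon) event; the ASA line follows the 605005 message format.
WINDOWS_LINE = ("07/19/2018 09:03:22 AM,4624,srv-files01,"
                "Account Name: jsmith,Source Network Address: 10.0.0.5")
ASA_LINE = ('Jul 19 2018 09:05:41 fw01 %ASA-6-605005: Login permitted from '
            '203.0.113.7/51022 to outside:198.51.100.2/ssh for user "jsmith"')

def parse_windows(line):
    """Map a Windows 4624 export line onto the common schema, or return None."""
    parts = line.split(",", 4)
    if len(parts) != 5 or parts[1] != "4624":
        return None
    ts, _, host, acct, src = parts
    when = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)
    return {"ts": when, "device": host, "event": "logon_success",
            "user": acct.split(": ", 1)[1], "src_ip": src.split(": ", 1)[1]}

ASA_RE = re.compile(r'^(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) (\S+) %ASA-6-605005: '
                    r'Login permitted from (\d+\.\d+\.\d+\.\d+)/\d+ .* for user "([^"]+)"')

def parse_asa(line):
    """Map a Cisco ASA-6-605005 syslog line onto the same schema, or return None."""
    m = ASA_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": when, "device": m.group(2), "event": "logon_success",
            "user": m.group(4), "src_ip": m.group(3)}

def normalize(lines):
    """Run every parser over every line and return matching records in time order."""
    events = []
    for line in lines:
        for parser in (parse_windows, parse_asa):
            rec = parser(line)
            if rec:
                events.append(rec)
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=timedelta(minutes=5)):
    """Flag accounts that log on to more than one device within `window`."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    findings = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if a["device"] != b["device"] and b["ts"] - a["ts"] <= window:
                findings.append((user, a["device"], b["device"]))
    return findings
```

Because every record carries a timezone-aware `ts`, the subpoena case (all logs between two dates) becomes a simple range filter over the normalized stream.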

Reviewing and Auditing:

While the actual security of your data is the most important thing, passing your yearly audit is a close second.

You say you can find things in the logs. So prove it.

Prove not only that you can do it, but that you are doing it, in real time, on a regular basis.

From NIST 800-171 section 3.3.5:

"Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity."

Here is where we see the strength of using a SIEM to meet regulatory compliance requirements.

Functions of a SIEM Solution

The most basic functionality of a SIEM is to collect, normalize, store, sort, and search log files. While it sounds simple, there are many aspects to get correct in order to do it right.

SIEMs are designed for alerting and reviewing, among other things.

Alerting:

Anyone who has used flat text files to collect log data knows that reviewing such logs is extremely time consuming, and the alerting capability of such a system is minimal. Quite frankly, it is impossible for a human to do anything with this data without the help of a computer.

You pull down some code from Git, cobble together a bash script, and you're off to the races.

But it is just not practical. To be effective, the analysis needs to be real-time, 24 hours a day, 365 days a year.


Reviewing:

Reviewing the alerts gets into the meat of what the logs are for. This is where the real value is found.

Is the fact that John logged on an event of any importance?
It is if he just so happens to be in Hawaii on his honeymoon at the time.

Is the brute force attack on Mary’s Office 365 account a concern?
You tell me, is her two factor authentication being enforced?


This is where the benefits of using a managed SIEM solution become evident.


A SIEM solution can bring together all the log files from the various systems throughout your IT infrastructure and then provide analysis across them. By configuring real-time alerts for security events, you can prevent problems and minimize the impact of intrusions. By adding on a human factor we can fill in the gaps, helping the SIEM turn the raw data into actionable information.

With a managed SIEM service, your provider reviews alerts, typically categorized by severity level:

  • high
  • medium
  • low

A high-level alert could be a user trying to log on to an internal server from an external device. A low-level alert could be an employee incorrectly typing his password.

It is not unusual to have a high number of low-level alerts. Over time, a managed SIEM provider will identify frequently recurring "false positive" low-level alerts and filter them out. Time can then be spent more efficiently on the remaining alerts.
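The severity scheme and false-positive filtering described above, as an added example that is not code from the original post or from any provider's platform. It works on constructed, already-normalized logon records; the internal address ranges, server names, and the suppression rule are assumptions, and the brute-force threshold is a tunable placeholder.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed logon records. "ok" is True for a successful logon, False for a failure.
EVENTS = (
    [{"user": "jsmith", "device": "srv-files01", "src_ip": "203.0.113.7", "ok": True}]
    + [{"user": "mary", "device": "o365", "src_ip": "198.51.100.9", "ok": False}] * 6
    + [{"user": "bob", "device": "srv-files01", "src_ip": "10.0.0.12", "ok": False}]
    + [{"user": "svc_backup", "device": "srv-db01", "src_ip": "10.0.0.3", "ok": False}] * 40
)
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
INTERNAL_SERVERS = {"srv-files01", "srv-db01"}                             # assumed
# Filtering rules a provider adds once a recurring low alert is confirmed benign.
# The reason text is a placeholder; a real rule would reference the review ticket.
SUPPRESS = {("svc_backup", "srv-db01"): "PLACEHOLDER: scheduled job, confirmed benign"}

def is_internal(ip):
    return any(ip_address(ip) in net for net in INTERNAL_NETS)

def triage(events, brute_threshold=5):
    """Turn logon records into severity-tagged alerts for the review queue."""
    alerts = []
    # High: any logon attempt against an internal server from outside the network.
    for e in events:
        if e["device"] in INTERNAL_SERVERS and not is_internal(e["src_ip"]):
            alerts.append({"severity": "high", "user": e["user"], "device": e["device"],
                           "detail": f"logon from external address {e['src_ip']}"})
    # Failures are aggregated per account and device; volume decides medium vs low.
    failures = Counter((e["user"], e["device"]) for e in events if not e["ok"])
    for (user, device), n in failures.items():
        if (user, device) in SUPPRESS:
            continue  # known false positive: filtered rather than reviewed by hand
        severity = "medium" if n >= brute_threshold else "low"
        alerts.append({"severity": severity, "user": user, "device": device,
                       "detail": f"{n} failed logons"})
    return alerts

def by_severity(alerts):
    """Queue sizes per severity, the numbers a provider reports back to you."""
    return Counter(a["severity"] for a in alerts)
```

Without the suppression rule the backup account's 40 failures would dominate the low queue; with it, the analyst sees one high, one medium, and one low alert.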

The Services of a Managed SIEM Solution

A managed SIEM provider will take a holistic approach to cybersecurity and will have the expertise to identify and respond to sophisticated attacks.

As part of the managed SIEM service, your provider will review alerts in real time, hourly, or daily (depending on your plan).

  • For high and medium alerts, the provider will typically review individual alerts to determine cause and significance, and will initiate an appropriate incident response.
  • For low alerts, the provider will view them in aggregate, and analysts will look for anomalies and patterns, each of which can be indicative of an underlying incident.
  • Where possible, the provider will remove alerts that are false positives by adding additional filtering rules, thereby saving effort, time, and money in the future.

Experienced security engineers on staff at your provider will have the background and knowledge to:

  • Advise on the risk level of events and alerts
  • Provide guidance on next steps
  • Take action if authorized
  • Engineer a long-term solution to the problems and breaches that are detected


Process

A significant part of any compliance initiative is the policy, or process.

For example, do you have a process or policy that dictates that you are looking at alerts on a regular basis?

You will need to be able to provide proof that security alerts are reviewed. When you are using a managed SIEM service provider, they will use a ticketing system to track the review of log files, and this will serve as your evidence for auditors.

Compliance Reports

Another benefit of using a managed SIEM solution for compliance is that the reports you need to give to auditors may already be built into the solution. Your managed SIEM provider can generate and store the necessary reports for you monthly, quarterly, or on whatever schedule is needed.

For example, as evidence of HIPAA compliance, you will need to be able to prove that no unauthorized users accessed patient data. For a given file, you will need to be able to show a history of who accessed that file, and confirm those users have a legitimate need to access that file (such as, they are nurses on staff).


Depending on the mandate, a managed SIEM solution can satisfy all or some of the requirements. For requirements not directly addressed by the managed SIEM solution, having one still makes it easier and less costly to comply.

A managed SIEM solution decreases your labor costs associated with compliance. It also provides you a better level of security than you would otherwise have. With managed SIEM, your IT infrastructure is proactively monitored, and security issues are prevented.

Corserva’s Managed Security Service

With Corserva’s Managed Security Service, you gain enterprise-level cybersecurity for a fixed monthly cost, with no hefty licensing fees and no additional staffing requirements. The solution provides predefined reports you can provide to auditors to show compliance with PCI DSS, HIPAA, NIST 800-53, and NIST 800-171.

Corserva’s Managed Security Service provides centralized security monitoring for your on-premises, hybrid IT, and cloud environments. The platform includes SIEM and log management, asset discovery, behavioral monitoring, vulnerability analysis, and intrusion detection.


Collecting log files and analyzing them is at the heart of the solution. We can accurately identify, contain, and remediate threats in your network. The built-in security intelligence combined with our expertise in correlating the applicable log data enables us to identify policy violations and respond appropriately.

Corserva’s staff hold key security certifications including CISSP, CISM, CGEIT, CRISC, CEH, and CompTIA Security+. We provide 24x7x365 support for our clients from our US-based security operations centers.
