WWW.LOGRHYTHM.COM

WHITEPAPER

Protective Monitoring and the UK Public Services Network (PSN)

Executive Summary

Introduction

Conducting business and delivering services online has delivered great benefits, but there are associated risks that customers and the public are increasingly becoming aware of. Malicious activity and successful attacks against organisations and government services have been well publicised, to the extent that they are no longer news unless the impact has been significant. Obviously the motivation and capability of those seeking to threaten, abuse or illegally benefit from attacking business, government services and critical national infrastructure greatly differ and range from foreign governments through to the opportunistic criminal, hacktivist or disaffected employee [1].

Government and the services it provides to its citizens are as much at risk as commercial organisations for the reason that they conduct and deliver a wide range of services. Much of the information collected and used by Government is very valuable and classified as high risk, e.g. tax and benefit records, law enforcement information, intelligence and military secrets and other sensitive personal identity data that is stored in a range of systems across Government.

The UK Government is committed to its ‘Digital First’ policy, which is simply a concerted effort to move its services online. It is, however, cognisant that uptake and use of these services relies on citizens trusting Government to take care of their personal information and ensure its security. To support this objective Government requires its own departments, agencies and suppliers contracted to deliver the services to comply with HMG information security policy and guidance. In addition to developing policy the Government has also developed enabling capabilities that delivery organisations can use and exploit with confidence. One such capability is the Public Services Network (PSN). The PSN is a communications network operated by a number of suppliers that provides a trusted, reliable, cost-effective connectivity solution to Government departments, agencies, local authorities, and other bodies that work in the public sector, allowing them to communicate and share information.

To protect the PSN, and before it is allowed to connect to or offer services over it, an organisation must make a formal commitment and provide assurance that they will comply with the network conditions. One of those conditions is the requirement to implement an effective protective monitoring capability.

Audience

This paper is intended to be relevant to a broad audience. The executive summary is targeted at management level, including Senior Information Risk Owners, and assumes no prior knowledge of the issues, other than what is discussed in the media. The remainder of the paper provides a more in-depth and technical view, specifically focussing on aligning requirements to the UK Cyber Security Strategy [2] and providing an overview of the underlying standards and guidance available to meet the challenge. This part of the white paper is more focussed at the Information Assurance (IA) experts and does have a bias towards those working in, or organisations providing services to, the public sector. Nevertheless, the value of this guidance is recognised beyond the public sector and is generating interest from industry, the commercial sector and other countries.

The Cyber Threat

The Government have categorised cyber-attacks as a Tier 1 [3] threat to the UK and it is recognised that it costs industry and Government directly and indirectly in excess of £20Bn each year. The 2014 Information Security Breaches published by the Department for Business Innovation and Skills describes the issues in detail [4]. To mitigate these risks and issues, regulatory controls are responding; for example, the EU is planning to update its data protection legislation [5] to make disclosure a legal requirement and introduce the power to fine organisations 5% of global turnover in the case of the most serious breaches.

What is Protective Monitoring?

Amongst the methods and tools that can be used to detect and counter cyber-attacks, there is one discipline that has proved especially effective. It has been developed by CESG, who are the UK’s national technical security authority. They have developed a regime known as Protective Monitoring, as defined in CESG Good Practice Guide No. 13 (GPG 13: [6]). It gets its name from Her Majesty’s Government’s (HMG’s) approach to protective security coupled with the monitoring requirement. Protective monitoring is a discipline of correct configuration of information system logs and audit trails, collection, audit and analysis of those logs, and scaling the level of monitoring based on the assessed risk to the information. This is much more than browsing a log file: it is a complete methodology for getting it right. GPG 13 continues, perhaps uniquely, to promote a holistic approach to protective monitoring that is not solely focused on technology solutions.


Why is Protective Monitoring Important?

All organisations, including HMG, face a combination of legislative, regulatory, policy and industry standards requirements which they must satisfy. Implementation of appropriate protective monitoring controls with their intrinsic levels of recordkeeping and reporting can help in delivering these requirements by providing evidence of compliance. Organisations also need to understand what is happening on their networks and systems to be able to detect and respond to an attack in a timely manner. Protective monitoring also assists in making employees accountable for their use of ICT systems.

The PSN Protective Monitoring Condition

The Cabinet Office PSN team require a commitment statement to be signed by an appropriate person before an organisation is allowed to connect to or offer services over the PSN. It effectively requires that the organisation agrees to the obligations and conditions spelled out in the relevant PSN document. The protective monitoring condition in the code of connection [7] states that:

‘You will collect and retain event data and undertake activities that will help you detect actual or potential security incidents. You must have a protective monitoring policy that describes the use cases you are aiming to detect, which can be used to define event data collection. Your policy must include both detection of technical attacks as well as important abuses of business processes. These conditions do not describe any specific events to collect or incidents to detect. The requirement is that the business has thought about and documented its collection and analysis requirements and that this has led to your approach to protective monitoring and intrusion detection’.

Protective Monitoring and SIEM

For medium or large enterprises, adoption of a protective monitoring regime is not a trivial exercise. Business critical systems may generate high volumes of event data, and there will be many of those systems across the enterprise: there is therefore an essential need for security technology that can assist with Protective Monitoring. In terms of the cyber threat this is even more important as the target of cyber-attacks will not be known until an attack is underway. Hence, it is essential to have technology that responds in near real-time to an attack anywhere within an organisation’s IT estate. The nearest class of such tools are known as Security Information and Event Management (SIEM) systems. The SIEM should be an essential hub within an organisation, providing holistic security intelligence, and helping them to both proactively monitor and detect attacks whilst also aiding in investigation and recovery, all from a single pane of glass.

Conclusion to the Executive Summary

It is by the application of a protective monitoring regime, supported by an effective SIEM implementation from a trusted specialist Security Intelligence company such as LogRhythm, that the public sector and commercial medium and large enterprises can deliver a robust cyber defence.

SIEMs in depth

Benefits

What are the benefits of adopting a rigorous approach to protective monitoring and deploying a fully integrated security intelligence solution?

Defence and Risk Management – it will be effective in detecting, responding to, investigating and defending against cyber attacks. There will be a direct business benefit as the risks of losses to important business assets will be reduced, the organisation’s valuable intellectual property will be protected, the organisation’s reputation is protected and enhanced, and insurance premiums may also reduce as “no claims” periods increase.

An effective Security Intelligence platform ideally enables a streamlined workflow, delivering automation wherever possible. If an organization can optimize its efficiency in performing these critical steps in the detect/respond cycle, it can reduce its Mean-Time-To-Detect (MTTD) and Mean-Time-To-Respond (MTTR) and thus reduce its exposure to risk.

Compliance – with cyber security best practices and both government and commercial standards. Demonstration to customers, auditors, regulators, IA authorities and other stakeholders that they are exercising due diligence and a duty of care. Opportunities for new business should expand as the organisation can appeal to customers with raised information security expectations.

Improvement – by incorporating an effective feedback strategy that includes learning lessons from previous security incidents and attacks, improvements of the cyber security posture can be achieved on an on-going basis. This is assisted through the appropriate implementation of a protective monitoring regime and use of SIEM technology that can reduce the Mean-Time-To-Detect and Mean-Time-To-Respond, and automatically produce meaningful statistical data, thus tracking effective improvement on a month by month basis.

Situational awareness – use of protective monitoring techniques and provision of security intelligence through SIEM technology provides the ability to correlate, visualize, and analyze event data in order to develop actionable insight into threats that pose real harm to the organization, and to build a more proactive defence for the future, whilst also providing near real-time displays of the organisation’s exact cyber environment. The technology has rapidly evolved so that it can now enable, for those organisations that require it, a 24/7 view on the health of their IT systems and the attacks that are being directed against them. It has enabled commercial organisations to establish specialised security operations centres to provide a protective monitoring capability to both public and private sector organisations alike. Collaborative enterprises can link operations centres to provide national and trans-national intelligence pictures of cyber space and allow secure exchange of attack and security incident information.

Increased accountability – protective monitoring techniques and advanced reporting capabilities allow organisations to track and account for their information assets in the same way as GPS trackers and RFID tags can help track physical assets. Where it is required, the microscope can be turned on user activity and changes to information. This is of particular value to organisations that are in the information business: especially those with high value intellectual property to protect or in the finance sector where financial instruments only exist in cyberspace.

Business requirements

What are some of the key requirements that an organisation needs to satisfy in developing an effective protective monitoring solution?

Facilitation – the solution must readily and effectively implement the organisation’s strategy and its policy, and support its compliance objectives.

Sophistication – organisations need solutions architected by subject matter experts, who can remain ahead of the attackers and can build and maintain effective defences to detect and defeat the most complex forms of cyber attack.

Usability – the sophistication needs to be contained within the solution; externally it needs to be easy to operate and produce meaningful output that can be useful not just to specialists but to management at any level.

Performance – the solution needs to respond with a performance equal to the dynamics of real-world attacks, which can develop second by second.

Diversity – the solution must cater for the complexity of any organisation’s IT estate, being able to be introduced with the minimum level of disruption and to cater equally for both new and legacy systems within a heterogeneous technology environment.

Automation – the solution has to be efficient to operate with minimal manpower overheads. It has to make what used to be complex tasks simple. It must provide integrated workflows and collaboration capabilities that expedite the analysis and response process, and automation in support of incident response processes and the deployment of countermeasures.

Cost-effectiveness – the solution needs to be affordable and provide a positive business case for implementation.

Adaptability – the solution must be able to adapt to change: organisational change and changes to cyber threats and attack techniques. Any solution needs to have at least a 5 year life span.

Scalability – the solution must have no artificial limits that constrain its application; it should be easy to grow as an enterprise grows.

Applicable principles, guidelines and standards

UK Government policies, standards and guidelines are continuing to evolve to support its Digital First strategy. The Government Digital Service (GDS) and CESG are driving this change in accordance with their ‘Principles of Effective Cyber Security Risk Management’ [8]. These principles and the majority of Government Information Security policy and guidance developed in accordance with the Security Policy Framework (SPF) [9] have been published on the www.gov.uk website.

The SPF defines the expectations of how HMG organisations and third parties handling HMG information and other assets will apply protective security to ensure HMG can function effectively, efficiently and securely. Examples of the expectations include:

• Mechanisms and trained specialists to analyse threats, vulnerabilities, and potential impacts which are associated with business activities

• The detection and correction of malicious behaviour

• The ability to facilitate a rapid and effective response to recover from incidents

• Arrangements to determine and satisfy themselves that Delivery Partners, service providers and third party suppliers also apply proper security controls.


SIEM technologies can also assist in other aspects of SPF compliance including:

• SIEMs support incident investigations and can be of particular value in attaining forensic readiness. The guidance is described in GPG 18 [10] and detailed planning requirements are defined in the companion CESG Implementation Guide No. 18 [11]

• SIEMs collect and analyse logs from malware reporting systems forming part of an architecture designed to conform with the guidance given in GPG 7 [12]

• SIEMs link to firewalls, intrusion detection systems, business application / systems, de-militarized zone services (including remote access) and secure remote end points to provide sophisticated near real-time reporting of attacks at the organisational boundary with the internet. It can therefore assist in protecting public sector internet connections, which need to observe the guidance given in GPG 8 [13], and remote working solutions, given in GPG 10 [14]

• SIEMs can also interface to web proxy services and receive reports of user browsing. This can enable monitoring and policing, in accordance with organisation policies, of staff access to external online social networking sites, CESG guidance for this being covered in GPG 27 [15]

• The reporting functions of SIEMs can analyse threats over time. This can be utilised in developing organisation specific threat pictures (short and long term), which can be used in conjunction with the guidance given in Technical Threat Briefing No. 1 [16] to directly feed current and accurate threat information into formal risk assessment

• SIEMs can assist with internal accounting and the “insider” threat (as well as detecting cyber intruders): agents can be used to monitor business critical servers, storage networks, etc., and this complements CESG guidance given in GPG 35 [17].

It can be clearly seen that the implementation of a SIEM meets many of the SPF Good Practice requirements and that SIEMs can have a significant role in assisting compliance in the public sector environment.

PSN Codes of Connection, Practice and Interconnection

Before an organisation can connect to the PSN it needs to pass the PSN compliance process. This is intended to demonstrate to Government that the organisation’s infrastructure is sufficiently secure and that its connection to the PSN would not present an unacceptable risk to the security of the network. The Information Assurance (IA) requirements have been designed to provide an achievable and sensible baseline for security. Along with these IA requirements, the organisation will also need to make a number of commitments about how it will work with Government to ensure the ongoing security of the PSN. A tailored set of conditions has been developed for the three specific types of organisation. These include:

• Code of Connection [7]: Organisations wishing to connect to and consume services

• Code of Practice [18]: Organisations wishing to provide services over the PSN

• Code of Interconnection [19]: Organisations wishing to provide the PSN Connectivity Service.

Implementing a Protective Monitoring Solution

To implement a protective monitoring solution an organisation needs to invest in the technology, the staffing, skills, independent advice and implementation expertise after having first identified and developed the requirements. Naturally this is a significant commitment and needs to be instituted as a fully funded programme or project supported at the board level, commencing with a feasibility study and business case development.

Each organisation should develop a protective monitoring policy that outlines the support and commitment given to the policy and that defines the associated roles and responsibilities. It can be expected that medium size organisations would need at least a full time equivalent to fulfil the role; larger organisations may appoint a dedicated team and have a dedicated security operations centre from which to operate. Any scale of organisation has an increasing diversity of outsourcing options for security monitoring services, although UK public sector organisations need to observe HMG guidance given in Office of the Government SIRO - HMG Offshoring Policy for OFFICIAL v1.0 [20] and GPG6 [21] in this regard, especially that relating to offshoring.


One mistake to avoid is the temptation to create parallel audit and monitoring structures. It is possible to combine traditional compliance audit and security management roles to develop effective functions that serve all requirements. It is recommended that the feasibility stage includes widespread consultation with the appropriate internal and external stakeholders. However, there is still a requirement to maintain segregation of certain trusted roles and avoidance of internal conflicts of interest, such as an independence requirement for security audit functions (e.g. the IT department should not audit and monitor itself).

As part of the detailed design process it is necessary to address the key business processes that will address the protective monitoring requirement, including:

Risk management – both the infrastructure and business system risk management activities should consider protective monitoring control requirements (as per GPG 13) and select the appropriate level of logging and monitoring for selected infrastructure points and platforms. A risk assessment will help to identify the risks which can be treated by protective monitoring.

Audit logging – the outcome of the risk assessment should intelligently support the selection of audit logging requirements and parameters.

Monitoring system use – the risk assessment will also inform the requirements and nature of the level of monitoring. Integrating this will provide overall capacity requirements for the security operations functions and capacity requirements for any SIEM or central logging and log retention facility.

Information security incident management – this management function, which should already exist, will need to be closely integrated with the protective monitoring system. For public sector or Critical National Infrastructure (CNI) organisations it is also prudent to consider enrolling in or establishing a Warning, Alerting and Reporting Point (WARP) function to interface with the HMG central UK Cyber Security Incident Response Team (CSIRTUK) and GovCERTUK. An integrated platform offering end to end management of threat detection and incident response is a primary consideration for reducing the time to detect and respond to threats.

Information systems audit – despite the central online auditing capability that some SIEMs provide, the requirement for more traditional audit activities would remain; there would still be a need for auditing offline systems, and local compliance status needs to be visibly inspected. The benefit from implementing an integrated SIEM and log management solution is that many audit activities can be fully automated.

During the implementation of the project it would be necessary to further refine the processes and document the detailed procedures that support the processes. It would also be necessary to ensure all of the cyber and IA team members have been appropriately trained in the new environment and that their skills are maintained.

Larger organisations will need to implement a phased approach to implementation, especially if they extend over several sites or regions. It is important that the phases include gate reviews during which lessons learnt in one phase of implementation are passed into the next phase. Smaller organisations may also initially implement proof-of-concept or demonstrators as part of the feasibility stage.

Protective monitoring regimes and SIEMs themselves need time to bed down. Some SIEMs incorporate artificial intelligence systems that need to learn “normal” behaviour in order to deduce the “abnormal” in their environment. Other SIEMs may need gradual configuration to tailor them to all of the various business applications and network environments in use by an organisation.

Aligning with good practice

In addition to defining the PSN compliance conditions this paper also aligns LogRhythm’s SIEM capabilities with the HMG protective monitoring guidance and controls defined in GPG 13. A table at the end of the paper provides a cross-reference of the capabilities of the LogRhythm product offering matched against each control (shown in table rows). The intersection between rows and columns provides a brief description of the SIEM attributes that assist with the control implementation. In this way it can be seen that the LogRhythm SIEM can assist with implementing a GPG 13 compliant solution at any level.

Tools

It is necessary to combine a SIEM with other systems and security tools in order to provide full visibility across the environment. Examples of systems and tools that a SIEM can either integrate with or work alongside include:

Servers and Workstations – operating system logs and local event analysers. These may interface to a SIEM through either open protocols, for instance SNMP, syslog or SFTP, or they may have dedicated SIEM software agents installed. Agents may be deployed to acquire logs, or to generate additional forensic data not natively generated by the operating system, providing deeper visibility and protection via fully integrated host monitoring.

Firewalls and IDS/IPS systems – may also interface to a SIEM through syslog or SIEM based firewall log interpreters, or through a central firewall management system, and intrusion detection and prevention systems. Should the firewall provide the appropriate interface, the SIEM should have the capability to automate a configuration change in response to a detected threat.

Network devices – a SIEM may receive syslog and SNMP messages either directly from network devices or from a central network management system.

Anti-malware systems – enterprise anti-malware solutions can be interfaced to a SIEM, with the SIEM being able to correlate the ingress of infections with other penetration indicators.

Database and OLTP systems – SIEM agents are supported for many common database and online transaction processing platforms, which can enable transaction level reporting.

Web services – logs from web servers and web proxies can be captured by a SIEM to allow tracking of both inbound and outbound web activity. Some SIEMs also support deep analysis at the web and web services layers.

Application servers and application firewalls – a SIEM can support agents for a variety of application server and firewall systems. Some SIEMs also support agent programming to support non-standard applications and legacy systems.

Backup and Storage systems – a SIEM may support interrogation of certain backup management systems, storage controllers and tape library systems.

Log capture and relay – log capture mechanisms are typically intrinsic to most SIEMs. A SIEM can also work with external log management systems and relays. These tools include forensic facilities to enhance captured logs with authentication checks, cryptographic hashes and digital signatures; they also allow certified copies of logs to be taken to an evidential standard.

Log analysis – one of the most important core technologies of a SIEM will be integrated log analysis capabilities that support both audit and investigative processes. A SIEM may also work with external tools to support offline analysis or analysis of archived log information.

Alerting channels – a SIEM or SIEM interface will typically support remote alerting methods including email, newsfeeds, text messaging or interfaces to an organisation’s telecommunications system to alert its staff outside of the security operations centre. A SIEM can also interface to other packages to support a common alerting framework.

Event correlation – advanced SIEM technologies include machine analytics capabilities which can combine logs and events from many different sources and, using a variety of correlation and statistical techniques, enable the detection of and response to cyber attacks early in their life cycle. Using machine analytics enables the detection of both common and previously unknown attacks. In terms of the cyber defence toolkit this can be the most important function as it can be effective in detecting and investigating the most advanced forms of attack, including Advanced Persistent Threats (APTs) and zero-day attacks.

Behavioural analysis – event correlation can be combined with behavioural analysis tools that learn network and system behaviour patterns over time and that advise on deviations from expected behaviour. These engines can also be linked to financial transaction, metering and payment systems to support fraud investigation and alerting.

Denial of service mitigation – internet carrier level solutions and services can provide solutions for enterprises that mitigate denial of service and traffic flooding attacks. Some systems can provide automatic reaction in the event of a traffic breach and provide automated management of IP black lists and white lists.

Computer network defence – increasingly there are commercially available spin-offs of military grade solutions that can potentially allow proactive response to cyber attacks to trace the attack sources, gather intelligence about the sources, positively react against attackers or even provide “honey pots” to divert the interest of the attackers.

Critically, the SIEM should be able to consume logs and events from any source, and uniformly process them in a classified and contextual form. This enables the intelligence contained in the logs to be unlocked, and to be optimally prepared for further analysis.

Developing a protective monitoring architecture

Protective monitoring can only effectively be deployed in ICT environments that adopt general IT best practices, for example ITIL [22]. Poorly implemented SIEMs may themselves be subject to information security risks or even be turned against the owning organisation during a cyber attack. Therefore, there is a requirement for formal design and assurance activities in the development and implementation of any cyber security technical solution, including solutions that incorporate SIEMs. For UK public sector solutions it is imperative that the design phase includes a risk assessment: event logs themselves are sensitive information assets and can have a different (more sensitive) information risk profile than the networks and systems they protect.

SIEMs and log management systems can amass a vast amount of data rapidly and have retention and archiving requirements that exceed normal corporate standards. In public sector systems, cyber security solutions may also be further complicated by the need to monitor information across several network domains operating at different protective marking levels. CESG have provided a specific Architectural Pattern to support audit and monitoring across security domains [23]. Figure 1 illustrates an example protective monitoring architecture that is in line with this architectural pattern: it shows two security domains which link to a dedicated audit and monitoring network that includes a SIEM as the log data repository and centralised audit and monitoring system. Data is pumped to the network via one-way connections and relays incorporating log and event message origin verification.
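The architecture above relies on two properties of the relay: it verifies the origin of each log message before it enters the audit network, and it never passes anything back in the other direction. The following Python block is an added example written for this page, not code from the whitepaper, from LogRhythm or from the CESG pattern itself: it models a relay that accepts a message only if its HMAC verifies under a key shared with the claimed source and its sequence number has not been seen before, and that records every rejection in its own audit log. Source identifiers, keys and messages are constructed for the example; in a real deployment keys would be provisioned out of band and the one-way property would be enforced by a data diode or equivalent, not by software convention.

```python
"""Added example (not from the whitepaper): a simplified relay performing log
message origin verification before a message is admitted to the dedicated
audit and monitoring network. Keys and messages are constructed."""
import hmac
import hashlib
import json

# Constructed per-source keys shared between each log source and the relay.
SOURCE_KEYS = {
    "domainA-host1": b"example-key-A-host1",
    "domainB-host7": b"example-key-B-host7",
}


def sign_message(source_id: str, seq: int, payload: str, key: bytes) -> dict:
    """Log source side: bind source id, sequence number and payload under one HMAC
    so that none of them can be altered without detection."""
    body = json.dumps({"src": source_id, "seq": seq, "msg": payload},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class OriginVerifyingRelay:
    """Relay side: only verified, strictly newer messages cross into the audit
    network. The relay has no method that returns data towards the sources,
    which is the software-level counterpart of uni-directional enforcement."""

    def __init__(self, keys):
        self.keys = keys
        self.last_seq = {}        # per-source sequence tracking (replay detection)
        self.forwarded = []       # messages that reached the audit network
        self.rejected = []        # (reason, body) kept as the relay's own audit trail

    def accept(self, envelope: dict) -> bool:
        body, tag = envelope["body"], envelope["tag"]
        try:
            fields = json.loads(body)
            src, seq = fields["src"], int(fields["seq"])
        except (ValueError, KeyError, TypeError):
            self.rejected.append(("malformed", body))
            return False
        key = self.keys.get(src)
        if key is None:
            self.rejected.append(("unknown-source", body))
            return False
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):     # constant-time comparison
            self.rejected.append(("bad-mac", body))
            return False
        if seq <= self.last_seq.get(src, 0):
            self.rejected.append(("replay", body))
            return False
        self.last_seq[src] = seq
        self.forwarded.append(fields)
        return True


def demo():
    """Exercise the relay with one genuine message and three that must be refused."""
    relay = OriginVerifyingRelay(SOURCE_KEYS)
    good = sign_message("domainA-host1", 1, "user alice logged on", SOURCE_KEYS["domainA-host1"])
    assert relay.accept(good)
    # Same envelope delivered twice: the second copy is a replay.
    assert not relay.accept(good)
    # Payload altered in transit: the MAC no longer matches.
    tampered = dict(good)
    tampered["body"] = good["body"].replace("alice", "mallory")
    assert not relay.accept(tampered)
    # Message claiming a source for which the relay holds no key.
    unknown = sign_message("domainC-host9", 1, "x", b"constructed-unknown-key")
    assert not relay.accept(unknown)
    return relay


if __name__ == "__main__":
    r = demo()
    print("forwarded:", r.forwarded)
    print("rejected:", [reason for reason, _ in r.rejected])
```

The sequence counter is what makes the verification useful beyond a bare integrity check: without it a correctly signed but old message could be re-injected into the audit network, and a jump in sequence numbers is also the relay's first indication that log flow from a source has been interrupted.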

Conclusion

This paper has demonstrated the value of an organisation implementing an effective cyber security strategy, coupled with the adoption of a protective monitoring approach underpinned by cyber defence tools, in which SIEM products and services, such as those delivered by LogRhythm, should play a significant role. This strategy will help organisations to obtain the benefits of protective security in managing risk to their information assets.

About the author

The author of this paper is an experienced IA expert working for an independent IA consultancy organisation, Amethyst Risk Management Ltd. The author has a long track record in enabling both public sector and commercial organisations to meet the rigorous requirements of the SPF and Government Departmental security policies, and also assists organisations in attaining ISO/IEC 27001 certification.

Figure 1 – Example cyber security architecture

[Figure: two sources of audit and monitoring data (Security Domain A and Security Domain B) each connect through a relay providing origin verification, with uni-directional enforcement, into a dedicated audit and monitoring network whose SIEM is the centralised audit and monitoring system. Information flow is one-way, from the security domains into the audit network.]


Acronyms

APT Advanced Persistent Threat, a class of cyber attack that is sophisticated and directed at specific organisations or facilities and that develops and persists over a long period of time

CESG Communications-Electronics Security Group, part of GCHQ, which acts as the UK national technical information assurance authority

CNI Critical National Infrastructure

CPNI Centre for the Protection of the National Infrastructure

CSIRTUK UK Cyber Security Incident Response Team, focuses on responding specifically to cyber attacks

CSOC Cyber Security Operations Centre, UK centre for monitoring of cyber attacks attached to GCHQ

GCHQ General Communications Headquarters

GDS Government Digital Service

GovCERTUK UK HMG Computer Emergency Response Team, focusing on information security breaches and also disseminating information on IT system vulnerabilities

GPG Good Practice Guide, issued by CESG

GPS Global Positioning System, including facilities in mobile devices that allow the geographic positions of physical devices to be accessed

HMG HM Government

IA Information Assurance

ICT Information and Communications Technology, the combination of IT systems and networks

IDS Intrusion Detection System, a passive ICT monitoring system that can assist in detecting an ICT based attack

IG Implementation Guide, issued by CESG

IPS Intrusion Prevention System, an active ICT monitoring system that can both detect attacks and provide a series of manual or automated responses to the attack

IT Information Technology

ITIL IT Infrastructure Library

OCSIA Office of Cyber Security and Information Assurance (formerly Office of Cyber Security (OCS)), attached to the Cabinet Office

OLTP Online Transaction Processing

PSN Public Services Network

RFID tag Radio Frequency Identification tag

SIEM Security Incident and Event Management system. A system that allows logs to be collected and analysed centrally across an enterprise, community, national or trans-national network

WARP Warning, Alerting and Reporting Point, a collaborative community entity that can be established, supported by a toolkit issued by CPNI, to provide sharing and propagation of information regarding security incidents and cyber attacks


References

[1] Understanding local cyber resilience – A guide for local governments on cyber threats and how to mitigate them, March 2015

[2] The UK Cyber Security Strategy – Protecting and promoting the UK in a digital world, November 2011

[3] A Strong Britain in an Age of Uncertainty: The National Security Strategy, October 2010

[4] 2014 Information Security Breaches, published by the Department for Business, Innovation and Skills, April 2014

[5] Data Protection: an update on reform, Information Commissioner’s Office, 2014

[6] Good Practice Guide No. 13 – Protective Monitoring for HMG ICT Systems, Issue 1.7, October 2012

[7] PSN Code of Connection (CoCo), March 2015

[8] Principles of Effective Cyber Security Risk Management, March 2015

[9] HM Government Security Policy Framework, April 2014

[10] Good Practice Guide No. 18 – Forensic Readiness Policy, CESG, Issue 1.1, September 2012

[11] Implementation Guide No. 18 – Forensic Readiness Planning, CESG, Issue 1.0, July 2011

[12] Good Practice Guide No. 7 – Protection from Malicious Code, CESG, Issue 1.1, October 2012

[13] Good Practice Guide No. 8 – Protecting External Connections to the Internet, CESG, Issue 1.0, March 2009

[14] Good Practice Guide No. 10 – Remote Working, CESG, Issue 2.2, September 2012

[15] Good Practice Guide No. 27 – Online Social Networking, CESG, Issue 1.2, February 2014

[16] Technical Threat Briefing No. 1 – Assessment of Technical Threat, Issue 1.2, December 2012

[17] Good Practice Guide No. 35 – Protecting an Internal ICT Network, CESG, Issue 2.0, August 2011

[18] PSN Code of Practice, March 2015

[19] PSN Code of Interconnection, March 2015

[20] Office of the Government SIRO – HMG Offshoring Policy for OFFICIAL v1.0, February 2015

[21] Good Practice Guide No. 6 – Outsourcing and Offshoring: Managing the Security Risks, CESG, Issue 2.1, September 2010

[22] IT Infrastructure Library

[23] Architectural Pattern – Audit and Monitoring across Security Domains, CESG, Issue 1.1, November 2012

Note: Documents issued by CESG are exempt from release or publication under the Freedom of Information Act and are only made available to IA practitioners working in the UK public sector. However, commercial organisations working with the public sector or CNI may request access to these guides by application to CESG at IA, CESG, B2h, Hubble Road, Cheltenham, Gloucestershire, GL51 0EX or [email protected].


LogRhythm SIEM: helping to implement the Protective Monitoring Controls

The following table provides an overview of how LogRhythm helps to address the GPG 13 Protective Monitoring requirements.

Table 1 – LogRhythm features that support the Protective Monitoring Controls

Rows: Protective Monitoring Controls (PMCs), each listed with the LogRhythm features that support it.
Columns: Information Risk Control Segment, in increasing rigour: AWARE, DETER, DETECT & RESIST, DEFEND.

PMC1 – Accurate time in logs
  Can be linked to a master radio clock source.
  Supports UTS validated, time-stamped collection of log files.
  Can detect and report time inaccuracies along the collection path.

PMC2 – Recording relating to business traffic crossing a boundary
  Collects malware reports and alerts at the boundary.
  Collects web activity reports and alerts.
  Policy-based violation detection, reporting and alerting, plus customisable business rules and reports, can be applied at the boundary.

PMC3 – Recording relating to suspicious activity at a boundary
  Accepts logs and alerts from all major firewall devices.
  Accepts logs and alerts from all major IDS/IPS systems.
  LogRhythm scales to an enterprise-class SIEM.

PMC4 – Recording of workstation, server or device status
  Collects malware reports and alerts centrally from individual devices.
  Supports either agent-based or agentless (syslog/SNMP) collection of logs and alerts from devices.
  Agents are customisable and support granular reporting of configuration changes and status.
  Monitoring and reporting can be fine-tuned to allow detailed file integrity activity to be monitored.

PMC5 – Recording relating to suspicious internal activity
  Tracks internal or external firewalls.
  Includes visual trend analysis tools.
  Accepts logs and alerts from host IDS agents.
  Provides sophisticated AI rules-based multi-point stateful analysis to support behaviour analysis and detection of APTs and zero-day attacks.

PMC6 – Recording relating to network connections
  Supports extraction and analysis of information from MAC, DHCP, RADIUS, LDAP and other remote access authentication systems.
  Can provide analysis of dynamic network connection information down to the service and port level.
  Can receive alerts and reports from network devices that detect lock-down or Network Access Control violations.
  Integrates with tools and devices that have wireless IDS capability.

PMC7 – Recording of session activity by user and workstation
  Provides specific and meaningful reports that de-clutter OS logon activity.
  Enables detection of changes to the security posture indicative of tampering by an intruder.
  Provides reports relating to host configuration changes and privilege escalation and use.
  Supports hundreds of third-party monitoring products to provide transaction-level accounting.

PMC8 – Recording of backup data status
  Captures backup events and storage-related events and allows rules-based correlation in reports and alerts.
  Supports robust archiving scalable to the global level, and centralised reporting and monitoring of backup, recovery, test and storage status.

PMC9 – Alerting critical events
  Supports near-real-time dashboard display with drill-down to underlying event records, and customisable alerts delivered over a selection of channels, including VPNs.
  Provides alert throttling and roll-up to de-clutter alert lists, and has an AI engine that is programmed to highlight only meaningful alerts and not OS chatter.
  Enables alert thresholds to be set and spikes to be highlighted.

PMC10 – Reporting of status of the audit system
  Provides reports on log source status and detection of loss of “heartbeats”. Records all device failures and resets.
  Records information regarding log flow and rotation. Fully automated and consistent schema rotation.
  Archive integrity is protected by cryptographic hashes. The SecondLook tool allows investigation of historic log information directly from the archive.

PMC11 – Production of sanitised and statistical management reports
  Comes with a suite of pre-packaged reports for common OS and devices. Also has an ad hoc report customiser and builder.
  Provides both graphical high-level statistical reports and detailed textual output.
  LogRhythm scales to an enterprise-class SIEM.
  It supports multi-vendor and diverse platform solutions. It can also work alongside other security products and open solutions.

PMC12 – Providing a legal framework for Protective Monitoring activities
  The combination of secure log collection, storage and archiving, cryptographic hash technology, reporting and investigation tools and access controls means that LogRhythm can support the legal framework for monitoring.
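PMC10 requires the audit system to report on its own health, and Table 1 names two supporting features: archive integrity protected by cryptographic hashes, and detection of lost "heartbeats" from log sources. The following Python block is an added example written for this page, not LogRhythm code and not a description of how LogRhythm implements either feature: it shows a minimal hash-chained archive with a verifier that locates the first altered entry, and a heartbeat check that flags sources that have gone silent for longer than an allowed interval or have never reported at all. Record contents, source names, timestamps and the 120-second silence threshold are constructed for the example.

```python
"""Added example (not from the whitepaper or LogRhythm): two checks on the
status of the audit system itself, in the spirit of PMC10: a hash-chained
archive with tamper localisation, and heartbeat-loss detection."""
import hashlib
import json

GENESIS = "0" * 64   # fixed predecessor hash for the first archive entry


def _entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of an entry covers its predecessor's hash and its own record."""
    material = prev_hash + json.dumps(record, sort_keys=True)
    return hashlib.sha256(material.encode()).hexdigest()


def chain_archive(records):
    """Build an append-only archive in which every entry commits to the one
    before it, so altering, inserting or removing any entry breaks every
    later link."""
    entries, prev = [], GENESIS
    for rec in records:
        digest = _entry_hash(prev, rec)
        entries.append({"prev": prev, "record": rec, "hash": digest})
        prev = digest
    return entries


def verify_archive(entries):
    """Return the index of the first bad entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or e["hash"] != _entry_hash(prev, e["record"]):
            return i
        prev = e["hash"]
    return -1


def missing_heartbeats(heartbeats, sources, now, max_silence):
    """heartbeats maps source -> epoch seconds of its last heartbeat.
    Return {source: seconds_silent} for sources silent longer than
    max_silence, with None for sources that never reported at all."""
    silent = {}
    for src in sources:
        last = heartbeats.get(src)
        if last is None:
            silent[src] = None
        elif now - last > max_silence:
            silent[src] = now - last
    return silent


# Constructed sample archive records (not real log data).
RECORDS = [
    {"ts": 1426155300, "src": "fw01", "msg": "DROP 203.0.113.7 -> 192.0.2.10:445"},
    {"ts": 1426155305, "src": "host1", "msg": "Accepted password for alice"},
    {"ts": 1426155310, "src": "host1", "msg": "sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls"},
]


def demo():
    """Return (intact_result, first_bad_index, silent_sources) for the sample data."""
    archive = chain_archive(RECORDS)
    intact = verify_archive(archive)                 # -1: chain is good
    tampered = json.loads(json.dumps(archive))       # deep copy, then alter entry 1
    tampered[1]["record"]["msg"] = "Failed password for alice"
    first_bad = verify_archive(tampered)             # 1: altered entry located
    silent = missing_heartbeats(
        {"fw01": 1426155310, "host1": 1426155000},   # constructed last-seen times
        ["fw01", "host1", "host2"],
        now=1426155320, max_silence=120)
    return intact, first_bad, silent


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the archive has not changed since the hashes were computed; to give the PMC12 legal-framework value that Table 1 refers to, the head hash must itself be stored or signed somewhere the archive operator cannot silently rewrite, otherwise a tamperer can simply recompute the chain.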


Produced for LOGRHYTHM INC.

Reference: ARM-694-05

Issue: V1.0

Amethyst Risk Management Ltd. 2015

The information contained in this white paper is submitted by Amethyst Risk Management Ltd (“Amethyst”). Copyright and ownership of this document are transferred to LogRhythm Inc and shall be used in accordance with the relevant agreement in place between Amethyst Risk Management and LogRhythm Inc in regard of the supply of consultancy services.

Worting House, Church Lane, Basingstoke, Hampshire, RG23 8PX

Tel: +44 (0)1256 345612 Fax: +44 (0)1256 811876

www.amethystrisk.com