WWW.LOGRHYTHM.COM
WHITEPAPER
Protective Monitoring and the UK Public Services Network (PSN)
Executive Summary
Introduction
Conducting business and delivering services online has delivered
great benefits, but there are associated risks of which customers and
the public are increasingly aware. Malicious activity and successful
attacks against organisations and government services have been so
widely publicised that they are no longer news unless the impact has
been significant. The motivation and capability of those seeking to
threaten, abuse or illegally benefit from attacking business, government
services and critical national infrastructure differ greatly, ranging
from foreign governments through to the opportunistic criminal,
hacktivist or disaffected employee [1].
Government and the services it provides to its citizens are as
much at risk as commercial organisations for the reason that
they conduct and deliver a wide range of services. Much of the
information collected and used by Government is very valuable
and classified as high risk, e.g. tax and benefit records, law
enforcement information, intelligence and military secrets and
other sensitive personal identity data that is stored in a range of
systems across Government.
The UK Government is committed to its ‘Digital First’ policy,
which is simply a concerted effort to move its services online.
It is, however, cognisant that uptake and use of these services
relies on citizens trusting Government to take care of their
personal information and ensure its security. To support this
objective Government requires its own departments, agencies
and suppliers contracted to deliver the services to comply
with HMG information security policy and guidance. In addition
to developing policy the Government has also developed
enabling capabilities that delivery organisations can use and
exploit with confidence. One such capability is the Public
Services Network (PSN). The PSN is a communications
network operated by a number of suppliers that provides
a trusted, reliable, cost-effective connectivity solution to
Government departments, agencies, local authorities, and
other bodies that work in the public sector, allowing them to
communicate and share information.
To protect the PSN, and before it is allowed to connect to or
offer services over it, an organisation must make a formal
commitment and provide assurance that they will comply
with the network conditions. One of those conditions is
the requirement to implement an effective protective
monitoring capability.
Audience
This paper is intended to be relevant to a broad audience.
The executive summary is targeted at management level,
including Senior Information Risk Owners, and assumes no prior
knowledge of the issues beyond what is discussed in the
media. The remainder of the paper provides a more in-depth and
technical view, specifically focusing on aligning requirements
to the UK Cyber Security Strategy [2] and providing an overview
of the underlying standards and guidance available to meet
the challenge. This part of the white paper is aimed at
Information Assurance (IA) experts and has a bias
towards those working in, or organisations providing services
to, the public sector. Nevertheless, the value of this guidance is
recognised beyond the public sector and is generating interest
from industry, the commercial sector and other countries.
The Cyber Threat
The Government has categorised cyber-attacks as a Tier 1 [3] threat
to the UK, and it is recognised that they cost industry and Government,
directly and indirectly, in excess of £20Bn each year. The 2014
Information Security Breaches Survey published by the Department for
Business, Innovation and Skills describes the issues in detail [4].
Regulatory controls are responding to these risks; for example, the EU is
planning to update its data protection legislation [5] to make breach
disclosure a legal requirement and to introduce the power to fine
organisations up to 5% of global turnover in the case of the most
serious breaches.
What is Protective Monitoring?
Amongst the methods and tools that can be used to detect and
counter cyber-attacks, one discipline has proved especially
effective. It was developed by CESG, the UK’s national technical
security authority, as a regime known as Protective Monitoring,
and is defined in CESG Good Practice Guide No. 13 (GPG 13: [6]).
It takes its name from Her Majesty’s Government’s (HMG’s)
approach to protective security, coupled with the monitoring
requirement. Protective monitoring is the discipline of correctly
configuring information system logs and audit trails; collecting,
auditing and analysing those logs; and scaling the level of
monitoring according to the assessed risk to the information.
This is much more than browsing a log file: it is a complete
methodology for getting it right. GPG 13 continues, perhaps
uniquely, to promote a holistic approach to protective monitoring
that is not solely focused on technology solutions.
Why is Protective Monitoring Important?
All organisations, including HMG, face a combination
of legislative, regulatory, policy and industry standards
requirements which they must satisfy. Implementation of
appropriate protective monitoring controls with their intrinsic
levels of recordkeeping and reporting can help in delivering
these requirements by providing evidence of compliance.
Organisations also need to understand what is happening on
their networks and systems to be able to detect and respond to
an attack in a timely manner. Protective monitoring also assists
in making employees accountable for their use of ICT systems.
The PSN Protective Monitoring Condition
The Cabinet Office PSN team require a commitment statement to be
signed by an appropriate person before an organisation is allowed to
connect to or offer services over the PSN. It effectively requires that the
organisation agrees to the obligations and conditions spelled out in the
relevant PSN document. The protective monitoring condition in the code
of connection [7] states that:
‘You will collect and retain event data and undertake activities
that will help you detect actual or potential security incidents.
You must have a protective monitoring policy that describes the
use cases you are aiming to detect, which can be used to define
event data collection. Your policy must include both detection
of technical attacks as well as important abuses of business
processes. These conditions do not describe any specific events
to collect or incidents to detect. The requirement is that the
business has thought about and documented its collection and
analysis requirements and that this has led to your approach to
protective monitoring and intrusion detection’.
Protective Monitoring and SIEM
For medium or large enterprises, adoption of a protective monitoring
regime is not a trivial exercise. Business critical systems may generate
high volumes of event data, and there will be many of those systems
across the enterprise: there is therefore an essential need for security
technology that can assist with Protective Monitoring. In terms of the
cyber threat this is even more important as the target of cyber-attacks
will not be known until an attack is underway. Hence, it is essential to
have technology that responds in near real-time to an attack anywhere
within an organisation’s IT estate. The class of tools that comes closest
to meeting this need is known as Security Information and Event
Management (SIEM) systems.
The SIEM should be an essential hub within an organisation, providing
holistic security intelligence, and helping them to both proactively
monitor and detect attacks whilst also aiding in investigation and
recovery, all from a single pane of glass.
Conclusion to the Executive Summary
It is by the application of a protective monitoring regime,
supported by an effective SIEM implementation from a trusted
specialist Security Intelligence company such as LogRhythm,
that the public sector and commercial medium and large
enterprises can deliver a robust cyber defence.
SIEMs in depth
Benefits
What are the benefits of adopting a rigorous approach to protective
monitoring and deploying a fully integrated security intelligence
solution?
Defence and Risk Management – it will be effective in detecting,
responding to, investigating and defending against cyber attacks.
There will be a direct business benefit as the risks of losses to
important business assets will be reduced, the organisation’s
valuable intellectual property will be protected, the
organisation’s reputation is protected and enhanced, insurance
premiums may also reduce as “no claims” periods increase.
An effective Security Intelligence platform ideally enables a
streamlined workflow, delivering automation wherever possible.
If an organization can optimize its efficiency in performing these
critical steps in the detect/respond cycle, it can reduce its Mean-
Time-To-Detect (MTTD) and Mean-Time-To-Respond (MTTR) and
thus reduce its exposure to risk.
Compliance – with cyber security best practices and both
government and commercial standards. Demonstration to
customers, auditors, regulators, IA authorities and other
stakeholders that they are exercising due diligence and a duty
of care. Opportunities for new business should expand as the
organisation can appeal to customers with raised information
security expectations
Improvement – by incorporating an effective feedback strategy
that includes learning lessons from previous security incidents
and attacks, improvements of the cyber security posture can
be achieved on an on-going basis. This is assisted through the
appropriate implementation of a protective monitoring regime
and use of SIEM technology that can reduce the Mean-Time-To-
Detect and Mean-Time-To-Respond, and automatically produce
meaningful statistical data thus tracking effective improvement
on a month by month basis
Situational awareness – use of protective monitoring
techniques and provision of security intelligence through SIEM
technology provides the ability to correlate, visualize, and
analyze event data in order to develop actionable insight into
threats that pose real harm to the organization, and to build
a more proactive defence for the future, whilst also providing
near real-time displays of the organisation’s exact cyber
environment. The technology has rapidly evolved so that it can
now enable, for those organisations that require it, a 24/7 view
on the health of their IT systems and the attacks that are being
directed against them. It has enabled commercial organisations
to establish specialised security operations centres to provide a
protective monitoring capability to both public and private sector
organisations alike. Collaborative enterprises can link operations
centres to provide national and trans-national intelligence
pictures of cyber space and allow secure exchange of attack and
security incident information
Increased accountability – protective monitoring techniques
and advanced reporting capabilities allow organisations to track
and account for their information assets in the same
way as GPS trackers and RFID tags can help track physical
assets. Where it is required, the microscope can be turned on
user activity and changes to information. This is of particular
value to organisations that are in the information business:
especially those with high value intellectual property to protect
or in the finance sector where financial instruments only exist
in cyberspace.
Business requirements
What are some of the key requirements that an organisation
needs to satisfy in developing an effective protective
monitoring solution?
Facilitation – the solution must readily and effectively
implement the organisation’s strategy, its policy, and support its
compliance objectives
Sophistication – organisations need solutions architected by
subject matter experts, who can remain ahead of the attackers
and can build and maintain effective defences to detect and
defeat the most complex forms of cyber attack
Usability – the sophistication needs to be contained within the
solution, externally it needs to be easy to operate and produce
meaningful output that can be useful not just to specialists but
management at any level
Performance – the solution needs to respond with a
performance equal to the dynamics of real-world attacks, which
can develop second by second
Diversity – the solution must cater for the complexity of any
organisations’ IT estate, being able to be introduced with the
minimum level of disruption and to be able to cater equally for
both new and legacy systems within a heterogeneous
technology environment
Automation – the solution has to be efficient to operate with
minimal manpower overheads. It has to make what used to be
complex tasks simple. It must provide integrated workflows and
collaboration capabilities that expedite the analysis and response
process, and automation in support of incident response
processes and the deployment of countermeasures
Cost-effectiveness – the solution needs to be affordable and
provide a positive business case for implementation
Adaptability – the solution must be able to adapt to change:
organisational change and changes to cyber threats and attack
techniques. Any solution needs to have at least a 5 year life span
Scalability – the solution must have no artificial limits that
constrain its application, it should be easy to grow as an
enterprise grows.
Applicable principles, guidelines and standards
UK Government policies, standards and guidelines are continuing
to evolve to support its Digital First strategy. The Government
Digital Service (GDS) and CESG are driving this change in
accordance with their ‘Principles of Effective Cyber Security
Risk Management’ [8]. These principles and the majority of
Government Information Security policy and guidance developed
in accordance with the Security Policy Framework (SPF) [9] have
been published on the www.gov.uk website.
The SPF defines the expectations of how HMG organisations and
third parties handling HMG information and other assets will
apply protective security to ensure HMG can function effectively,
efficiently and securely. Examples of the expectations include:
• Mechanisms and trained specialists to analyse threats,
vulnerabilities, and potential impacts which are associated
with business activities
• The detection and correction of malicious behaviour
• The ability to facilitate a rapid and effective response to
recover from incidents
• Arrangements to determine and satisfy themselves that
Delivery Partners, service providers and third party suppliers,
also apply proper security controls.
SIEM technologies can also assist in other aspects of SPF
compliance including:
• SIEMs support incident investigations and can be of particular
value in attaining forensic readiness. The guidance is
described in GPG 18 [10] and detailed planning requirements
defined in the companion CESG Implementation Guide
No. 18 [11]
• SIEMs collect and analyse logs from malware reporting
systems forming part of an architecture designed to conform
with the guidance given in GPG 7 [12]
• SIEMs link to firewalls, intrusion detection systems, business
applications and systems, de-militarised zone services (including
remote access) and secure remote end points to provide
sophisticated near real-time reporting of attacks at the
organisational boundary with the internet. They can therefore
assist in protecting public sector internet connections, which
need to observe the guidance given in GPG 8 [13], and remote
working solutions, for which guidance is given in GPG 10 [14]
• SIEMs can also interface to web proxy services and receive
reports of user browsing. This can enable monitoring and
policing, in accordance with organisation policies, of staff
access to external online social networking sites, CESG
guidance for this being covered in GPG 27 [15]
• The reporting functions of SIEMs can analyse threats over
time. This can be used to develop organisation-specific
threat pictures (short and long term) which, in conjunction
with the guidance given in Technical Threat Briefing No. 1 [16],
can feed current and accurate threat information directly into
formal risk assessments
• SIEMs can assist with internal accounting and the “insider”
threat (as well as detecting cyber intruders): agents can be
used to monitor business critical servers, storage networks,
etc., and this complements CESG guidance given in GPG
35 [17].
It can be clearly seen that the implementation of a SIEM meets
many of the SPF Good Practice requirements and that it
can have a significant role in assisting compliance in the public
sector environment.
PSN Codes of Connection, Practice and Interconnection
Before an organisation can connect to the PSN it needs to pass
the PSN compliance process. This is intended to demonstrate to
Government that the organisation’s infrastructure is sufficiently
secure and that its connection to the PSN would not present an
unacceptable risk to the security of the network. The Information
Assurance (IA) requirements have been designed to provide an
achievable and sensible baseline for security. Along with these
IA requirements, the organisation will also need to make a
number of commitments about how it will work with Government
to ensure the ongoing security of the PSN. A tailored set of
conditions has been developed for the three specific types of
organisation. These include:
• Code of Connection [7]: Organisations wishing to connect to
and consume services
• Code of Practice [18]: Organisations wishing to provide
services over the PSN
• Code of Interconnection [19]: Organisations wishing to
provide the PSN Connectivity Service.
Implementing a Protective Monitoring Solution
To implement a protective monitoring solution an organisation
needs to invest in the technology, the staffing, skills, independent
advice and implementation expertise after having first identified
and developed the requirements. Naturally this is a significant
commitment and needs to be instituted as a fully funded
programme or project supported at the board level, commencing
with a feasibility study and business case development.
Each organisation should develop a protective monitoring policy
that outlines the support and commitment given to the policy
and that defines the associated roles and responsibilities. It
can be expected that medium size organisations would need at
least a full time equivalent to fulfil the role; larger organisations
may appoint a dedicated team and have a dedicated security
operations centre from which to operate. Any scale of
organisation has an increasing diversity of outsourcing options
for security monitoring services, although UK public sector
organisations need to observe HMG guidance given in Office of
the Government SIRO - HMG Offshoring Policy for OFFICIAL v1.0
[20] and GPG6 [21] in this regard, especially that relating
to offshoring.
One mistake to avoid is the temptation to create parallel
audit and monitoring structures. It is possible to combine
traditional compliance audit and security management roles
to develop effective functions that serve all requirements. It is
recommended that the feasibility stage includes widespread
consultation with the appropriate internal and external
stakeholders. However, there is still a requirement to maintain
segregation of certain trusted roles and avoidance of internal
conflicts of interest, such as an independence requirement for
security audit functions (e.g. the IT department should not audit
and monitor itself).
As part of the detailed design process it is necessary to address
the key business processes that will address the protective
monitoring requirement, including:
Risk management – both the infrastructure and business
system risk management activities should consider protective
monitoring control requirements (as per GPG 13) and select
the appropriate level of logging and monitoring for selected
infrastructure points and platforms. A risk assessment will
help to identify the risks which can be treated by protective
monitoring
Audit logging – the outcome of the risk assessment should
intelligently support the selection of audit logging requirements
and parameters
Monitoring system use – the risk assessment will also inform
the requirements and nature of the level of monitoring.
Integrating this will provide overall capacity requirements for the
security operations functions and capacity requirements for any
SIEM or central logging and log retention facility
Information security incident management – this management
function, which should already exist, will need to be closely
integrated with the protective monitoring system. For public
sector or Critical National Infrastructure (CNI) organisations it
is also prudent to consider enrolling in or establishing a Warning,
Advice and Reporting Point (WARP) function to interface with
the HMG central UK Cyber Security Incident Response Team
(CSIRTUK) and GovCERTUK. An integrated platform offering end-to-end
management of threat detection and incident response
is a primary consideration for reducing the time to detect and
respond to threats.
Information systems audit – despite the central online auditing
capability that some SIEMs provide, the requirement for more
traditional audit activities would remain; there would still be a
need for auditing offline systems and local compliance status
needs to be visibly inspected. The benefit from implementing an
integrated SIEM and log management solution is that many audit
activities can be fully automated.
During the implementation of the project it would be necessary
to further refine the processes and document the detailed
procedures that support the processes. It would also be
necessary to ensure all of the cyber and IA team members have
been appropriately trained in the new environment and that
their skills are maintained.
Larger organisations will need to implement a phased approach
to implementation, especially if they extend over several sites
or regions. It is important that the phases include gate reviews
during which lessons learnt in one phase of implementation
are passed into the next phase. Smaller organisations may also
initially implement proof-of-concept or demonstrators as part of
the feasibility stage.
Protective monitoring regimes and SIEMs themselves need
time to bed down. Some SIEMs incorporate artificial intelligence
systems that need to learn “normal” behaviour in order to
deduce the “abnormal” in their environment. Other SIEMs may
need gradual configuration to tailor them to all of the various
business applications and network environments in use by
an organisation.
Aligning with good practice
In addition to defining the PSN compliance conditions this
paper also aligns LogRhythm’s SIEM capabilities with the HMG
protective monitoring guidance and controls defined in GPG
13. A table at the end of the paper provides a cross-reference
of the capabilities of the LogRhythm product offering matched
against each control (shown in table rows). The intersection
between rows and columns provides a brief description of the
SIEM attributes that assist with the control implementation. In
this way it can be seen that the LogRhythm SIEM can assist with
implementing a GPG 13 compliant solution at any level.
Tools
It is necessary to combine an SIEM with other systems and
security tools in order to provide a full visibility across the
environment. Examples of systems and tools that an SIEM can
either integrate with or work alongside include:
Servers and Workstations – operating system logs and local
event analysers. These may interface to a SIEM through
open protocols such as SNMP, syslog or SFTP, or they may
have dedicated SIEM software agents installed. Agents may be
deployed to acquire logs, or to generate additional
forensic data not natively generated by the operating system,
providing deeper visibility and protection via fully integrated
host monitoring.
Firewalls and IDS/IPS systems – firewalls may interface to
a SIEM through syslog, through SIEM-based firewall log interpreters
or through a central firewall management system; intrusion
detection and prevention systems interface in the same way.
Should the firewall provide the appropriate interface, the SIEM
should have the capability to automate a configuration change in
response to a detected threat
Network devices – a SIEM may receive syslog and snmp
messages either directly from network devices or from a central
network management system
Anti-malware systems – enterprise anti-malware solutions can
be interfaced to an SIEMs, with the SIEM being able to correlate
the ingress of infections with other penetration indicators
Database and OLTP systems – SIEM agents are supported
for many common database and online transaction processing
platforms that can enable transaction level reporting
Web services – logs from web servers and web proxies can
be captured by an SIEM to allow tracking of both inbound and
outbound web activity. Some SIEMs also support deep analysis
at the web and web services layers
Application servers and application firewalls – a SIEM can
support agents for a variety of application server and firewall
systems. Some SIEMs also support agent programming to
support non-standard applications and legacy systems
Backup and Storage systems – a SIEM may support
interrogation of certain backup management systems, storage
controllers and tape library systems
Log capture and relay – log capture mechanisms are typically
intrinsic to most SIEMs. A SIEM can also work with external log
management systems and relays. These tools include forensic
facilities to enhance captured logs with authentication checks,
cryptographic hashes and digital signatures; they also allow
certified copies of logs to be taken to an evidential standard
Log analysis – one of the most important core technologies of a
SIEM will be integrated log analysis capabilities that support both
audit and investigative processes. A SIEM may also work with
external tools to support offline analysis or analysis of archived
log information
Alerting channels – a SIEM or SIEM interface will typically
support remote alerting methods including email,
newsfeeds, text messaging or interfaces to an organisation’s
telecommunications system to alert its staff outside of the
security operations centre. A SIEM can also interface to other
packages to support a common alerting framework
Event correlation – advanced SIEM technologies include machine
analytics capabilities which can combine logs and events from
many different sources and, using a variety of correlation and
statistical techniques, enable the detection of and response to
cyber attacks early in their life cycle. Machine analytics can
detect both common and previously unseen attack patterns.
In terms of the cyber defence toolkit this can be the most
important function, as it can be effective in detecting and
investigating the most advanced forms of attack, including
Advanced Persistent Threats (APTs) and zero-day attacks
Behavioural analysis – event correlation can be combined
with behavioural analysis tools that learn network and system
behaviour patterns over time and that advise on deviations from
expected behaviour. These engines can also be linked to financial
transaction, metering and payment systems to support fraud
investigation and alerting
Denial of service mitigation – internet carrier level solutions
and services can provide solutions for enterprises that mitigate
denial of service and traffic flooding attacks. Some systems can
provide automatic reaction in the event of a traffic breach and
provide automated management of IP black lists and white lists
Computer network defence – increasingly there are
commercially available spin-offs of military grade solutions that
can potentially allow proactive response to cyber attacks to
trace the attack sources, gather intelligence about the sources,
react against attackers or provide “honey pots” to divert the
interest of the attackers. Any active response must stay within
the law: in the UK, unauthorised access to or interference with
another party’s computer is an offence under the Computer Misuse
Act 1990, so such measures should be confined to the organisation’s
own estate unless properly authorised.
Critically, the SIEM should be able to consume logs and events
from any source, and uniformly process them in a classified
and contextual form. This enables the intelligence contained
in the logs to be unlocked, and to be optimally prepared for
further analysis.
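As an added illustration of the normalise-then-correlate step just described, the Python below is example code written for this edit (it is not LogRhythm’s product code and was not part of the original paper). It parses sshd syslog lines into a common event schema and applies one correlation rule: a burst of failed logins from a single source address followed, within a time window, by a successful login from that same address. The log lines, hostnames, addresses and the threshold of five failures in 120 seconds are all constructed for the example; a real deployment would take its thresholds from the use cases documented in the protective monitoring policy.

```python
"""Added example: normalise sshd syslog lines and correlate a burst of
failed logins with a subsequent successful login from the same source.
Written for this edit; not code from the original paper or from LogRhythm."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines for the example; not captured from any real system.
SAMPLE_LOGS = """\
2014-10-01T09:00:01Z web01 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
2014-10-01T09:00:05Z web01 sshd[2101]: Failed password for root from 203.0.113.7 port 50123 ssh2
2014-10-01T09:00:09Z web01 sshd[2103]: Failed password for root from 198.51.100.9 port 40001 ssh2
2014-10-01T09:00:12Z web01 sshd[2104]: Failed password for invalid user test from 203.0.113.7 port 50124 ssh2
2014-10-01T09:00:20Z web01 sshd[2105]: Failed password for deploy from 203.0.113.7 port 50125 ssh2
2014-10-01T09:00:31Z web01 sshd[2106]: Accepted publickey for alice from 192.0.2.10 port 51000 ssh2
2014-10-01T09:00:40Z web01 sshd[2107]: Failed password for deploy from 203.0.113.7 port 50126 ssh2
2014-10-01T09:00:55Z web01 sshd[2108]: Accepted password for deploy from 203.0.113.7 port 50127 ssh2
2014-10-01T09:01:10Z web01 kernel: IPT-DROP IN=eth0 SRC=198.51.100.9 DST=10.0.0.5 PROTO=TCP DPT=23
""".splitlines()

# Matches both "Failed password for [invalid user] X from IP" and "Accepted <method> for X from IP".
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>\S+) port \d+"
)


def normalise(line):
    """Map one raw sshd line onto a common event schema; None for lines from other sources."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "user": m["user"],
        "src_ip": m["src_ip"],
        "outcome": "failure" if m["outcome"] == "Failed" else "success",
    }


def correlate(lines, threshold=5, window_s=120):
    """Alert when >= threshold failures from one source address are followed,
    within window_s seconds, by a successful login from that same address."""
    recent = defaultdict(deque)  # src_ip -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = normalise(line)
        if ev is None:
            continue  # unparsed source: a real SIEM would route it to another parser
        q = recent[ev["src_ip"]]
        while q and (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that have aged out of the window
        if ev["outcome"] == "failure":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "rule": "brute_force_then_success",
                "host": ev["host"],
                "src_ip": ev["src_ip"],
                "user": ev["user"],
                "failures": len(q),
                "first_failure": q[0].isoformat(),
                "success_at": ev["ts"].isoformat(),
            })
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

The kernel line is deliberately left unparsed to show that normalisation is per source: each log source needs its own parser feeding the same schema before correlation across sources is possible. Tightening the window to 30 seconds makes the same data produce no alert, which is the tuning trade-off the policy has to settle.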
Developing a protective monitoring architecture
Protective monitoring can only be deployed effectively in ICT
environments that adopt general IT best practices, for example
ITIL [22]. Poorly implemented SIEMs may themselves be subject
to information security risks, or even be turned against the
owning organisation during a cyber attack: a compromised SIEM
gives an attacker a consolidated view of the estate and the means
to suppress or alter the evidence of their activity. There is
therefore a requirement for formal design and assurance activities
in the development and implementation of any cyber security
technical solution, including solutions that incorporate SIEMs.
For UK public sector solutions it is imperative that the design
phase includes a risk assessment: event logs themselves are
sensitive information assets and can have a different (more
sensitive) information risk profile than the networks and systems
they protect.
SIEMs and log management systems can amass a vast amount of
data rapidly and have retention and archiving requirements that
exceed normal corporate standards. In public sector systems,
cyber security solutions may be further complicated by the
need to monitor information across several network domains
operating at different protective marking levels. CESG has
provided a specific Architectural Pattern to support audit and
monitoring across security domains [23]. Figure 1 provides an
illustration of an example protective monitoring architecture that
is in line with this architectural pattern: it shows two security
domains which link to a dedicated audit and monitoring network
that includes a SIEM as the log data repository and analysis system.
Data is pushed to the audit network via one-way connections and
relays that incorporate log and event message origin verification,
so that a compromised source domain can neither reach back into
the audit network nor inject events purporting to come from
another source.
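The relay with origin verification, and the evidential log copies mentioned under “Log capture and relay” above, can be illustrated with a small hash chain. The Python below is an added example written for this edit (not the paper’s or LogRhythm’s code): the relay seals each event with a keyed tag computed over the previous record’s tag, the sequence number and the event, and the audit network verifies that the chain is unbroken, in order and keyed by the expected relay. HMAC-SHA256 with a shared per-relay key stands in here for the digital signature a production relay would use; the key, relay identifier and events are constructed for the example.

```python
"""Added example (not from the paper or LogRhythm): hash-chained, keyed
log records for origin verification and tamper detection at a relay."""
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # fixed starting point of every chain

# Constructed for the example: per-relay key and sample events. A real relay
# would sign with a private key provisioned through proper key management.
RELAY_KEY = b"example-key-for-relay-domain-a"
SAMPLE_EVENTS = [
    {"ts": "2014-10-01T09:00:01Z", "host": "web01", "msg": "sshd: Failed password for root from 203.0.113.7"},
    {"ts": "2014-10-01T09:00:55Z", "host": "web01", "msg": "sshd: Accepted password for deploy from 203.0.113.7"},
    {"ts": "2014-10-01T09:01:10Z", "host": "web01", "msg": "sudo: deploy : COMMAND=/bin/bash"},
]


def _canonical(event):
    """Stable byte encoding so relay and verifier hash identical input."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(key, prev, seq, event):
    """HMAC over previous tag || sequence number || canonical event."""
    return hmac.new(key, prev + seq.to_bytes(8, "big") + _canonical(event), hashlib.sha256).digest()


def seal(events, key, relay_id):
    """Relay side: wrap events in chained, keyed records ready for one-way transfer."""
    records, prev = [], GENESIS
    for seq, event in enumerate(events):
        tag = _tag(key, prev, seq, event)
        records.append({"relay": relay_id, "seq": seq, "prev": prev.hex(), "event": event, "mac": tag.hex()})
        prev = tag
    return records


def verify(records, key):
    """Audit-network side: (True, None) if every record is in order, chained to its
    predecessor and keyed with `key`; otherwise (False, seq of the first bad record)."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or bytes.fromhex(rec["prev"]) != prev:
            return False, expected_seq  # gap, reorder or deletion
        tag = _tag(key, prev, expected_seq, rec["event"])
        if not hmac.compare_digest(tag, bytes.fromhex(rec["mac"])):
            return False, expected_seq  # edited event or wrong origin key
        prev = tag
    return True, None


def tamper(records, seq, new_msg):
    """Simulated attacker: return a copy with one event body rewritten."""
    altered = copy.deepcopy(records)
    altered[seq]["event"]["msg"] = new_msg
    return altered


if __name__ == "__main__":
    recs = seal(SAMPLE_EVENTS, RELAY_KEY, "relay-domain-a")
    print("intact:          ", verify(recs, RELAY_KEY))
    print("record 1 edited: ", verify(tamper(recs, 1, "sshd: Failed password for deploy"), RELAY_KEY))
    print("record 1 deleted:", verify(recs[:1] + recs[2:], RELAY_KEY))
    print("wrong origin key:", verify(recs, b"other-key"))
    print("tail truncated:  ", verify(recs[:2], RELAY_KEY))
```

Two points follow from the last line of the demonstration. A chain on its own cannot detect that its tail has been cut off, so the “certified copy” the paper mentions needs the final tag (or record count) recorded out of band at the time the copy is taken. And because the link into the audit network is one-way, the verifier cannot ask the relay anything; the relay’s key or certificate has to be provisioned to the audit network in advance.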
Conclusion
This paper has demonstrated the value of an organisation
implementing an effective cyber security strategy, coupled
with the adoption of a protective monitoring approach
underpinned by cyber defence tools, among which SIEM products and
services, such as those delivered by LogRhythm, should play a
significant role. This strategy will help organisations to obtain
the benefits of protective security in managing risk to their
information assets.
About the author
The author of this paper is an experienced IA expert working
for an independent IA consultancy organisation, Amethyst
Risk Management Ltd. The author has a long track record in
enabling both public sector and commercial organisations to meet
the rigorous requirements of the SPF and Government Departmental
security policies, and also assists organisations in attaining ISO/
IEC 27001 certification.
Figure 1 – Example cyber security architecture. The diagram shows two
sources of audit and monitoring data (Security Domain A and Security
Domain B). Each passes its logs through a relay providing origin
verification and then through a uni-directional enforcement point into
a dedicated audit and monitoring network, where the SIEM acts as the
centralised audit and monitoring system. Information flows one way
only, from the source domains into the audit network.
Acronyms
APT Advanced Persistent Threat, a class of cyber attack that is sophisticated and directed at specific organisations or facilities and that develops and persists over a long period of time
CESG Communications-Electronics Security Group, part of GCHQ and the UK national technical information assurance authority
CNI Critical National Infrastructure
CPNI Centre for the Protection of the National Infrastructure
CSIRTUK UK Cyber Security Incident Response Team, focuses on responding specifically to cyber attacks
CSOC Cyber Security Operations Centre, UK centre for monitoring of cyber attacks attached to GCHQ
GCHQ General Communications Headquarters
GDS Government Digital Service
GovCERTUK UK HMG Computer Emergency Response Team, focussing on information security breaches and also disseminating information on IT system vulnerabilities
GPG Good Practice Guide, issued by CESG
GPS Global Positioning System, including facilities in mobile devices that allow the geographic positions of physical devices to be accessed
HMG HM Government
IA Information Assurance
ICT Information and Communications Technology, the combination of IT systems and networks
IDS Intrusion Detection System, a passive ICT monitoring system that can assist in detecting an ICT based attack
IG Implementation Guide, issued by CESG
IPS Intrusion Prevention System, an active ICT monitoring system that can both detect attacks and provide a series of manual or automated responses to the attack
IT Information Technology
ITIL IT Infrastructure Library
OCSIA Office of Cyber Security and Information Assurance (formerly Office of Cyber Security (OCS)), attached to the Cabinet Office
OLTP Online Transaction Processing
PSN Public Services Network
RFID tag Radio Frequency Identification tag
SIEM Security Incident and Event Management system, a system that allows logs to be collected and analysed centrally across an enterprise, community, national or trans-national network
WARP Warning, Alerting and Reporting Point, a collaborative community entity that can be established, supported by a toolkit issued by CPNI, to provide sharing and propagation of information regarding security incidents and cyber attacks
References
[1] Understanding local cyber resilience – A guide for local governments on cyber threats and how to mitigate them, March 2015
[2] The UK Cyber Security Strategy - Protecting and promoting the UK in a digital world, November 2011
[3] A Strong Britain in an Age of Uncertainty: The National Security Strategy, October 2010
[4] 2014 Information Security Breaches published by the Department for Business Innovation and Skills, April 2014
[5] Data Protection: an update on reform, Information Commissioner’s Office 2014
[6] Good Practice Guide No. 13 – Protective Monitoring for HMG ICT Systems, Issue 1.7, October 2012
[7] PSN Code of Connection (CoCo), March 2015
[8] Principles of Effective Cyber Security Risk Management, March 2015
[9] HM Government Security Policy Framework, April 2014
[10] Good Practice Guide No. 18 – Forensic Readiness Policy, CESG, Issue 1.1 September 2012
[11] Implementation Guide No. 18 – Forensic Readiness Planning, CESG, Issue 1.0, July 2011
[12] Good Practice Guide No. 7 – Protection from Malicious Code, CESG, Issue 1.1, October 2012
[13] Good Practice Guide No. 8 – Protecting External Connections to the Internet, CESG, Issue 1.0, March 2009
[14] Good Practice Guide No. 10 – Remote Working, CESG, Issue 2.2, September 2012
[15] Good Practice Guide No. 27 – Online Social Networking, CESG, Issue 1.2, February 2014
[16] Technical Threat Briefing No. 1 – Assessment of Technical Threat, Issue 1.2, December 2012
[17] Good Practice Guide No. 35 – Protecting an Internal ICT Network, CESG, Issue 2.0, August 2011
[18] PSN Code of Practice, March 2015
[19] PSN Code of Interconnection, March 2015
[20] Office of the Government SIRO - HMG Offshoring Policy for OFFICIAL v1.0, February 2015
[21] Good Practice Guide No. 6 – Outsourcing and Offshoring: Managing the Security Risks, CESG, Issue 2.1, September 2010
[22] IT Infrastructure Library
[23] Architectural Pattern – Audit and Monitoring across Security Domains, CESG, Issue 1.1, November 2012
Note: Documents issued by CESG are exempt from release or publication under the Freedom of Information Act and are only made available to IA practitioners working in the UK public sector. However, commercial organisations working with the public sector or CNI may request access to these guides by application to CESG at IA, CESG, B2h, Hubble Road, Cheltenham, Gloucestershire, GL51 0EX or [email protected].
LogRhythm SIEM: helping to implement the Protective Monitoring Controls
The following table provides an overview of how LogRhythm helps to address the GPG 13 Protective Monitoring requirements.
Table 1 – LogRhythm features that support the Protective Monitoring Controls
Protective Monitoring Controls (PMCs)
Columns in the original table (Information Risk Control Segment, in increasing rigour): AWARE, DETER, DETECT & RESIST, DEFEND
PMC1 – Accurate time in logs
• Can be linked to a master radio clock source
• Supports UTS validated, time-stamped collection of log files
• Can detect and report time inaccuracies along the collection path
PMC2 – Recording relating to business traffic crossing a boundary
• Collects malware reports and alerts at the boundary
• Collects web activity reports and alerts
• Policy based violation detection, reporting and alerting, plus customisable business rules and reports, can be applied at the boundary
PMC3 – Recording relating to suspicious activity at a boundary
• Accepts logs and alerts from all major firewall devices
• Accepts logs and alerts from all major IDS/IPS systems
• LogRhythm scales to an enterprise class SIEM
PMC4 – Recording of workstation, server or device status
• Collects malware reports and alerts centrally from individual devices
• Supports either agent based or agentless (syslog/SNMP) collection of logs and alerts from devices
• Agents are customisable and support granular reporting of configuration changes and status
• Monitoring and reporting can be fine tuned to allow detailed file integrity activity to be monitored
PMC5 – Recording relating to suspicious internal activity
• Tracks internal or external firewalls
• Includes visual trend analysis tools
• Accepts logs and alerts from Host IDS agents
• Provides sophisticated AI rules-based multi-point stateful analysis to support behaviour analysis and detection of APTs and zero-day attacks
PMC6 – Recording relating to network connections
• Supports extraction and analysis of information from MAC, DHCP, RADIUS, LDAP and other remote access authentication systems
• Can provide analysis of dynamic network connection information down to the service and port level
• Can receive alerts and reports from network devices that detect lock-down or Network Access Control violations
• Integrates with tools and devices that have Wireless IDS capability
PMC7 – Recording of session activity by user and workstation
• Provides specific and meaningful reports that de-clutter OS logon activity
• Enables detection of changes to the security posture indicative of tampering by an intruder
• Provides reports relating to host configuration changes and privilege escalation and use
• Supports hundreds of third party monitoring products to provide transaction level accounting
PMC8 – Recording of backup data status
• Captures backup events and storage related events and allows rules-based correlation in reports and alerts
• Supports robust archiving scalable to the global level and centralised reporting and monitoring of backup, recovery, test and storage status
PMC9 – Alerting critical events
• Supports a near-real time dashboard display with drilldown to the underlying event records
• Customisable alerts, delivered over a selection of channels, including VPNs
• Provides alert throttling and roll-up to de-clutter alert lists
• Has an AI engine that is programmed to highlight only meaningful alerts and not OS chatter
• Enables alert thresholds to be set and spikes to be highlighted
PMC10 – Reporting of status of the audit system
• Provides reports on log source status and detection of loss of "heart beats"; records all device failures and resets
• Records information regarding log flow and rotation; fully automated and consistent schema rotation
• Archive integrity protected by cryptographic hashes; the SecondLook tool allows investigation of historic log information direct from the archive
PMC11 – Production of sanitised and statistical management reports
• Comes with a suite of pre-packaged reports for common OS and devices, and also has an ad hoc report customiser and builder
• Provides both graphical high-level statistical reports and detailed textual output
• LogRhythm scales to an enterprise class SIEM
• Supports multi-vendor and diverse platform solutions, and can also work alongside other security products and open solutions
PMC12 – Providing a legal framework for Protective Monitoring activities
• The combination of secure log collection, storage and archiving, cryptographic hash technology, reporting and investigation tools and access controls means that LogRhythm can support the legal framework for monitoring
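Two of the PMC10 capabilities in the table, detecting loss of log source "heart beats" and protecting archive integrity with cryptographic hashes, are generic enough to show in working code. The example below is an added illustration, not LogRhythm's or GPG 13's own implementation: the heartbeat interval and miss tolerance, the hash-chain construction over archive segments, and the sample sources and log lines are all constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta, timezone

HEARTBEAT_INTERVAL = timedelta(minutes=5)   # assumed; a per-source value in practice
MISSED_BEATS_BEFORE_ALERT = 3               # assumed tolerance before a source is "silent"
GENESIS = b"constructed-archive-genesis"    # assumed fixed anchor for the chain


def silent_sources(last_seen, now, interval=HEARTBEAT_INTERVAL, misses=MISSED_BEATS_BEFORE_ALERT):
    """PMC10 heartbeat check: log sources whose last heartbeat is older than `misses` intervals."""
    deadline = interval * misses
    return sorted(src for src, seen in last_seen.items() if now - seen > deadline)


def chain_archive(segments, genesis=GENESIS):
    """Write side: each archived segment's record commits to the previous record's hash,
    so altering, deleting or reordering any segment breaks every later link."""
    prev = hashlib.sha256(genesis).hexdigest()
    chain = []
    for seg in segments:
        h = hashlib.sha256(prev.encode() + seg).hexdigest()
        chain.append({"prev": prev, "hash": h})
        prev = h
    return chain


def verify_archive(segments, chain, genesis=GENESIS):
    """Read side: recompute the chain from the stored segments.
    Returns -1 if every link holds, otherwise the index of the first broken link."""
    if len(segments) != len(chain):
        return min(len(segments), len(chain))   # truncation shows up at the shorter end
    prev = hashlib.sha256(genesis).hexdigest()
    for i, (seg, rec) in enumerate(zip(segments, chain)):
        h = hashlib.sha256(prev.encode() + seg).hexdigest()
        if rec["prev"] != prev or rec["hash"] != h:
            return i
        prev = h
    return -1


def run_audit_status_demo():
    """Constructed heartbeat records and archive segments exercising both checks."""
    now = datetime(2015, 3, 1, 12, 0, tzinfo=timezone.utc)
    last_seen = {                                   # constructed source -> last heartbeat
        "fw-edge-01": now - timedelta(minutes=2),   # healthy
        "ids-core-02": now - timedelta(minutes=20), # four intervals missed
        "dc-auth-01": now - timedelta(hours=3),     # long gone
    }
    silent = silent_sources(last_seen, now)

    segments = [                                    # constructed archived log segments
        b"2015-03-01T10:00 sshd[1]: accepted publickey for ops\n",
        b"2015-03-01T10:05 sudo: ops -> root\n",
        b"2015-03-01T10:10 auditd: rule change\n",
    ]
    chain = chain_archive(segments)
    intact = verify_archive(segments, chain)
    edited = list(segments)
    edited[1] = b"2015-03-01T10:05 sudo: nothing happened\n"   # tampered record
    edited_result = verify_archive(edited, chain)
    truncated_result = verify_archive(segments[:2], chain)      # last segment deleted
    return silent, intact, edited_result, truncated_result
```

In practice the chain records would be stored separately from the segments (and the head hash published or signed), otherwise whoever can rewrite the archive can rewrite the chain with it; the silent-source list is itself an event the SIEM should alert on, since a collector that stops reporting is indistinguishable from one that has been switched off.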
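The PMC9 behaviours in the table (alert throttling, roll-up, thresholds and spike highlighting) are easy to get wrong in a way that silently suppresses something important, so the following added example shows one plain implementation. It is not LogRhythm's AI engine or any product code; the ten-minute window, the threshold of five, the three-times-baseline spike rule, the always-alert rule set and the sample events are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
WINDOW = timedelta(minutes=10)          # assumed roll-up window
THRESHOLD = 5                           # assumed: a rolled-up alert fires at this count
SPIKE_FACTOR = 3                        # assumed: highlight at 3x the rule's usual count
ALWAYS_ALERT = {"malware-detected"}     # assumed: rules that throttling must never hide


def roll_up(events, window=WINDOW):
    """Count raw events per (window start, rule, host) so one line stands for many."""
    counts = defaultdict(int)
    for ts, rule, host in events:
        bucket = ts - ((ts - EPOCH) % window)   # floor the timestamp to the window start
        counts[(bucket, rule, host)] += 1
    return dict(counts)


def throttle(summary, threshold=THRESHOLD, always=ALWAYS_ALERT):
    """Drop groups under the threshold, except rules that must always surface."""
    return [(bucket, rule, host, n) for (bucket, rule, host), n in sorted(summary.items())
            if n >= threshold or rule in always]


def spikes(summary, baseline, factor=SPIKE_FACTOR):
    """Highlight groups whose count is far above the rule's usual per-window count."""
    return [(bucket, rule, host, n) for (bucket, rule, host), n in sorted(summary.items())
            if n >= factor * baseline.get(rule, 1)]


def run_alert_demo():
    """Constructed raw events: a burst of logon failures, a trickle, and one malware hit."""
    base = datetime(2015, 3, 1, 10, 0, tzinfo=timezone.utc)
    events = []   # (timestamp, rule, host)
    for minute in (1, 2, 2, 3, 5, 6, 8):            # seven failures from one workstation
        events.append((base + timedelta(minutes=minute), "auth-failure", "ws-finance-17"))
    for minute in (4, 9):                           # two failures from another, normal noise
        events.append((base + timedelta(minutes=minute), "auth-failure", "ws-hr-03"))
    events.append((base + timedelta(minutes=7), "malware-detected", "srv-file-02"))
    events.append((base + timedelta(minutes=12), "auth-failure", "ws-finance-17"))  # next window
    summary = roll_up(events)
    baseline = {"auth-failure": 2}   # assumed typical failures per window per host
    return summary, throttle(summary), spikes(summary, baseline)
```

The always-alert set is the point worth copying: throttling is a de-cluttering tool for high-volume rules, and a single malware detection or audit-disabled event must reach the analyst regardless of any count threshold.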
Produced for
LOGRHYTHM INC.
Reference: ARM-694-05
Issue: V1.0
Amethyst Risk Management Ltd. 2015
The information contained in this white paper is submitted by
Amethyst Risk Management Ltd (“Amethyst”).
Copyright and ownership of this document transferred to LogRhythm Inc and shall
be used in accordance with relevant agreement in place between Amethyst Risk
Management and LogRhythm Inc in regard of the supply of consultancy services.
Worting House, Church Lane, Basingstoke, Hampshire, RG23 8PX
Tel: +44 (0)1256 345612 Fax: +44 (0)1256 811876
www.amethystrisk.com