"... the ability to reduce the time to true incident identification to a number that is measured in seconds, versus minutes, hours or even longer"
— Rocky DeStefano, CEO, Decurity


Regulatory Compliance with NitroSecurity

Solutions for: PCI | SOX | HIPAA | FISMA



With growing threats to industrial, financial and personal information security, there has been an influx of regulation, legislation and industry standards designed to improve the way that institutions handle sensitive data. This is especially true in areas directly related to information privacy and security: the Payment Card Industry Data Security Standard (PCI DSS); the Sarbanes-Oxley Act (SOX); the Gramm-Leach-Bliley Act (GLBA); the Federal Information Security Management Act (FISMA); and the Health Insurance Portability & Accountability Act (HIPAA). To satisfy these requirements, companies must deploy systems, policies, and programs that enforce information security and information control, and that provide monitoring and reporting capabilities for corporate assets. These regulatory directives have become an immense burden and an enormous expense: companies are suddenly forced to demonstrate compliance with security requirements, both from regulatory bodies and from internal mandates. For many organizations, compliance has become a top security concern.

Compliance challenges

The breadth and depth of the various regulations spans many departmental boundaries and introduces many technological and operational challenges. Focusing solely on those challenges specific to information systems, the list narrows but remains daunting. The largest issue is undoubtedly one of capacity: even in a relatively small enterprise, there may be billions of data points that need to be stored, analyzed, and reported, both in real time and forensically. In addition, most regulations concern business processes and accountability, not bits and bytes; the collected data therefore needs to identify the events, activities, and trends that compliance auditors require.

Solving Compliance Needs with NitroSecurity

Leveraging NitroSecurity's technology, it is possible to manage the vast amount of data necessary to achieve sustainable compliance processes and controls. NitroView Enterprise Security Manager (ESM) correlates data from many information sources and produces actionable intelligence from that data, providing the foundation upon which a cost-effective, sustainable program may be built. Examining specific areas of regulatory compliance (the standards) and what an enterprise must do to meet those requirements illustrates how NitroSecurity's capabilities help meet the stringent demands of regulatory compliance.

The NitroSecurity Advantage

Sophisticated compliance auditing requires massive data collection, analysis and correlation. Massive amounts of data require either massive amounts of processing capability or correspondingly massive amounts of time. While administrators are reluctantly adapting to hour- or even day-long data queries, NitroSecurity prefers expediency and efficiency.

NitroView ESM enables log management, security event management, and network behavior analysis in real time. Whether analyzing live data from an IPS or years of historical logs and events, NitroView correlates, analyzes and displays the results of relational queries in seconds. Business auditing is easier once information analysis bottlenecks are removed. Complex data queries, event correlation, relational trend analysis, and baselining are provided in real time, even when managing massive stores of historical data. The computational efficiency of NitroView allows security professionals to investigate large amounts of data easily, eliminating the "coffee cup query" and the "let it run overnight report". In short, NitroView is an enabling tool for managing business information.

Combining the unprecedented level of performance and security intelligence with highly customizable visualization tools provides CSOs with the most elusive ingredient to successful regulatory compliance efforts: the network, user and policy information necessary to maintain an accurate business-driven audit trail. This critical data is presented in an intuitive and effective manner via NitroView, enabling companies to address compliance issues through both real-time information management and forensic investigations of stored information — easily and quickly.

Solving Specific Regulatory Challenges

NitroSecurity eliminates the painful trade-off between capacity and business applicability. After all, information security is not solely a technical issue, but a business and governance challenge. The Data Governance Council recently recommended that boards provide strategic oversight regarding information security, including:

  • Understanding the criticality of information and information security to the organization
  • Reviewing investment in information security for alignment with the business strategy and risk profile
  • Endorsing the development and implementation of a comprehensive information security program

The remainder of this document addresses four major regulations, PCI, SOX, HIPAA, and FISMA, covering the specific information security requirements of each and how NitroSecurity addresses those requirements.

Providing Protection & Visibility from "Edge to Core"

One of the inherent problems with proving compliance from a technical standpoint is that the regulations are concerned with who has access to protected data, while the data itself is accessible through a variety of means. Using a human resources database as an example, there are several paths that a user could take to access employee information. The most direct is to log into the database and retrieve it using standard SQL queries. Less direct methods include accessing the same database through desktop- or web-based applications, or the physical removal of stored database records on removable media. More malicious access might include external attacks that penetrate the corporate network and spoof user identities to gain access to records. In other words, many paths exist through and within corporate networks, and to provide accurate protection, and compliance, total visibility of the entire infrastructure is required.

This includes the databases themselves (to know what data was accessed, and how); the network (to determine the vectors used to access the database); and the network perimeter (to determine whether the access originated from outside the corporate network, or whether compromised data was transferred out through the network). In practice this means collecting network traffic information (network flows, found in the logs of switches, routers, and some intrusion prevention devices), database activity (transactions, provided by a database monitoring device), and any other relevant device logs, including server logs, host logs, application logs, firewall logs, and logs from authentication systems, directory servers, and so on.

Log Storage and Encryption Requirements

With the need for comprehensive log collection and analysis, it is no surprise that compliance obligations are a common catalyst for log management projects. In order to demonstrate that specified procedures have been followed, reports are generated from system logs. For instance, the Sarbanes-Oxley Act makes repeated reference to "controls"; this business requirement essentially calls for (among other things) an auditable process that documents access attempts on I.T. systems. By consolidating system logs from key servers, it is relatively easy to generate reports on password changes, rejected log-on attempts, or other activities that are considered part of the compliance landscape.

Partial List of Regulations & Accreditations that Use Logs:

  • Sarbanes-Oxley Act of 2002
  • Payment Card Industry Data Security Standard
  • Health Insurance Portability and Accountability Act
  • Federal Information Security Management Act
  • FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) and NIST SP 800-53
  • Gramm-Leach-Bliley Act of 1999
  • California legislation, Senate Bill 1386
  • ISO/IEC 27001 and the related International Organization for Standardization security standards
  • American Institute of Certified Public Accountants (AICPA) Statement on Auditing Standards No. 70, Service Organizations

What to Log

When scoping a log consolidation project, it is important to consider which systems should be included; some critical systems are less apparent than others. The log management infrastructure can be implemented over time, but having a reasonably accurate sense of the project's complexity and scope will ensure that the selected log management solution is adequate.

Obvious candidates for logging are key servers (Windows, UNIX, or Linux): transaction servers, database servers, web servers and e-mail servers. Network components like routers and firewalls are also high on the initial list. Most organizations can generate an inventory of these key elements with relative ease and prioritize them for inclusion in a log consolidation project.

Strategic log management should also include key systems that are frequently overlooked. These systems often represent "back doors" that attackers use as a stepping stone toward their ultimate goals. In other cases, inclusion in log management is advised from a value perspective: they record significant events that are helpful when captured.

Data Archives

Reviewing the logs of tape arrays, backup storage servers, and storage software is important from both a systems management and a security/compliance perspective. Systematic analysis of logs can confirm that the backup process completed without error (which is not always a safe assumption to make). Additionally, logs can reveal penetration attempts that indicate an attacker is targeting your backups.

Security Infrastructure

Increased reliance on security infrastructure makes it imperative to prevent attackers from penetrating the security systems themselves. Elements such as identity management servers, LDAP servers, two-factor authentication servers, proxy servers, and the like should be closely monitored to ensure they are not compromised as the early stage of an attack.

Virus protection is an interesting example of valuable application-level logging. Because virus scanning applications are notoriously unreliable, their logs should be monitored to confirm the security status of the underlying host. Log management can verify that the virus database is up to date. Early warning of a new virus can even help trigger a response to malware that is too new for effective signature updates.

Network Back Doors

Complicated network topologies may introduce system access that bypasses some defenses. Log review of Citrix implementations, modem banks, terminal access servers, or the like can provide another layer of alerting.

Data Access

The twelve requirements of PCI are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data
  4. Encrypt the transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business-need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security

Controlling data access is perhaps the most critical element of an I.T. security and compliance framework, and it may well be the hardest to do. Each company wants to safeguard its own financial data from intrusion or defacement, but many firms also need to protect data belonging to customers or partners: data that may include credit card information, personally identifiable information (PII) such as Social Security Numbers, and personal health information (PHI). Data of this sort is the target of most attempted penetrations and is the underlying reason for most compliance regulations. Additionally, a company's reputation can be significantly damaged if it fails to safeguard this kind of key data.

It is only now that an understanding of the database layer can be included in a log consolidation system. In the past, reports on database health were either limited to those within the database management console itself or limited to reports on the server that hosted the database, rather than the database itself.

Historically, logs addressed the health of the server on which the database ran - including metrics like CPU utilization, disk activity, and the like. NitroSecurity's NitroView DBM (DBM) customers receive much more relevant logs - viewing information on user access, data viewed by different users, and suspicious data access patterns that fit common attack profiles.

Combining logs of data access with system logs provides great synergies. For one, it is possible to correlate system access with database log-ins and raise an alarm when a user logs onto the database with a user ID that does not match the Windows user name. In environments with pooled connections, the system-level information can be used to derive the named user behind specific queries. Insider theft of confidential data can be identified when a DBA backs up a database outside of the scheduled routine, and that backup is then correlated to a file copy onto removable media or an FTP transfer out through the firewall.
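The two kinds of analysis described in this section, the consolidated report on rejected log-on attempts from the log storage discussion above and the cross-source correlations just described (database login versus Windows user, off-schedule backup followed by removable-media copy or FTP), can be expressed as a few rules over normalized events. The following is an added illustration, not NitroSecurity code and not a description of how NitroView implements these rules. The key=value log format, the sample events, the host names and the 02:00-04:00 backup window are all constructed here for the example.

```python
"""Added example: correlating Windows, database, host and flow logs as the
text describes. Not NitroSecurity code; the key=value line format, the sample
events and the 02:00-04:00 backup window are constructed for this example."""
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (assumed normalized key=value form). src values:
#   win  = Windows security log (4624 logon success, 4625 logon failure)
#   db   = database audit trail (login, backup)
#   host = endpoint agent (usb_write = copy to removable media)
#   flow = firewall/IPS network flow (dport=21 is an outbound FTP connection)
SAMPLE_LOGS = """\
ts=2011-03-02T01:05:10 src=win host=ws-17 event=4625 user=jdoe
ts=2011-03-02T01:05:14 src=win host=ws-17 event=4625 user=jdoe
ts=2011-03-02T01:05:19 src=win host=ws-17 event=4625 user=jdoe
ts=2011-03-02T01:06:02 src=win host=ws-17 event=4624 user=jdoe
ts=2011-03-02T01:07:30 src=db host=ws-17 event=login db_user=jdoe
ts=2011-03-02T09:12:00 src=win host=ws-22 event=4624 user=mlee
ts=2011-03-02T09:15:41 src=db host=ws-22 event=login db_user=sa
ts=2011-03-02T02:30:00 src=db host=dbsrv1 event=backup db_user=backup_svc
ts=2011-03-02T14:02:11 src=db host=dbsrv1 event=backup db_user=dba_kris
ts=2011-03-02T14:20:45 src=host host=dbsrv1 event=usb_write user=dba_kris
ts=2011-03-02T14:25:03 src=flow host=dbsrv1 event=conn dst=203.0.113.9 dport=21
"""

SCHEDULED_BACKUP_HOURS = (2, 4)   # assumed: routine backups run 02:00-04:00


def parse(text):
    """Turn key=value lines into dicts with a datetime ts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(tok.split("=", 1) for tok in line.split())
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def failed_logon_report(events, threshold=3):
    """Rejected log-on attempts per account, the kind of access report that
    a consolidated server log makes easy to produce."""
    fails = Counter(e["user"] for e in events
                    if e["src"] == "win" and e["event"] == "4625")
    return {user: n for user, n in fails.items() if n >= threshold}


def db_identity_mismatches(events):
    """Alert when a database login uses an account that does not match the
    Windows user most recently logged on to the same host."""
    last_logon = {}          # host -> most recent Windows user seen in a 4624
    alerts = []
    for e in events:         # events are time-ordered, so one pass suffices
        if e["src"] == "win" and e["event"] == "4624":
            last_logon[e["host"]] = e["user"]
        elif e["src"] == "db" and e["event"] == "login":
            os_user = last_logon.get(e["host"])
            if os_user != e["db_user"]:
                alerts.append((e["ts"], e["host"], os_user, e["db_user"]))
    return alerts


def off_schedule_backup_exfil(events, window=timedelta(minutes=30)):
    """A backup outside the scheduled window followed, on the same host, by a
    removable-media write or an outbound FTP connection within `window`."""
    lo, hi = SCHEDULED_BACKUP_HOURS
    alerts = []
    for b in events:
        if not (b["src"] == "db" and b["event"] == "backup"):
            continue
        if lo <= b["ts"].hour < hi:
            continue         # routine, in-window backup: not suspicious by itself
        followups = [(e["ts"], e["event"]) for e in events
                     if e["host"] == b["host"]
                     and b["ts"] < e["ts"] <= b["ts"] + window
                     and (e["event"] == "usb_write"
                          or (e["event"] == "conn" and e.get("dport") == "21"))]
        if followups:
            alerts.append({"host": b["host"], "db_user": b["db_user"],
                           "backup_at": b["ts"], "followups": followups})
    return alerts


if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print("failed logons:", failed_logon_report(evs))
    print("db identity mismatches:", db_identity_mismatches(evs))
    print("off-schedule backup + exfil:", off_schedule_backup_exfil(evs))
```

Run against the constructed sample, the report flags jdoe's three rejected logons, the identity rule flags the `sa` login from ws-22 where mlee is the logged-on Windows user, and the exfiltration rule flags dba_kris's 14:02 backup because a removable-media write and an FTP connection follow it from the same host within thirty minutes; the 02:30 backup inside the assumed window is ignored. A production rule would key the Windows-to-database match on the logon session rather than on "latest logon on that host", and would take the backup schedule from the backup system's own job log rather than a fixed window.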

NitroSecurity is the only log management vendor with a solution that addresses data-layer logging. By complementing NitroView with NitroView DBM, NitroSecurity's solution for data assurance, a complete logging solution consolidates data access patterns with system-layer logs.

PCI

Payment Card Industry Data Security Standard

See our companion whitepaper specific to PCI compliance

PCI was created by Visa, MasterCard and the other major card brands. The PCI Security Standards Council, the oversight body for the standard, was jointly formed by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. Compliance is required of all merchants and service providers that store, process, or transmit cardholder data, so any organization that accepts Visa or MasterCard transactions is required to comply with the PCI Data Security Standard. The program applies to all payment channels, including retail, mail/telephone order, and e-commerce. To achieve compliance, merchants and service providers must adhere to the PCI Data Security Standard, which offers a single approach to safeguarding sensitive data for all card brands.

The Payment Card Industry Standard (PCI Standard) sets out 12 basic security requirements including encryption, access control and firewalls. Noncompliance can result in fines of up to $500,000 and the loss of privilege to process credit card transactions. Accountability is ensured through auditing requirements ranging from self-assessments, to quarterly network scans, to annual onsite audits.

PCI Requirements

There are twelve security requirements mandated by PCI, designed to: Build and Maintain a Secure Network; Protect Cardholder Data; Maintain a Vulnerability Management Program; Implement Strong Access Control Measures; Regularly Monitor and Test Networks; and Maintain an Information Security Policy.

NitroSecurity addresses certain PCI requirements in an obvious manner. For example, Requirement 11.4 explicitly calls for intrusion detection and/or prevention systems, such as the NitroGuard IPS.

All PCI requirements benefit in some way from the capabilities of the NitroView DBM, NitroGuard IPS and/or the NitroView Enterprise Security Manager and NitroView ELM. The unmatched performance of the NitroSecurity solution, combined with an easy-to-use, highly configurable interface, provides the technical control required to accelerate the process of PCI Data Security Standard compliance. The NitroGuard IPS provides the tools necessary to enforce effective security policy throughout the enterprise from a centralized management console. NitroView provides a practical approach to improving security awareness, and acts as a valuable reporting resource for information security auditing.


Requirement 1. Install and maintain a firewall configuration to protect data ... Keep a current network diagram with all connections to cardholder data, including wireless networks.
NitroSecurity advantage: NitroGuard IPS includes a firewall which supplements existing firewall protection with both anomaly and signature detection capability. NitroView monitors, reports, and alerts on activity from popular firewalls. NitroView also provides multiple device discovery methods to build complete network topologies, including end-user and rogue device detection. All flow information to and from critical servers is reported.

Requirement 2. Do not use vendor-supplied defaults for system passwords and other security parameters.
NitroSecurity advantage: NitroView DBM monitors and alerts at the application source, providing automated risk assessment of system audit settings and user credentials (local and domain); reports on default accounts, deviation from password policy and security best practices; and continuously monitors changes to account passwords and access to systems and databases. In addition, NitroGuard IPS allows signature-based blocking of known default passwords and parameters.

Requirement 3. Protect stored data.
NitroSecurity advantage: NitroView DBM protects stored data at the source by monitoring all database activity directly, guarding sensitive objects such as files and database tables that may contain encryption keys by monitoring access and providing real-time alerts when there are unauthorized changes. NitroGuard IPS protects the network perimeter and critical areas within the network. NitroView ESM provides unified DBM, IPS, flow and log analysis to protect the entire network, providing visibility across all areas.

Requirement 4. Encrypt cardholder data and sensitive information across public networks.
NitroSecurity advantage: All NitroSecurity products support this initiative through encryption of data "on the wire" between NitroView and NitroGuard systems. In addition, NitroView ELM encrypts raw log files. Note that this protects the monitoring infrastructure's own traffic and archives; the cardholder-data transmissions themselves must still be encrypted by the systems that carry them.

Requirement 5. Use and regularly update anti-virus software.
NitroSecurity advantage: NitroView DBM assesses servers and workstations to ensure that anti-virus software has been installed and its processes are running; it detects and alerts when a process is stopped, and can even restart it automatically. NitroView ESM integrates these activity alerts with attack events, flows, and information from leading Vulnerability Assessment (VA) and Antivirus (AV) solutions, providing easy analysis and reporting on system patches, security levels, anti-virus software updates, and the relative risk of threat activity.

Requirement 6. Develop and maintain secure systems and applications. 6.4: Follow change control procedures for all system and software configuration changes.
NitroSecurity advantage: Systems are secured through protection at the source using NitroView DBM database activity management, at the edge with NitroGuard IPS intrusion prevention, and across the entire network using NitroView ESM. Reports are available on patch updates to Windows servers and workstations, vulnerability of systems, threats, threat response activity, and other relevant events and functions. NitroView DBM satisfies the difficult requirement of PCI 6.4 with the ability to track user and administrator sessions and reconcile them with change control tickets. Out-of-process database changes, policy violations and anomalies are also identified.

Requirement 7. Restrict access to cardholder data by business need-to-know.
NitroSecurity advantage: NitroView monitors, reports and alerts on events related to logon failures, access-denied errors, and data access policy violations, including access from unauthorized users, applications or networks to cardholder data. Identity awareness across collected event, flow and log data provides context that is otherwise difficult to acquire for reports.

Requirement 8. Assign a unique ID to each person with computer access ... ensure that actions taken on critical data and systems are performed by, and can be traced to, known and authorized users.
NitroSecurity advantage: NitroView DBM identifies the use of logon accounts by more than one individual or client, identifies expired accounts, and captures all events related to user account provisioning and privilege escalation (8.5). NitroView correlates these events with other event, flow and log activity associated with the users and accounts in question, and provides comprehensive reporting on user and account activity.

Requirement 9. Restrict physical access to cardholder data.
NitroSecurity advantage: While physical access restrictions are typically beyond the scope of a security management system, NitroSecurity can support these efforts through the collection and reporting of events from physical security systems.

Requirement 10. Audit all access to network resources and cardholder data.
NitroSecurity advantage: NitroView DBM directly monitors all access to cardholder information at the source. It logs all administrator activity by default (10.2); provides an individual user audit trail of access to cardholder data, including failed access attempts, starting and stopping of auditing processes, and changes to system objects (10.3); logs an audit trail of all access to system objects; and secures audit trails so they cannot be altered or even viewed by unauthorized personnel (10.5). NitroView ESM performs data analytics for both user and system activity, providing additional context to DBM alerts (such as identity, location within the network, and other user behavior). NitroView ELM provides compliant storage of raw log data for auditing purposes, including report acknowledgement to ensure daily review of log reports (10.6) and retention of original raw logs (10.7).

Requirement 11. 11.4: Use network intrusion detection systems, host-based intrusion detection systems and intrusion prevention systems to monitor all network traffic and alert personnel to suspected compromises. 11.5: Deploy file integrity monitoring software to alert personnel to unauthorized modification of critical system or content files ...
NitroSecurity advantage: The NitroGuard family provides network intrusion detection and prevention, database activity monitoring, and monitoring of all network traffic for security events, correlating events to network flows, device logs, and other data sources in real time. It provides "live" traffic monitoring as well as forensic event management to identify and isolate security breaches, attacks, and anomalies, and satisfies the difficult requirement of PCI 11.4, which calls for real-time monitoring of both security events and network traffic data. NitroView DBM provides continuous monitoring of critical system files and database tables to ensure their integrity. Additionally, a framework is provided for executing scripts on target servers for assessing, reporting and enforcing corporate policies.

Requirement 12. Maintain a policy that addresses information security ... Include alerts from intrusion detection, intrusion prevention, and file integrity monitoring systems.
NitroSecurity advantage: NitroSecurity's solution satisfies PCI item 12 in three ways:
  1. by providing the necessary IPS and database activity reports and alerts that must be addressed;
  2. by providing compliant storage for that data;
  3. by providing the means to produce comprehensive reports.


SOX

Sarbanes-Oxley Act


The Sarbanes-Oxley Act of 2002, named after its sponsors, US Senator Paul Sarbanes (D-MD) and Rep. Mike Oxley (R-Ohio), was passed in response to a number of major corporate and accounting scandals which had resulted in a decline of public trust in accounting and reporting practices. The SOX rules and regulations provide guidance to corporations on financial and accounting disclosure. The standard is wide reaching and covers every aspect of financial responsibility and reporting structures within an organization. In June 2003, the Securities and Exchange Commission (SEC) implemented Section 404 of the Sarbanes-Oxley Act, requiring issuers to include in their annual reports an assessment of the company's internal control over financial reporting, as well as an auditor's report on that assessment.

The specifics are summarized in section 404.3 and read as follows:

"A process designed by, or under the supervision of, the registrant's principal executive and principal financial officers, or persons performing similar functions, and effected by the registrant's board of directors, management and other personnel, to provide reasonable assurance regarding the reliability of financial reporting and the preparation of financial statements for external purposes in accordance with generally accepted accounting principles and includes those policies and procedures that:

  • Pertain to the maintenance of records that in reasonable detail accurately and fairly reflect the transactions and dispositions of the assets of the registrant;
  • Provide reasonable assurance that transactions are recorded as necessary to permit preparation of financial statements in accordance with generally accepted accounting principles, and that receipts and expenditures of the registrant are being made only in accordance with authorizations of management and directors of the registrant; and
  • Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisition, use or disposition of the registrant's assets that could have a material effect on the financial statements."

The SOX requirements ultimately rely upon large histories of data concerning user- or role-based system usage, which must be available for deep forensic analysis.

Sarbanes Oxley Requirements

SOX focuses on "internal controls" requirements, and most of what it requires is non-technical. However, two of its provisions, Sections 302 and 404, are aligned with a company's reporting structure. Although Sections 302 and 404 mainly focus on financial reporting, a migration towards IT and security reporting is occurring as new internal control procedures are implemented. These rules require corporate managers to produce annual reports detailing internal controls and procedures. With the ongoing shift towards technology reporting, there is an opportunity to leverage NitroSecurity's technologies to facilitate these regulatory requirements.


302, 404: The ability to reconstruct what actually happened to specific data, including time sequences for processing and related activities.
NitroSecurity advantage: NitroView Database Activity Manager (DBM) provides protected audit trails of all database activity, including that of privileged users. NitroView ESM performs data analytics for database activity (as detected by NitroView DBM), as well as user and system activity seen elsewhere in the network, in server logs, and in other events.

304, 306, 308: Monitor login failures against financial data sources, monitor activity by user when logins are successful, and provide reports of account activity including new and disabled accounts.
NitroSecurity advantage: NitroView DBM monitors these critical data sources directly, either via an agent or a network-based appliance. All user activity, account creation, authentication, and database operations performed on the database are logged for reporting and auditing purposes, and events are generated for further correlation and analysis of this activity. NitroView ESM correlates all database activity events, network activity events, and security events, providing reports on administrator access to financial systems, login failures, and related activity both before login (network activity) and after login (database activity).

404, 409: Create and monitor controls on systems that can impact the ability to faithfully report financial status.
NitroSecurity advantage: NitroView provides extensive attack alert and audit trail storage, which can be used to cross-reference observed behavior during forensic analysis. Combined with NitroView DBM database activity monitoring, NitroView is able to monitor both the network and the database itself, clearly indicating when financial systems are compromised, as well as who compromised the system, when, and in many cases how.

404, 409, 802: Continuous monitoring of database activity, especially high-risk activities including privileged user behavior, direct access to sensitive data stores, user privilege escalation, failed logins and failed database operations.
NitroSecurity advantage: NitroView DBM provides database access monitoring, either host-based or as a non-intrusive network appliance. NitroView DBM includes secure "audit the auditor" capabilities to ensure accurate detection and logging of privileged user behavior, account changes, schema changes, database table access, and so on. NitroView ESM performs real-time monitoring, logging, and auditing of user activity, based upon NitroView DBM events as well as additional data collected from security devices, logs, and the network itself. Using policy-based access, the data collected in the NitroView system is not accessible to the users being monitored, which provides a clear separation between the monitored users and the audit data.

409: Reporting.
NitroSecurity advantage: NitroSecurity supports the creation of reports across a wide range of SOX requirements, including those items highlighted here and any other requirement involving network activity, information access, database activity, user activity, and so on.

ISO 17799, Section A.9: Monitor and report on foreign domain activity and password events (i.e., activity across the trusted network perimeter).
NitroSecurity advantage: NitroView Enterprise Security Manager (ESM) provides correlation and reporting of foreign domain activity (from firewalls, IPS, network activity, and server logs) and password events (from server logs). NitroView Database Activity Manager (DBM) provides core password event monitoring at the database itself. This data may be used alone, or with NitroView ESM for correlation and analysis.

ISO 17799, Section A.10: Control of operational software, system test data, etc.
NitroSecurity advantage: NitroView DBM provides continuous monitoring of critical system files, database tables, and software to ensure their integrity. The DBM is able to track user and administrator sessions, detect out-of-process database changes, policy violations and anomalies, and ensure that required operational processes are running; it detects and alerts when a process is stopped, and can even restart it automatically. Additionally, a framework is provided for executing scripts on target servers for assessing, reporting and enforcing corporate policies. NitroView ESM provides analysis, correlation, and reporting of these events, which may be sourced from NitroView DBM and/or from object-level auditing on the operational software itself.

ISO 17799, Section A.12: Control of financial data and human resources data. Provide control of system audit data and collected data, including control of source code to prevent control bypass.
NitroSecurity advantage: NitroView DBM provides core control over database processes, operation, access and data, as discussed above, with further analysis provided by NitroView ESM to give context around events, such as the attack vector of unauthorized access to financial or HR data, related security violations, and other patterns useful for forensic security operations. NitroView ELM provides encryption and storage of this audit data, providing the necessary control of collected evidence.

Role- and user-based identity.
NitroSecurity advantage: NitroView ESM's integration with popular authentication systems helps ease the complexity of tracking and accounting for user authentication across the system. This includes the correlation of event, flow and log information with database activity events created by NitroView DBM, perimeter security events created by NitroGuard IPS, and internal system, host and network activity collected from routers, switches, and logs.

Create policies and procedures that identify prevention and timely detection of unauthorized acquisition, use or disposal of assets.
NitroSecurity advantage: NitroSecurity provides a complete view of user activity from the network perimeter to the database itself, providing a clear and concise system for the detection, prevention, and forensic examination of asset activity.

HIPAA

Health Insurance Portability & Accountability Act

The Health Insurance Portability & Accountability Act of 1996, Public Law 104-191, which amended the Internal Revenue Service Code of 1986, also known as the Kennedy-Kassebaum Act, requires improved efficiency in healthcare delivery by standardizing electronic data interchange, as well as the protection of confidentiality and security of health data through setting and enforcing standards.

Virtually all healthcare organizations - including all healthcare providers, health plans, public health authorities, healthcare clearinghouses, and self-insured employers - as well as life insurers, information systems vendors, various service organizations, and universities are affected by HIPAA. There are severe civil and criminal penalties for non-compliance, including fines up to $250K and/or imprisonment up to 10 years.

HIPAA Requirements

Compliance requirements are diverse, and include organizational, procedural and security standards. The Security Rule (the Security Standards and Technical Safeguards) is part of the Security Standards for the Protection of Electronic Protected Health Information provision. This standard is found at HIPAA 45 CFR Part 160 and Part 164, subparts A and C.

NitroSecurity provides a solution for the Access Control portion of the Security Rule, identified in Part 164.304 through 164.312 of the standard, where access is defined as:

"...the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource."

Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions. Rights and/or privileges should be granted to authorized users based on a set of access rules that the covered entity is required to implement as part of 164.308(a)(4), the Information Access Management Standard under the Administrative Safeguards section of the rule.

HIPAA Requirements      NitroSecurity Advantage     
HIPAA Requirement: 164.308.1 — Implement policies and procedures to prevent, detect, contain, and correct security violations.
NitroSecurity Advantage: NitroGuard IPS detects and prevents security violations at the network perimeter, or inline at other critical network junctions, isolating suspect devices either via a blacklist or VLAN isolation — automating protection and facilitating remediation.

NitroView DBM monitors the protected information at the source, alerting on database access, policy violations, transaction activity, etc.

HIPAA Requirement: 164.308.1b — Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
NitroSecurity Advantage: NitroView ESM provides log management, security event management and network behavior analysis — correlating data from each area for contextual data reporting.

HIPAA Requirement: Provide unique user access IDs and protect against disclosure of authorized information that is not permitted by the Privacy Rule, and ensure compliance by their workforce.
NitroSecurity Advantage: NitroView ESM's ability to create role-based policies provides strict access to information and monitors control over that information. Additionally, user activity is tracked via the login process. Known user information is correlated against security events and network data to help identify unauthorized access.

HIPAA Requirement: Protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI.
NitroSecurity Advantage: NitroGuard actively protects against potential electronic threats, while NitroGuard IPS and NitroView DBM provide protection and notification of threats that do occur.

HIPAA Requirement: 164.308.6 — Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents; and document security incidents and their outcomes.
NitroSecurity Advantage: Correlating security events against network flow information enables the extrapolation of: the source or root cause of an attack; additional attack targets from the same source; the contamination vector of malicious code; and even the "patient zero" source of viruses. This mitigates security incidents and helps to quickly isolate additional, related threats.

HIPAA Requirement: 164.312.b — Audit Control: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
NitroSecurity Advantage: NitroGuard IPS and NitroView DBM directly monitor inter- and intra-network activity, while NitroView ELM provides compliant mechanisms for recording this activity. In addition, NitroView ESM provides analysis and correlation capabilities that allow controllers to examine all activity together for both forensic and audit purposes.

HIPAA Requirement: 164.312.d — Entity Authentication: Implement a procedure to verify that a person or entity seeking access to electronic protected health information is the one claimed.
NitroSecurity Advantage: NitroView ELM tracks user activity within the database itself, while NitroView ESM correlates user identity through all aspects of the network for deep forensic capabilities. NitroView's integration with popular authentication systems and directories helps to ease the complexity associated with appropriately tracking and accounting for user authentication and verification.

FISMA

Federal Information Security Management Act

The Federal Information Security Management Act (FISMA) Implementation Project was established in January 2003 to produce several key security standards and guidelines required by Congressional legislation. These publications include FIPS 199, FIPS 200, and NIST Special Publications 800-53, 800-59, and 800-60. Additional security guidance documents include NIST Special Publications 800-37, 800-53, and 800-53A. These cover many aspects of security, including physical security, personnel security, contingency planning and others. Of particular importance to Security Information Managers are those FISMA controls that specifically relate to network and data security: AC (Access Control); AU (Audit and Accountability); SC (System and Communications Protection); IR (Incident Response); and SI (System and Information Integrity).

FISMA Requirements

FISMA requires each federal agency to develop, document, and implement an agency-wide program to provide security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source. The requirements of FISMA include:

  • Determine the boundaries of the system
  • Categorize information types in accordance with FIPS 199
  • Document the system
  • Perform a risk assessment
  • Select and implement a set of security controls for the system
  • Certify and accredit the system
  • Continuously monitor the system

The requirements of FISMA demand extensive data collection and analysis, potentially requiring the management of billions of events, data flows, and other data points. Further strain is imposed by the need for responsive, real-time analysis as well as historical, forensic analysis of these massive data stores, and by the correlation of these events to defined users, roles, and policies.

FISMA Requirements      NitroSecurity Advantage     
FISMA Requirement: Periodic assessments of risk, including the magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the organization.
NitroSecurity Advantage: NitroView is able to analyze user and system activity by correlating network device logs, security events, and network data. This provides valuable audit trails, and is often critical for preventing, detecting, responding to, and remediating security breaches.

NitroView ELM includes risk assessment capabilities to see exactly how each of its systems is configured, whether policy settings are in place, and whether configuration vulnerabilities are present. Additionally, the risk assessment allows for automated scanning, management and reporting.

FISMA Requirement: Risk assessment policies and procedures that cost-effectively reduce information security risks to an acceptable level, and ensure that information security is addressed throughout the life cycle of each organizational information system.
NitroSecurity Advantage: NitroView ELM is able to perform risk assessment with automated scanning and reporting features, to help reduce the cost of compliance risk assessment.

NitroView ESM combines vulnerability assessment data and known asset data with log and event data from many sources within the infrastructure, reducing risk through the reduction of false positives and more efficient mitigation and remediation.

FISMA Requirement: Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate.
NitroSecurity Advantage: NitroView's reporting capability provides a process that allows distribution of security information throughout the organization. Topology features (including device and host discovery) further facilitate this process through the accurate presentation of systems and assets.

FISMA Requirement: Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices, and controls, to be performed with a frequency depending on risk, but no less than annually.
NitroSecurity Advantage: NitroView has the ability to store and retrieve vast histories of security information data and to present this data for evaluation — including historical data analysis and audit trails for periodic evaluation.

FISMA Requirement: Procedures for detecting, reporting, and responding to security incidents.
NitroSecurity Advantage: NitroSecurity's entire solution is designed to detect, prevent, analyze and report on security incidents. NitroView DBM monitors and protects core databases and applications; NitroGuard IPS protects the network perimeter (and/or other critical network junctions); NitroView ESM provides advanced correlation and analytics for mitigation and remediation of incidents; and NitroView LogCaster provides log storage and management features for audits and "proof of compliance."

FISMA Requirement: AC-3 Access Enforcement
NitroSecurity Advantage: NitroSecurity's NitroView DBM, NitroGuard IPS, and NitroView ESM provide identity-based, role-based and rule-based policies, access enforcement mechanisms, and application-level monitoring to control access between users and organizations using user permissions, groups, virtual IPS instances and custom views.

FISMA Requirement: AC-4 Information Flow Enforcement
NitroSecurity Advantage: NitroView ESM correlates log and event data with network activity, tracking information flow and providing notification and enforcement mechanisms. NitroGuard IPS performs native collection of network flows in addition to intrusion prevention functions, and can proactively block a flow if a policy violation occurs.

FISMA Requirement: AC-17 Remote Access
NitroSecurity Advantage: NitroView ESM allows the organization to document, monitor, and control all methods of remote access (e.g., dial-up, Internet) to the information systems. Each remote access method can be classified and authorized only for the users who need that access method.

FISMA Requirement: AC-18 Wireless Access Restrictions
NitroSecurity Advantage: NitroView ESM allows the organization to establish usage restrictions and tracking for wireless technologies, and documents, monitors, and controls wireless access to the information system.

FISMA Requirement: AU-2 Auditable Events
NitroSecurity Advantage: NitroView ELM provides universal log collection, archiving, encryption, and validation for audit purposes and proof of compliance.

NitroView ESM provides further analysis of collected log data and log-generated events from LogCaster, including real-time forensic and correlation capabilities.

The checklists and configuration guides at http://csrc.nist.gov/pcig/cig.html provide recommended lists of auditable events.

FISMA Requirement: AU-3 Content of Audit Records
NitroSecurity Advantage: NitroView ELM is capable of filtering on the contents of log text and producing actionable events, either for audit or analysis purposes.

NitroView ESM is capable of correlating log data with user identity and network activity, to provide additional, detailed reports for audit events identified by type, location, or subject. It also provides the capability to centrally manage the content of audit records generated by individual components throughout the system.

FISMA Requirement: AU-4 Audit Storage Capacity
NitroSecurity Advantage: NitroView provides sufficient audit record storage capacity and configures auditing to prevent that capacity from being exceeded. Data may be stored locally on NitroSecurity appliances, or remotely using NAS or SAN technology. Records are not pruned or summarized for compression purposes, maintaining data granularity and information integrity even over long periods of time.

FISMA Requirement: CA-7 Continuous Monitoring
NitroSecurity Advantage: NitroView DBM monitors database and application activity, while NitroGuard IPS monitors the network for intrusion attempts and suspicious behavior. NitroView ESM provides an additional layer of monitoring through the unified correlation and analysis of DBM, IPS, firewall, log, and network data.

This allows the organization to monitor the security controls in the information system on an ongoing basis, including continuous monitoring activities such as security impact analyses of changes to the system, ongoing assessment of security controls, and status reporting. NIST Special Publication 800-53A provides guidance on the assessment of security controls.

FISMA Requirement: IR-4 Incident Handling
NitroSecurity Advantage: NitroSecurity's solution offers direct monitoring and correlated detection of a variety of incidents, allowing the organization to implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.

FISMA Requirement: IR-5 Incident Monitoring
NitroSecurity Advantage: NitroView tracks all activity collected from logs, network flows, and monitoring devices such as NitroView DBM and NitroGuard IPS. This enables the organization to automatically track and document information system security incidents on an ongoing basis and to produce the information needed to analyze an incident.

FISMA Requirement: IR-6 Incident Reporting
NitroSecurity Advantage: Both NitroView ELM and NitroView ESM allow the organization to promptly report incident information to appropriate authorities. The types of incident information reported, the content and timeliness of the reports, and the list of designated reporting authorities or organizations are consistent with applicable federal laws, directives, policies, regulations, standards, and guidance.

FISMA Requirement: SC-5 Denial of Service Protection
NitroSecurity Advantage: NitroGuard IPS protects against the effects of denial of service attacks, including distributed, service-level, application, and exploit-based attacks, by correlating network traffic and filtering rogue traffic without the need for increased capacity and bandwidth.

FISMA Requirement: SI-3 Malicious Code Protection
NitroSecurity Advantage: NitroGuard IPS implements malicious code protection that includes a capability for automatic updates. It employs virus protection mechanisms at critical information system entry and exit points on the network.

FISMA Requirement: SI-4 Intrusion Detection Tools and Techniques
NitroSecurity Advantage: NitroView DBM detects suspicious activity within the database itself, while NitroGuard IPS detects attacks at the network perimeter (and/or at strategic junctions within the network), monitoring outbound communications for unusual or unauthorized activities indicating the presence of malware (e.g., malicious code, spyware, adware). Individually or together, these systems identify unauthorized use of systems and employ automated tools to support real-time analysis of events in support of detecting and preventing system-level attacks.

NitroGuard IPS is able to directly block attacks by dropping or resetting sessions, which supports rapid response. For more complex attacks, such as correlated incidents involving multiple vectors, NitroView ESM is able to detect and mitigate these sophisticated threats, including the further ability to remediate if necessary.

FISMA Requirement: SI-5 Security Alerts and Advisories
NitroSecurity Advantage: NitroView collects events from all security devices, including third-party devices, provides notification of security alerts/advisories on a regular basis to appropriate personnel, and takes appropriate actions in response.

FISMA Requirement: SI-6 Security Functionality Verification
NitroSecurity Advantage: NitroView DBM is able to verify the correct operation of security functions, with appropriate notification and remediation capabilities. NitroView ELM is also able to perform a risk assessment to ensure that logs are being collected appropriately.

FISMA Requirement: SI-8 Spam and Spyware Protection
NitroSecurity Advantage: NitroGuard IPS provides protection against spam and spyware at critical information system entry points. In addition, NitroView ESM provides the correlation and analysis of IPS and other data (e.g., firewalls, electronic mail servers, remote-access servers) to determine root cause and "patient zero."

FISMA Requirement: SI-12 Information Output Handling and Retention
NitroSecurity Advantage: NitroSecurity allows for output retention in accordance with most organizational policies and operational requirements. This includes NitroView ELM's archival, encryption and validation capabilities, which ensure that raw log files have not been altered or tampered with.

Conclusion

From federal information security threats, identity theft, and accounting fraud to the involuntary introduction of malware, spyware, and adware by unknowing hosts, our data is at risk. Management of information systems and resources — and the auditing thereof — is not only a recommended practice for businesses, it is often a legal requirement. Where applicable, regulations and standards have been enacted to ensure a consistent and credible approach by corporations, government agencies, and other institutions.

When striving towards a compliance solution for the Payment Card Industry Data Security Standard, the Health Insurance Portability & Accountability Act, the Sarbanes-Oxley Act, or the Federal Information Security Management Act, a strong Security Information Management solution is essential. Across all regulatory compliance standards, certain criteria remain constant:

  • Massive amounts of data must be managed, including systems availability, access and authentication, system attacks, etc.
  • Intrusion Detection and Intrusion Prevention systems are often required, and where they are not, they remain important data sources for information usage and trend analysis.
  • The ability to obtain, analyze, and correlate this data in a responsive and efficient manner is critical: both for real-time system monitoring, and for historical analysis for the generation of audit trails.

NitroSecurity's combined security solution, including NitroView Enterprise Security Manager (ESM), NitroView ELM, NitroView DBM (DBM), and NitroGuard IPS (IPS), provides the sophistication, scalability and performance needed to effectively manage complex information systems. NitroSecurity provides the log management, security event management, and network behavior analysis tools that companies need to earn compliance. Information processing, including correlation and trending, is possible in real time, even when managing billions of data records. That means the freedom to collect the data needed to monitor or audit virtually any regulatory requirement, and the ability to put that data to use quickly and easily — even when managing historical records that may go back more than a year. For more information or to see a demo of NitroView, please visit www.nitrosecurity.com, where more information about our products and solutions is available.


