A corporate data network transmits billions of packets per day internally and out to the Internet. That traffic generates event records from many sources, such as firewall security logs, user account sign-on logs, and data resource access logs. Under NIST SP 800-53 and standard industry practice, those logs must be examined and audited for evidence of malicious content and intent (NIST, 2015a, p. F-44). No human team could audit that volume of events quickly enough to mount the needed response to an intrusion or data breach (EC-Council, 2017, pp. 322-323). Automated tools are required to collect the reported data from the various sources into a central data store for analysis. In the past, separate tools gathered data from different sources, such as Kiwi Syslog Server collecting syslog data from routers and switches (Zhang et al., 2017, p. 2), or the SolarWinds firewall log analyzer collecting traffic data (As-Suhbani & Khamitkar, 2017, p. 420). Separate applications for network analysis create a large administrative workload and make it very difficult to correlate events across sources, since each tool keeps its own data format, retention period, and clock.
The current industry solution is a unified Security Information and Event Management (SIEM) platform that collects data from all sources, stores it in one data store with normalized fields and synchronized time stamps, and provides analysis tools and alerting. This allows the security team to perform the audits required for contractual compliance while analyzing the same data for threat detection. Attacks can be identified quickly and responses activated to defend the network from intrusion and data loss (Splunk, 2017c, pp. 4-5). Sifers-Grayson requires a SIEM for improved data confidentiality and integrity and for DoD contract compliance (NIST, 2015b). A SIEM directly satisfies the audit and accountability requirements below and supports the remaining ones: for example, 3.14.1 and 3.14.5 still require a patch management process and vulnerability or anti-malware scanners, with the SIEM ingesting their results and tracking that flaws are actually corrected. The relevant NIST SP 800-171 requirements are:
- 3.1.12 Monitor and control remote access sessions.
- 3.1.18 Control connection of mobile devices.
- 3.1.20 Verify and control/limit connections to and use of external systems.
- 3.3.3 Review and update audited events.
- 3.3.4 Alert in the event of an audit process failure.
- 3.3.5 Correlate audit review, analysis, and reporting processes for investigation of and response to indications of inappropriate, suspicious, or unusual activity.
- 3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
- 3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
- 3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
- 3.3.9 Limit management of audit functionality to a subset of privileged users.
- 3.14.1 Identify, report, and correct system flaws in a timely manner.
- 3.14.3 Monitor system security alerts and advisories and take action in response.
- 3.14.5 Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
- 3.14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
- 3.14.7 Identify unauthorized use of organizational systems (NIST, 2015b, pp. 10-15).
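The following is an added example, written for this page and not taken from the paper or from any SIEM vendor's product. It is a toy SIEM pipeline in Python that makes three of the listed items concrete: time stamps from two sources with different clock conventions are normalized to UTC before anything is compared (3.3.7), a correlation rule joins firewall denies with a failed-then-successful logon from the same address (3.3.5), and a silence check raises an alert when a source stops reporting (3.3.4). The hosts fw01 and dc01, the log line formats, the syslog year of 2018 and the "current" time used by the silence check are all assumptions; the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
SYSLOG_YEAR = 2018  # assumption: classic syslog stamps carry no year or zone

# Constructed sample records from two hypothetical sources. The firewall logs local
# time with a UTC offset; the domain controller writes syslog stamps with no zone.
FIREWALL_LOG = """\
2018-02-24T09:00:01-05:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=22
2018-02-24T09:00:02-05:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=23
2018-02-24T09:00:03-05:00 fw01 DENY src=203.0.113.7 dst=10.0.0.5 dport=445
2018-02-24T09:00:10-05:00 fw01 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=3389
"""
AUTH_LOG = """\
Feb 24 14:00:12 dc01 logon user=jsmith src=203.0.113.7 result=FAIL
Feb 24 14:00:14 dc01 logon user=jsmith src=203.0.113.7 result=FAIL
Feb 24 14:00:16 dc01 logon user=jsmith src=203.0.113.7 result=FAIL
Feb 24 14:00:18 dc01 sshd[411]: Accepted publickey for svc from 10.0.0.9
Feb 24 14:00:20 dc01 logon user=jsmith src=203.0.113.7 result=SUCCESS
Feb 24 14:05:00 dc01 logon user=alee src=10.0.0.42 result=SUCCESS
"""

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(
    r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) logon user=(\S+) src=(\S+) result=(\w+)$")


@dataclass
class Event:
    ts: datetime                 # always timezone-aware UTC after normalization
    source: str                  # host that produced the record
    kind: str                    # normalized type, e.g. "fw.deny", "auth.fail"
    fields: dict = field(default_factory=dict)


def parse_firewall(text):
    """Normalize firewall lines; the ISO stamp carries its own offset."""
    out = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue  # a real SIEM would route unparsed lines to a dead-letter index
        ts, host, action, src, dst, dport = m.groups()
        out.append(Event(datetime.fromisoformat(ts).astimezone(UTC), host,
                         "fw." + action.lower(),
                         {"src": src, "dst": dst, "dport": int(dport)}))
    return out


def parse_auth(text):
    """Normalize syslog-style logon lines; year and zone are assumed (see above)."""
    out = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # e.g. the sshd line above, which this rule does not consume
        stamp, host, user, src, result = m.groups()
        ts = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        out.append(Event(ts.replace(tzinfo=UTC), host, "auth." + result.lower(),
                         {"user": user, "src": src}))
    return out


def correlate(events, fail_threshold=3, window=timedelta(minutes=5)):
    """3.3.5-style rule: >= fail_threshold failed logons for one user from one source
    followed by a success inside `window`, enriched with that source's firewall denies."""
    fails = defaultdict(list)   # (user, src) -> failure timestamps
    denies = defaultdict(list)  # src -> firewall deny timestamps
    alerts = []
    for e in sorted(events, key=lambda ev: ev.ts):  # one time line across sources
        f = e.fields
        if e.kind == "fw.deny":
            denies[f["src"]].append(e.ts)
        elif e.kind == "auth.fail":
            fails[(f["user"], f["src"])].append(e.ts)
        elif e.kind == "auth.success":
            key = (f["user"], f["src"])
            recent = [t for t in fails[key] if e.ts - t <= window]
            if len(recent) >= fail_threshold:
                scan = [t for t in denies[f["src"]] if e.ts - t <= window]
                alerts.append({"rule": "brute_force_then_success", "ts": e.ts.isoformat(),
                               "user": f["user"], "src": f["src"],
                               "failures": len(recent), "prior_fw_denies": len(scan)})
                fails[key].clear()  # do not re-alert on the same burst
    return alerts


def silent_sources(events, now, max_gap=timedelta(minutes=5)):
    """3.3.4-style check: a source silent for longer than max_gap is reported as an
    audit process failure (dead forwarder, full disk, stopped agent), not a quiet net."""
    last_seen = {}
    for e in events:
        last_seen[e.source] = max(last_seen.get(e.source, e.ts), e.ts)
    return sorted(s for s, t in last_seen.items() if now - t > max_gap)


def run_demo():
    """Ingest both constructed sources and run both rules."""
    events = parse_firewall(FIREWALL_LOG) + parse_auth(AUTH_LOG)
    now = datetime(2018, 2, 24, 14, 10, tzinfo=UTC)  # assumed "current" time
    return correlate(events), silent_sources(events, now)


if __name__ == "__main__":
    print(run_demo())
```

Run as a script it prints one alert for jsmith from 203.0.113.7 (three failures, three prior firewall denies) and reports fw01 as silent, because its last record at 14:00:10 UTC is more than five minutes before the assumed current time while dc01 reported at 14:05:00. Note that the correlation only works because both sources were mapped onto one clock first: read naively, the firewall's 09:00 local stamps would sit five hours before the logon attempts and the rule would never fire.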
References
As-Suhbani, H. E., & Khamitkar, S. (2017). Using data mining for discovering anomalies from firewall logs: A comprehensive review.
EC-Council. (2017). Ethical hacking and countermeasures, Book 4: Secure network operating systems and infrastructures (2nd ed.).
Kavanagh, K. M., & Bussa, T. (2017). Magic Quadrant for Security Information and Event Management. Gartner.
NIST. (2015a). Security and privacy controls for federal information systems and organizations (NIST Special Publication 800-53 Rev. 4).
NIST. (2015b). Protecting controlled unclassified information in nonfederal information systems and organizations (NIST Special Publication 800-171).
Splunk. (2017a). The six essential capabilities of an analytics-driven SIEM.
Splunk. (2017b). Splunk Enterprise Security.
Splunk. (2017c). Splunk software as a SIEM.
Stephenson, P. (2017, May 1). Splunk Enterprise Security review. SC Magazine. Retrieved February 24, 2018, from https://www.scmagazine.com/splunk-enterprise-security/review/9359/
Zhang, S., Meng, W., Bu, J., Yang, S., Liu, Y., Pei, D., ... Qu, X. (2017). Syslog processing for switch failure diagnosis and prediction in datacenter networks. In 2017 IEEE/ACM 25th International Symposium on Quality of Service (IWQoS).