by Megan Daudelin
June 20, 2016
As changes to devices, policies, files, and folders occur on a daily basis, many organizations often lose track of changes that can leave a network vulnerable to attack. The smallest change can lead to system outages, data loss, and can add unwanted security risks and increased costs for an organization. The ISO/IEC27000 Change Control Management dashboard can assist the organization in monitoring device, software, and network change control events.
The ISO/IEC 27002:2013 framework is a global security standard that provides best practice solutions in support of the controls found in Annex A of ISO/IEC 27001:2013. The framework establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management systems (ISMS). Each of the security controls and objectives provided within the standard can be tailored to specific business and regulatory objectives and assist with maintaining overall compliance. This dashboard focuses on the ISO/IEC 27002 12.1.2 and 12.5.1 controls that will identify any change control or configuration events on a network.
Proper change control management allows organizations to be aware of changes in their environment, understand potential impacts, and achieve business goals without unnecessary delay. Both authorized and unauthorized changes to a network device, software, file, or folder can impact user access to systems and result in loss of integrity. Without change control procedures in place, changes can be made without management’s knowledge, formal risk assessment, or approval.
The components in this dashboard provide a comprehensive view of change events using the Log Correlation Engine (LCE). LCE provides information on normalized events for device changes, software modifications, file and directory changes, and statistical indicators. Statistical event indicators use keywords to identify normalized event logs that the analyst should review further, including service changes, user activity, and suspicious activity. Changes on network devices will provide the analyst with targeted information, which can be used to strengthen change control management procedures.
The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:
- Tenable.sc 5.3.1
- LCE 6.0.0
Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes Tenable.sc Continuous View (CV), Nessus, NNM and LCE. Tenable.sc CV performs log normalization from hundreds of unique data sources. LCE performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers and critical infrastructure.
This dashboard contains the following components:
- Daily Usage Summary - Configuration Changes: This component collects the top 10 configuration changes. Adding a new user account into Windows, changing a firewall rule, or installing new software may generate these events. Networks are always evolving and constantly require changes. Tenable.sc Continuous View (Tenable.sc CV) customers can detect these changes by monitoring LCE and syslog events. NNM can alert in real-time when new hosts are discovered. This component refreshes hourly and should be monitored throughout the workday.
- ASD Top 4 Mitigation Strategies - Software Modification Events: This component provides an indicator for file changes or modification events collected from systems with LCE Clients installed, or from systems where syslogs are collected. For each indicator, when a pattern match is found, the indicator will turn purple. Some of the event indicators in the matrix are application changes, a Windows executable file has changed, and UNIX library file changes. The indicators of this component provide system administrators with a central location to monitor for authorized or unauthorized software execution, installation, or changes. Regardless of if the software is downloaded from the internet or a USB drive, LCE Client software can log the application events. When configured appropriately, whitelisting can help prevent unauthorized intruders from modifying or adding software to secure servers or workstations.
- File Integrity Monitoring - File and Directory Change Event Details - Past 7 Days: The File and Directory Change Event Details – Past 7 Days table lists the events related to file changes detected in the past 7 days by count. This table uses the Normalized Event Summary tool and filters based on the keyword “File” and the “detected-change” type. The data in this table can be useful in determining the most common file change events and where they originate.
- Stats Summary - Stats Indicators: This dashboard component shows the 40 different types of anomalies that the statistics daemon monitors. If there is one or more events for each of the anomalies monitored, it will be indicated in this component.
- CSF - Network Changes: This component displays a list of network changes over the last 72 hours. There are several normalized event types presented that detect changes from servers, database, and infrastructure devices. Many of these detected changes are additions to the network, such as new hosts, new software, policy and security settings changes, and new open ports. Any new additions or changes should be investigated to determine if they are authorized. To obtain additional information, the analyst can click on any of the normalized events.
- CSF - Top Detected Changes (Last 72 Hours): This table displays the top change events detected on the network in the last 72 hours. The table is sorted so that the changes detected most often are at the top. This table can be used by an analyst to investigate recent network changes and determine if they are appropriate and authorized. Clicking on the Browse Component Data icon will bring up the event analysis screen to display all of the detected change events and allow further investigation. In the analysis screen, clicking on a particular event will display all occurrences of that event. Setting the tool to IP Summary will display the systems on which the events occurred. Setting the tool to Raw Syslog will display the raw syslog of the events, which can give more details.