by Andrew Freeborn
June 20, 2016
When systems do not have accurate and reliable log information, organizations could loose sight of significant events that can lead to increased risks. Without proper audit logging, organizations won’t have the audit trail information needed to quickly address issues before, during, or after an event has occurred. Organizations can utilize the ISO Continuous Monitoring report to monitor and obtain continuous events information such as unusual network activity, high usage events, and suspicious events on network devices and services.
The ISO/IEC 27002:2013 provides a framework that can be used to develop and enhance information security policies for any organization. Each security control and objective provided within the standard can be tailored to specific business and regulatory objectives, and assist with maintaining overall compliance. This report aligns with the ISO/IEC 27002 12.4 and 16.1.2 controls, which can help organizations to monitor suspicious or unauthorized events, and ensure that all systems are being properly audited.
Having continuous and accurate log data provides an audit trail organizations can use to track account usage, along with any unauthorized or suspicious events. Tenable’s Log Correlation Engine (LCE) provides the foundation needed to implement continuous monitoring of an organization’s network assets. Log management can be enhanced further by installing LCE Clients on servers, and if possible on workstations. Servers with LCE clients installed may capture DNS server, web server, mail server, or other security logs from services that are in use on that system. LCE provides event information from routers, switches, and other infrastructure devices on network anomalies, high CPU events, unauthorized login attempts, and more. Organizations should also forward logs from all critical infrastructure devices to the LCE. Together, this will provide organizations with real-time analytics and reporting, along with a centralized location to store logs from network devices and applications.
Information within this report will provide a comprehensive look at an organization’s continuous monitoring efforts. Several chapters will report on the latest abnormal network events, high utilization events, unauthorized login attempts, and other unusual events. Activity from cloud and peer-to-peer (P2P) services can also be monitored to detect malicious activity or events. Both Nessus and Nessus Network Monitor (NNM) provide complete coverage in detecting unauthorized cloud services and P2P activity that can result in data leakage or malicious attacks. The Device Activity chapter alerts analysts to event logs being forwarded from critical infrastructure devices. Login activity events are also included within this report, and present information on invalid login attempts, password guessing, and login failures. Additional elements will report on suspicious events from remote access services, which can indicate possible unauthorized connections, or compromised servers.
This report is available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The report can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The report requirements are:
- Tenable.sc 5.3.2
- Nessus 8.5.1
- LCE 6.0.0
- NNM 5.9.0
Tenable.sc Continuous View (CV) is the market-defining continuous network monitoring platform. Log Correlation Engine (LCE) performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers, and critical infrastructure. Tenable.sc CV is continuously updated with information about advanced threats and zero-day vulnerabilities, and new types of regulatory compliance configuration audits. Tenable.sc CV’s proactive continuous monitoring identifies your biggest risk across the entire enterprise.
The report contains the following chapters:
- Executive Summary: The Executive Summary chapter presents an overview of continuous monitoring efforts throughout a network. The chapters within this report will provide targeted information that organizations can use to quickly identify areas of concern. This report aligns with the ISO/IEC 27002 12.4 control that can help organizations to monitor suspicious or unauthorized events by ensuring that all systems are being properly audited.
- Continuous Monitoring Activity: This chapter provides a comprehensive look at continuous monitoring efforts across the enterprise. Elements will provide information on high utilization events, events spikes, cloud services, and P2P activity. Events spikes will include detailed information provided by LCE that are compared to the current hour’s event rate for each host to the same hour in previous days. Each element provides detailed information that organizations can use to quickly detect, respond, and contain incidents.
- Device Activity: The Device Activity chapter includes several elements that report on normalized event data by device. Elements include high utilization events from specific network devices such as Cisco, Juniper, Huawei, and more. Top IDS and IPS events will provide the latest information on potential attacks, malware, and network connection activity from network devices and services. This chapter will provide targeted information analysts need to detect and respond to issues on critical network devices in a timely manner.
- Login Activity: This chapter includes of summary of login activity events. In addition to monitoring network devices, events such as login failures, suspicious login attempts, access denied, and password-guessing events should also be monitored to detect unauthorized login attempts. The sooner unauthorized users are discovered; the sooner analysts can react to limit potential damage to targeted systems. Elements within this chapter will assist organizations to quickly detect potential blind spots within existing security policies.