ADDRESS Sentor Managed Security Services AB Björns Trädgårdsgränd 1 116 21 STOCKHOLM
MAPPING SIEM & ISO 27001
EMAIL [email protected]
PHONE +46 (0)8-545 333 00
WEBSITE www.sentor.se
ACCELERATE ISO 27001 COMPLIANCE WITH SIEM
Accelerate ISO 27001 compliance with SIEM
For most organizations, achieving ISO 27001 compliance is a challenging task because of the standard's broad scope. This SIEM and ISO 27001 mapping aims to show how Sentor's SIEM solution LogSentry can accelerate ISO 27001 compliance. To accelerate ISO 27001 compliance, organizations need to simplify, consolidate and automate essential security controls. LogSentry can assist in meeting controls in the following areas:
• Asset Management
• Access Control
• Logging and Monitoring
• Network Security Management
• Application Security Management
• Information Security Incident Management
Detect unwanted activity and ensure compliance with LogSentry
LogSentry safeguards your business and its IT systems from potential security breaches. With 24/7 monitoring, 365 days a year, plus alerting and incident management support via Sentor's Security Operations Center, security analysts can detect and respond to cyber threats in near real time. For more information on SIEM or ISO 27001, visit Sentor.se or contact us via [email protected].
ISO 27001 controls to LogSentry mapping
Columns: ISO 27001 Control Objective | ISO 27001 Control | How Sentor LogSentry helps you reach compliance
A.8 - Asset Management
A.8.1 Responsibility of assets
A.8.1.1 Inventory of assets
Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained
• Discovers and inventories assets, and supports review of changes to the operating systems, software applications, and services running within discovered assets
A.9 – Access Control
A.9.2 User Access Management
A.9.2.2 User Access Provisioning
A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services
• Monitors and logs the provisioning and de-provisioning of user accounts in applications, in Microsoft AD, in Office 365 (Azure Active Directory), in G Suite, and in authentication products
A.9.2.3 Management of privileged access rights
The allocation and use of privileged access rights shall be restricted and controlled
• Monitors and logs successful and failed logon events to assets across your on-premises and cloud environments, as well as to cloud applications including Office 365 and G Suite
• Monitors and logs successful and failed logon attempts to external applications through Azure Active Directory, and to Office 365 and G Suite
A.12 – Operations Security
A.12.2 – Protection from malware
A.12.2.1 - Controls against malware
Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness
• Identifies systems susceptible to known vulnerabilities, or that may not have antivirus installed and/or operational
• Monitors for indicators of malware-based compromise, such as communication to a known Command & Control (C&C, or C2) server
• Continuous development and updating of use cases enables detection of new and existing threats. A possible additional log source is an IDS, to enhance detection of malware.
A.12.4 – Logging and monitoring
A.12.4.1 – Event logging
Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed
• Aggregates events and log data, including user and administrator activity, from across your on-premises and cloud environments, and cloud applications
• File Integrity Monitoring can detect and log access and changes to critical system and application data and configuration files, and to the Windows Registry
• SIEM systems can be configured to store alerts and events in 'hot storage' for any required duration, enabling rapid search and inspection, and raw events in 'cold', long-term storage for offline investigation and evidence
A.12.4.2 – Protection of log information
Logging facilities and log information shall be protected against tampering and unauthorized access.
• By sending the logs to a dedicated system where Sentor monitors all activity, including the access and actions performed on log data, the logs are protected against tampering by unauthorized personnel
• File Integrity Monitoring can detect and log access and changes to critical system and application configuration and log files, and to the Windows Registry, detecting any attempt to delete or prevent the processing of log data
A.12.4.3 – Administrator and operator logs
System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed
• Monitors and logs successful and failed logon events to assets across your on-premises and cloud environments, as well as to cloud applications
• Monitors and logs successful and failed logon attempts to external applications through Azure Active Directory, Okta, Office 365, G Suite and other LDAP sources
• Monitors for changes to Office 365 policies such as Data Leakage Protection (DLP), information management, and more
• Monitors user and administrator activities, including access and modification of files and content, in on-premises and cloud-hosted assets, and in cloud applications
A.12.4.4 – Clock Synchronization
The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source
• Monitor and alarm on Group Policy errors, which could indicate issues or attempts to disable clock synchronization
• File Integrity Monitoring can detect changes and access to critical system and application configuration files, and Windows Registry entries, which could indicate issues or attempts to disable clock synchronization
A.13 – Communication Security
A.13.1 – Network security management
A.13.1.1 – Network controls
Networks shall be managed and controlled to protect information in systems and applications
• Monitors and correlates events gathered from network traffic (network IDS, cloud IDS) and network devices (routers, switches, firewalls, and more) to identify anomalous network traffic, such as communication to a known malicious server
• Continuously updated threat intelligence from multiple sources, used to detect communication with known bad hosts, is included as standard in the service
A.13.2 – Information transfer
A.13.2.3 – Electronic messaging
Information involved in electronic messaging shall be appropriately protected
• Monitors for phishing or malware attacks against email services, including Office 365 and G Suite
• Audits administrator actions, including mailbox creation and deletion, or changing configurations that could disable protection mechanisms such as encryption or data leakage protection
• Know when users access mailbox folders, purge deleted items, access other mailbox accounts, and more
• Be alerted to changes to Exchange policies that could let in malware
A.14 – System acquisition, development and maintenance
A.14.1 – Security requirements of information systems
A.14.1.2 - Securing application services on public networks
Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification
• Monitors and alarms on Group Policy errors, which could indicate attempts to disable local security services and introduce misconfigurations that compromise asset integrity and security
• File Integrity Monitoring can detect changes and access to critical system and application configuration files, and Windows Registry entries, which could indicate installation of malware or disabling of protection mechanisms like two-factor authentication or encryption
• Detects the use of clear-text protocols for network communication over insecure networks
A.14.1.3 – Protecting application services transactions
Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay
• Monitors and correlates events gathered from network traffic (network IDS, cloud IDS) and network devices (routers, switches, firewalls, and more) to identify anomalous network traffic, such as communication of transactions and data to a known malicious server
A.16 – Information security incident management
A.16.1 – Management of information security incidents and improvements
A.16.1.2 – Reporting information security events
Information security events shall be reported through appropriate management channels as quickly as possible
• Enables creation of different user accounts that grant access to the Sentor customer portal and/or SIEM solution for inspection and review of alarms, events and reports
• Built-in notification capabilities enable analysts to be alerted to alarms through email, SMS, customer portal or telephone
A.16.1.4 – Assessment of and decision on information security events
Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents
• Sentor SOC analyses all alerts 24/7 to qualify whether there is a potential security incident. The analysis is performed by trained and qualified security analysts. Continuous development ensures that the service operates with the latest correlation directives and with context on those threats, to support comprehension and incident response decision making
A.16.1.5 – Response to information security incidents
Information security incidents shall be responded to in accordance with the documented procedures
• Sentor SOC provides recommendations on how to respond to different incident types and an individual Incident Response Plan is created for each customer.
• Sentor offers a ticketing API to integrate ticketing systems like Jira and ServiceNow.
A.16.1.6 – Learning from information security incidents
Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents
• Provides forensics investigation using rich filter and search capabilities, and reporting, against event and log data that is centrally aggregated and retained from across your on-premises and cloud environments and applications
A.16.1.7 – Collection of evidence
The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence
• Aggregates events and log data from across your on-premises and cloud environments, and cloud applications including Office 365 and G Suite, into long-term log storage
• Maintains a searchable database of incidents for the full service period, accessible in the Sentor Portal.