GOOD PRACTICE GUIDE 13 (GPG13)


GPG13 - AT A GLANCE

• Protective Monitoring (PM) is based on Good Practice Guide 13
• Comprises 12 sections called Protective Monitoring Controls 1-12
• Based on four Recording Profiles: Aware, Deter, Detect/Resist and Defend.
• The names Protective Monitoring and GPG13 are sometimes used interchangeably.
• GPG13 is a framework of people, businesses and processes
• Designed to reduce risk
• Strongly recommended for all HMG ICT systems and compulsory for systems that store high impact level data.
• Goal is to provide an operational insight into IT use and abuse
• PM/GPG13 is mandated by the Security Policy Framework, which is published by the UK Cabinet Office

Background

In order to gain access to and share information that resides on the Government Connect Secure Extranet (GCSX), all public sector organisations are required to comply with published standards that have existed for many years. These organisations include both central government departments and local authorities. For example, the most well-known compliance requirement that local authorities must demonstrate is adherence to the Code of Connection (CoCo), which came into effect in 2009. CESG, the Government's National Technical Authority for Information Assurance, added 35 guides as part of CoCo. These guides are widely known as Good Practice Guides and were created to help organisations manage risk effectively in many areas, including remote working, offshoring, virtualisation and forensics.

What is GPG13?

Of the 35 guides, Good Practice Guide 13 (GPG13) defines requirements for 12 Protective Monitoring Controls (PMC), which comprise tasks such as event log management and the use of intrusion detection and prevention systems. Local authorities are required to conform to GPG13 in order to prevent accidental or malicious data loss. As connection to GCSX encompasses access to sensitive and confidential data, compliance with GPG13 is imperative for protecting privacy and preventing data breaches. It is imperative that logs are collected from the systems that provide the security mechanisms.

GPG13 has four Recording Profiles that roughly map to the HMG Information Assurance Standard Segmentation Model, which has four hierarchical segments: Aware, Deter, Detect/Resist and Defend. The necessary controls all relate to the logging, recording and reporting of network traffic flows, critical events and activities, as defined below.

Aware: Obligation to be Aware of public domain threats, common attack vectors and known vulnerabilities.

Deter: Obligation to Deter an attack from a skilled hacker. Appropriate controls should be in place to Deter such an attack.

Detect/Resist: Obligation to both Detect the attack and Resist the attack from a sophisticated attacker.

Defend: Obligation to Defend against an attack from a sophisticated attacker.

GPG13 Guidelines for Log Management

Log management is the key and mandatory component for government departments to achieve GPG13 compliance. Networks nowadays produce millions of logs from across the entire infrastructure that are required to be captured, analysed, alerted upon and stored daily. This is an enormous task for IT staff, who must develop and manage log data efficiently to help solve complex compliance challenges. Data required for GPG13 is collected from the systems that are in place to secure organisations and includes firewall logs, intrusion systems and alerts from operating systems. As part of meeting GPG13 requirements, the guidelines below must be followed.

Segment (Risk Level) | Log Retention Period | Log Checks | Console Manning | Compliance Review Period
Aware (Medium) | Up to 3 months | At least once a month | Not always, but alerts from critical conditions must be managed | At least annually
Deter (Medium-High) | 3 to 6 months | At least once a week | Only during core business hours |
Detect/Resist (High) | 6 to 12 months | At least once a day | Always manned | At least every 6 months
Defend (Very High) | More than 12 months | At least once every hour | | At least every quarter

GPG13 Guidelines for Incident Response

Any alerts generated require a response and, depending on the severity, service level agreements need to be established as outlined below:

Segment (Risk Level) | Preliminary Response | Analysis Instigated
Aware (Medium) | Less than 1 day | No guidance
Deter (Medium-High) | Less than 4 hours | Within 2 days
Detect/Resist (High) | Less than 1 hour | Within 1 day
Defend (Very High) | Less than 30 minutes | Within 4 hours

Achieving GPG 13 Compliance with McAfee

To help organisations meet GPG13 compliance, the SIEM (Security Information and Event Management) solution from McAfee forms the essential component that delivers the data monitoring and collection requirements at all 12 Protective Monitoring Control levels. McAfee SIEM is complemented by additional McAfee technologies, a combination of perimeter security, intrusion detection/prevention systems, endpoint protection and two-factor authentication, all of which are integrated to form the Security Connected framework. The amalgamation of different solutions ensures that system activity logs, real-time file integrity control, privileged identity activity and critical application session data seamlessly fall under the SIEM reporting umbrella.

The following illustrates a direct one-to-one mapping of the PM Controls to the McAfee solutions, where SIEM is the integral constituent. For each control, the McAfee components used at the Aware, Deter, Detect/Resist and Defend profiles are listed.

PMC #1 - Accurate time in logs
Timestamps are compared to thresholds to look for discrepancies and complemented with an external time source.
All profiles: SIEM, ePO, Policy Auditor

PMC #2 - Recording relating to business traffic crossing a boundary
Collection and analysis of logs from perimeter security, endpoint security and the asset database, all collected centrally.
All profiles: SIEM, Firewall, Web GW, ePO

PMC #3 - Recording relating to suspicious activity at a boundary
Collection and analysis of logs from firewalls, IDS/IPS, authentication controls, endpoint protection and other systems used at the boundary.
Aware: SIEM, Firewall, Web GW
Deter, Detect/Resist, Defend: SIEM, Firewall, Web GW, IDS/IPS

PMC #4 - Recording of workstation, server or device status
Collection and analysis of logs from workstations, servers, network devices, security devices, databases and applications.
All profiles: SIEM, ePO, Anti-Virus, Database Security

PMC #5 - Recording relating to suspicious internal network activity
Collection and analysis of logs from diverse systems such as authentication systems, network services (DNS, DHCP, WINS), firewalls, databases and network traffic.
Aware, Deter: SIEM, Firewall
Detect/Resist, Defend: SIEM, Firewall, ePO, File Integrity

PMC #6 - Recording relating to network connections
Collection and analysis of logs from diverse systems such as authentication systems, network services (DNS, DHCP, WINS), firewalls, databases and network traffic.
Aware, Deter: SIEM
Detect/Resist, Defend: SIEM, IDS/IPS

PMC #7 - Recording of session activity by user and workstation
Users and workstations are imported from provisioning systems such as Active Directory. McAfee collects logs centrally for auditing, analysis and alerting.
Aware, Deter: SIEM, Database Security
Detect/Resist, Defend: SIEM, Database Security, Change Control

PMC #8 - Recording of data backup status
Logs are collected from external backup systems.
All profiles: SIEM, Backup

PMC #9 - Alerting critical events
McAfee is able to send critical alerts to third-party service management systems such as BMC and HP.
All profiles: SIEM

PMC #10 - Reporting on the status of the audit system
The system is able to alert on its own health for any failures and thresholds.
All profiles: SIEM

PMC #11 - Production of sanitised and statistical management reports
McAfee provides high-level reports and dashboards out of the box. Report data can be exported to PDF, XML, CSV and HTML.
All profiles: SIEM

PMC #12 - Providing a legal framework for Protective Monitoring activities
Collected logs are normalised for management and auditing purposes by McAfee SIEM. In addition, logs are stored and retained in original/raw format for forensics and legal requirements.
All profiles: SIEM
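PMC #1 asks for log timestamps to be checked against a trusted reference so that clock discrepancies are caught before they undermine correlation and forensic timelines. The Python below is an added example, not McAfee's or the guide's own code: it takes constructed event records (device-reported time, collector receipt time, host) and reports each host whose clock drifts beyond a tolerance.

```python
"""PMC #1 style check: flag log sources whose own timestamps drift from the
collector's receipt time by more than a tolerance (constructed sample data)."""
from datetime import datetime, timezone

# Constructed sample: (device-reported timestamp, collector receipt timestamp, host).
# Both are ISO-8601 UTC; a real collector stamps the receipt time itself.
SAMPLE_EVENTS = [
    ("2013-05-01T09:00:00Z", "2013-05-01T09:00:02Z", "fw-01"),
    ("2013-05-01T09:00:05Z", "2013-05-01T09:00:06Z", "fw-01"),
    ("2013-05-01T08:47:10Z", "2013-05-01T09:00:07Z", "web-gw"),  # ~13 min behind
    ("2013-05-01T09:05:30Z", "2013-05-01T09:00:08Z", "db-02"),   # ~5 min ahead
    ("2013-05-01T09:00:09Z", "2013-05-01T09:00:09Z", "db-02"),
]


def parse_ts(value: str) -> datetime:
    """Parse a Zulu ISO-8601 timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def clock_drift(events, tolerance_s: float = 60.0) -> dict:
    """Return {host: worst drift in seconds} for hosts exceeding the tolerance.

    Drift is reported time minus receipt time: positive means the device clock
    is ahead of the collector, negative means it is behind. Only the largest
    absolute discrepancy per host is kept, so one alert is raised per source.
    """
    worst = {}
    for reported, received, host in events:
        drift = (parse_ts(reported) - parse_ts(received)).total_seconds()
        if abs(drift) > tolerance_s and abs(drift) > abs(worst.get(host, 0.0)):
            worst[host] = drift
    return worst


if __name__ == "__main__":
    for host, secs in clock_drift(SAMPLE_EVENTS).items():
        direction = "ahead" if secs > 0 else "behind"
        print(f"{host}: clock {direction} of collector by {abs(secs):.0f}s")
```

Hosts that trip the check should be reconciled against the external time source the control requires (for example NTP) rather than having their log times silently rewritten, so the raw record stays usable as evidence under PMC #12.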

McAFEE VALUE FOR GPG 13 COMPLIANCE

Operational benefits

• Global view of the security countermeasures and insight into the security landscape.
• Minimum administration overhead, as McAfee SIEM is designed specifically for log management.
• Log data views can be changed from years to seconds instantaneously
• Reduces the overhead in identifying threats from days to seconds with the integration into GTI.
• Reduced deployment cost with "out of the box" functionality
• Integration into the complete McAfee management platform with feeds from GTI (Global Threat Intelligence)
• Unparalleled performance and scalability with a log collection capability of 300,000 EPS
• Full context and content awareness to ascertain risk levels
• Collected log data is stored in two places: in original format for forensics and, secondly, for correlation

Key benefits

• McAfee SIEM is positioned as a Leader by Gartner for completeness of vision and ability to execute
• Experienced and trained McAfee Professional Services can work with organisations to achieve GPG13 requirements
• McAfee SIEM provides GPG13 out of the box and does not require additional licences, as some other vendors do.
• Built-in capability to collect log data from over 300 data sources, with the ability to create additional ones as required.
• GPG13 reports and dashboards are pre-built, with options to create custom ones as required
• The Security Connected approach provides a framework for cost-effective management where multiple technologies are integrated seamlessly.
• Log management solutions are complex and costly. McAfee SIEM can be set up quickly and easily with minimum effort.

2821 Mission College Boulevard Santa Clara, CA 95054 888 847 8766 www.mcafee.com

About McAfee

McAfee, a wholly owned subsidiary of Intel Corporation (NASDAQ: INTC), is the world's largest dedicated security technology company. McAfee delivers proactive and proven solutions and services that help secure systems, networks, and mobile devices around the world, allowing users to safely connect to the Internet, browse, and shop the web more securely. Backed by its unrivaled global threat intelligence, McAfee creates innovative products that empower home users, businesses, the public sector, and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. McAfee is relentlessly focused on constantly finding new ways to keep our customers safe. http://www.mcafee.com

McAfee and the McAfee logo are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the United States and other countries. Other marks and brands may be claimed as the property of others. The product plans, specifications and descriptions herein are provided for information only and subject to change without notice, and are provided without warranty of any kind, express or implied. Copyright © 2013 McAfee, Inc.