SIM through Compliance

EventLogAnalyzer | July 17, 2006 | 2 min read

Author: parthasarathi

Mood: Cool  I came across an article in S-OX

Compliance is defined as being in accordance with authoritative requirements. That means being up to date on guidelines, processes and practices. These processes and practices are oriented around such requirements as:? Only authorized user/systems can access and modify specific information they require,? The privacy and integrity of the information and systems must be maintained and assured,

? Audit records are maintained and indisputable, and

? Operational best practices are in place and improved.

Regulations, today, may differ in substance but tend to create a group of common requirements. These requirements include:

? Event collection and retention,

? Activity review and assessment,

? Data integrity and chain-of-custody,

? Use audit reduction tools,

? Investigation and forensic analysis, and

? Reporting to and by appropriate personnel.

Most security event management (SEM) and security information management (SIM) solutions focus on incident response ? consolidating alerts to respond to visible threats and attacks. And, that?s important. But, as will be evident, the back end of the SIM process ? event data analysis and retention used for reporting, audit and investigation ? is usually half-baked. As a result, compliance support is often spotty.

So as mentioned, Compliance is an important Security Information Management(SIM) solution.

Let us see how EventLogAnalyzer(ELA) fairs against the above compliance requirements.

ELA provides reports which meet

HIPAA(Health Insuraance Portability and Accountability Act),

SOX(Sarbanes-Oxley) and

GLBA(Gramm-Leach-Bliley Act) security standards under Compliance.

Currently ELA provides the following reports under Compliance section which meets the above security standards.

1. Successful User Logons – Identifies all the user logon events

EventIDs supported: (528,540)

2. User Logoffs – Tracks all the user logoff events

EventIDs supported: 538

3. Logon Failures – Tracks all the failed user logon events

EventIDs supported: (529, 530, 531, 532, 533, 534, 535, 536, 537, 539)

4. Audit Policy Changes – Tracks all the changes done in the audit policy

EventIDs supported: 612

5. Audit Logs Cleared – Tracks all the audit logs clearing events

EventIDs supported: 517

6. Object Access – Identifies when a given object (File, Directory, etc.) is accessed, the type of access (e.g. read, write, delete) and whether or not access was successful/failed, and who performed the action

EventIDs supported: (560,562,563,564,565,566,567,568)

7. System Events – Identifies local system processes such as system startup and shutdown and changes to the system time

EventIDs supported: (512,513,514,515,516,518,519,520)

8. User Account Changes – Identifies all the changes done on an user account like user account creation,deletion, password change etc.,

EventIDs supported: (624,625,626,627,628,629,630,642,644)

9. User Group Changes – Identifies all the changes done on an user group such as adding or removing a global or local group, adding or removing members from a global or local group,etc..

EventIDs supported: (631 – 641) and (643 – 646)

10. Successful User Account Validation – Identifies successful user account logon events, which are generated when a domain user account is authenticated on a domain controller

EventIDs supported: (672,680)

11. Failed User Account Validation – Identifies unsuccessful user account logon events, which are generated when a domain user account is authenticated on a domain controller.

EventIDs supported: (675,681)

If you would like to enhance the compliance reports further, do let us know.

Thank You,