LTS Secure SOC BOX: GPG 13 Cyber Security Compliance Management

For organizations with limited budgets, small IT & Security teams & competing priorities, being compliant with Good Practice Guide (GPG) 13’s twelve Protective Monitoring Controls (PMC) can be a challenging task.

In order to succeed, organizations need to centralize, automate & simplify their security controls and data analysis, so as to quickly identify threats targeting their network & prioritize their response.

LTS Secure SOC BOX has been developed specifically for IT & Security teams with limited resources, so that they can proactively monitor their network and achieve GPG 13 compliance.

Integrated threat intelligence keeps you up-to-date with emerging threats, alerting you of such attacks on your environment.

LTS Secure SOC BOX's integrated approach helps you:

  • Gain operational insight from built-in security controls.
  • Identify people accessing your sensitive data.
  • Manage analysis, configuration & reporting with one stack.
  • Detect relevant events across your network with predefined correlation.
  • Respond to threats quickly & more effectively.

How LTS Secure SOC BOX Covers All Protective Monitoring Controls

Each control below lists the PMC requirement, the relevant SOC BOX capabilities at each recording profile (Aware, Deter, Detect and Resist, Defend), and examples of how LTS Secure SOC BOX helps.

1. Accurate timestamp in logs

Provide a means to ensure that accounting and auditing logs record accurate timestamps.

Aware

  • Ensure all accounting and audit logs include a timestamp
  • Any Alerts generated must be time stamped and should reference the original audit log

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • LTS Secure Logger preserves the integrity of all audit logs collected, and timestamps each audit log, as well as any alerts that are generated related to the audit log.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Digitally sign the timestamp as a minimum
  • Hash the log file that stores the collected audit log

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • Built-in host-based IDS alerts on policy violations such as failed access attempts to files on critical systems.
  • Built-in file integrity monitoring captures anomalous changes to critical files and file systems such as access rights modifications, software configuration, and changes to storage volumes.
  • Additionally, SOC BOX alerts when an attached device (e.g. USB drive) connects to a monitored host.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Hash the transaction and digitally sign, plus retain a copy of the audit log

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • LTS Secure Logger preserves the integrity of all audit logs collected, which includes a digital signature, hash code and checksum.
  • Additionally, the original audit log is retained.

Defend

  • Ensure you meet the requirements of lower recording profiles

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.
  • LTS Secure Logger preserves the integrity of all audit logs collected, which includes a digital signature, hash code and checksum.
  • Additionally, the original audit log is retained.

2. Recording relating to business traffic crossing a boundary

Define a set of Alerts and Reports that will identify authorized vs. non-authorized business traffic across the network boundary. This requires the ability to distinguish authorized from non-authorized traffic, to prevent and alert on the transport of malicious code, and to identify manipulation of other business traffic.

Aware

  • Report and Alert on Malware detected crossing the boundary

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • LTS Secure built-in IDS (network and host-based) will report and alert on detected malware, wherever it is on the network.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on:
    • Blocked web browsing activities
    • Failed file imports and exports across boundary

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • Provided the gateway firewall or filtering proxy is configured properly, SOC BOX will report and alert on blocked activities and failed file imports and exports.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Report on:
    • Failed file imports and exports across boundary and keep a copy of file content for auditing purposes
    • Failed file imports and exports across boundary and keep a copy of file content, Security Label and File Signature, for auditing purposes
    • Accepted web traffic across boundary
    • Accepted incoming and outgoing file transfers across boundary

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • Provided the gateway firewall or filtering proxy is configured properly, SOC BOX will report and alert on blocked activities and failed file imports and exports, through the correlation of the firewall/proxy logs.
  • Additionally, any accepted incoming and outgoing file transfers and web activity will also generate alerts and can be investigated.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • Report on:
    • Accepted incoming and outgoing file transfers across boundary, including a copy of the file content
    • Accepted file imports and exports across boundary and keep a copy of file content, Security Label and File Signature, for auditing purposes
    • Files that have been placed in a file cache, including its URL, content, Security Label, Signature and time to live
    • Who has accessed file cache

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.
  • Provided the gateway firewall or filtering proxy is configured properly, SOC BOX will report and alert on blocked activities and failed file imports and exports, through correlation of the firewall/proxy logs.
  • Additionally, any accepted incoming and outgoing file transfers and web activity will also generate alerts and can be investigated.

3. Recording relating to suspicious activity at a boundary

Define a set of alerts and Reports that will identify suspicious network traffic crossing the network boundary.

Aware

  • Report Deny or Dropped packets on Firewall

  • Provided the firewall is configured properly, SOC BOX will report and alert on all deny or dropped packets from the firewall.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on Critical console messages from boundary devices
  • Report and Alert on Authentication failures on boundary devices and systems
  • Report and Alert on suspected Attacks at the boundary
  • Report on:
    • Error console messages from boundary devices
    • User sessions on boundary devices and consoles
    • Changes to Firewall and boundary device rule base, including in response to a detected attack
    • Status Change to security software monitoring tools, such as your Security Incident and Event Management, Intrusion Detection Software, Intrusion Prevention Software, etc.

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • Quickly identify and isolate suspicious network traffic leveraging built-in security controls such as IDS, Netflow analysis, event correlation, and log analysis.
  • Additionally, dynamic incident response templates provide customized guidance for each alert.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Report on:
    • Warning console messages from boundary devices
    • All commands issued to boundary devices or boundary consoles
    • Packets traversing the boundary device, including packet header, size and firewall interface
    • Packets traversing the boundary device, including full packet capture, size and firewall interface

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, enabling sniffing on the LTS Secure Sensor will provide full packet capture for in-depth network flow analysis and granular event correlation.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on all automated responses at the boundary

  • All of the necessary requirements for the lower recording profiles are satisfied with the SOC BOX solution.
  • Specifically, reports and alerts can be easily set up to fire for all automated responses at the network boundary.

4. Recording of workstation, server or device status

Define a set of Alerts and Reports that will identify configuration and status changes on internal workstations, servers and network devices.

Aware

  • Report and Alert on all Critical and above messages from hosts in scope
  • Report and Alert on all detected Malware on hosts in scope
  • Report on all Error messages from hosts in scope
  • Report on changes in status to Malware signature base

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • Quickly identify and isolate malware outbreaks throughout your network leveraging built-in security controls such as host-based IDS, Netflow analysis, event correlation, and log analysis.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Report on:
    • Failed access attempts to files
    • Changes to File or directory access rights of system folders
    • Change to status of networked hosts
    • Change in status of attached devices connected to controlled hosts
    • Status of storage volumes of monitored hosts
    • Changes to software configuration of monitored hosts

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • Built-in host-based IDS alerts on policy violations such as failed access attempts to files on critical systems.
  • Additionally, built-in file integrity monitoring captures anomalous changes to critical files and file systems such as access rights modifications, software configuration, and changes to storage volumes.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on changes to system files or folders
  • Report on:
    • All critical messages below Warning level from hosts in scope
    • Changes to system configuration on monitored hosts
    • Changes to system processes on monitored hosts

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • Built-in host-based IDS and file integrity monitoring technologies alert on critical changes to system files and folders.
  • These changes may include configuration changes as well as changes to key processes, critical for service availability monitoring and management.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • Report on:
    • Changes to software configuration of monitored hosts, including software inventory
    • Changes to system files, including before and after content
    • Changes to system configuration on monitored hosts, including before and after content

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.
  • Built-in host-based IDS and file integrity monitoring technologies alert on critical changes to system files and folders.

5. Recording relating to suspicious internal network activity

Define a set of Alerts and Reports that will identify suspicious activity across internal network boundaries from either internal or external agents.

Aware

  • Report on all Deny or Dropped packets on the Firewall

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • Provided the firewall is configured properly, SOC BOX will report and alert on all deny or dropped packets from the firewall.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on:
    • All Critical and above console messages from internal Firewalls
    • All Authentication Failures from internal network devices and monitoring consoles
  • Report on:
    • All Error status messages from the console or internal Firewalls
    • User sessions on the console or internal Firewalls
    • Change of status of Rule base on internal Firewalls and network devices

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • Provided the firewall is configured properly, SOC BOX will report and alert on all necessary activities for the “Deter” recording profile.
  • Specifically, SOC BOX will report and alert on error messages, authentication failures, user sessions, and rule base changes on firewalls and network devices.
  • Additionally, these activities can be correlated against other relevant data to provide a full picture of suspicious network activity.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on suspected internal Attacks
  • Report on:
    • All Warning messages from internal network devices
    • All commands sent to network devices or firewalls
    • Accepted packets being transferred by internal firewalls
    • All Deny or Dropped packets on internal Firewall, including full packet capture
    • Response to internal attacks and actions undertaken
    • Status Change to internal security software monitoring tools, such as your Security Incident and Event Management, Intrusion Detection Software, Intrusion Prevention Software, etc.

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • Provided the firewall is configured properly, SOC BOX will report and alert on all necessary activities for the “Detect and Resist” recording profile.
  • Specifically, our built-in threat detection and behavioral monitoring technologies are combined with event correlation rules to provide the security intelligence needed to identify suspected internal attacks.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on all automated response by internal IPS
  • Report on Accepted packets being transferred by internal firewalls, including full packet capture

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, enabling sniffing on the LTS Secure Sensor will provide full packet capture for in-depth network flow analysis and granular event correlation.

6. Recording relating to network connections

Define a set of Alerts and Reports that will identify temporary connections to the network, such as those made via a VPN or wireless connection.

Aware

  • Report and Alert on all remote Authentication Failures
  • Report and Alert on failed attempts to connect to the VPN
  • Report on:
    • DHCP assigned IP registration
    • Remote Access User sessions
    • Changes to VPN Node registrations

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • Built-in log management and event correlation enables the collection and analysis of valid and invalid authentication attempts to VPN and other network devices.
  • Other activities such as DHCP assignments, remote access user sessions, and changes to VPN node registrations are also logged and collected.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on:
    • Failed equipment connection attempts to protected network attachment points
    • Critical and above messages
    • Authentication Failures on network consoles
  • Report on:
    • Error messages from network consoles
    • All connection attempts to Wireless Access Points
    • User sessions to network connection consoles

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, failed connection attempts and authentication failures are captured and securely logged via LTS Secure Logger.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on all suspected wireless attacks
  • Report on:
    • Commands issued on network connection consoles
    • Remediation steps taken in response to internal attack notification
    • Status changes to IPS, IDS signatures

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • Additionally, built-in log management records commands issued on network connection consoles, and dynamic incident response templates provide the detailed remediation steps needed for any internal or external attack activity. Finally, status changes to IDS signatures are also logged.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on non-approved wireless interfaces and wireless access points

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.

7. Recording on session activity by user and workstation

Define a set of Alerts and Reports that will identify suspect user activity or allow forensic analysis of user activity within the network.

Aware

  • Report on:
    • User network sessions
    • User Account changes
    • User privilege or group changes
    • Administrator or super user application management

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • LTS Secure’s built-in log management and event correlation engine collects, correlates and analyses logs from directory servers, Windows and Unix servers, and other devices to capture the full context of user activity.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Alert on User account lockouts
  • Report on User privilege escalation on critical workstations and all servers
  • Report on execution of accountable User transactions

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, user account activity such as lockouts, transactions, and escalation of privilege will signal alerts.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Report on User sessions on critical workstations
  • Report on local User account changes on critical workstations
  • Report on changes to local user account or group membership changes on critical workstations
  • Report on execution of all network commands and executables

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, user account and administration activities such as session activity, changes on critical workstations, local user account and group membership changes as well as network commands will produce alerts and can be displayed in dashboard views and reports.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • Report on execution of accountable User transactions including the content of the transaction
  • Report on execution of all Workstation critical commands and executables

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, user transactions and critical commands and executables are logged, and these events are processed and analyzed by LTS Secure’s event correlation engine to produce alerts and user activity reports.

8. Recording of data backup status

Ensure a backup and recovery process is defined and adhered to, such that business can be confident of integrity and availability of the network resources.

Aware

  • Report on Backup, Test and Recovery operations
  • Alert on Backup, Test and Recovery operation failures

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • Notably, as long as backup, test and recovery operations are logged, the SOC BOX server can produce alerts when failures occur.

Deter

  • Ensure you meet the requirements of lower recording profiles

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Report on Backup, Test and Recovery operations including catalog details

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • Report on Backup, Test and Recovery operations including catalog details, site information and version information

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, as long as backup, test, and recovery operations (including catalog details, etc.) are logged, the SOC BOX server can produce alerts if any failure occurs during these operations.

9. Alerting critical events

Define a set of real-time Alerts and Reports that will identify events classified as “Critical” by the organization.

Aware

  • Report and Alert on all Alert messages generated by the SIEM solution

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • Built-in asset discovery, vulnerability assessment, threat detection and behavioral monitoring data provide a rich set of environmental information to be analyzed by LTS Secure’s SIEM and event correlation engine.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Reports and Alerts to be delivered by secondary delivery mechanisms, such as email, SMS etc.
  • Report on changes to Alert rule base

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • LTS Secure supports secondary delivery mechanisms for alerts such as email and will report on changes to the alert rule base.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Ensure Alerts are visible on consoles and or wall displays

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • LTS Secure’s all-in-one console provides flexible dashboards and reporting views to ensure prioritized follow-up to all alerts.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • SIEM solution should allow multicasting of Alerts to several locations

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, sending alerts to multiple destinations is fully supported by LTS Secure’s SIEM.

10. Reporting on the status of the audit system

Define a set of Alerts and Reports that will allow confidence in the integrity of the auditing system, such that the output of this system can be relied upon in a court of law.

Aware

  • Report and Alert on Log Cleared or Reset, Log collection errors, and threshold exceptions
  • Report on status of active log storage, space allocated, space used, space remaining and total record count

  • All of the necessary “Aware” recording requirements are satisfied within the SOC BOX solution.
  • SOC BOX will report on status of active log storage, total record count, and other details regarding space available and usage metrics.

Deter

  • Ensure you meet the requirements of lower recording profiles
  • Report on status of active log storage, space allocated, space used, space remaining and total record count trended in a graph over time
  • Report on status of active log storage, space allocated, space used, space remaining and total record count, plus log rotation information
  • Your SIEM solution should be able to prove chain of custody, where each part of the chain adds source and origin information. Original timestamps should not be modified
  • Report on log sources
  • Your SIEM solution should be able to prove chain of custody, where each part of the chain adds source and origin information, trended in a graphical format over time

  • All of the necessary “Deter” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, LTS Secure’s Logger preserves the integrity of all audit logs collected to prove chain of custody, and the SIEM engine provides the full source and origin information for each event log collected and analyzed.
  • Trending and graphical reports are available through the SOC BOX management console.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • Report and Alert on integrity checking failures anywhere within the chain of custody
  • Report on log access requests via queries or reports
  • The SIEM should have the capability to search online and archived log data

  • All of the necessary “Detect and Resist” recording requirements are satisfied within the SOC BOX solution.
  • Specifically, LTS Secure’s Logger preserves the integrity of all audit logs collected, and alerts on any failures that are generated related to the audit log.
  • Additionally, the SOC BOX solution will also report on log access requests and provides easy online searches for all archived raw log data.
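As an added illustration of the log-integrity properties asked for under PMC 1 (timestamped, hashed and signed audit records, alerts that reference the original record) and PMC 10 (chain of custody with source and origin information, alerting on any integrity failure in the chain), here is a small hash-chained audit log with a verifier; it is not LTS Secure code. HMAC-SHA256 stands in for the digital signature, and the key, log sources and log lines are constructed.

```python
"""Hash-chained, timestamped, signed audit log with chain-of-custody verification.

Added illustration, not LTS Secure code. HMAC-SHA256 stands in for the digital
signature GPG 13 asks for (standard library only); a real logger would use an
asymmetric signature with a protected key.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real deployment keeps it on the logger, not the log source.
SIGNING_KEY = b"demo-logger-key-not-for-production"
GENESIS = "0" * 64  # prev_hash of the first record


def _utc_now() -> str:
    # Collector timestamp in ISO 8601 UTC (PMC 1 "Aware"); never modified afterwards.
    return datetime.now(timezone.utc).isoformat(timespec="microseconds")


def _record_hash(rec: dict) -> str:
    # Hash everything except the hash and signature fields themselves; sorted keys
    # give a canonical encoding so the verifier recomputes the identical digest.
    body = {k: v for k, v in rec.items() if k not in ("hash", "sig")}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _sign(digest: str) -> str:
    return hmac.new(SIGNING_KEY, digest.encode(), hashlib.sha256).hexdigest()


def append_record(chain: list, source: str, origin: str, message: str, ts: str = "") -> dict:
    """Append one audit record linked to its predecessor (PMC 1 Deter / Detect and Resist)."""
    rec = {
        "seq": len(chain),
        "ts": ts or _utc_now(),
        "source": source,    # log source, e.g. hostname (PMC 10 Deter: source information)
        "origin": origin,    # collection path that forwarded it (PMC 10 Deter: origin information)
        "message": message,  # original audit log line, retained verbatim
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    rec["hash"] = _record_hash(rec)
    rec["sig"] = _sign(rec["hash"])
    chain.append(rec)
    return rec


def raise_alert(rec: dict, rule: str) -> dict:
    """Alerts are timestamped and reference the originating audit record (PMC 1 Aware)."""
    return {"ts": _utc_now(), "rule": rule, "audit_seq": rec["seq"],
            "audit_hash": rec["hash"], "source": rec["source"]}


def verify_chain(chain: list) -> list:
    """Return (seq, reason) integrity failures; an empty list means custody is intact.
    Any entry here is what a PMC 10 'integrity checking failure' alert should carry."""
    failures = []
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["seq"] != i:
            failures.append((i, "sequence gap or reorder"))
        if rec["prev_hash"] != expected_prev:
            failures.append((i, "broken link to previous record"))
        if _record_hash(rec) != rec["hash"]:
            failures.append((i, "content hash mismatch"))
        if not hmac.compare_digest(_sign(rec["hash"]), rec["sig"]):
            failures.append((i, "signature mismatch"))
        expected_prev = rec["hash"]
    return failures


def demo() -> tuple:
    """Build a three-record chain from constructed firewall and Windows log lines."""
    chain = []
    append_record(chain, "fw-edge-01", "syslog/udp",
                  "DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP DPT=445")
    rec = append_record(chain, "ws-fin-07", "agent",
                        "EventID=4625 LogonType=3 User=svc_backup Status=0xC000006D")
    alerts = [raise_alert(rec, "remote-logon-failure")]
    append_record(chain, "ws-fin-07", "agent", "EventID=4720 NewUser=tmpadmin")
    return chain, alerts


def tamper_and_verify(recompute_hash: bool = False) -> list:
    """Edit record 1 after the fact; optionally re-hash it as someone without the key would."""
    chain, _ = demo()
    chain[1]["message"] = chain[1]["message"].replace("svc_backup", "nobody")
    if recompute_hash:
        chain[1]["hash"] = _record_hash(chain[1])
    return verify_chain(chain)
```

An edit to the stored message alone shows up as a content hash mismatch; re-hashing the edited record without the key instead breaks the signature and the link from the following record, so either form of tampering is reported.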


Defend

  • Ensure you meet the requirements of lower recording profiles

  • All of the necessary “Defend” recording requirements are satisfied within the SOC BOX solution.

11. Production of sanitized and statistical management reports

Define a set of Reports that will provide feedback to management on the performance of the Protective Monitoring system effectiveness.

Aware

  • Report must be sanitized and omit identifying and sensitive information such as Username, IP addresses, Workstation names and Server names
  • If web reports are produced these must also be sanitized

  • All of the necessary “Aware” recording requirements can be satisfied within the SOC BOX solution.
  • Specifically, the 100+ built-in reports can be easily customized to anonymise specific information.
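A sanitizer of the kind this “Aware” requirement describes, as an added example (not LTS Secure's code): usernames, IP addresses and workstation/server names are replaced with stable keyed pseudonyms so the statistics still aggregate correctly, and a release check confirms nothing identifying survived. The report key, host and user inventory and sample events are constructed.

```python
"""Sanitize per-event records into a management report with no identifying data.

Added illustration, not LTS Secure code. Identifiers become stable keyed
pseudonyms so totals and trends still aggregate, while usernames, IP addresses,
workstation and server names never appear in the report output.
"""
import hashlib
import hmac
import re
from collections import Counter

REPORT_KEY = b"demo-report-pseudonym-key"  # constructed; rotate per reporting period
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Constructed inventory of names the sanitizer must also catch inside free text.
KNOWN_HOSTS = {"ws-fin-07", "srv-db-01", "fw-edge-01"}
KNOWN_USERS = {"svc_backup", "jsmith"}


def pseudonym(kind: str, value: str) -> str:
    """Same input always maps to the same token; the token cannot be reversed without the key."""
    tag = hmac.new(REPORT_KEY, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:8]
    return f"{kind}-{tag}"


def sanitize_text(text: str) -> str:
    """Replace IPv4 addresses and known host/user names wherever they occur in free text."""
    text = IPV4.sub(lambda m: pseudonym("ip", m.group()), text)
    for host in KNOWN_HOSTS:
        text = re.sub(rf"\b{re.escape(host)}\b", pseudonym("host", host), text)
    for user in KNOWN_USERS:
        text = re.sub(rf"\b{re.escape(user)}\b", pseudonym("user", user), text)
    return text


def sanitize_event(ev: dict) -> dict:
    """Keep only the fields management needs; pseudonymise the structured identifiers."""
    return {
        "ts": ev["ts"],
        "category": ev["category"],
        "severity": ev["severity"],
        "host": pseudonym("host", ev["host"]),
        "user": pseudonym("user", ev["user"]) if ev.get("user") else None,
        "detail": sanitize_text(ev["detail"]),
    }


def management_summary(events: list) -> dict:
    """Statistical view (PMC 11): counts by category and the busiest hosts, by pseudonym."""
    sanitized = [sanitize_event(e) for e in events]
    by_category = Counter(e["category"] for e in sanitized)
    by_host = Counter(e["host"] for e in sanitized)
    return {
        "total": len(sanitized),
        "by_category": dict(by_category),
        "top_hosts": by_host.most_common(3),
        "events": sanitized,
    }


def leaks(report: dict, sensitive: list) -> list:
    """Release check: any raw identifier still present in the serialised report."""
    blob = str(report)
    return [s for s in sensitive if s in blob]


# Constructed sample events as a SIEM might hand them to the reporting stage.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00Z", "category": "auth_failure", "severity": "medium",
     "host": "ws-fin-07", "user": "svc_backup",
     "detail": "Logon failure for svc_backup from 203.0.113.9"},
    {"ts": "2024-03-01T08:05:00Z", "category": "auth_failure", "severity": "medium",
     "host": "srv-db-01", "user": "jsmith",
     "detail": "Logon failure for jsmith at the srv-db-01 console"},
    {"ts": "2024-03-01T09:10:00Z", "category": "malware", "severity": "high",
     "host": "ws-fin-07", "user": None,
     "detail": "Quarantined dropper fetched from 198.51.100.23"},
]
```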


Deter

  • Ensure you meet the requirements of lower recording profiles
  • If external managed security service providers are used they might include custom reports that can be used directly for management

  • All of the necessary “Deter” recording requirements can be satisfied within the SOC BOX solution.
  • For example, customizing the built-in reports, templates, and dashboards can provide the specific views required for your management team.

Detect and Resist

  • Ensure you meet the requirements of lower recording profiles
  • It is expected that an enterprise solution is deployed to meet your GPG 13 requirements, most likely a SIEM working with a number of other technologies, such as an IPS, IDS, and Anti-Virus etc.
  • A complete Protective Monitoring Solution is likely to include audit or compliance check software

  • All of the necessary “Detect and Resist” recording requirements can be satisfied within the SOC BOX solution.
  • SOC BOX combines built-in security controls such as IDS, log management, Netflow analysis, file integrity monitoring, and vulnerability assessment to provide complete protective monitoring.

Defend

  • Ensure you meet the requirements of lower recording profiles
  • It is required to use defense in depth at this segment level, meaning different vendors for the different technologies required for a complete Protective Monitoring Solution, such as a different SIEM vendor from Anti-virus, IPS, IDS and Audit or compliance check software

While SOC BOX provides all of the built-in essential security controls necessary for protective monitoring, our open API allows for easy integration with additional data sources from other security vendors.

12. Providing a legal framework for Protective Monitoring activities

Define a requirement that will ensure all monitoring is conducted in a legal manner, and that the collected data is, in itself, protected and treated as sensitive data.

Deter

  • Report on user sign-up to the defined terms and conditions of network usage

This requirement is more of a procedural one than one that can be satisfied with technology alone. However, SOC BOX can track user activity to verify compliance with network usage terms and conditions.

Detect and Resist

  • Report on user sign-up to the defined terms and conditions of network usage, including digital user signatures
  • Any re-affirmation should also be logged and reported

This requirement is more of a procedural one than one that can be satisfied with technology alone. However, SOC BOX can track user activity to verify compliance and re-affirmation with network usage terms and conditions.

Defend

  • Report on user sign-up to the defined terms and conditions of network usage, including digital user signatures and hardware token or smart card references
  • Any re-affirmation should also be logged and reported

This requirement is more of a procedural one than one that can be satisfied with technology alone. However, SOC BOX can track user activity to verify compliance and re-affirmation with network usage terms and conditions.

ABOUT US

LTS Secure offers a Security Suite to rationalize, prioritize & automate the response to risks in your environment: comprehensive cyber security solutions with continuous monitoring at all layers of the IT stack, including network packets, flows, OS activities, content, user behaviors and application transactions.