ACCELERATE ISO 27001 COMPLIANCE WITH SIEM
MAPPING SIEM & ISO 27001 · 2020-02-24

ADDRESS Sentor Managed Security Services AB · Björns Trädgårdsgränd 1 · 116 21 STOCKHOLM
EMAIL [email protected] · PHONE +46 (0)8-545 333 00 · WEBSITE www.sentor.se

Accelerate ISO 27001 compliance with SIEM

For most organizations, achieving ISO 27001 compliance is a challenging task because of its broad scope. This SIEM and ISO 27001 mapping aims to show how Sentor's SIEM solution LogSentry can accelerate ISO 27001 compliance. To accelerate ISO 27001 compliance, organizations need to simplify, consolidate and automate essential security controls. LogSentry can assist in meeting controls in the following areas:

• Asset Management
• Access Control
• Logging and Monitoring
• Network Security Management
• Application Security Management
• Information Security Incident Management

Detect unwanted activity and ensure compliance with LogSentry

LogSentry safeguards your business and its IT systems from potential security breaches. With 24/7, 365-days-a-year monitoring, alerting and incident management support via Sentor's Security Operations Center, security analysts can detect and respond to cyber threats in near real time. For more information on SIEM or ISO 27001, visit Sentor.se or contact us via [email protected].


ISO 27001 controls to LogSentry mapping

The mapping below lists, for each ISO 27001 control objective and each ISO 27001 control, how Sentor LogSentry helps you reach compliance.

A.8 - Asset Management

A.8.1 Responsibility for assets

A.8.1.1 Inventory of assets

Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained

• Discovers, inventories and supports review of changes to the operating systems, software applications, and services running within discovered assets

A.9 – Access Control

A.9.2 User Access Management

A.9.2.2 User Access Provisioning

A formal user access provisioning process shall be implemented to assign or revoke access rights for all user types to all systems and services

• Monitors and logs the provisioning and de-provisioning of user accounts in applications, in Microsoft AD, in Office 365 (Azure Active Directory), in G Suite, and in authentication products

A.9.2.3 Management of privileged access rights

The allocation and use of privileged access rights shall be restricted and controlled

• Monitors and logs successful and failed logon events to assets across your on-premises and cloud environments, as well as to cloud applications including Office 365 and G Suite

• Monitors and logs successful and failed logon attempts to external applications through Azure Active Directory, and to Office 365 and G Suite


A.12 – Operations Security

A.12.2 – Protection from malware

A.12.2.1 - Controls against malware

Detection, prevention and recovery controls to protect against malware shall be implemented, combined with appropriate user awareness

• Identifies systems susceptible to known vulnerabilities, or that may not have antivirus installed and/or operational

• Monitors for indicators of malware-based compromise, such as communication to a known Command & Control (C&C, or C2) server

• Continuous development and updating of use cases to enable detection of new and existing threats. A possible log source could be IDS, to enhance detection of malware.

A.12.4 – Logging and monitoring

A.12.4.1 – Event logging

Event logs recording user activities, exceptions, faults and information security events shall be produced, kept and regularly reviewed

• Aggregates events and log data, including user and administrator activity, from across your on-premises and cloud environments, and cloud applications

• File Integrity Monitoring can detect and log access and changes to critical system and application data and configuration files, and to the Windows Registry

• SIEM systems can be configured to store alerts and events in 'hot storage' for any required duration of time, enabling rapid search and inspection, and raw events in 'cold', long-term storage for offline investigation and evidence


A.12.4.2 – Protection of log information

Logging facilities and log information shall be protected against tampering and unauthorized access.

• By sending the logs to a dedicated system where Sentor monitors all activity, including the access and actions performed on log data, the logs are protected against tampering by unauthorized personnel

• File Integrity Monitoring can detect and log access and changes to critical system and application configuration and log files, and to the Windows Registry, detecting any attempt to delete or prevent the processing of log data
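The two checks above (a copy of the logs on a dedicated system, and detection of attempts to delete or stop log data) can be expressed as a small detector run over the events a collector receives. The example below is added here and is not Sentor's or LogSentry's code; the hostnames and log lines are constructed, while event IDs 1102 and 4719 are real Windows Security event IDs.

```python
"""Flag indicators that a source host's audit trail is being altered or silenced.

Added example, not Sentor's LogSentry code. Windows Security event IDs 1102
(audit log cleared) and 4719 (audit policy changed) are real; the hosts,
timestamps and log lines below are constructed for this example.
"""
from datetime import datetime, timedelta

# Constructed forwarded events, one per line: "<ISO timestamp> <host> <event_id> <message>"
SAMPLE_LOG = """\
2020-02-24T08:00:00 srv-fs01 4624 An account was successfully logged on
2020-02-24T08:00:30 srv-dc01 4624 An account was successfully logged on
2020-02-24T08:01:00 srv-fs01 4719 System audit policy was changed
2020-02-24T08:02:00 srv-fs01 1102 The audit log was cleared
2020-02-24T08:03:00 srv-dc01 4624 An account was successfully logged on
2020-02-24T09:30:00 srv-dc01 4624 An account was successfully logged on
"""

# Events that mean someone changed or erased the audit trail on the source host itself
TAMPER_EVENT_IDS = {1102: "audit log cleared", 4719: "audit policy changed"}


def parse_line(line):
    """Split one forwarded line into (timestamp, host, event_id, message)."""
    ts, host, event_id, message = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, int(event_id), message


def find_tamper_indicators(log_text, silence_minutes=30):
    """Return (host, timestamp, reason) alerts for explicit tampering events and
    for hosts whose forwarded stream goes quiet longer than silence_minutes:
    the collector's copy survives local deletion only while events keep arriving."""
    silence = timedelta(minutes=silence_minutes)
    alerts, last_seen, latest = [], {}, None
    for line in log_text.splitlines():
        ts, host, event_id, _ = parse_line(line)
        if event_id in TAMPER_EVENT_IDS:
            alerts.append((host, ts, TAMPER_EVENT_IDS[event_id]))
        gap = ts - last_seen.get(host, ts)          # zero gap for a host's first event
        if gap > silence:
            alerts.append((host, ts, f"silent for {int(gap.total_seconds() // 60)} min"))
        last_seen[host] = ts
        latest = ts if latest is None or ts > latest else latest
    # A host that simply stops sending is the quietest way to prevent log processing
    for host, ts in last_seen.items():
        gap = latest - ts
        if gap > silence:
            alerts.append((host, latest, f"silent for {int(gap.total_seconds() // 60)} min"))
    return alerts
```

On the constructed sample this raises four alerts: the policy change and log clearing on srv-fs01, the 87-minute gap in srv-dc01's stream, and srv-fs01 falling silent after its log was cleared.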

A.12.4.3 – Administrator and operator logs

System administrator and system operator activities shall be logged, and the logs protected and regularly reviewed

• Monitors and logs successful and failed logon events to assets across your on-premises and cloud environments, as well as to cloud applications

• Monitors and logs successful and failed logon attempts to external applications through Azure Active Directory, Okta, Office 365, G Suite and other LDAP sources

• Monitors for changes to Office 365 policies such as Data Leakage Protection (DLP), information management, and more

• Monitors user and administrator activities, including access and modification of files and content, in on-premises and cloud-hosted assets, and in cloud applications


A.12.4.4 – Clock Synchronization

The clocks of all relevant information processing systems within an organization or security domain shall be synchronized to a single reference time source

• Monitors and alarms on Group Policy errors, which could indicate issues or attempts to disable clock synchronization

• File Integrity Monitoring can detect changes and access to critical system and application configuration files, and Windows Registry entries, which could indicate issues or attempts to disable clock synchronization

A.13 – Communication Security

A.13.1 – Network security management

A.13.1.1 – Network controls

Networks shall be managed and controlled to protect information in systems and applications

• Monitors and correlates events gathered from network traffic (network IDS, cloud IDS) and network devices (routers, switches, firewalls, and more) to identify anomalous network traffic, such as communication to a known malicious server

• Continuously updated threat intelligence from multiple sources, to detect communication with known bad hosts, is included as standard in the service

A.13.2 – Information transfer

A.13.2.3 – Electronic messaging

Information involved in electronic messaging shall be appropriately protected

• Monitors for phishing or malware attacks against email services, including Office 365 and G Suite

• Audits administrator actions, including mailbox creation and deletion, or changing configurations that could disable protection mechanisms such as encryption or data leakage protection

• Know when users access mailbox folders, purge deleted items, access other mailbox accounts, and more

• Be alerted to changes to Exchange policies that could let in malware

A.14 – System acquisition, development and maintenance

A.14.1 – Security requirements of information systems

A.14.1.2 – Securing application services on public networks

Information involved in application services passing over public networks shall be protected from fraudulent activity, contract dispute and unauthorized disclosure and modification

• Monitors and alarms on Group Policy errors, which could indicate attempts to disable local security services and introduce misconfigurations that compromise asset integrity and security

• File Integrity Monitoring can detect changes and access to critical system and application configuration files, and Windows Registry entries, which could indicate installation of malware or disabling of protection mechanisms like two-factor authentication or encryption

• Detects the use of clear-text protocols for network communication over insecure networks

A.14.1.3 – Protecting application services transactions

Information involved in application service transactions shall be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay

• Monitors and correlates events gathered from network traffic (network IDS, cloud IDS) and network devices (routers, switches, firewalls, and more) to identify anomalous network traffic, such as communication of transactions and data to a known malicious server

A.16 – Information security incident management

A.16.1 – Management of information security incidents and improvements

A.16.1.2 – Reporting information security events

Information security events shall be reported through appropriate management channels as quickly as possible

• Enables creation of different user accounts that grant access to the Sentor customer portal and/or SIEM solution for inspection and review of alarms, events and reports

• Built-in notification capabilities enable analysts to be alerted to alarms through email, SMS, customer portal or telephone

A.16.1.4 – Assessment of and decision on information security events

Information security events shall be assessed, and it shall be decided if they are to be classified as information security incidents

• Sentor SOC analyses all alerts 24/7 to qualify whether there is a potential security incident. The analysis is performed by trained and qualified security analysts. Continuous development ensures that the service operates with the latest correlation directives and context on those threats, to support comprehension and incident response decision making


A.16.1.5 – Response to information security incidents

Information security incidents shall be responded to in accordance with the documented procedures

• Sentor SOC provides recommendations on how to respond to different incident types, and an individual Incident Response Plan is created for each customer

• Sentor offers a ticketing API to integrate ticketing systems like Jira and ServiceNow

A.16.1.6 – Learning from information security incidents

Knowledge gained from analyzing and resolving information security incidents shall be used to reduce the likelihood or impact of future incidents

• Provides forensics investigation using rich filter and search capabilities, and reporting, against event and log data that is centrally aggregated and retained from across your on-premises and cloud environments and applications

A.16.1.7 – Collection of evidence

The organization shall define and apply procedures for the identification, collection, acquisition and preservation of information, which can serve as evidence

• Aggregates events and log data from across your on-premises and cloud environments, and cloud applications including Office 365 and G Suite, into long-term log storage

• Maintains a searchable database of incidents for the full service period, accessible in the Sentor Portal
