Robert Christian - Security Information & Event Management (SIEM) and compliance with ISO 27001
Security Information and Event Management & Regulatory Compliance
Robert Christian, MSc Information Security, RHUL
Agenda
• Regulatory Compliance
• ISO / IEC / JTC-1
• ISO 27x Standards Series
• ISO 27001: The Requirements Standard
• SIEM
• Compliance Monitoring with SIEM
• Summary

Regulatory Compliance
Regulatory compliance is rarely a question of technology, but mostly a question of documenting due process!
ISO
• ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards.
• ISO is a network of the national standards institutes of 160 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system.
• ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations.
• Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society.

ISO 27x
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote.

JTC-1
• The ISO 27000 series is developed by JTC 1/SC 27.
• Certification is given for ISO 27001 only.
• The other documents in the series are underlying sub-standards and best-practice guidance.
ISO 27x Series: Information Security Management System Standards
(The slide shows this as a diagram; the entries below are what is recoverable from it, grouped by the diagram's own labels. A "+" in the diagram is rendered here as "with".)

Vocabulary
• 27000 Overview and vocabulary
• Guide 73 Risk management vocabulary

Governance
• 27014 Governance framework
• 27004 Measurements
• 31000 Risk management principles and guidelines

Implement
• 27001 Requirements (the certification standard)
• 27002 Controls
• 27003 Implementation guidance
• 27005 Risk management
• 27013 Guidelines for 20000-1 with 27001

Certification
• 27006 Audit and certification, with 17021 Bodies providing audit and certification of management systems and EA7/03 Certification/registration bodies
• 27007 Guidelines for ISMS auditing, with 19011 Quality and/or environmental management system auditing
• 27008 Guidance for auditors on ISMS controls

Appliance (sector- and domain-specific; diagram label "WG4 Controls")
• 27010 Inter-sector and inter-organization communication
• 27011 Telecommunications organizations, based on ISO/IEC 27002
• 27015 Financial and insurance services sector
• 27799 Health, with ISO/IEC 27002
• 27031 ICT readiness for business continuity
• 27032 Cyber security
• 27033 Network security: Part 1 Overview and concepts; Part 2 Guidelines for the design and implementation; Part 3 Reference networking scenarios - risks, design techniques and control issues; Part 4 Securing communications; Part 5 Networks using virtual private networks; Part 6 IP convergence; Part 7 Wireless
• 27034 Application security: Part 1 Overview and concepts; Part 2 Organization normative framework; Part 3 Security management process; Part 4 Security validation; Part 5 Controls data structure
• 27035 Security incident management
• 27036 (title not legible in the diagram)
• 27037 Identification, collection, acquisition and preservation of digital evidence

ISO 27001
• ISO/IEC 27000, Information security management systems - Overview and vocabulary
• ISO/IEC 27001:2005, Information security management systems - Requirements
• ISO/IEC 27002:2005, Code of practice for information security management
• ISO/IEC 27003, Information security management system implementation guidance
• ISO/IEC 27004, Information security management - Measurement
• ISO/IEC 27005:2008, Information security risk management
• ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems
• ISO/IEC 27007, Guidelines for information security management systems auditing
• ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
What is ISO 27001 about?
"…This International Standard has been prepared to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS)…"
"…The design and implementation of an organization's ISMS is influenced by their needs and objectives, security requirements, the processes employed and the size and structure of the organization. These and their supporting systems are expected to change over time. It is expected that an ISMS implementation will be scaled in accordance with the needs of the organization…"
Source: ISO/IEC FDIS 27001:2005(E)

PDCA (Plan-Do-Check-Act) applied to the ISMS
• Plan: establish the ISMS
• Do: implement and operate the ISMS
• Check: monitor and review the ISMS
• Act: maintain and improve the ISMS
Compliance Monitoring & SIEM
Security Information and Event Management
SIEMs serve the objective of collecting, analysing and correlating ALL relevant security information, so that the user can prioritise information and alerts, and discover patterns (e.g. of behaviour) that are normally not visible, by creating context.

Compliance Monitoring & SIEM
[Chart on the slide: the SIEM processing chain (cross correlation, false-positive cleaning, prioritization, attack / vulnerability / threat inventory, impact analysis), annotated with effectiveness percentages of 20%, 30%, 50% and 100%.]
SIEM products have achieved great intelligence, but they are rarely fed with the information needed to use it: without an asset and vulnerability inventory as context, correlation cannot tell a real hit from a false positive, and prioritisation cannot reflect business impact.
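The following is an added example, not code from the original deck or from any SIEM product, of the "context" the slide says SIEMs are rarely given. It takes constructed IDS alert lines (a made-up key=value syslog-style layout, placeholder hostnames, placeholder vulnerability ids such as VULN-001, documentation IP addresses) and a constructed asset/vulnerability inventory, and does three things the slide lists: cleans false positives (an exploit attempt against a host that does not carry the vulnerability scores zero), prioritises by business criticality, and cross-correlates events so that an exploit attempt preceded by a port scan from the same source is ranked above the same signature seen in isolation. Hosts missing from the inventory are kept visible and flagged as an inventory gap, because that gap is itself a finding worth documenting.

```python
import re

# Constructed asset / vulnerability inventory (placeholder host names and vuln ids).
# criticality: 1 (low) .. 4 (critical); vulns: open, unpatched findings on the host.
ASSETS = {
    "web01":  {"criticality": 3, "vulns": {"VULN-001"}},
    "db01":   {"criticality": 4, "vulns": set()},
    "kiosk7": {"criticality": 1, "vulns": {"VULN-002"}},
}

# Constructed IDS alert lines in an invented key=value syslog-style layout.
SAMPLE_ALERTS = [
    "2011-03-01T10:00:01Z ids01 ALERT sig=port-scan src=203.0.113.5 dst=web01",
    "2011-03-01T10:00:02Z ids01 ALERT sig=exploit-attempt vuln=VULN-001 src=203.0.113.5 dst=web01",
    "2011-03-01T10:00:03Z ids01 ALERT sig=exploit-attempt vuln=VULN-001 src=203.0.113.5 dst=db01",
    "2011-03-01T10:00:04Z ids01 ALERT sig=exploit-attempt vuln=VULN-002 src=203.0.113.9 dst=fileserver9",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) ALERT (?P<kv>.*)$")


def parse_alert(line):
    """Parse one alert line into a dict of fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "sensor": m.group("sensor")}
    for tok in m.group("kv").split():
        key, _, value = tok.partition("=")
        ev[key] = value
    return ev


def score_alert(ev, assets):
    """Enrich one alert with inventory context; return (score, reason).

    score 0 means 'suppress as false positive'; higher means more urgent.
    """
    asset = assets.get(ev.get("dst"))
    if asset is None:
        # Unknown target: impact cannot be judged, so keep it visible and flag the gap.
        return 2, "target not in asset inventory (inventory gap)"
    vuln = ev.get("vuln")
    if vuln is not None:
        if vuln not in asset["vulns"]:
            return 0, f"target not vulnerable to {vuln} (false positive)"
        return asset["criticality"] + 2, f"target vulnerable to {vuln}"
    # Signature without a vulnerability reference: rank by business criticality only.
    return asset["criticality"], f"uncontextualised signature {ev.get('sig')}"


def triage(lines, assets=ASSETS):
    """Parse, enrich, cross-correlate and rank alert lines; return findings sorted by score."""
    events = [ev for ev in map(parse_alert, lines) if ev is not None]

    # Cross-correlation context: earliest port scan seen per (source, target) pair.
    # Timestamps share one ISO 8601 layout, so string comparison orders them correctly.
    first_scan = {}
    for ev in events:
        if ev.get("sig") == "port-scan":
            key = (ev.get("src"), ev.get("dst"))
            first_scan[key] = min(first_scan.get(key, ev["ts"]), ev["ts"])

    findings = []
    for ev in events:
        score, reason = score_alert(ev, assets)
        key = (ev.get("src"), ev.get("dst"))
        # Recon followed by an exploit attempt from the same source is a pattern
        # neither event shows on its own; raise it, but never resurrect a suppressed hit.
        if score > 0 and ev.get("sig") == "exploit-attempt" and key in first_scan \
                and first_scan[key] < ev["ts"]:
            score += 1
            reason += "; preceded by port scan from same source"
        findings.append({**ev, "score": score, "reason": reason})

    findings.sort(key=lambda f: f["score"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ALERTS):
        print(f"{f['score']:>2}  {f['ts']}  {f.get('sig'):<16} {f['src']} -> {f['dst']}  {f['reason']}")
```

Run on the sample, the exploit attempt against web01 ranks first (vulnerable target, criticality 3, plus the preceding scan), the identical signature against db01 drops to zero because db01 is not exposed to VULN-001, and the alert against the unlisted fileserver9 surfaces the inventory gap rather than being silently discarded. Feeding the SIEM the inventory is what makes the difference between these outcomes and four equally ranked alerts.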