This document discusses logging monitoring and file integrity monitoring solutions for compliance with various regulations. It provides an overview of certifications like PCI DSS, ISO 27001, and HIPAA. It describes the components of a logging and file integrity monitoring solution including asset lists, reporting, alarms, and dashboards. It also discusses challenges in the logging and monitoring space and introduces the ControlCase solution which uses agents, a log collector, security information and event management console, and security operations center monitoring to provide a compliant logging and file integrity monitoring solution.

1. Logging Monitoring & File Integrity
Monitoring
Presented by ControlCase

2. ControlCase
Introduction
Relevance of
logging
About Certifications
- PCI DSS
- ISO 27001
- HIPAA
Components of
logging/FIM
solution
AGENDA
Challenges Q&A
2

3. CORPORATE OVERVIEW
ControlCase™
Making Compliance Effortless
Over 500 clients across the
US, CEMEA, Europe, Latin
America and Asia/Pacific
regions,
Headquartered in the
Washington, DC
metro area (Fairfax,
VA)
ControlCase office or
partnership locations
include the US, Canada,
Colombia, India, UK, KSA,
Japan, Indonesia, Vietnam,
Philippines, Kuwait,
Malaysia, Brazil and Dubai
Unique offerings
brings Peace of Mind
to Compliance
3

4. PCI DSS
Qualified Security
Assessor (QSA) Company
ASV: Authorized Security
Vendor
ISO 27001 & 27002
International
Organization for
Standardization
SOC 1, SOC 2, SOC
3, & SOC for
Cybersecurity
Service Organization
Controls (AICPA)
HITRUST CSF
Health Information Trust
Alliance Common
Security Framework (CSF)
HIPAA
Health Insurance
Portability and
Accountability Act
NIST 800-53
National Institute of
Standards and Technology
GDPR
General Data Protection
Regulation
MARS-E
Minimum Acceptable
Risk Standards for
Exchanges
PCI PIN
PIN Audit
Microsoft SSPA
Supplier Security and
Privacy Assurance
Third Party Risk
Assessor
Shared Assessments
Program Certified product
licensee for SIG and AUP
PA-DSS
Payment Application
Qualified Security
Assessor (QSA)
CREDENTIALS
4

5. About PCI DSS, FISMA, HIPAA and ISO
27001

6. What is PCI DSS
Payment Card Industry Data Security Standard:
• Guidelines for securely processing, storing, or transmitting
payment card account data
• Established by leading payment card issuers
• Maintained by the PCI Security Standards Council (PCI SSC)
6

7. What is FISMA
• Federal Information Security Management Act (FISMA)
of 2002
– Requires federal agencies to implement a
mandatory set of processes, security controls and
information security governance
• FISMA objectives:
– Align security protections with risk and impact
– Establish accountability and performance measures
– Empower executives to make informed risk
decisions
7

8. What is HIPAA
• HIPAA is the acronym for the Health Insurance Portability
and Accountability Act that was passed by Congress in
1996. HIPAA does the following:
– Provides the ability to transfer and continue health
insurance coverage for millions of American workers and
their families when they change or lose their jobs;
– Reduces health care fraud and abuse;
– Mandates industry-wide standards for health care
information on electronic billing and other processes;
and
– Requires the protection and confidential handling of
protected health information
8

9. What is ISO 27001/ISO 27002
ISO Standard:
• ISO 27001 is the management framework for implementing
information security within an organization
• ISO 27002 are the detailed controls from an implementation
perspective
9

10. Compliance and Security Topics covered
by log monitoring & File Integrity
Monitoring (FIM)

11. Logging and Monitoring
11
Reg/Standard Coverage area
ISO 27001 A.7, A.12
PCI 6, 11
EI3PA 10, 11
HIPAA 164.308a1iiD
FISMA SI-4
 Logging
 File Integrity Monitoring
 24X7 monitoring
 Managing volumes of data

12. Change Management and Monitoring
12
Escalation to incident for unexpected logs/alerts
Response/Resolution process for expected logs/alerts
Correlation of logs/alerts to change requests
Change Management ticketing System
Logging and Monitoring (SIEM/FIM etc.)
Reg/Standard Coverage
area
ISO 27001 A.10
PCI 1, 6, 10
EI3PA 1, 9, 10
FISMA SA-3

13. Incident and Problem Management
13
 Monitoring
 Detection
 Reporting
 Responding
 Approving
Lost Laptop
Changes to
firewall
rulesets
Upgrades
to
applications
Intrusion
Alerting
Reg/Standard Coverage area
ISO 27001 A.13
PCI 12
EI3PA 12
HIPAA 164.308a6i
FISMA IR Series

14. Logging Monitoring & FIM solution
components

15. Components of a Solution
15
In Scope
Asset List
Status of
Reporting
Logging &
Monitoring
Matrix
Alarms
Daily Reports
Dashboards
Triangulation
Discrepancy
Updating
Asset List

16. In Scope Asset List
16

17. Status of Reporting
17
Reporting assets
Not reporting assets
Sample reasons why assets stop
reporting
- FIM agent disconnection
- Misconfigured firewall ruleset
- Loss in network connectivity
- Change is server or device configuration
- Change in log settings

18. Logging and Monitoring Matrix
18
- PCI 10.2.x
- PCI 12.10.5
- PCI 10.7
- PCI 10.8
- PCI 11.5
- PCI 1.3.x
- PCI 8.1.5
- Other compliance use
cases
- Disconnected Systems
- Surge in traffic
- Other Business as Usual
cases
Use Cases
- Servers
- IDS/IPS
- Databases
- Antivirus
- Firewalls
Source of Log
- Individual Access to PII
- Actions by root/admin
- Failed login attempts
- Monitor IDS/IPS events
- Malware Events
- Disconnected Systems
- File Integrity Monitoring
- User Access
Trigger Points

19. Alarms – Security Use Cases
19
Monitor IDS/IPS
events
Customer IDS/IPS 12.10.5
List of malware
infected systems
Customer Antivirus
Solution
10.7
List of systems not
within baseline of
log volume
Customer Servers and
Databases, Firewalls
Monitor surge in log
traffic
Customer Servers and
Databases, Firewalls

20. Daily Reports – Compliance Use Cases
20
Trigger points Source of log PCI
Requirement
Individual user
access to card data
Customer Servers and
Databases
10.2.1
Actions taken by
root or admin access
Customer Servers and
Databases, Firewalls,
IDS/IPS
10.2.2
Failed login attempts Customer Servers and
Databases, Firewalls,
IDS/IPS
10.2.3

21. Centralized Dashboard
21

22. Updating Asset List using Triangulation
22
Updated Asset List
Identity and
Access
Management
Data
Asset List
Vulnerability
Data

23. Challenges in Logging and Monitoring Space

24. #ALLMYDATA
24
#ALLMYDATA
• Long deployment cycles
• Skills to manage the product(s)
• Management of infrastructure
• Disparate components – FIM, syslog etc.
• 24X7X365 monitoring
• Increased regulations
• Reducing budgets (Do more with less)
Challenges

25. ControlCase Solution

26. YOU SEE IT IN NEW
REGULATIONS
ControlCase Solution
ISO
•Agents are installed on
each Workstation
•Agents monitor File
changes for the File
Integrity Monitoring
(FIM) requirement and
also gather and
transmit all logs
relevant from a
compliance perspective
to the Log
Collector/Sensor on our
Appliance
• ControlCase appliance
registers and tracks all
agents in the field
•The sensor/collector
collects and
compresses logs
coming in from the
various agents
•The logs are finally
transported securely to
our SIEM console in our
Security Operations
Center (SOC)
•The SIEM console
gathers all the logs,
correlates them and
identifies threats and
anomalies as required
by compliance
regulations
•SOC personnel
monitor the SIEM
console 24x7x365 and
alert our clients and
our Analyst teams
about any potential
issues related to
compliance reporting
Customer Location Service Provider ControlCase SOC

27. THANK YOU
Q&A
ControlCase: Making Compliance Effortless