Protective monitoring: GPG 13 compliance solutions
AlienVault® Unified Security Management™ (USM™) delivers the essential security controls you need to accelerate and simplify your compliance with the twelve protective monitoring controls within the Good Practice Guide 13 (GPG 13).
Understand Who is Accessing Your Organisation’s Sensitive Data
Achieving compliance with GPG 13’s twelve Protective Monitoring Controls (PMC) is challenging—especially for organisations managing competing priorities, limited budgets, and small IT security teams. The secret to success is to consolidate, automate, and simplify the essential security controls and data analysis to quickly detect threats and prioritise your response.
AlienVault’s USM platform is designed specifically for IT teams with limited resources to deliver the protective monitoring you need to achieve GPG 13 compliance and reduce risk.
Its built-in data sources eliminate the need to purchase and manage multiple security point products, and the integrated threat intelligence automatically alerts you to emerging threats.
Comprehensive Visibility
- Gain operational insight with built-in security controls that provide essential monitoring
- Understand who is accessing your organisation’s sensitive data
- Import data from your existing systems quickly to supplement AlienVault USM’s data sources
- Manage all configuration, analysis and reporting from a single console
Integrated Threat Intelligence
- Focus on responding to threats rather than researching every alert
- Eliminate the need to create correlation rules to detect related events across your network
- Utilise context-specific response guidance to know where and how to respond to threats
Comprehensive Visibility
The AlienVault USM platform puts up-to-the-minute security and threat information about systems, data, and users at your fingertips. You access this information via a single management console, which gives you complete security visibility and provides you with a unified threat detection and GPG 13 compliance management solution.
AlienVault Labs Threat Intelligence keeps the security controls built into AlienVault USM up to date. These continuous updates, coupled with a robust, customizable reporting engine, provide the protective monitoring you need.
The AlienVault USM platform also tells you what assets are in your environment, their status and location, the severity of any vulnerability on those assets, and changes to any critical files or configuration. Additionally, it automatically detects suspicious and malicious traffic in your network and displays alarms in a ‘kill chain taxonomy’ that describes attack severity and attacker intent, minimizing the need for your IT team to research new threats.
AlienVault USM Covers All 12 Protective Monitoring Controls
Provide a means to ensure that accounting and auditing logs record accurate timestamps.
- Ensure all accounting and audit logs include a timestamp
- Any Alerts generated must be timestamped and should reference the original audit log
All of the necessary “Aware” recording requirements are satisfied within the USM solution. AlienVault’s Logger preserves the integrity of all audit logs collected, and timestamps each audit log, as well as any alerts that are generated related to the audit log.
- Ensure you meet the requirements of lower recording profiles
- Digitally sign the timestamp as a minimum
- Hash the log file that stores the collected audit log
All of the necessary “Deter” recording requirements are satisfied within the USM solution. Built-in host-based IDS alerts on policy violations such as failed access attempts to files on critical systems. Built-in file integrity monitoring captures anomalous changes to critical files and file systems such as access rights modifications, software configuration, and changes to storage volumes. Additionally, USM alerts when an attached device (e.g. USB drive) connects to a monitored host.
- Ensure you meet the requirements of lower recording profiles
- Hash the transaction and digitally sign, plus retain a copy of the audit log
All of the necessary “Detect and Resist” recording requirements are satisfied within the USM solution. AlienVault’s Logger preserves the integrity of all audit logs collected, which includes a digital signature, hash code and checksum. Additionally, the original audit log is retained.
- Ensure you meet the requirements of lower recording profiles
All of the necessary “Defend” recording requirements are satisfied within the USM solution. AlienVault’s Logger preserves the integrity of all audit logs collected, which includes a digital signature, hash code and checksum. Additionally, the original audit log is retained.
Define a set of Alerts and Reports that will identify authorised vs. non-authorised business traffic across the network boundary. This requires the ability to distinguish authorised from non-authorised traffic, to prevent and alert on the transport of malicious code, and to identify the manipulation of other business traffic.
- Report and Alert on Malware detected crossing the boundary
All of the necessary “Aware” recording requirements are satisfied within the USM solution. AlienVault’s built-in IDS (network and host-based) will report and alert on detected malware—wherever it is on the network.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on:
- Blocked web browsing activities
- Failed file imports and exports across boundary
All of the necessary “Deter” recording requirements are satisfied within the USM solution. Provided the gateway firewall or filtering proxy is configured properly, USM will report and alert on blocked activities and failed file imports and exports.
- Ensure you meet the requirements of lower recording profiles
- Report on:
- Failed file imports and exports across boundary and keep a copy of file content for auditing purposes
- Failed file imports and exports across boundary and keep a copy of file content, Security Label and File Signature, for auditing purposes
- Accepted web traffic across boundary
- Accepted incoming and outgoing file transfers across boundary
All of the necessary “Detect and Resist” recording requirements are satisfied within the USM solution. Provided the gateway firewall or filtering proxy is configured properly, USM will report and alert on blocked activities and failed file imports and exports—through the correlation of the firewall/proxy logs. Additionally, any accepted incoming and outgoing file transfers and web activity will also generate alerts and can be investigated using USM’s single-pane-of-glass incident response workflow, reporting and dashboards.
- Ensure you meet the requirements of lower recording profiles
- Report on:
- Accepted incoming and outgoing file transfers across boundary, including a copy of the file content
- Accepted file imports and exports across boundary and keep a copy of file content, Security Label and File Signature, for auditing purposes
- Files that have been placed in a file cache, including its URL, content, Security Label, Signature and time to live
- Who has accessed file cache
All of the necessary “Defend” recording requirements are satisfied within the USM solution. Provided the gateway firewall or filtering proxy is configured properly, USM will report and alert on blocked activities and failed file imports and exports—through correlation of the firewall/proxy logs. Additionally, any accepted incoming and outgoing file transfers and web activity will also generate alerts and can be investigated using USM’s single-pane-of-glass incident response workflow, reporting and dashboards.
Define a set of alerts and Reports that will identify suspicious network traffic crossing the network boundary.
- Report Deny or Dropped packets on Firewall
Provided the firewall is configured properly, USM will report and alert on all deny or dropped packets from the firewall.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on Critical console messages from boundary devices
- Report and Alert on Authentication failures on boundary devices and systems
- Report and Alert on suspected Attacks at the boundary
- Report on:
- Error console messages from boundary devices
- User sessions on boundary devices and consoles
- Changes to Firewall and boundary device rule base, including in response to a detected Attack
- Status Change to security software monitoring tools, such as your Security Incident and Event Management, Intrusion Detection Software, Intrusion Prevention Software, etc.
All of the necessary “Deter” recording requirements are satisfied within the USM solution. Quickly identify and isolate suspicious network traffic leveraging built-in security controls such as IDS, netflow analysis, event correlation, and log analysis. Additionally, dynamic incident response templates provide customized guidance for each alert.
- Ensure you meet the requirements of lower recording profiles
- Report on:
- Warning console messages from boundary devices
- All commands issued to boundary devices or boundary consoles
- Packets traversing the boundary device, including packet header, size and firewall interface
- Packets traversing the boundary device, including full packet capture, size and firewall interface
All of the necessary “Detect and Resist” recording requirements are satisfied within the USM solution. Specifically, enabling sniffing on the AlienVault Sensor will provide full packet capture for in-depth network flow analysis and granular event correlation.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on all automated responses at the boundary
All of the necessary requirements for the lower recording profiles are satisfied within the USM solution. Specifically, reports and alerts can easily be set up to fire on all automated responses at the network boundary.
Define a set of Alerts and Reports that will identify configuration and status changes on internal workstations, servers and network devices.
- Report and Alert on all Critical and above messages from hosts in scope
- Report and Alert on all detected Malware on hosts in scope
- Report on all Error messages from hosts in scope
- Report on changes in status to Malware signature base
All of the necessary “Aware” recording requirements are satisfied within the USM solution. Quickly identify and isolate malware outbreaks throughout your network leveraging built-in security controls such as host-based IDS, netflow analysis, event correlation, and log analysis.
- Ensure you meet the requirements of lower recording profiles
- Report on:
- Failed access attempts to files
- Changes to File or directory access rights of system folders
- Change to status of networked hosts
- Change in status of attached devices connected to controlled hosts
- Status of storage volumes of monitored hosts
- Changes to software configuration of monitored hosts
All of the necessary “Deter” recording requirements are satisfied within the USM solution. Built-in host-based IDS alerts on policy violations such as failed access attempts to files on critical systems. Additionally, built-in file integrity monitoring captures anomalous changes to critical files and file systems such as access rights modifications, software configuration, and changes to storage volumes.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on changes to system files or folders
- Report on:
- All critical messages below Warning level from hosts in scope
- Changes to system configuration on monitored hosts
- Changes to system processes on monitored hosts
All of the necessary “Detect and Resist” recording requirements are satisfied within the USM solution. Built-in host-based IDS and file integrity monitoring technologies alert on critical changes to system files and folders. These changes may include configuration changes as well as changes to key processes, critical for service availability monitoring and management.
- Ensure you meet the requirements of lower recording profiles
- Report on:
- Changes to software configuration of monitored hosts, including software inventory
- Changes to system files, including before and after content
- Changes to system configuration on monitored hosts, including before and after content
All of the necessary “Defend” recording requirements are satisfied within the USM solution. Built-in host-based IDS and file integrity monitoring technologies alert on critical changes to system files and folders.
Define a set of Alerts and Reports that will identify suspicious activity across internal network boundaries from either internal or external agents.
- Report on all Deny or Dropped packets on the Firewall
All of the necessary “Aware” recording requirements are satisfied within the USM solution. Provided the firewall is configured properly, USM will report and alert on all deny or dropped packets from the firewall.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on:
- All Critical and above console messages from internal Firewalls
- All Authentication Failures from internal network devices and monitoring consoles
- Report on:
- All Error status messages from the console or internal Firewalls
- User sessions on the console or internal Firewalls
- Change of status of Rule base on internal Firewalls and network devices
All of the necessary “Deter” recording requirements are satisfied within the USM solution. Provided the firewall is configured properly, USM will report and alert on all necessary activities for the “Deter” recording profile. Specifically, USM will report and alert on error messages, authentication failures, user sessions, and rule base changes on firewalls and network devices. Additionally, these activities can be correlated against other relevant data to provide a full picture of suspicious network activity.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on suspected internal Attacks
- Report on:
- All Warning messages from internal network devices
- All commands sent to network devices or firewalls
- Accepted packets being transferred by internal firewalls
- All Deny or Dropped packets on internal Firewall, including full packet capture
- Response to internal attacks and actions undertaken
- Status Change to internal security software monitoring tools, such as your Security Incident and Event Management, Intrusion Detection Software, Intrusion Prevention Software, etc.
All of the necessary “Detect and Resist” recording requirements are satisfied within the USM solution. Provided the firewall is configured properly, USM will report and alert on all necessary activities for the “Detect and Resist” recording profile. Specifically, our built-in threat detection and behavioral monitoring technologies are combined with event correlation rules to provide the security intelligence needed to identify suspected internal attacks.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on all automated response by internal IPS
- Report on Accepted packets being transferred by internal firewalls, including full packet capture
All of the necessary “Defend” recording requirements are satisfied within the USM solution. Specifically, enabling sniffing on the AlienVault Sensor will provide full packet capture for in-depth network flow analysis and granular event correlation.
Define a set of Alerts and Reports that will identify temporary connections to the network, such as those made via a VPN or wireless connection.
- Report and Alert on all remote Authentication Failures
- Report and Alert on failed attempts to connect to the VPN
- Report on:
- DHCP assigned IP registration
- Remote Access User sessions
- Changes to VPN Node registrations
All of the necessary “Aware” recording requirements are satisfied within the USM solution. Built-in log management and event correlation enable the collection and analysis of valid and invalid authentication attempts to VPN and other network devices. Other activities such as DHCP assignments, remote access user sessions, and changes to VPN node registrations are also logged and collected.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on:
- Failed equipment connection attempts to protected network attachment points
- Critical and above messages
- Authentication Failures on network consoles
- Report on:
- Error messages from network consoles
- All connection attempts to Wireless Access Points
- User sessions to network connection consoles
All of the necessary “Deter” recording requirements are satisfied within the USM solution. Specifically, failed connection attempts and authentication failures are captured and securely logged via AlienVault’s Logger.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on all suspected wireless attacks
- Report on:
- Commands issued on network connection consoles
- Remediation steps taken in response to internal attack notification
- Status changes to IPS, IDS signatures
All of the necessary “Detect and Resist” recording requirements are satisfied within the USM solution. Specifically, built-in log management records commands issued on network connection consoles, and dynamic incident response templates provide the detailed remediation steps needed for any internal or external attack activity. Finally, status changes to IDS signatures are also logged.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on non-approved wireless interfaces and wireless access points
All of the necessary “Defend” recording requirements are satisfied within the AlienVault USM solution.
Define a set of Alerts and Reports that will identify suspect user activity or allow forensic analysis of user activity within the network.
- Report on:
- User network sessions
- User Account changes
- User privilege or group changes
- Administrator or super user application management
All of the necessary “Aware” recording requirements are satisfied within the AlienVault USM solution. AlienVault’s built-in log management and event correlation engine collects, correlates and analyses logs from directory servers, Windows and Unix servers, and other devices to capture the full context of user activity.
- Ensure you meet the requirements of lower recording profiles
- Alert on User account lockouts
- Report on User privilege escalation on critical workstations and all servers
- Report on execution of accountable User transactions
All of the necessary “Deter” recording requirements are satisfied within the AlienVault USM solution. Specifically, user account activity such as lockouts, transactions, and escalation of privilege will signal alerts.
- Ensure you meet the requirements of lower recording profiles
- Report on User sessions on critical workstations
- Report on local User account changes on critical workstations
- Report on changes to local user account or group membership on critical workstations
- Report on execution of all network commands and executables
All of the necessary “Detect and Resist” recording requirements are satisfied within the AlienVault USM solution. Specifically, user account and administration activities such as session activity, changes on critical workstations, local user account and group membership changes as well as network commands will produce alerts and can be displayed in dashboard views and reports.
- Ensure you meet the requirements of lower recording profiles
- Report on execution of accountable User transactions including the content of the transaction
- Report on execution of all Workstation critical commands and executables
All of the necessary “Defend” recording requirements are satisfied within the AlienVault USM solution. Specifically, user transactions and critical commands and executables are logged, and these events are processed and analysed by AlienVault’s event correlation engine to produce alerts and user activity reports.
Ensure a backup and recovery process is defined and adhered to, such that business can be confident of integrity and availability of the network resources.
- Report on Backup, Test and Recovery operations
- Alert on Backup, Test and Recovery operation failures
All of the necessary “Aware” recording requirements are satisfied within the AlienVault USM solution. Notably, as long as backup, test and recovery operations are logged, AlienVault’s USM server can produce alerts when failures occur.
- Ensure you meet the requirements of lower recording profiles
All of the necessary “Deter” recording requirements are satisfied within the AlienVault USM solution.
- Ensure you meet the requirements of lower recording profiles
- Report on Backup, Test and Recovery operations including catalog details
- Ensure you meet the requirements of lower recording profiles
- Report on Backup, Test and Recovery operations including catalog details, site information and version information
All of the necessary “Defend” recording requirements are satisfied within the AlienVault USM solution. Specifically, as long as backup, test, and recovery operations (including catalog details, etc.) are logged, AlienVault’s USM server can produce alerts if any failure occurs during these operations.
Define a set of real-time Alerts and Reports that will identify events classified as “Critical” by the organisation.
- Report and Alert on all Alert messages generated by the SIEM solution
All of the necessary “Aware” recording requirements are satisfied within the AlienVault USM solution. Built-in asset discovery, vulnerability assessment, threat detection and behavioral monitoring data provide a rich set of environmental information to be analyzed by AlienVault’s built-in SIEM and event correlation engine.
- Ensure you meet the requirements of lower recording profiles
- Reports and Alerts to be delivered by secondary delivery mechanisms, such as email, SMS, etc.
- Report on changes to Alert rule base
All of the necessary “Deter” recording requirements are satisfied within the AlienVault USM solution. AlienVault supports secondary delivery mechanisms for alerts such as email and SMS, and will report on changes to the alert rule base.
- Ensure you meet the requirements of lower recording profiles
- Ensure Alerts are visible on consoles and/or wall displays
All of the necessary “Detect and Resist” recording requirements are satisfied within the AlienVault USM solution. AlienVault’s all-in-one console provides flexible dashboards and reporting views to ensure prioritized follow-up to all alerts.
- Ensure you meet the requirements of lower recording profiles
- SIEM solution should allow multicasting of Alerts to several locations
All of the necessary “Defend” recording requirements are satisfied within the AlienVault USM solution. Specifically, sending alerts to multiple destinations is fully supported by AlienVault’s built-in SIEM engine.
Define a set of Alerts and Reports that will allow confidence in the integrity of the auditing system, such that the output of this system can be relied upon in a court of law.
- Report and Alert on Log Cleared or Reset, Log collection errors, and threshold exceptions
- Report on status of active log storage, space allocated, space used, space remaining and total record count
All of the necessary “Aware” recording requirements are satisfied within the AlienVault USM solution. AlienVault’s USM will report on status of active log storage, total record count, and other details regarding space available and usage metrics.
- Ensure you meet the requirements of lower recording profiles
- Report on status of active log storage, space allocated, space used, space remaining and total record count trended in a graph over time
- Report on status of active log storage, space allocated, space used, space remaining and total record count, plus log rotation information
- Your SIEM solution should be able to prove chain of custody, including that each part of the chain adds source and origin information. Original timestamps should not be modified
- Report on log sources
- Your SIEM solution should be able to prove chain of custody, including that each part of the chain adds source and origin information, trended in a graphical format over time
All of the necessary “Deter” recording requirements are satisfied within the AlienVault USM solution. Specifically, AlienVault’s Logger preserves the integrity of all audit logs collected to prove chain of custody and the SIEM engine provides the full source and origin information for each event log collected and analyzed. Trending and graphical reports are available through AlienVault’s single management console.
- Ensure you meet the requirements of lower recording profiles
- Report and Alert on integrity checking failures anywhere within the chain of custody
- Report on log access requests via queries or reports
- The SIEM should have the capability to search online and archived log data
All of the necessary “Detect and Resist” recording requirements are satisfied within the AlienVault USM solution. Specifically, AlienVault’s Logger preserves the integrity of all audit logs collected, and alerts on any failures that are generated related to the audit log. Additionally, AlienVault’s USM solution will also report on log access requests and provides easy online searches for all archived raw log data.
- Ensure you meet the requirements of lower recording profiles
All of the necessary “Defend” recording requirements are satisfied within the AlienVault USM solution.
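Two of the recording requirements on this page come down to one mechanism: the accurate-timestamp control near the top (timestamp every record and alert, hash the stored log, sign the timestamp, retain the original) and the audit-system integrity control just above (alert on integrity-checking failures anywhere in the chain of custody, never modify original timestamps). The following is an added Python illustration of that mechanism; it is not AlienVault Logger code. The key, record layout, field names and sample log lines are constructed for the example, and HMAC-SHA256 stands in for the digital signature a real logger would apply with an asymmetric key.

```python
"""Tamper-evident audit log store: hash chain, signed timestamps, integrity alerts.

Added illustration, not AlienVault Logger code. It models the GPG 13 recording
requirements that every audit record and alert carry a timestamp, that the stored
log is hashed, that the timestamp is signed and the original record retained, and
that integrity-check failures anywhere in the chain of custody raise an alert.
HMAC-SHA256 stands in for a digital signature here; a real logger would use an
asymmetric signature with a key the analysts cannot read.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed demo key. In production this is an asymmetric key held in an HSM/KMS.
SIGNING_KEY = b"demo-logger-key-not-for-production"
GENESIS_HASH = "0" * 64
BODY_FIELDS = ("seq", "source", "collected_at", "raw", "prev_hash")


def _canonical(body: dict) -> bytes:
    # Stable serialisation so the hash does not depend on dict ordering.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _sign(message: bytes, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def append_record(chain: list, source: str, raw_line: str,
                  collected_at: Optional[datetime] = None) -> dict:
    """Wrap a raw audit line in a sequenced, chained, timestamped, signed envelope.

    The raw line is kept verbatim (the 'retain the original audit log' requirement);
    prev_hash links each record to its predecessor so deletions and reordering are
    detectable, not just in-place edits.
    """
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    body = {
        "seq": len(chain),
        "source": source,
        "collected_at": ts,
        "raw": raw_line,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_HASH,
    }
    record = dict(body)
    record["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    # Signing timestamp and content hash together binds the time claim to the record.
    record["sig"] = _sign(f"{ts}|{record['hash']}".encode())
    chain.append(record)
    return record


def verify_chain(chain: list) -> list[str]:
    """Return one alert string per integrity failure; an empty list means intact."""
    alerts: list[str] = []
    prev_hash = GENESIS_HASH
    for i, rec in enumerate(chain):
        body = {k: rec[k] for k in BODY_FIELDS}
        if rec["seq"] != i:
            alerts.append(f"seq {i}: sequence gap or reorder (record claims seq {rec['seq']})")
        if rec["prev_hash"] != prev_hash:
            alerts.append(f"seq {i}: chain break (prev_hash does not match record {i - 1})")
        if hashlib.sha256(_canonical(body)).hexdigest() != rec["hash"]:
            alerts.append(f"seq {i}: content hash mismatch (record modified)")
        expected_sig = _sign(f"{rec['collected_at']}|{rec['hash']}".encode())
        if not hmac.compare_digest(expected_sig, rec["sig"]):
            alerts.append(f"seq {i}: timestamp signature invalid")
        prev_hash = rec["hash"]
    return alerts


def log_file_digest(chain: list) -> str:
    """Hash of the serialised log file, recorded alongside the stored file."""
    return hashlib.sha256(json.dumps(chain, sort_keys=True).encode()).hexdigest()


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: three collected lines, then two tampering attempts."""
    chain: list = []
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    samples = [  # constructed log lines using RFC 5737 documentation addresses
        ("fw-edge-01", "DENY tcp 203.0.113.7:51522 -> 198.51.100.10:445"),
        ("dc-01", "4625 An account failed to log on: jdoe from WKS-042"),
        ("fw-edge-01", "DENY tcp 203.0.113.7:51523 -> 198.51.100.10:445"),
    ]
    for minute, (src, line) in enumerate(samples):
        append_record(chain, src, line, t0.replace(minute=minute))
    clean = verify_chain(chain)          # expected: []
    # Tamper 1: rewrite the content of record 1. Tamper 2: backdate record 2.
    chain[1]["raw"] = chain[1]["raw"].replace("failed", "succeeded")
    chain[2]["collected_at"] = t0.replace(minute=1).isoformat()
    return clean, verify_chain(chain)    # expected: 3 alerts


if __name__ == "__main__":
    before, after = demo()
    print("intact before tampering:", before == [])
    for alert in after:
        print("ALERT", alert)
```

Each alert returned by `verify_chain` is itself an event that should be written back into the store and raised through the normal alerting path, which is what "alert on integrity checking failures anywhere within the chain of custody" asks for; the `log_file_digest` value is what an auditor compares against the copy held off-system.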
Define a set of Reports that will provide feedback to management on the performance of the Protective Monitoring system effectiveness.
- Reports must be sanitised and omit identifying and sensitive information such as usernames, IP addresses, workstation names and server names
- If web reports are produced these must also be sanitised
All of the necessary “Aware” recording requirements can be satisfied within the AlienVault USM solution. Specifically, the 100+ built-in reports can be easily customized to anonymise specific information.
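The sanitisation requirement above (management and web reports must omit usernames, IP addresses, workstation and server names) is easy to get wrong when identifiers also appear inside free-text event messages. The following added Python example, which is not AlienVault's report engine, shows one approach: each identifier is replaced by a keyed pseudonym that stays consistent within a reporting period, so counts and trends remain meaningful, and the finished report is checked for leaked raw identifiers before it is published. The key, host naming convention, field names and sample events are all constructed for the example.

```python
"""Sanitised management report: identifiers replaced by keyed pseudonyms.

Added illustration, not AlienVault's report engine. It shows one way to meet the
requirement that management and web reports omit usernames, IP addresses and
workstation/server names: each identifier is replaced by an HMAC-derived token
that is stable within a reporting period (so counts and trends still work) but
cannot be reversed without the period key.
"""
import hashlib
import hmac
import json
import re
from collections import Counter

# Constructed per-period key; rotate it each reporting period so tokens cannot be
# joined across reports. Keep it with the raw logs, never with the report.
REPORT_KEY = b"demo-report-key-2024-Q1"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Host naming convention assumed for the constructed data: WKS-nnn, SRV-name, DC-nn.
HOST_RE = re.compile(r"\b(?:WKS|SRV|DC)-[A-Za-z0-9]+\b")


def pseudonym(kind: str, value: str, key: bytes = REPORT_KEY) -> str:
    """Stable, non-reversible token for one identifier within the key's period."""
    tag = hmac.new(key, f"{kind}:{value}".encode(), hashlib.sha256).hexdigest()[:10]
    return f"{kind}-{tag}"


def sanitise_event(event: dict) -> dict:
    """Pseudonymise structured identifier fields and scrub them from free text too."""
    out = dict(event)
    out["user"] = pseudonym("user", event["user"])
    out["host"] = pseudonym("host", event["host"])
    out["src_ip"] = pseudonym("ip", event["src_ip"])
    msg = event["message"]
    # Free-text messages often repeat the identifiers; scrub them there as well.
    msg = re.sub(rf"\b{re.escape(event['user'])}\b", out["user"], msg)
    msg = IPV4_RE.sub(lambda m: pseudonym("ip", m.group(0)), msg)
    msg = HOST_RE.sub(lambda m: pseudonym("host", m.group(0)), msg)
    out["message"] = msg
    return out


def management_report(events: list) -> dict:
    """Statistics for management plus the pseudonymised rows behind them."""
    rows = [sanitise_event(e) for e in events]
    return {
        "events": len(rows),
        "by_category": dict(Counter(r["category"] for r in rows)),
        "distinct_users": len({r["user"] for r in rows}),
        "distinct_hosts": len({r["host"] for r in rows}),
        "rows": rows,
    }


def leaks_identifiers(report: dict, events: list) -> bool:
    """Check the finished report for any raw identifier before it is published."""
    raw = set()
    for e in events:
        raw.update((e["user"], e["host"], e["src_ip"]))
        raw.update(IPV4_RE.findall(e["message"]) + HOST_RE.findall(e["message"]))
    text = json.dumps(report)
    return any(ident in text for ident in raw)


# Constructed sample events (RFC 1918 addresses, invented names).
SAMPLE_EVENTS = [
    {"category": "auth_failure", "user": "jdoe", "host": "WKS-042", "src_ip": "10.20.30.40",
     "message": "Failed logon for jdoe from 10.20.30.40 to SRV-FILE01"},
    {"category": "auth_failure", "user": "asmith", "host": "WKS-017", "src_ip": "10.20.30.41",
     "message": "Failed logon for asmith from 10.20.30.41 to DC-01"},
    {"category": "malware", "user": "jdoe", "host": "WKS-042", "src_ip": "10.20.30.40",
     "message": "Quarantined file on WKS-042"},
]


def demo() -> dict:
    """Build the sanitised report and record whether the leak check passed."""
    report = management_report(SAMPLE_EVENTS)
    report["leaks_identifiers"] = leaks_identifiers(report, SAMPLE_EVENTS)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The leak check is the part most worth keeping in a real pipeline: a report template that is sanitised today can start leaking after someone adds a "top talkers" column, and a publish-time check against the raw identifier set catches that regardless of which template changed.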
- Ensure you meet the requirements of lower recording profiles
- If external managed security service providers are used they might include custom reports that can be used directly for management
All of the necessary “Deter” recording requirements can be satisfied within the AlienVault USM solution. For example, customizing the built-in reports, templates, and dashboards can provide the specific views required for your management team.
- Ensure you meet the requirements of lower recording profiles
- It is expected that an enterprise solution is deployed to meet your GPG 13 requirements, most likely a SIEM working with a number of other technologies, such as IPS, IDS and anti-virus
- A complete Protective Monitoring Solution is likely to include an audit or compliance check software
All of the necessary “Detect and Resist” recording requirements can be satisfied within the AlienVault USM solution. In fact, AlienVault’s USM combines built-in security controls such as IDS, log management, netflow analysis, file integrity monitoring, and vulnerability assessment with a SIEM engine to provide complete protective monitoring.
- Ensure you meet the requirements of lower recording profiles
- Defence in depth is required at this segment level, meaning different vendors for the different technologies that make up a complete Protective Monitoring Solution, for example a SIEM vendor different from the vendors of the anti-virus, IPS, IDS and audit or compliance check software
While AlienVault’s USM provides all of the built-in essential security controls necessary for protective monitoring, our open API allows for easy integration with additional data sources from other security vendors.
Define a requirement that will ensure all monitoring is conducted in a legal manner, and that the collected data is, in itself, protected and treated as sensitive data.
- No recording profile required at this segment level
Not applicable.
- Report on user sign-up activity against the defined network usage terms and conditions
This requirement is more of a procedural one than one that can be satisfied with technology alone. However, AlienVault USM can track user activity to verify compliance with network usage terms and conditions.
- Report on user sign-up activity against the defined network usage terms and conditions, including digital user signatures
- Any re-affirmation should also be logged and reported
This requirement is more of a procedural one than one that can be satisfied with technology alone. However, AlienVault USM can track user activity to verify compliance with, and re-affirmation of, network usage terms and conditions.
- Report on user sign-up activity against the defined network usage terms and conditions, including digital user signatures and hardware token or smart card references
- Any re-affirmation should also be logged and reported
This requirement is more of a procedural one than one that can be satisfied with technology alone. However, AlienVault USM can track user activity to verify compliance with, and re-affirmation of, network usage terms and conditions.