Deployment Guide
09/18/2014
DPG-201_CMR_17-Compliance-Package-v004-20140918
- 201 CMR 17 Compliance Module: Deployment Guide
Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no
warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied
warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any
direct, indirect, incidental, consequential, or other damages alleged in connection with the furnishing or use of
this information.
Trademark
LogRhythm® is a trademark of LogRhythm, Inc.
LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com
1.303.413.8745 SUPPORT@LOGRHYTHM.COM
Contents
201 CMR 17 Package Pre-Implementation
  Pre-Implementation Checklist
201 CMR 17 Package Implementation
  Installation of the Compliance Module
  Verification of the Installation
    Intelligent Indexing
    Check Investigations
    Check Lists
    Check Reports
    Check Reporting Package
  Configuration of the Compliance Module
    Population of Lists
    Activation and Configuration of Alarms
201 CMR 17 Package Post-Implementation
  Compliance Module Noise Mitigation
    List Updating
    Filter Usage
    Suppression Usage
    Threshold Usage
  201 CMR 17 Reporting Package Scheduling
    201 CMR 17 Module Reporting Package
  201 CMR 17 Package Usage
    201 CMR 17 Package Usage for Security Operations
    201 CMR 17 Package Usage for Security Management
Appendix A: Pre-Implementation Checklist
Appendix B: 201 CMR 17 Module Elements
Appendix C: 201 CMR 17 Requirements Matrix
Appendix D: Data Management Settings
  Global Data Management Settings
  Classification Based Data Management Settings
  Global Classification Settings (GCS)
Pre-Implementation Checklist
The Pre-Implementation Checklist (Appendix A: Pre-Implementation Checklist) is used to collect all of the
infrastructure details needed to configure the 201 CMR 17 Compliance Module. During this phase the following
items should be collected:
1. Follow the instructions listed in Help to import the latest Knowledge Base.
2. When you are asked to configure the new Knowledge Base Modules, enable the following:
Compliance: 201 CMR 17
Intelligent Indexing
Intelligent Indexing allows Reports, Investigations, and Tails to keep the appropriate log data online in the Log
Manager. Choose carefully which objects are allowed to use Intelligent Indexing: broad criteria can keep an
exceptional amount of data online and overwhelm the Log Manager. See Appendix B for a list of Intelligent
Indexing-capable objects and their recommended settings.
Check Investigations
Verify forty-six Investigations (see Table 5) are contained in the Investigate tab of the LogRhythm Console.
Check Lists
Verify twelve Lists (see Table 7) are contained in the List Manager tab.
Check Reports
Verify eighty-seven Reports (see Table 6) are contained in the Reports tab of the Report Center tab.
Configuration of the Compliance Module (figure labels): Population of Lists; Importing of Layouts; Activation and Configuration of Alarms; Activation and Configuration of AIE Rules.
Population of Lists
Each 201 CMR 17 Compliance List must be populated with data collected using the Pre-Implementation
Checklist. Complete the following sections to populate all required lists.
1. Open the LogRhythm Console, click Deployment Manager, and then click Alarm Rules.
2. Select the check box for all of the 201 CMR 17 alarms that share notification personnel (Table 1),
right-click the Alarm Manager, click Actions, and then click Batch Notification Editor (Figure 1).
Table 1
Alarm Rules | Notification Area
201 CMR 17: Attack Alert | Security Operations
201 CMR 17: Compromise Alert | Security Operations
201 CMR 17: Denial Of Service Alert | Security Operations
201 CMR 17: Malware Alert | Security Operations
201 CMR 17: Vulnerability Alert | Security Operations
3. Select the check box for all of the relevant notifies, then click OK to save the notifications.
4. Repeat Step 3 for all common notifies until all 201 CMR 17 alarms are configured for notifications (see
Table 4).
5. Select the check box for all of the 201 CMR 17 alarms.
6. Right-click on the Alarm Manager, click Actions, and then click Enable.
Post-implementation activities (figure labels): Noise Mitigation (List Updating, Filters, Suppression, Thresholds); Scheduling; Package Usage.
List Updating
Keeping Compliance Module lists up to date is a vital part of decreasing false positives within the 201 CMR 17
Compliance Module. An organization's applications, IP addresses, and users change constantly; for this reason
the Compliance Module uses lists which can be updated dynamically as needed. Many conditions can require a
list to be updated. The following section highlights a few instances where lists must be updated and gives
directions on how to update them. Refer to Table 9 for the specific AIE Rules and Investigations and Table 10
for the specific Reports and Tails in which the lists are used.
1. Open the LogRhythm Console and click the Report Center tab.
2. Click the Reports tab, right-click on the 201 CMR 17: Disabled/Locked Account Summary report,
and then click Run.
3. Click Next until you reach the Configuration screen, set the date range to Past Month, and then click
OK.
4. Click the name of the report in the Report Viewer.
5. Search for “Account Disabled” common events to identify when an account may have been enabled or
disabled.
6. Follow steps 1-7 in Populating Users Lists to add applicable, disabled accounts to the 201 CMR 17:
Disabled And Terminated Accounts list.
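The list-driven check behind the review above, as an added example that is not part of the guide or LogRhythm's own code: it keeps a disabled-accounts list current from Account Disabled / Account Enabled events, flags any later access or authentication by a listed account, and contrasts that with a list refreshed only at review time. All event, host and account names are constructed.

```python
# Added example (not LogRhythm code): the check that the
# "Disabled/Locked Account Summary" review feeds. All sample data is constructed.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LogEvent:
    ts: datetime
    common_event: str   # LogRhythm common event name, e.g. "Account Disabled"
    account: str        # account name as logged (case varies by source)
    host: str


# Common events that count as a listed account being used.
ACCESS_EVENTS = frozenset({
    "Access Success", "Access Failure",
    "Authentication Success", "Authentication Failure",
})

# Constructed sample log data.
SAMPLE_EVENTS = [
    LogEvent(datetime(2014, 9, 1, 9, 0), "Account Disabled", "pat_intern", "DC01"),
    LogEvent(datetime(2014, 9, 2, 10, 0), "Authentication Success", "Pat_Intern", "FS01"),
    LogEvent(datetime(2014, 9, 3, 8, 0), "Authentication Failure", "jdoe", "FS01"),
    LogEvent(datetime(2014, 9, 4, 12, 0), "Account Disabled", "jdoe", "DC01"),
    LogEvent(datetime(2014, 9, 5, 12, 0), "Access Success", "jdoe", "WEB01"),
    LogEvent(datetime(2014, 9, 5, 13, 0), "Account Enabled", "jdoe", "DC01"),
    LogEvent(datetime(2014, 9, 6, 9, 0), "Access Success", "jdoe", "WEB01"),
]


def review_terminated_access(events, listed_accounts=()):
    """Single chronological pass.

    Keeps the 'Disabled And Terminated Accounts' list current as Account
    Disabled / Account Enabled events arrive, and flags every access or
    authentication event by an account that is on the list at that moment.
    Returns (final_list, hits). Names are compared case-insensitively because
    log sources record them inconsistently.
    """
    disabled = {a.lower() for a in listed_accounts}
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        acct = e.account.lower()
        if e.common_event == "Account Disabled":
            disabled.add(acct)
        elif e.common_event == "Account Enabled":
            disabled.discard(acct)
        elif e.common_event in ACCESS_EVENTS and acct in disabled:
            hits.append((e.account, e.host, e.common_event, e.ts.isoformat()))
    return sorted(disabled), hits


def flag_with_static_list(events, listed_accounts):
    """What the Terminated Account reports see between list updates: the list is
    not refreshed from the log stream, so an account disabled after the last
    review is missed until someone adds it to the list."""
    listed = {a.lower() for a in listed_accounts}
    return [
        (e.account, e.host, e.common_event, e.ts.isoformat())
        for e in sorted(events, key=lambda ev: ev.ts)
        if e.common_event in ACCESS_EVENTS and e.account.lower() in listed
    ]


if __name__ == "__main__":
    final_list, live_hits = review_terminated_access(SAMPLE_EVENTS)
    print("list after review:", final_list)
    for hit in live_hits:
        print("listed account used:", hit)
    print("hits with stale list:", flag_with_static_list(SAMPLE_EVENTS, ["Pat_Intern"]))
```

The re-enabled account is dropped from the list again, so its later access is not flagged; the stale-list run shows why the monthly review alone is not enough.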
Filter Usage
Adjusting filter criteria is a vital part of decreasing the number of false positives within the 201 CMR 17
Compliance Module. Exclude filters remove applications, common events, hosts, IP addresses, and similar values
from the search criteria. There are many conditions in which an exclude filter can decrease the number of false
positives returned by a search; the following section highlights how to create exclude filters for AIE Rules,
Investigations, Reports, and Tails.
1. Open the LogRhythm Console, click Deployment Manager, and then click Alarm Rules.
2. Right-click on a 201 CMR 17 alarm on which an exclude filter should be configured, then click
Properties.
3. Click the Exclude Filters tab.
4. Click the New icon on the top menu.
5. Specify the details for the desired exclude filter criteria.
6. Click OK on the Log Message Filter.
7. Click OK on the Alarm Rule.
NOTE: To specify exclusions, select the Filter Out (Is Not) Filter Mode.
5. Click Next two times to reach the Save Investigation Configuration screen, then click Save.
6. Click Cancel.
1. Open the LogRhythm Console and click the Report Center tab.
2. Click the Reports tab.
3. Right-click on the report which needs the exclude filter, then click Properties.
4. Click Next two times to reach the Specify Additional Report Criteria Screen.
5. Specify the details for the desired exclude filter criteria from the Add New Field Filter drop down.
NOTE: To specify exclusions, select the Filter Out (Is Not) Filter Mode.
6. Click Next to reach the Report Details screen, click Apply, and then click OK.
Suppression Usage
Adjusting suppression values is a vital part of tuning the alarming configuration within the 201 CMR 17
Compliance Module. Suppression values limit the number of alarms generated when the same type of event
occurs numerous times within a specified time window. The following section highlights how to adjust
suppression values for AIE rules.
1. Open the LogRhythm Console, click Deployment Manager, and then click Alarm Rules.
2. Right-click on a 201 CMR 17 alarm on which an Exclude Filter should be configured, then click
Properties.
3. Click the Settings tab.
4. Fill in the Suppression Period (see Figure 2).
NOTE: The Suppression Period is the amount of time in which an alarm will be suppressed after the
first occurrence. When the Suppression Period has elapsed, another alarm will occur if identical events
occur.
Threshold Usage
Adjusting threshold values is a vital part of tuning the alarming configuration within the 201 CMR 17
Compliance Module. Threshold values specify the number of occurrences of an event that must occur before a
specific alarm fires. The following section highlights how to adjust threshold values for alarms.
1. Open the LogRhythm Console, click Deployment Manager, and then click Alarm Rules.
2. Right-click on a 201 CMR 17 alarm on which an exclude filter should be configured, then click
Properties.
3. Click the Aggregation tab (see Figure 3).
NOTE: The threshold is the number of events which must occur prior to an alarm occurrence. When the
threshold has been exceeded, an alarm will occur.
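The three controls described under Filter Usage, Suppression Usage and Threshold Usage, modelled together in one added example that is not from the guide or from LogRhythm: an exclude filter in Filter Out (Is Not) mode, a per-host threshold, and a Suppression Period, replayed over constructed events. The five-minute counting window, the rule settings and all event data are assumptions made for the illustration.

```python
# Added example (not LogRhythm code): a minimal model of the three noise
# controls this section configures on an alarm rule. Settings and events are constructed.
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    classification: str   # LogRhythm classification, e.g. "Attack"
    origin_host: str
    application: str


@dataclass
class AlarmRule:
    name: str
    classifications: frozenset
    exclude: dict = field(default_factory=dict)  # field -> values in Filter Out (Is Not) mode
    threshold: int = 1                           # Aggregation tab: events needed before the alarm fires
    window: timedelta = timedelta(minutes=5)     # assumed period over which threshold events are counted
    suppression: timedelta = timedelta(0)        # Settings tab: Suppression Period


def matches(rule, ev):
    """Primary criteria plus exclude filters: any excluded value drops the event."""
    if ev.classification not in rule.classifications:
        return False
    return all(getattr(ev, f) not in vals for f, vals in rule.exclude.items())


def evaluate(rule, events):
    """Replay events chronologically; return (time, origin_host, count) per alarm raised.

    Matching events are counted per origin host inside the window; when the
    count reaches the threshold the condition is met and the counter restarts.
    An alarm is raised only if none was raised for that host within the
    suppression period.
    """
    recent = defaultdict(deque)   # origin_host -> timestamps of recent matching events
    last_alarm = {}
    alarms = []
    for ev in sorted(events, key=lambda e: e.ts):
        if not matches(rule, ev):
            continue
        q = recent[ev.origin_host]
        q.append(ev.ts)
        while ev.ts - q[0] > rule.window:   # drop events that fell out of the window
            q.popleft()
        if len(q) < rule.threshold:
            continue
        count = len(q)
        q.clear()                            # threshold met: the next count starts from zero
        last = last_alarm.get(ev.origin_host)
        if last is not None and ev.ts - last < rule.suppression:
            continue                         # identical condition inside the Suppression Period
        last_alarm[ev.origin_host] = ev.ts
        alarms.append((ev.ts.isoformat(), ev.origin_host, count))
    return alarms


T0 = datetime(2014, 9, 18, 12, 0)


def at(minutes):
    return T0 + timedelta(minutes=minutes)


# Constructed sample events: a burst and a repeat from srv-a, an authorised
# scanner on srv-b, and slow events on srv-c that never fit in one window.
SAMPLE_EVENTS = (
    [Event(at(m), "Attack", "srv-a", "ids") for m in (0, 1, 2, 3, 4, 5, 20, 21, 22)]
    + [Event(at(m), "Attack", "srv-b", "approved-scanner") for m in (0, 1, 2)]
    + [Event(at(30), "Network Deny", "srv-c", "firewall")]
    + [Event(at(m), "Attack", "srv-c", "ids") for m in (40, 50, 60)]
)

ATTACK_ALERT = AlarmRule(
    name="201 CMR 17: Attack Alert",
    classifications=frozenset({"Attack"}),
    exclude={"application": {"approved-scanner"}},   # Filter Out (Is Not) the authorised scanner
    threshold=3,
    suppression=timedelta(minutes=10),
)

if __name__ == "__main__":
    for alarm in evaluate(ATTACK_ALERT, SAMPLE_EVENTS):
        print(ATTACK_ALERT.name, *alarm)
```

With the settings above srv-a raises two alarms (12:02 and 12:22), the 12:05 condition is suppressed, the scanner on srv-b is filtered out, and srv-c never reaches the threshold within the window.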
7. Specify a name for the report schedule, and then click OK.
8. Select the action box for the schedule report, right-click on the report name, click Action, and then
click Enable.
Package usage areas (figure labels): Security Operations; Security Management; Compliance Monitoring; Compliance Incident Handling; 24x7x365 monitoring; Review of the information being collected by LogRhythm.
Monitoring requirements are located throughout the 201 CMR 17 Standards. Per 201 CMR 17 Requirement
17.03.2.h, “Regular monitoring to ensure that the comprehensive information security program is operating in
a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal
information; and upgrading information safeguards as necessary to limit risks.”
The most effective way to meet the monitoring requirements is for the security operations personnel to
monitor alarms, dashboard activity, and review reports produced by the security operations daily reporting
package on a daily interval. The 201 CMR 17 Alarms are configured to notify security operations personnel in
the event of a security related event (see Figure 1).
Monitoring the security operations function involves monitoring both the security posture of the organization as
a whole and security operations processes such as incident response. The most effective way to monitor both is
daily monitoring of dashboard activity and weekly review of the reports produced by the security management
weekly reporting packages. The LogRhythm 201 CMR 17 Reporting Package (see Table 8) is configured to send
security management security-related reports on a weekly interval.
Table fragments (as extracted): FIM Systems; Security Systems.
Table 3
201 CMR 17 Users List | Users
Disabled And Terminated Accounts List
Table 5
Investigations | Augment Requirements | Data Source | Intelligent Indexing | Classifications | Log Sources
201 CMR 17: Network Service Detail | 17.04.3 | Log Manager | No | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Security Systems
201 CMR 17: Network Connection Detail | 17.04.3 | Log Manager | No | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Security Systems
Table 6
Reports | Directly Meet Requirements | Augmented Requirements | Data Source | Intelligent Indexing | Classifications | Log Sources
201 CMR 17: Account Access Summary | 17.03.2.h, 17.04.4 | N/A | Log Manager | Yes | Access Failure, Access Success | 201 CMR 17: Account Access Summary
201 CMR 17: Account Authentication Summary | 17.03.2.h, 17.04.4 | N/A | Log Manager | Yes | Authentication Failure, Authentication Success | 201 CMR 17: Account Authentication Summary
201 CMR 17: Account Deletion Summary | N/A | 17.03.2.e, 17.04.1.d | Log Mart | No | Account Deletion | 201 CMR 17: Account Deletion Summary
201 CMR 17: Alarm And Response Activity | 17.03.2.j | N/A | Event Manager | N/A | N/A | 201 CMR 17: Alarm And Response Activity
201 CMR 17: Antivirus Information Summary | N/A | 17.04.7 | Log Manager | Yes | Information | 201 CMR 17: Antivirus Information Summary
201 CMR 17: Antivirus Issue Summary | N/A | 17.04.7 | Log Mart | No | Critical, Error, Warning | 201 CMR 17: Antivirus Issue Summary
201 CMR 17: Critical/Error Condition Summary | 17.03.2.b.3 | N/A | Log Mart | No | Critical, Error | 201 CMR 17: Critical/Error Condition Summary
201 CMR 17: Default Account Access Summary | N/A | 17.04.2.b | Log Manager | Yes | Access Failure, Access Success | 201 CMR 17: Default Account Access Summary
201 CMR 17: Default Account Auth Summary | N/A | 17.04.2.b | Log Manager | Yes | Authentication Failure, Authentication Success | 201 CMR 17: Default Account Auth Summary
201 CMR 17: Disabled/Locked Account Summary | N/A | 17.03.2.e, 17.04.1.d, 17.04.1.e | Log Mart | No | Access Revoked | 201 CMR 17: Disabled/Locked Account Summary
201 CMR 17: File Integrity Monitoring Summary | N/A | 17.04.2.a | Log Manager | No | Activity | 201 CMR 17: File Integrity Monitoring Summary
201 CMR 17: Host Firewall Error Summary | N/A | 17.04.6 | Log Mart | No | Critical, Error, Warning | 201 CMR 17: Host Firewall Error Summary
201 CMR 17: Host Firewall Information Summary | N/A | 17.04.6 | Log Mart | No | Information | 201 CMR 17: Host Firewall Information Summary
201 CMR 17: Network Connection Summary | N/A | 17.04.3 | Log Manager | No | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Network Connection Summary
201 CMR 17: Network Service Summary | N/A | 17.04.3 | Log Manager | No | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Network Service Summary
201 CMR 17: Non-Encrypted Protocol Summary | N/A | 17.04.3 | Log Manager | Yes | Network Allow, Network Deny, Network Traffic | 201 CMR 17: Non-Encrypted Protocol Summary
201 CMR 17: Security Event Summary by Application | 17.03.2.b | N/A | Log Mart | No | Activity, Attack, Compromise, Denial Of Service, Malware, Misuse, Reconnaissance, Suspicious, Vulnerability | 201 CMR 17: Security Event Summary by Application
201 CMR 17: Security Event Summary by Entity | 17.03.2.b | N/A | Log Mart | No | Activity, Attack, Compromise, Denial Of Service, Malware, Misuse, Reconnaissance, Suspicious, Vulnerability | 201 CMR 17: Security Event Summary by Entity
201 CMR 17: Security Event Summary by Impactd Host | 17.03.2.b | N/A | Log Mart | No | Activity, Attack, Compromise, Denial Of Service, Malware, Misuse, Reconnaissance, Suspicious, Vulnerability | 201 CMR 17: Security Event Summary by Impactd Host
201 CMR 17: Security Event Summary by Origin Host | 17.03.2.b | N/A | Log Mart | No | Activity, Attack, Compromise, Denial Of Service, Malware, Misuse, Reconnaissance, Suspicious, Vulnerability | 201 CMR 17: All Log Sources
201 CMR 17: Signature Update Summary | N/A | 17.04.7 | Log Mart | No | Configuration, Error | 201 CMR 17: All Log Sources
201 CMR 17: Software Update Summary | N/A | 17.04.6 | Log Mart | No | Configuration, Error | 201 CMR 17: Access Control Systems
201 CMR 17: Terminated Account Access Summary | N/A | 17.03.2.e, 17.04.1.d | Log Manager | Yes | Access Failure, Access Success | 201 CMR 17: All Log Sources
201 CMR 17: Terminated Account Auth Summary | N/A | 17.03.2.e, 17.04.1.d | Log Manager | Yes | Authentication Failure, Authentication Success | 201 CMR 17: Security Systems
Table 7
List Name | List Type | Type of Item
201 CMR 17: All Log Sources | Log Sources | Pre-populated log source list (201 CMR 17: Access Control Systems, 201 CMR 17: FIM Systems, 201 CMR 17: Security Systems)
201 CMR 17: Access Control Systems | Log Sources | Log source systems which handle access control (Example: Active Directory Domain Controllers, Single Sign-on Servers, Radius Servers)
201 CMR 17: FIM Systems | Log Sources | Log source systems which contain file integrity monitoring software (Example: Laptops, Servers, Workstations)
201 CMR 17: Security Systems | Log Sources | Log source systems which contain network security services (Example: Anti-SPAM, Content Filters, Firewalls, Intrusion Detection Systems/Intrusion Prevention Systems, Routers, Switches, Virtual Private Networking, and Wireless)
201 CMR 17: Disabled And Terminated Accounts List | Users | List all shared user accounts (Example: Pat_Intern)
Table 8
Reporting Packages | Interval | Functional Area | Reports
LogRhythm 201 CMR 17 Reporting Package | Weekly | Audit, IT, Security | 201 CMR 17: Account Access Summary; 201 CMR 17: Account Authentication Summary; 201 CMR 17: Account Deletion Summary; 201 CMR 17: Alarm And Response Activity; 201 CMR 17: Antivirus Information Summary; 201 CMR 17: Antivirus Issue Summary; 201 CMR 17: Critical/Error Condition Summary; 201 CMR 17: Default Account Access Summary; 201 CMR 17: Default Account Auth Summary; 201 CMR 17: Disabled/Locked Account Summary; 201 CMR 17: File Integrity Monitoring Summary; 201 CMR 17: Host Firewall Error Summary; 201 CMR 17: Host Firewall Information Summary; 201 CMR 17: Network Connection Summary; 201 CMR 17: Network Service Summary; 201 CMR 17: Non-Encrypted Protocol Summary; 201 CMR 17: Security Event Summary by Application; 201 CMR 17: Security Event Summary by Entity; 201 CMR 17: Security Event Summary by Impactd Host; 201 CMR 17: Security Event Summary by Origin Host; 201 CMR 17: Signature Update Summary; 201 CMR 17: Software Update Summary; 201 CMR 17: Terminated Account Access Summary; 201 CMR 17: Terminated Account Auth Summary
Table 9
Lists | Alarms | Investigations
201 CMR 17: Security Systems | 201 CMR 17: Attack Alert; 201 CMR 17: Compromise Alert; 201 CMR 17: Denial Of Service Alert; 201 CMR 17: Malware Alert; 201 CMR 17: Vulnerability Alert | 201 CMR 17: Network Connection Detail; 201 CMR 17: Network Service Detail
Table 10
Lists | Reports
201 CMR 17: All Log Sources | 201 CMR 17: Account Access Summary; 201 CMR 17: Account Authentication Summary; 201 CMR 17: Alarm And Response Activity; 201 CMR 17: Critical/Error Condition Summary; 201 CMR 17: Default Account Access Summary; 201 CMR 17: Default Account Auth Summary; 201 CMR 17: Host Firewall Error Summary; 201 CMR 17: Host Firewall Information Summary; 201 CMR 17: Software Update Summary; 201 CMR 17: Terminated Account Access Summary; 201 CMR 17: Terminated Account Auth Summary
201 CMR 17: Access Control Systems | 201 CMR 17: Account Deletion Summary; 201 CMR 17: Disabled/Locked Account Summary
201 CMR 17: FIM Systems | 201 CMR 17: File Integrity Monitoring Summary
201 CMR 17: Security Systems | 201 CMR 17: Antivirus Information Summary; 201 CMR 17: Antivirus Issue Summary; 201 CMR 17: Network Connection Summary; 201 CMR 17: Network Service Summary; 201 CMR 17: Non-Encrypted Protocol Summary; 201 CMR 17: Security Event Summary by Application; 201 CMR 17: Security Event Summary by Entity; 201 CMR 17: Security Event Summary by Impactd Host; 201 CMR 17: Security Event Summary by Origin Host; 201 CMR 17: Signature Update Summary
201 CMR 17: Disabled And Terminated Accounts List | 201 CMR 17: Terminated Account Access Summary; 201 CMR 17: Terminated Account Auth Summary
Table 12
201 CMR 17 Requirements | Support | Investigations
17.04.3: Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. | Augment | 201 CMR 17: Network Connection Detail; 201 CMR 17: Network Service Detail
Table 13
201 CMR 17 Requirements | Support | Reports
17.03.2.b: Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks. | Direct | 201 CMR 17: Critical/Error Condition Summary; 201 CMR 17: Security Event Summary by Application; 201 CMR 17: Security Event Summary by Entity; 201 CMR 17: Security Event Summary by Impactd Host; 201 CMR 17: Security Event Summary by Origin Host
17.03.2.b.3: Means for detecting and preventing security system failures. | Direct | 201 CMR 17: Critical/Error Condition Summary
17.03.2.e: Preventing terminated employees from accessing records containing personal information. | Augment | 201 CMR 17: Account Deletion Summary; 201 CMR 17: Disabled/Locked Account Summary; 201 CMR 17: Terminated Account Access Summary; 201 CMR 17: Terminated Account Auth Summary
17.03.2.h: Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks. | Direct | 201 CMR 17: Account Access Summary; 201 CMR 17: Account Authentication Summary
17.03.2.j: Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information. | Direct | 201 CMR 17: Alarm And Response Activity
17.04.1.d: Restricting access to active users and active user accounts only. | Augment | 201 CMR 17: Account Deletion Summary; 201 CMR 17: Disabled/Locked Account Summary; 201 CMR 17: Terminated Account Access Summary; 201 CMR 17: Terminated Account Auth Summary
17.04.1.e: Blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system. | Augment | 201 CMR 17: Disabled/Locked Account Summary
17.04.2.a: Restrict access to records and files containing personal information to those who need such information to perform their job duties. | Augment | 201 CMR 17: File Integrity Monitoring Summary
17.04.2.b: Assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls. | Augment | 201 CMR 17: Default Account Access Summary; 201 CMR 17: Default Account Auth Summary
17.04.3: Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly. | Augment | 201 CMR 17: Network Connection Summary; 201 CMR 17: Network Service Summary; 201 CMR 17: Non-Encrypted Protocol Summary
17.04.4: Reasonable monitoring of systems, for unauthorized use of or access to personal information. | Direct | 201 CMR 17: Account Access Summary; 201 CMR 17: Account Authentication Summary
17.04.6: For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. | Augment | 201 CMR 17: Host Firewall Error Summary; 201 CMR 17: Host Firewall Information Summary; 201 CMR 17: Software Update Summary
17.04.7: Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. | Augment | 201 CMR 17: Antivirus Information Summary; 201 CMR 17: Antivirus Issue Summary; 201 CMR 17: Signature Update Summary
Ensure Classification Based Data Management (CBDM) is enabled, with all Global CBDM Settings check boxes
enabled as shown below:
Table 14
Classification Type | Classification | Online | Archive | LogMart
Audit | Startup and Shutdown | NR | R | NR
Audit | Configuration | O | R | R
Audit | Policy | O | R | NR
Audit | Account Created | O | R | NR
Audit | Account Modified | O | R | NR
Audit | Account Deleted | O | R | NR
Audit | Access Granted | O | R | NR
Audit | Access Revoked | R | R | R
Audit | Authentication Success | R | R | NR
Audit | Authentication Failure | R | R | NR
Audit | Access Success | R | R | NR