When we consult with clients who fall under a regulatory compliance, one of the most common points of failure is around the requirement to monitor their network. While the specific monitoring requirements vary per compliance, there is a misconception that simply adding a tool or third-party service to monitor is all that is needed to meet all of the requirements. Here are some key points you need to consider to confirm that your monitoring solution is in fact both meeting the requirement and helping to protect your data.
Scope – Do you have the proper scope of the devices that need to be monitored? For example, for the Payment Card Industry Data Security Standard (PCI DSS), you need to include all devices in the Cardholder Data Environment (CDE). This includes not only the devices that store or transmit the credit card data, but also any devices that can affect those devices.
Configuration – A solution that is not configured properly cannot meet the requirements. Compliance regulations will mandate what elements of a log need to be collected and maintained. NIST recommends that all logging include at a minimum time stamp event, status and/or error codes, service/command/application name user or system account associated with device (source and destination IPs). You also need to confirm what specific actions require monitoring and/or logging, such as access of a specific file or changes to the firewall configuration. Making sure that the business rules are configured properly is critical to achieving compliance.
Tuning – This is another area where monitoring solutions often fail. No matter how well tuned the initial configuration may be, the threats and compliance requirements change over time, and so the monitoring solution needs to be constantly tuned. You also want to be sure to tune out false positives. If the standard configuration generates alerts when a user logs in remotely, and you have hundreds of users who regularly use remote access, the “noise” generated from all of these false positives will result in one of two outcomes. Either the monitoring alerts become “the boy who cried wolf”, and no one pays attention to them anymore, or the rule may get shut off completely and fail to be able to alert you to unusual behavior that could signify a threat – such as a user being logged in multiple times, or a user being logged in from an IP in another country. Business rules should allow you to fine tune them, and resources need to be reviewing alerts on an ongoing basis and continuing to tune as needed.
Reporting and Archiving – Should you be subject to a compliance audit, you will need to be able to provide reporting to prove that your monitoring solution is meeting the compliance requirements. You may also be asked to provide this detail for the past 12 months or past 6 years depending on the archiving requirement of the compliance. Be certain that you can produce reports and have access to archival data.
It’s not as simple as buying a tool, but you don’t have to go it alone. Find out how our ProVision solution provides both the tools and the resources to help you successfully deploy device monitoring and management to protect your organization.
