The Event Management Policy establishes requirements for the effective management of, and response to, events within Netspective Communications LLC. Its purpose is to capture, analyze, and address significant changes in the state of configuration items to ensure the security and integrity of systems and data.
Security Event Logging [FII-SCF-007-MON-02]

Netspective Communications LLC will establish security event logs to store messages regarding system crashes, unsuccessful login attempts by authorized users, and unsuccessful changes to access privileges. These logs will be supported by documented standards and procedures [AEC-AC3M-SOC2-CC-EMP-001].

The standards and procedures will cover:
- Identifying tools, types of events, actions, and reporting mechanisms.
- Managing security event logging.
- Identifying business applications and technical infrastructure systems where event logging will be enabled to identify security-related events.
- Configuring information systems to generate security-related events, including event types such as failed login attempts, system crashes, and deletion of user accounts, and event attributes such as date, time, UserID, file name, and IP address.
- Storing security-related events within event logs.
- Analyzing security-related event logs, including normalization, aggregation, and correlation.
- Protecting security-related event logs.
- Retaining security-related event logs to comply with legal, regulatory, and business requirements for potential forensic investigations.

Security event log management will involve utilizing tools, defining roles and responsibilities, ensuring the availability of necessary resources, and providing guidance on the frequency and content of reports.

Information systems critical to Netspective Communications LLC (e.g., financial databases or key network devices) that store, process, or transmit information classified as confidential or above will perform security event logging.

Security event logging will also be conducted on information systems that have experienced a major information security incident and on those subject to legislative or regulatory mandates.

Business applications and technical infrastructure systems will be configured to:
- Enable event logging using a standard format such as syslog or an equivalent.
- Generate appropriate event types, including service creation, system crashes, object deletion, and failed login attempts.
- Include relevant event attributes in event entries, such as IP address, username, time and date, protocol used, accessed port, method of connection, device name, and object name.
- Use a consistent and trusted date and time source, such as the Network Time Protocol (NTP) backed by GPS, atomic clocks, or an internet time server, to ensure accurate timestamps in event logs.

Netspective Communications LLC will enable security-related event logging at all times.

Measures will be implemented to protect security-related event logs from unauthorized access, accidental or deliberate modification, or overwriting. This may include using write-once media or dedicated event log servers.

Mechanisms will be established to ensure that appropriate storage space is allocated based on expected volumes of event information.

When event logs reach their maximum size, the system will continue logging without disruption, and lack of disk space will not halt system operations.

Regular analysis of security-related event logs will be conducted, utilizing automated security information and event management (SIEM) tools or equivalent.

The analysis will involve processing key security-related events using techniques such as normalization, aggregation, and correlation.

Key security-related events will be interpreted to identify unusual activity.

When key security-related events occur, the relevant details from the event log will be passed to an information security incident management team for appropriate response.

Netspective Communications LLC will configure SIEM tools to:
- Identify expected events, reducing the need for extensive review and investigation of legitimate business events.
- Detect unexpected events, minimizing the occurrence of false positives and false negatives.
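As an added illustration (not part of the policy or the organisation's tooling), the normalization, aggregation and correlation steps above applied to constructed sshd-style syslog lines: failed logins are aggregated per source IP, a success following a burst of failures raises an alert, and a constructed allowlist of expected sources (an authorised scanner) models the "expected events" the SIEM should not escalate. The log lines, the allowlist address and the 3-failures-in-5-minutes threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sshd-style syslog lines (not real logs): a brute-force burst ending in a
# successful login, and an authorised scanner whose failures are expected.
SAMPLE_LOG = """\
Mar 10 09:14:01 host1 sshd[812]: Failed password for invalid user admin from 198.51.100.7 port 40122 ssh2
Mar 10 09:14:03 host1 sshd[812]: Failed password for root from 198.51.100.7 port 40130 ssh2
Mar 10 09:14:05 host1 sshd[812]: Failed password for root from 198.51.100.7 port 40141 ssh2
Mar 10 09:14:09 host1 sshd[812]: Accepted password for root from 198.51.100.7 port 40150 ssh2
Mar 10 09:30:00 host1 sshd[950]: Failed password for scanner from 10.0.0.5 port 33000 ssh2
Mar 10 09:30:01 host1 sshd[950]: Failed password for scanner from 10.0.0.5 port 33001 ssh2
Mar 10 09:30:02 host1 sshd[950]: Failed password for scanner from 10.0.0.5 port 33002 ssh2
Mar 10 09:30:03 host1 sshd[950]: Accepted publickey for scanner from 10.0.0.5 port 33003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
# Constructed allowlist standing in for the policy's "expected events" (authorised scanner).
EXPECTED_SOURCES = {"10.0.0.5"}

def normalize(raw, year=2024):
    """Normalization: turn raw syslog lines into uniform event records."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an auth event this parser models
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "user": m["user"], "ip": m["ip"],
                       "type": "auth_fail" if m["outcome"] == "Failed" else "auth_ok"})
    return events

def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Aggregation per source IP, then correlation of a failure burst with a success."""
    failures, alerts = defaultdict(list), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["ip"] in EXPECTED_SOURCES:
            continue  # expected event: nothing to review or escalate
        recent = [t for t in failures[ev["ip"]] if ev["time"] - t <= window]
        if ev["type"] == "auth_fail":
            failures[ev["ip"]] = recent + [ev["time"]]
        elif len(recent) >= threshold:  # success right after repeated failures
            alerts.append({"ip": ev["ip"], "user": ev["user"],
                           "failures": len(recent), "time": ev["time"]})
            failures[ev["ip"]] = []
    return alerts
```

Running `correlate(normalize(SAMPLE_LOG))` yields a single alert for 198.51.100.7 (three failures, then an accepted login as root); the scanner's identical pattern is suppressed by the allowlist rather than producing a false positive.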

Security-related event logs will undergo the following actions: [FII-SCF-007-MON-01.8]
- Regular reviews will be conducted to ensure their integrity and relevance.
- Regular archiving will take place, following a rotation schedule, and the logs will be digitally signed before storage.
- Secure storage will be implemented to preserve the logs for potential future forensic analysis.
- The retention of the logs will adhere to established retention standards and procedures.
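An added example (not the organisation's own tooling) of the rotate-sign-store step above: the live log is rotated into a compressed archive, its hash is recorded in a manifest that is sealed with a key held by the archive server, and both seal and hash are checked before the archive is trusted for forensic use. It assumes HMAC-SHA256 from the standard library as a stand-in for the policy's digital signature, so the verifier must hold the same key; a real deployment would sign with an asymmetric key kept off the logging host.

```python
import gzip, hashlib, hmac, json, os, shutil, tempfile
from datetime import datetime, timezone

# Assumed key handling: the key is held by the archive/SIEM server, not by the host that
# emits the log. HMAC-SHA256 is a stdlib stand-in for the policy's digital signature.

def rotate_and_seal(log_path, archive_dir, key):
    """Rotate the live log into a compressed archive and write a sealed manifest beside it."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = os.path.join(archive_dir, f"{os.path.basename(log_path)}.{stamp}.gz")
    with open(log_path, "rb") as src, gzip.open(archive, "wb") as dst:
        shutil.copyfileobj(src, dst)
    open(log_path, "wb").close()  # truncate the live log so logging carries on
    with open(archive, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    manifest = {"archive": os.path.basename(archive), "sha256": digest, "rotated_at": stamp}
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["sig"] = hmac.new(key, body, hashlib.sha256).hexdigest()
    with open(archive + ".manifest.json", "w") as f:
        json.dump(manifest, f)
    return archive

def verify_archive(archive, key):
    """True only if the manifest seal and the archive hash both check out."""
    with open(archive + ".manifest.json") as f:
        manifest = json.load(f)
    sig = manifest.pop("sig", "")
    body = json.dumps(manifest, sort_keys=True).encode()
    if not hmac.compare_digest(sig, hmac.new(key, body, hashlib.sha256).hexdigest()):
        return False  # manifest altered, or sealed with a different key
    with open(archive, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    return hmac.compare_digest(digest, manifest["sha256"])

def demo():
    """Round trip on a constructed log; returns (archive_verified, tamper_detected)."""
    key = b"constructed-demo-key"  # constructed; a real key comes from a secrets store
    with tempfile.TemporaryDirectory() as d:
        live = os.path.join(d, "auth.log")
        with open(live, "w") as f:
            f.write("Mar 10 09:14:01 host1 sshd[812]: Failed password for root from 198.51.100.7\n")
        archive = rotate_and_seal(live, d, key)
        verified = verify_archive(archive, key) and os.path.getsize(live) == 0
        with gzip.open(archive, "ab") as f:  # simulate the archive being edited after sealing
            f.write(b"Mar 10 09:14:09 host1 sshd[812]: Accepted password for root\n")
        return verified, not verify_archive(archive, key)
```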
System / Network Monitoring [FII-SCF-007-MON-06]

Netspective Communications LLC will monitor the performance of business applications, information systems, and networks against agreed thresholds to identify irregularities that may indicate a compromise. This will be achieved through the following activities:
- Reviewing the utilization of systems during normal and peak periods.
- Utilizing automated monitoring software that generates alerts, such as through a management console, email messages, or SMS text messages to mobile telephones.
- Regularly reviewing event logs of system and network activity to identify suspicious or unauthorized activity.
- Investigating bottlenecks and overloads.

Regular system and network monitoring activities will be conducted, which include:
- Checking for the presence of disabled powerful system utilities/commands on attached hosts, utilizing a “network sniffer” tool.
- Verifying the existence and configuration of unauthorized wired and wireless networks through automated discovery/mapping tools.
- Identifying the presence of unauthorized systems using automated discovery/mapping tools.
- Detecting unauthorized changes to software, electronic documents, and configuration files using file integrity checking software.
- Identifying potential unauthorized disclosure of information, such as transfers of large volumes of data, anomalies in network traffic, or unauthorized use of network protocols like FTP.
- Reviewing DNS logs to identify outbound network connections to malicious servers, including those associated with botnet command and control servers.
- Conducting network sniffing and surveillance activities.

Netspective Communications LLC will conduct system/network monitoring activities to aid in the identification of:
- Unauthorized scanning of business applications, information systems, and networks.
- Successful and unsuccessful attempts to access protected resources, such as DNS servers, web portals, and file shares.
- Unauthorized changes to user accounts and access rights, enabling the detection of privilege escalation.
- Extraction or modification of sensitive information, detected by checking file timestamps and utilizing file integrity checking software.
- Attempts to conceal unauthorized access and activity, including the deletion or tampering of event logs to cover tracks.
- The creation of backdoors that grant unauthorized privileged access to business applications, information systems, and networks at a later time.

The usage of network analysis/monitoring tools will be limited to a select number of authorized individuals, such as network administrators or staff in an information security function.

The owners of business applications, information systems, and networks will review the results of monitoring activities.
Intrusion Detection [FII-SCF-007-MON-01.1]

Netspective Communications LLC will implement intrusion detection mechanisms for critical business applications, information systems, and networks to identify both predetermined and new types of attacks.

The intrusion detection methods will be guided by documented standards/procedures, which will address:
- Methods of identifying unauthorized activity.
- Analysis of suspected high-risk and impactful intrusions.
- Appropriate responses to different types of attacks, such as following an information security incident management process.

The intrusion detection mechanisms will identify:
- Unexpected termination of processes or applications.
- Activity commonly associated with malware, or traffic originating from known malicious IP addresses or network domains, such as those linked to botnet command and control servers.
- Known attack characteristics, including denial of service and buffer overflows.
- Unusual or abnormal system behavior, such as keystroke logging, process injection, and deviations in the use of standard protocols.
- Unauthorized access or attempted access to systems or information.

The intrusion detection mechanisms will be configured to:
- Incorporate new or updated attack characteristics.
- Generate alerts when suspicious activity is detected, supported by documented processes for responding to suspected intrusions.
- Safeguard the intrusion detection software against attacks, such as by concealing its presence.

The intrusion detection methods will be supported by specialized software, such as host intrusion detection systems (HIDS) and network intrusion detection systems (NIDS).

Network intrusion detection sensors (dedicated hardware used to identify unauthorized activity in network traffic) will be protected against attacks, such as by preventing the transmission of outbound network traffic or by employing a network tap to conceal the presence of the sensor.

Netspective Communications LLC will ensure that intrusion detection software:
- Receives automatic updates within defined timescales, such as delivering attack signature files to intrusion detection sensors through a central management console.
- Is configured to generate alerts when suspicious activity is detected, using methods such as a management console, email messages, or SMS text messages to mobile phones.

IT Services will conduct regular reviews to:
- Verify that the configuration of intrusion detection software meets requirements.
- Confirm that the intrusion detection software has not been disabled or tampered with.
- Ensure that updates have been applied within defined timescales.

IT Services will analyze suspected intrusions and assess their potential business impact. The initial analysis will involve:
- Verifying whether an actual attack is taking place, by eliminating false positives.
- Identifying the type of attack, such as worms, buffer overflows, or denial of service.
- Determining the original point of attack.
- Quantifying the potential impact of the attack.

The status of an attack will be evaluated based on:
- The time elapsed since the attack started and since its detection.
- The scale of the attack, including the number and types of affected systems and networks.

A documented method, such as an escalation process, will be established for reporting serious attacks to the information security incident management team and/or the Serious/Major Incident Management team.