SIEM in NIST Cyber Security Framework
TRANSCRIPT
© 2014 Cognizant 1
FISMA – How does SIEM fit in?
Bernie Leung, CISSP, SOC Lead, Architect
Definitions
EGov Act 2002 – Title III is the law that enacted FISMA. FISMA is the part of this law that ensures security for computer systems (H/W, S/W and operations). NIST is called upon to create the standards.
NIST SP800-xxx are the standards. In particular, SP800-53 specifies the various security controls.
NIST Risk Management Framework addresses the security controls according to:
• Identify
• Protect
• Detect
• Respond
• Recover
FIPS addresses the requirements and the process under which a federal computer system can be operated.
FIPS 199 – Classification of system impact
FIPS 200 – Application of NIST standards to a system according to its FIPS 199 classification
Circular A-130 re-affirms the NIST Risk Management Framework – an operations view of NIST SP800-53.
Federal and Regulatory Requirement Flow Down
Columns: Requirement | How it applies to Cognizant US SOC | Considerations | Outcome

FISMA – Federal Information Security Management Act
  How it applies: Applies to US government agencies and contractors; relies on NIST
  Considerations: Is the client a Federal agency or contractor?
  Outcome: SOC must comply with NIST

FedRAMP – Federal Risk Operation and Management Program
  How it applies: Applies to Cloud Service Providers to US Government Agencies; based on certified 3rd party accreditation
  Considerations: Even though the contractor is not a Federal agency, it provides service to Federal agencies
  Outcome: SOC should comply with FedRAMP requirements

Data Governance
  How it applies: Applies to data storage, retention periods, eDiscovery and legal hold
  Considerations: SOC is the guardian of configuration data; international law complicates data stored outside of the US
  Outcome: Data will reside within the US border
SIEM Cannot Operate as an Island!
People, Process, Technology
SIEM Technology
Process
NIST Risk Management Framework
Step 1 Categorization
FIPS 199, NIST SP800-60
Step 2 & 3 - Security Controls
Step 6 Monitoring
Information Security Continuous Monitoring
ISCM and Security Automation
CAESARS block architecture
References
NIST Special Publication 800-xxx: http://csrc.nist.gov/publications/PubsSPs.html
NIST FIPS-199: http://csrc.nist.gov/publications/PubsSPs.html
CAESARS reference architecture: http://scap.nist.gov/events/2012/itsac/presentations/day3/5Oct_330pm_Sell.pdf
NIST CyberSecurity Framework Reference Tool: http://www.nist.gov/cyberframework/csf_reference_tool.cfm