SIEM in NIST Cyber Security Framework

Posted on 12-Apr-2017


© 2014 Cognizant 1

FISMA – How does SIEM fit in?

Bernie Leung, CISSP, SOC Lead, Architect

takming.leung@cognizant.com
leung.bernie@gmail.com


Definitions

E-Government Act of 2002 – Title III of this law is FISMA. FISMA requires security for federal information systems (hardware, software and operations) and directs NIST to create the standards and guidelines.

NIST SP 800-xxx are the guidance documents. In particular, SP 800-53 specifies the catalog of security controls.

The NIST Cybersecurity Framework organizes security activities into five core functions: • Identify • Protect • Detect • Respond • Recover. The NIST Risk Management Framework (SP 800-37) applies the SP 800-53 controls through six steps: Categorize, Select, Implement, Assess, Authorize and Monitor; the slides that follow refer to these RMF steps.

FIPS (Federal Information Processing Standards) set the mandatory requirements and process a federal computer system must satisfy before it can be operated.

FIPS 199 – Classification of system impact (low, moderate, high).
FIPS 200 – Minimum security requirements; selects the SP 800-53 control baseline according to the FIPS 199 classification.
OMB Circular A-130 re-affirms the NIST Risk Management Framework – an operational view of NIST SP 800-53.


Federal and Regulatory Requirement Flow Down

Requirement: FISMA – Federal Information Security Management Act
How it applies to Cognizant US SOC: Applies to US government agencies and their contractors; relies on NIST standards.
Considerations: Is the client a federal agency or a federal contractor?
Outcome: SOC must comply with the NIST standards (SP 800-53 controls).

Requirement: FedRAMP – Federal Risk and Authorization Management Program
How it applies to Cognizant US SOC: Applies to cloud service providers serving US government agencies; based on assessment by an accredited third-party assessment organization (3PAO).
Considerations: Even though the contractor is not a federal agency, it provides service to federal agencies.
Outcome: SOC should comply with FedRAMP requirements.

Requirement: Data Governance
How it applies to Cognizant US SOC: Applies to data storage, retention periods, eDiscovery and legal hold.
Considerations: SOC is the guardian of configuration data; international law complicates data stored outside the US.
Outcome: Data will reside within US borders.


SIEM Cannot Operate as an Island!

People, Process, Technology


SIEM Technology


Process


NIST Risk Management Framework


Step 1 – Categorization

FIPS 199, NIST SP 800-60

Steps 2 & 3 – Security Controls (Select and Implement)

Step 6 – Monitoring

Information Security Continuous Monitoring


ISCM and Security Automation


CAESARS block architecture


References

NIST Special Publication 800-xxx: http://csrc.nist.gov/publications/PubsSPs.html

NIST FIPS 199: http://csrc.nist.gov/publications/PubsSPs.html

CAESARS reference architecture: http://scap.nist.gov/events/2012/itsac/presentations/day3/5Oct_330pm_Sell.pdf

NIST Cybersecurity Framework Reference Tool: http://www.nist.gov/cyberframework/csf_reference_tool.cfm