Recording of Business Traffic Crossing a Boundary

Apr 18th, 2015


The objective of PMC2 is to define a set of Alerts and Reports that will identify authorized vs non-authorized business traffic across the network boundary.

This goal is met if you can distinguish authorised from non-authorised traffic, prevent and alert on the transport of malicious code across the boundary, and identify manipulation of other business traffic.

Protective Monitoring, also known as Good Practice Guide 13 (GPG13), is a UK government recommended set of people, business processes and technology intended to improve an organisation's risk profile.

The GPG13 standard includes twelve Protective Monitoring Controls. The section below explains which requirements must be met to satisfy your obligations for Protective Monitoring Control number two (PMC2).

Depending on the Impact Level of the organisation's data that you are trying to protect, you will have one of four recording profiles.

The required Recording Profile for each Impact Level of data is described below:

Impact Level 1 Data – Recording Profile Aware

Impact Level 2 Data – Recording Profile Deter

Impact Level 3 Data – Recording Profile Deter

Impact Level 4 Data – Recording Profile Detect and Resist

Impact Level 5 Data – Recording Profile Defend

Impact Level 6 Data – Recording Profile Defend

Below is a summary of your obligations under each recording profile:

Aware

Report and Alert on Malware detected crossing the boundary

Deter

Ensure you meet the requirements of lower recording profiles

Report and Alert on blocked web browsing activities

Report and Alert on failed file imports and exports across boundary

Detect and Resist

Ensure you meet the requirements of lower recording profiles

Report on failed file imports and exports across boundary and keep a copy of file content for auditing purposes

Report on failed file imports and exports across boundary and keep a copy of file content, Security Label and File Signature, for auditing purposes

Report on accepted web traffic across boundary

Report on accepted incoming and outgoing file transfers across boundary

Defend

Ensure you meet the requirements of lower recording profiles

Report on accepted incoming and outgoing file transfers across boundary, including a copy of the file content

Report on accepted file imports and exports across boundary and keep a copy of file content, Security Label and File Signature, for auditing purposes

Report on files that have been placed in a file cache, including its URL, content, Security Label, Signature and time to live

Report on who has accessed file cache

Technology Required

Log Management Software

The Log Management Software should be able to digitally sign the logs. At the higher data marking levels it is also recommended that it supports encryption and/or a hashing function.
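As an added illustration of what "digitally signing the logs" buys you (this is example code written for this page, not software from the page or from any GPG13 product), the block below hash-chains each stored log record to the one before it and adds an HMAC over the chain hash. The log lines, the key and the record layout are all constructed for the example; a real deployment would keep the key in the log management layer, out of reach of the log sources, and a public-key signature would replace the HMAC where third-party verification is needed.

```python
import hashlib
import hmac

# Constructed sample boundary log lines (not taken from the original page).
SAMPLE_LOGS = [
    "2015-04-18T09:12:01Z fw1 AV-BLOCK src=10.0.0.5 dst=203.0.113.9 file=invoice.exe",
    "2015-04-18T09:15:44Z proxy1 WEB-BLOCK user=jsmith url=http://example.invalid/",
    "2015-04-18T09:20:10Z fw1 FILE-EXPORT-FAIL user=jsmith file=report.docx",
]

GENESIS = "0" * 64  # chain anchor for the first record


def _digest(prev_hash, line):
    # Hash covers the previous record's hash, so order and presence are bound in.
    return hashlib.sha256((prev_hash + "\n" + line).encode()).hexdigest()


def sign_records(lines, key):
    """Return hash-chained, HMAC-signed records for the given log lines.

    Each record carries the hash of the previous record, so deleting or
    reordering a line breaks the chain; the HMAC (keyed with a key held by
    the log management layer, not by the log sources) detects forged hashes.
    """
    records = []
    prev = GENESIS
    for line in lines:
        h = _digest(prev, line)
        sig = hmac.new(key, h.encode(), hashlib.sha256).hexdigest()
        records.append({"line": line, "prev": prev, "hash": h, "sig": sig})
        prev = h
    return records


def verify_chain(records, key):
    """Return (True, None) if the chain is intact, else (False, index of first bad record)."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if rec["prev"] != prev:
            return False, i                      # gap or reordering
        if _digest(prev, rec["line"]) != rec["hash"]:
            return False, i                      # record content altered
        expected = hmac.new(key, rec["hash"].encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            return False, i                      # hash forged without the key
        prev = rec["hash"]
    return True, None


if __name__ == "__main__":
    key = b"demo-signing-key-replace-in-production"  # constructed for the example
    signed = sign_records(SAMPLE_LOGS, key)
    print(verify_chain(signed, key))
```

Verification reports the first record that fails, which is also the audit question an assessor asks: from which point onward can the stored boundary records no longer be trusted.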

It is important to ensure that the Log Management layer does NOT rely on relational databases, unless you are collecting logs from a very limited number of devices, as these systems will not scale in the majority of environments.

While appliance-based solutions have the advantage of being quick to install, they require specialist knowledge to maintain and support. Often it is better to obtain software that runs on your current server technology, can be scaled easily and, more importantly, can be supported within the existing support structure.

Security Event Management Software

You need to be able to alert on a number of different criteria. Typically this requires a SEM that can raise an Alert when several criteria are met together, rather than only basic single-event Alerts. One of the risks of a SEM solution is that you are overloaded with Alerts that are not relevant and are therefore ignored by the security response team.

As an example, if an admin user were to log in outside business hours, create a new user and add that user to a privileged group, it would be far preferable to receive a single High Priority Alert rather than a number of individual Alerts. This keeps the number of Alerts created at a manageable level.

A second recommendation is that your SEM software is able to respond to Alerts automatically by running scripts. This allows you to automate responses for common tasks; for example, if you receive an Alert about a virus that was blocked at the boundary, the typical response is to ensure the boundary device has the latest virus signatures. Rather than manually checking this every time a virus is detected, you could script this response. The alternative is manual updates, which become a burden on the support staff.
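The two SEM recommendations above (correlating the out-of-hours admin login, user creation and privileged-group addition into one High Priority Alert, and running a scripted response to a blocked-virus Alert) are worked through below in example code added for this page; it is not code from the page or from any SEM product. The event records, field names, business-hours window, privileged group names and the "current signature" value are all constructed assumptions, and the responder only returns the action it would queue rather than talking to a real firewall.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the original page); field names are
# assumptions for this example. 2015-04-20 is a Monday; 2015-04-18 a Saturday.
EVENTS = [
    {"ts": "2015-04-20T02:05:10", "type": "login", "user": "admin2", "role": "admin"},
    {"ts": "2015-04-20T02:07:30", "type": "user_created", "user": "admin2", "target": "svc-tmp"},
    {"ts": "2015-04-20T02:08:05", "type": "group_add", "user": "admin2", "target": "svc-tmp", "group": "Domain Admins"},
    {"ts": "2015-04-20T10:30:00", "type": "login", "user": "admin1", "role": "admin"},
    {"ts": "2015-04-20T10:31:00", "type": "user_created", "user": "admin1", "target": "newhire"},
    {"ts": "2015-04-20T10:32:00", "type": "group_add", "user": "admin1", "target": "newhire", "group": "Domain Admins"},
    {"ts": "2015-04-20T03:12:00", "type": "av_block", "device": "fw1", "file": "invoice.exe", "sig_version": "2015.04.10"},
]

BUSINESS_HOURS = (8, 18)                               # 08:00-18:00 weekdays (assumption)
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}  # assumption
WINDOW = timedelta(minutes=30)                         # follow-on events must land in this window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def out_of_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def correlate(events):
    """Collapse an out-of-hours admin login followed by user creation and a
    privileged-group addition into ONE high-priority alert per login."""
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as strings
        if "user" in e:                                  # device events carry no actor
            by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for login in (e for e in evs if e["type"] == "login" and e.get("role") == "admin"):
            t0 = parse_ts(login["ts"])
            if not out_of_hours(t0):
                continue                                 # in-hours admin work stays a plain event
            window = [e for e in evs if t0 <= parse_ts(e["ts"]) <= t0 + WINDOW]
            created = {e["target"] for e in window if e["type"] == "user_created"}
            escalated = [e for e in window
                         if e["type"] == "group_add"
                         and e["target"] in created
                         and e["group"] in PRIVILEGED_GROUPS]
            if escalated:
                alerts.append({
                    "priority": "HIGH",
                    "user": user,
                    "login_at": login["ts"],
                    "new_privileged_users": sorted({e["target"] for e in escalated}),
                    "correlated_events": len(window),
                })
    return alerts


# --- automated response hooks: the "run a script on an Alert" recommendation ---
CURRENT_SIGNATURE = "2015.04.20"   # constructed: latest AV signature release known to the SEM


def respond_av_block(event):
    """If the device that blocked the file is behind the latest signature set,
    queue a signature update instead of waiting for a manual check."""
    if event["sig_version"] < CURRENT_SIGNATURE:       # dotted dates compare lexically
        return {"device": event["device"], "action": "update_signatures",
                "from": event["sig_version"], "to": CURRENT_SIGNATURE}
    return {"device": event["device"], "action": "none"}


RESPONDERS = {"av_block": respond_av_block}


def dispatch(events):
    """Run the configured responder for every event type that has one."""
    return [RESPONDERS[e["type"]](e) for e in events if e["type"] in RESPONDERS]


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
    for action in dispatch(EVENTS):
        print(action)
```

Run on the sample, the correlation yields a single alert for admin2 (three raw events folded into one) and nothing for admin1, whose identical sequence happened in business hours; the responder queues a signature update for fw1 because its signature set is older than the current release.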

Firewall with Anti-Virus Module

You will need to alert when a virus is detected crossing the network boundary; the only way to achieve this is to have an antivirus/anti-malware module installed on the firewall.

Notes:

The biggest challenge with this Protective Monitoring Control is that files transferred in and out of the organisation must be intercepted and kept for auditing purposes. This will require technology outside of your reporting and alerting framework.

© 2006-2017 Protective Monitoring – GPG13.