The objective of PMC4 is to define a set of Alerts and Reports that will identify configuration and status changes on internal workstations, servers and network devices.
Protective Monitoring, defined in Good Practice Guide 13 (GPG13), is a UK government recommended combination of people, business processes and technology intended to improve an organisation's risk profile.
GPG13 defines twelve Protective Monitoring Controls (PMCs). The section below explains the requirements that must be met to satisfy your obligations under Protective Monitoring Control number four (PMC4).
Depending on the Impact Level of the data your organisation is trying to protect, you will be assigned one of four Recording Profiles.
The required Recording Profile for each Impact Level is listed below:
Impact Level 1 Data – Recording Profile Aware
Impact Level 2 Data – Recording Profile Deter
Impact Level 3 Data – Recording Profile Deter
Impact Level 4 Data – Recording Profile Detect and Resist
Impact Level 5 Data – Recording Profile Defend
Impact Level 6 Data – Recording Profile Defend
Below is a summary of your obligations under each recording profile:
Aware
Report and Alert on all Critical and above messages from hosts in scope
Report and Alert on all detected Malware on hosts in scope
Report on all Error messages from hosts in scope
Report on changes in status to Malware signature base
Deter
Ensure you meet the requirements of lower recording profiles
Report on Failed access attempts to files
Report on changes to File or directory access rights of system folders
Report on change to status of networked hosts
Report on change in status of attached devices connected to controlled hosts
Report on status of storage volumes of monitored hosts
Report on changes to software configuration of monitored hosts
Detect and Resist
Ensure you meet the requirements of lower recording profiles
Report and Alert on changes to system files or folders
Report on all critical messages below Warning level from hosts in scope
Report on changes to system configuration on monitored hosts
Report on changes to system processes on monitored hosts
Defend
Ensure you meet the requirements of lower recording profiles
Report on changes to software configuration of monitored hosts, including software inventory
Report on changes to system files, including before and after content
Report on changes to system configuration on monitored hosts, including before and after content
Technology Required
Log Management Software
The Log Management software should be able to digitally sign the logs so that tampering can be detected. At the higher Impact Levels it is also recommended that it supports encryption and/or hashing of stored logs.
It is important that the Log Management layer does NOT rely on a relational database unless you are collecting logs from a very small number of devices, as such systems will not scale in the majority of environments.
While appliance-based solutions have the advantage of being quick to install, they require specialist knowledge to maintain and support. It is often better to obtain software that runs on your existing server technology, can be scaled easily and, more importantly, can be supported within your existing support structure.
Security Event Management Software
You need to be able to alert on a number of different criteria. Typically this requires a SEM that can raise an Alert when a combination of conditions is met, rather than only on single events. One of the risks of a SEM solution is that the security response team is overloaded with Alerts that are not relevant and are therefore ignored.
As an example, if an Admin user logs in outside business hours, creates a new user and adds that user to a privileged group, it is much preferable to receive a single High Priority Alert than a series of individual Alerts. Correlating events in this way keeps the number of Alerts down to a manageable level.
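The correlation rule described above, written out as an added example (not code from the page or from any SEM product). The event records are constructed and modelled loosely on Windows Security log event IDs (4624 logon, 4720 user account created, 4732 member added to a local group); the record format, the business-hours window, the 30-minute correlation window and the list of privileged groups are all assumptions for illustration.

```python
"""Correlate an out-of-hours logon, account creation and privileged-group
addition by the same actor into ONE High priority alert.

Added example. Event IDs follow Windows Security log conventions
(4624 / 4720 / 4732) but the record format, time window and group list
are assumptions, not taken from GPG13 or from any product.
"""
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta
from typing import Dict, List

BUSINESS_START = time(8, 0)                             # assumption
BUSINESS_END = time(18, 0)                              # assumption
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins"}  # assumption
WINDOW = timedelta(minutes=30)                          # assumption


@dataclass
class Event:
    ts: datetime
    event_id: int
    actor: str        # account that performed the action
    target: str = ""  # account created (4720) or added to a group (4732)
    group: str = ""   # group name, 4732 only


@dataclass
class Alert:
    priority: str
    actor: str
    summary: str
    events: List[Event] = field(default_factory=list)


# Constructed sample log: "timestamp|event_id|actor|target|group".
# 2024-03-02 is a Saturday; 2024-03-04 is a Monday.
SAMPLE_LOG = """\
2024-03-02T23:14:05|4624|svc_admin||
2024-03-02T23:15:40|4720|svc_admin|tempuser|
2024-03-02T23:16:02|4732|svc_admin|tempuser|Administrators
2024-03-04T10:02:11|4624|jsmith||
2024-03-04T10:05:30|4720|jsmith|newhire|
2024-03-04T10:06:01|4732|jsmith|newhire|Administrators
2024-03-02T22:50:00|4624|backup_op||
"""


def out_of_hours(ts: datetime) -> bool:
    """Weekend, or outside BUSINESS_START..BUSINESS_END on a weekday."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)


def parse(text: str) -> List[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, actor, target, group = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), int(eid), actor, target, group))
    return events


def correlate(events: List[Event]) -> List[Alert]:
    """One High alert per actor whose out-of-hours 4624 is followed within
    WINDOW by a 4720 and a 4732 that puts the new account into a privileged
    group. The same events in business hours, or any event on its own,
    produce no alert at all."""
    alerts: List[Alert] = []
    by_actor: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_actor.setdefault(ev.actor, []).append(ev)

    for actor, evs in by_actor.items():
        for logon in (e for e in evs if e.event_id == 4624 and out_of_hours(e.ts)):
            window = [e for e in evs if logon.ts <= e.ts <= logon.ts + WINDOW]
            created = [e for e in window if e.event_id == 4720]
            new_accounts = {e.target for e in created}
            escalated = [e for e in window if e.event_id == 4732
                         and e.target in new_accounts
                         and e.group in PRIVILEGED_GROUPS]
            if escalated:
                groups = ", ".join(sorted({e.group for e in escalated}))
                alerts.append(Alert(
                    priority="High",
                    actor=actor,
                    summary=(f"{actor} logged on out of hours at {logon.ts:%Y-%m-%d %H:%M}, "
                             f"created {', '.join(sorted(new_accounts))} and added it to {groups}"),
                    events=[logon] + created + escalated))
                break  # one alert per actor, not one per raw event
    return alerts


def correlate_log(text: str) -> List[Alert]:
    return correlate(parse(text))


if __name__ == "__main__":
    for a in correlate_log(SAMPLE_LOG):
        print(f"[{a.priority}] {a.summary} ({len(a.events)} events)")
```

Run against the sample, only `svc_admin` produces an alert: `jsmith` performs the identical sequence during business hours and `backup_op` only logs on, so neither generates noise. The three raw events behind the alert are kept on the Alert object so the responder still has the evidence without receiving three separate notifications.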
A second recommendation is that your SEM software should be able to respond to Alerts automatically by running scripts. This allows you to automate responses to common events. For example, if you receive an Alert about a virus blocked at the boundary, the typical response is to confirm that the boundary device has the latest virus signatures; rather than checking this manually every time a virus is detected, you can script the response. The alternative is manual checking, which becomes a burden on support staff.
Configuration Change Software
PMC4 requires a number of settings to be checked and reported on when they change. For example, you need to Alert on permission changes to system files, changes to Registry settings, or changes to the configuration of installed applications.
This requires specialist software; the auditing built into operating systems and network devices rarely provides this level of detail.
At the higher Impact Levels this software should be able to capture the content of configuration files. This does not mean capturing binary files (although a backup of these should exist), but it does require a copy of the original configuration file so that it can be verified against a known-good copy. When in doubt, if a file changes under normal operating circumstances, keep a copy.
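The before-and-after capture described above, as an added example that is not part of the page or of any product: it baselines every file under a directory (SHA-256, permission bits and, for text files, the full content), then reports additions, removals and modifications as a unified diff. Binary files are hashed only, as the text advises. The directory layout, file names and sample `sshd_config` content are constructed; the permission check records POSIX mode bits, which is the point the page makes about Windows: NTFS ACL changes would not show up here and need a separate mechanism.

```python
"""Baseline configuration files and report changes with before/after content.

Added example. Stores SHA-256, permission bits and (for text files) the
content of each file so that a later snapshot can be diffed against it.
Paths, file names and sample content are constructed for illustration.
"""
import difflib
import hashlib
import os
import stat
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

MAX_CONTENT = 1 << 20  # keep content only for text files up to 1 MiB (assumption)


@dataclass
class Record:
    sha256: str
    mode: int                 # POSIX permission bits; does NOT capture NTFS ACLs
    content: Optional[str]    # None for binary files: hash only


def _is_text(data: bytes) -> bool:
    return b"\x00" not in data


def snapshot(root: Path) -> Dict[str, Record]:
    """Record every regular file under root, keyed by relative path."""
    recs: Dict[str, Record] = {}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        data = p.read_bytes()
        content = None
        if _is_text(data) and len(data) <= MAX_CONTENT:
            content = data.decode("utf-8", "replace")
        recs[p.relative_to(root).as_posix()] = Record(
            hashlib.sha256(data).hexdigest(),
            stat.S_IMODE(p.stat().st_mode),
            content,
        )
    return recs


def compare(before: Dict[str, Record], after: Dict[str, Record]) -> List[str]:
    """One report entry per added, removed or modified file, sorted by path."""
    report: List[str] = []
    for name in sorted(set(before) | set(after)):
        old, new = before.get(name), after.get(name)
        if old is None:
            report.append(f"ADDED {name}")
            continue
        if new is None:
            report.append(f"REMOVED {name}")
            continue
        lines: List[str] = []
        if old.mode != new.mode:
            lines.append(f"permissions {oct(old.mode)} -> {oct(new.mode)}")
        if old.sha256 != new.sha256:
            lines.append(f"sha256 {old.sha256[:12]}... -> {new.sha256[:12]}...")
            if old.content is not None and new.content is not None:
                lines.extend(difflib.unified_diff(
                    old.content.splitlines(), new.content.splitlines(),
                    "before", "after", lineterm="", n=0))
            else:
                lines.append("binary content changed; restore from backup and compare")
        if lines:
            report.append(f"MODIFIED {name}\n  " + "\n  ".join(lines))
    return report


def demo() -> List[str]:
    """Constructed scenario: a setting weakened, permissions loosened, a binary dropped."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        cfg = root / "sshd_config"
        cfg.write_text("Port 22\nPermitRootLogin no\nPasswordAuthentication no\n")
        os.chmod(cfg, 0o644)
        before = snapshot(root)

        cfg.write_text("Port 22\nPermitRootLogin yes\nPasswordAuthentication no\n")
        os.chmod(cfg, 0o666)
        (root / "plugin.bin").write_bytes(b"\x7fELF\x00\x01\x02")
        after = snapshot(root)
        return compare(before, after)


if __name__ == "__main__":
    print("\n".join(demo()))
```

The snapshot is the "known good copy" the text asks for; in practice it would be signed and stored off the monitored host, since an attacker who can edit the configuration can usually edit a baseline kept beside it.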
Notes:
The biggest challenge with this Protective Monitoring Control is detecting changes to permissions and rights on system folders and files. Microsoft Windows, for example, makes it difficult to audit these changes in a single record. The second challenge is keeping the content of these files before and after each change. This typically requires specialist software, such as Trend Micro.