WHAT NEEDS TO BE MONITORED AND ALERTED UPON
There is a minimum level of logging required to meet GPG 13 Standards. However, a balance needs to be drawn on appropriate levels of monitoring and alerting; too little leads to non-compliance, whilst too much makes log files and the devices used to manage them unwieldy. If too much logging is enabled it can also cause the logged OS/Application to crash or slow down.
In addition, alerts are only useful if there is a process and personnel in place to intake, analyze, and respond to them on a timely basis. In short, the system has to be comprehensive but at the same time it has to be workable.
Therefore CNS consultants work closely with the customer to help ensure that the log monitoring technology is configured properly as each customer’s needs are different.
How This is Achieved
The Service uses the Mosaic COMPLY & SECURE platform to monitor, alert and indicate effective compliance to the standard required. Through this platform CNS is able to collect, aggregate, and pre-filter raw logs from the sources monitored. The technology then allows for logs to be stored locally, as well as forwarding them to the secure NOC for analysis and long-term storage.
Upon receipt of a security-relevant event (on a 24x7x365 basis), an alert is triggered. A CNS analyst then determines whether the event represents suspicious activity and is therefore deemed a legitimate threat or not, and, if so, notifies the relevant personnel, irrespective of the time of day.
All CNS consultants who make up the Managed Service Offering are certified professionals who all have SC clearance and have either been NPPV or MV vetted.
Filtering
To ensure that the appropriate method of logging and alerting is configured, filtering rules are applied on each device in question. These are to ensure that CNS both captures and reports on:
• Successful login/logoff (logged only)
• Unsuccessful login/logoff (logged and alerted)
• Unauthorised Application Access (logged and alerted)
• System Changes (logged and alerted)
Once all this is done, the CNS Managed Service Team then evaluates the data collected through the service, and promptly reports on and responds to any security threat.
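As an added example (not CNS's or Mosaic's own code), a small pre-filter that applies the four rules above to a constructed syslog-style feed: every matching event is captured, and only the three alertable classes are passed on for analyst review. The log formats and regular expressions are assumptions for illustration.

```python
import re

# Filtering policy taken from the rules above: every matching event is
# logged; all but successful login/logoff also raise an analyst alert.
POLICY = {
    "successful_login":    {"log": True, "alert": False},
    "unsuccessful_login":  {"log": True, "alert": True},
    "unauthorised_access": {"log": True, "alert": True},
    "system_change":       {"log": True, "alert": True},
}

# Hypothetical patterns for a constructed syslog-style feed (not a real vendor format).
PATTERNS = [
    ("successful_login",    re.compile(r"\bAccepted (?:password|publickey) for \S+")),
    ("unsuccessful_login",  re.compile(r"\bFailed password for (?:invalid user )?\S+")),
    ("unauthorised_access", re.compile(r"\bACCESS DENIED app=\S+")),
    ("system_change",       re.compile(r"\bCONFIG CHANGED\b|\bpackage (?:installed|removed)\b")),
]

def classify(line):
    """Map one raw log line to an event class, or None if it is outside the required set."""
    for event_class, pattern in PATTERNS:
        if pattern.search(line):
            return event_class
    return None

def filter_events(lines):
    """Return (logged, alerted): lists of (event_class, line) per the policy."""
    logged, alerted = [], []
    for line in lines:
        event_class = classify(line)
        if event_class is None:
            continue  # dropped by the pre-filter: not a GPG 13 required event here
        if POLICY[event_class]["log"]:
            logged.append((event_class, line))
        if POLICY[event_class]["alert"]:
            alerted.append((event_class, line))
    return logged, alerted

# Constructed sample feed: four in-scope events plus one routine cron line.
SAMPLE_LOGS = [
    "Jan 10 09:12:01 srv01 sshd[2211]: Accepted publickey for alice from 10.0.0.5 port 51022",
    "Jan 10 09:12:44 srv01 sshd[2215]: Failed password for invalid user admin from 10.0.0.9 port 40311",
    "Jan 10 09:13:10 srv01 appgw[410]: ACCESS DENIED app=payroll user=bob",
    "Jan 10 09:14:02 srv01 cfgd[77]: CONFIG CHANGED file=/etc/ssh/sshd_config by=root",
    "Jan 10 09:14:30 srv01 cron[88]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    logged, alerted = filter_events(SAMPLE_LOGS)
    print(f"logged={len(logged)} alerted={len(alerted)}")  # logged=4 alerted=3
```

The routine cron line is discarded before storage, which is the balance the section describes: enough to reconstruct the required events without flooding the log store or the analyst.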
Determining Configuration
Determining the actual events to monitor and log varies with each system component deployed. GPG 13 defines a minimum list of system events to be logged (or, to allow “the events to be reconstructed”). Such requirements are motivated by the need to audit and monitor user actions as well as other events that can affect classified data (such as system failures).