Financial Institutes recommendations needed
I have these questions from a client of ours, a Financial Institute, so I need your help regarding:

1. Creating a monthly report that contains the overall security status and can be presented to top management. enVision doesn't have something like this by default (I tried to find one but with no luck), so I guess that we need to create it.

2. They would like some recommendations on using enVision, some best practices for Financial Institutes, like: what logs to collect, what alerts to define, what reports to run, etc.

3. Running Basel II and ISO 27001 reports. I read that for PCI DSS reports the user has to define a device group called "Cardholder data" or something like that, and after that the report will have the expected results. So my question is whether there are prerequisites like this one that should be fulfilled in order to run Basel II and ISO 27001 reports? I didn't read anything like this, so any opinion will be a lifesaver.

4. In the enVision GUI: "Overview" - "System Configurations" - "Directories" - "manage storage locations": if Rotate is set to 85%, does it mean that enVision will rotate the database when it reaches 85%? I mean that it will automatically delete old logs in order to free up some space?

Many thanks, Catalin Neacsu
Also, there is another aspect that we are interested in:

5. Correlating Active Directory logs with Access Control logs. We are interested in collecting logs from access control and integrating enVision with AD, so we can identify when a user logs on to a station without performing a badge authentication first.
Can LDAP requests be sent to AD to verify if a user is currently logged on?
What is the level of integration and what can we obtain from this?
A couple of thoughts.

1.) Execs are targeting progress and high-level metrics. Showing them how many failed logins or a top 10 would mean nothing. If you are doing incident resolution or mitigation, I would recommend providing reporting on trending of how many incidents are resolved over a week period, maybe compared to how many are opened. Other ideas are showing collection stats. How many EPS does the organization produce? How successful is the SIEM? (What was the original business definition or purpose for the SIEM? Show progress towards that goal.) Show alert trending? Write up a summary of an incident the SIEM helped resolve, with charts and graphs.
2.) There are various blogs out there that could assist in developing use cases.
And/or, leverage RSA professional Services to help tailor the solution. Use case development could even start at reviewing the previous set of security incidents of 2010, and determine how one could leverage the SIEM to pro-actively either report or mitigate them.
3.) Also, for PCI or SOX definition, one must define what is in scope (what assets are required for compliance). Setting up proper groups and filters should be done during the implementation or pre-implementation phase. Configuring a set of reports to run every day is a good start. These reports should map to the various compliance controls, with the week-ending reports running on Sunday AM for review on Monday.

4.) Capacity planning is often overlooked. I recommend you develop weekly reporting on total events collected, average EPS, storage growth snapshot, and ETA on running out of space. Answering the question of what happens should never happen if you properly plan.