(3rd in a series of 3)
Today’s blog entry is the third and final blog in the series on SIEM features which support continuous monitoring requirements. The past two blog entries covered situational awareness, threats, assessing security controls, and collecting, correlating, and analyzing security information. In today’s entry I will cover security status communication and risk management requirements for continuous monitoring.
The FIFTH requirement is “providing actionable communication of security status across all tiers of the organization.” This requirement has to do with the organization’s capability to provide accurate communication on the current security status of the organization at all levels within the organization and to provide recommended action when needed. This particular requirement is focused on defining, providing, and communicating security status and metrics. A SIEM should be capable of providing notification of security-related issues to the owners of particular systems, allowing them to take remediation action as necessary. The more advanced SIEMs actually have the capability to provide automated remediation actions when specific issues are identified. The metric portion of the requirement quantifies the current status of information security at all levels of the organization. At a minimum, the SIEM should be able to provide an audit trail of the actual use of the SIEM as part of a metric. The SIEM should audit alerts generated by critical events, the analyst’s acknowledgment of the alert, investigations initiated by the analyst in response to the event, actions taken to remediate the threat of the event, and review of the event by management.
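One way to turn that audit trail into a metric, as an added example that is not code from the original post or from any particular SIEM product: the script below takes a constructed audit trail of (timestamp, alert id, stage, actor) records using the five stages named above, and reports per-stage counts, where each alert is stalled, which alerts are still unacknowledged, and the median time from alert to acknowledgment. The record layout and stage names are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Lifecycle stages the SIEM audit trail should record, in order.
STAGES = ("alert", "ack", "investigate", "remediate", "review")

# Constructed sample audit trail (not real SIEM output).
AUDIT_TRAIL = [
    ("2024-05-01T08:00:00", "A-1", "alert", "siem"),
    ("2024-05-01T08:07:00", "A-1", "ack", "analyst1"),
    ("2024-05-01T08:30:00", "A-1", "investigate", "analyst1"),
    ("2024-05-01T10:00:00", "A-1", "remediate", "sysowner"),
    ("2024-05-02T09:00:00", "A-1", "review", "manager"),
    ("2024-05-01T09:00:00", "A-2", "alert", "siem"),
    ("2024-05-01T09:20:00", "A-2", "ack", "analyst2"),
    ("2024-05-01T11:00:00", "A-3", "alert", "siem"),
]

def lifecycle_metrics(trail):
    """Summarise how far each alert has progressed through the lifecycle."""
    per_alert = defaultdict(dict)
    for ts, alert_id, stage, _actor in trail:
        if stage not in STAGES:
            raise ValueError(f"unknown stage {stage!r}")
        t = datetime.fromisoformat(ts)
        # Keep the earliest timestamp seen for each stage of an alert.
        per_alert[alert_id][stage] = min(t, per_alert[alert_id].get(stage, t))
    counts = {s: sum(1 for a in per_alert.values() if s in a) for s in STAGES}
    # The first missing stage is where the alert is currently stalled.
    stalled = {}
    for aid, stages in per_alert.items():
        for s in STAGES:
            if s not in stages:
                stalled[aid] = s
                break
    ack_minutes = [
        (a["ack"] - a["alert"]).total_seconds() / 60
        for a in per_alert.values() if "alert" in a and "ack" in a
    ]
    return {
        "counts": counts,
        "stalled": stalled,
        "unacknowledged": sorted(aid for aid, s in stalled.items() if s == "ack"),
        "median_ack_minutes": median(ack_minutes) if ack_minutes else None,
    }

if __name__ == "__main__":
    print(lifecycle_metrics(AUDIT_TRAIL))
```

In the sample trail, A-1 has completed all five stages, A-2 is stalled at investigation, and A-3 has never been acknowledged, which is exactly the kind of gap a management-level status report should surface.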
The SIXTH and final requirement is “active management of risk by organizational officials.” This particular requirement indicates that management must actively manage organizational risks. This is really an extension of the risk assessment process, which ensures all risks are identified, mitigated, and acknowledged by management. A SIEM should extend management’s view of the organization’s risk landscape by providing a view of critical risks such as threats and vulnerabilities, and by providing visibility into the effectiveness of mitigating controls such as anti-malware, firewalls, IDS, patch management, vulnerability scanners, etc.
A SIEM can be a powerful tool for meeting continuous monitoring requirements through automated means. Keep in mind that not all SIEMs are created equal, and some provide limited functionality at a premium price. Ensure the organization performs an in-depth review of the regulatory requirements along with the functional requirements before a SIEM selection is made. Robust SIEMs often provide mappings of key features directly to the regulatory control requirements they meet or supplement. Advanced SIEMs that provide capabilities such as built-in alerts, threat advisories, and automated remediation functionality can help organizations stay informed and be better prepared to quickly remediate security risks.