By definition, Security Information & Event Management systems (SIEMs) are used for the collection of events and logs pertaining to sensitive or protected information. A SIEM attempts to collect as much information as possible to determine security threats, and to help mitigate and remediate those threats by making as much forensic evidence available for analysis as is possible. Logically, SIEM systems represent the nexus of protected information, because evidence pertaining to that information--and in many cases the protected information itself--may be stored and made available by the SIEM.
Because of the centralized nature of SIEM, the security of the SIEM itself is paramount. Certifications such as Common Criteria and FIPS, though often not associated with SIEM, are relevant, and should be used to verify the integrity of these critical systems. This becomes even more important as the National Institute of Standards and Technology (NIST), which drives the standards defined by FIPS, expands its role under the Cybersecurity Act of 2009 to include a wider range of critical information systems, including healthcare and financial systems.
Why are these certifications so important? Consider the use of various internal applications, which reference sensitive information (SI). The applications and systems store the SI in appropriate ways, perhaps using disk encryption. If user behavior (malicious or benign) attempts to transmit that SI outside of the network, it might be captured by a firewall, which is also adequately protected within an encrypted boundary. Events and logs generated by servers, applications, firewalls, and even the storage systems might reference or contain the sensitive information. Collected by the SIEM, for the explicit purpose of increasing visibility to information security personnel, this information is now at risk, unless the SIEM is also fully protected by an encrypted boundary.
Cynthia Reese, SAIC CSTL Laboratory Director
The obvious solution, of course, is to adequately certify the SIEM to the same standards used by the rest of the system, including the operational validation of Common Criteria, and the validation of an encrypted security boundary as defined by FIPS 140-2 level 2.
The Federal Information Security Management Act (FISMA) is legislation, and it is therefore mandatory that the requirements established in FISMA be met, where applicable. The security requirements for Federal Information Processing Standards (FIPS) are derived from FISMA by the National Institute of Standards and Technology (NIST). The FIPS 199 and FIPS 200 standards establish a security 'category,' and an applied set of security requirements, respectively. Under these guidelines, a SIEM, which by nature is collecting confidential and sensitive information from various network devices for security management, requires that security measures be implemented in accordance with NIST Special Publication 800-53. Because the various publications are inter-related, the specific requirements can be difficult to determine.
To summarize: the combined requirements of FISMA, NIST, and FIPS require by law that sensitive data within an information system be protected. This protection is best exemplified in FIPS 140-2, which defines the requirements for cryptographic modules within a given product--including physical security, encryption methods, and key management--to ensure that a product is secure.
Federal Information Processing Standard
As a result, many software-based data encryption tools, secure network transmission tools, firewalls, intrusion prevention systems, and like devices are certified under the requirements of FIPS 140-2. FIPS standards are compulsory and binding for federal agencies. FISMA requires that federal agencies comply with these standards, and therefore, agencies may not waive their use. Because a Security Information & Event Management system (SIEM) collects information from many of these devices, and makes it highly visible for purposes of analysis and incident response, the SIEM must ensure protection under FIPS 140-2 as well. FIPS 140-2 level 2, which defines the encryption boundary to include an entire system, including physical appliances and all data access and authentication mechanisms, is the preferred level of validation for key systems such as a SIEM.
Common Criteria for Information Technology Security Evaluation is an international standard for security certification defined by ISO/IEC 15408. Common Criteria certification assures a product against a specific protection profile, warranting that it meets targeted security properties and functional requirements. Specific protection profiles identify the security requirements for a class of security devices, such as firewalls, intrusion prevention systems (IPS), etc. In addition, validation can occur to varying degrees. The Evaluation Assurance Level, or EAL, determines the depth to which testing and validation occurred.
The certification of a SIEM is most relevant under the Intrusion Detection System Protection Profile (pp_ids_sys), ensuring that all security event management functions are validated. In the case of NitroSecurity's SIEM (NitroView ESM), the system provides web-based administrator console interfaces that can be used to manage NitroSecurity IPS services, as well as to manage data collected from IPS devices; therefore, without including the SIEM in the Common Criteria certification process, critical functions of the IPS would be left unvalidated. In this example, both the NitroGuard IPS and NitroView SIEM were certified to Evaluation Assurance Level 3 (EAL3).
Because SIEMs collect protected data as part of a system, even if a specific tactical device (the IPS) is certified, the encrypted transmission from this device, through the SIEM, to the management console must meet the requirements of FIPS 140-2. If that encrypted session is terminated after transmission to the SIEM, and the data is stored or otherwise accessed in an unprotected, unencrypted manner, the sensitive information is put at risk, potentially undermining all of the best-practice security efforts enforced elsewhere in the network.