How to satisfy this control?

That Random Guy Member Posts: 72
Long story short: company went through a review for ISO 27001 and was recommended to employ a SIEM.

We're using Symantec for our Anti-Virus and I'm thinking I might be able to find something that supports the SIEM functionality from them.

There's just one problem: the auditor said the SIEM must support some protection of logs that include tampering from admins.

In my mind, I don't know how that would be possible considering we're to be the ones to set it up in the first place. We're holding all the keys.

Any tips?

Comments

  • scascscasc Member Posts: 465
    Consider:

    1. Enforce logging for all respective servers, hosts, network devices whereby they generate log events and send to a WORM device (log server) which is essentially a hardened host that prevents even admin from having permissions to tamper with the logs. Least privilege permissions for all. 

    2. From this device securely send the logs to your SIEM which will be able to perform log analysis to identify deviances to baseline/anomalies that need to be investigated. 

    3. Consider using TLS over TCP syslog where applicable (6514 I believe)

    4. If you ever require protection from tampering deploy FIM technology like Tripwire.
    AWS, Azure, GCP, ISC2, GIAC, ISACA, TOGAF, SABSA, EC-Council, Comptia...
  • JDMurray Admin Posts: 13,099
    It really depends on what your budget is for supporting a SIEM, your security logging and log retention policies, and how much logging information (such as syslog, Netflow, SNMP traps, etc.) is produced by your environment. An enterprise-class SIEM, like Splunk or QRadar, can be your log storage, log processing, and log monitoring solution all in one. Smaller SIEMs can't handle very much log storage and another solution (such as LogLogic) must handle the aggregation of all your log sources instead. If your collected logging data are stored outside of your SIEM then the log data protection will come from your storage solution (such as AWS S3) rather than from your SIEM.
  • UnixGuy Mod Posts: 4,570
    ^^ what everyone said.

    Have Splunk as the SIEM and configure proper access management for Splunk.
    Certs: GSTRT, GPEN, GCFA, CISM, CRISC, RHCE

    Learn GRC! GRC Mastery : https://grcmastery.com 

  • LonerVamp Member Posts: 518
    Some (most/all?) SIEMs should disallow tampering of the log files. For instance, if you do backups of log files into flat files on network storage, it should have hashes of the output so it will know if something has changed and won't support re-importing them. Something to that effect.

    Security Engineer/Analyst/Geek, Red & Blue Teams
    OSCP, GCFA, GWAPT, CISSP, OSWP, AWS SA-A, AWS Security, Sec+, Linux+, CCNA Cyber Ops, CCSK
    2021 goals: maybe AWAE or SLAE, bunch o' courses and red team labs?
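An added example (not posted by anyone in this thread) of the "hashes of the output" idea above, applied to the WORM log-server step from the first reply: each stored record carries an HMAC over the previous record's tag plus the event, so editing, deleting or reordering a record breaks the chain, and a verifier that also knows the expected chain head (forwarded to the SIEM, say) catches truncation. The key name, event lines and hostnames are constructed; the assumption that makes it answer the original question is that the HMAC key lives only on the log server or verifier, never on the hosts whose admins the control is meant to constrain.

```python
import hashlib
import hmac

# Constructed sample syslog lines standing in for events the WORM log server receives.
SAMPLE_EVENTS = [
    "<34>1 2024-01-05T10:00:01Z srv01 sshd - - Accepted publickey for alice",
    "<85>1 2024-01-05T10:00:07Z srv01 sudo - - alice : COMMAND=/usr/bin/systemctl restart rsyslog",
    "<4>1 2024-01-05T10:01:12Z fw01 kernel - - DROP IN=eth0 SRC=203.0.113.7",
]
GENESIS = "0" * 64  # tag of the (empty) record before the first one


def _tag(key: bytes, prev_tag: str, event: str) -> str:
    # Each tag covers the previous tag and the event, so records are linked in order.
    return hmac.new(key, f"{prev_tag}\n{event}".encode(), hashlib.sha256).hexdigest()


def chain_events(events, key: bytes):
    """Return [(event, tag), ...]; the last tag is the chain head."""
    records, prev = [], GENESIS
    for ev in events:
        prev = _tag(key, prev, ev)
        records.append((ev, prev))
    return records


def verify_chain(records, key: bytes, expected_head=None):
    """Return (ok, first_bad_index); -1 means every record checks out."""
    prev = GENESIS
    for i, (ev, tag) in enumerate(records):
        if not hmac.compare_digest(_tag(key, prev, ev), tag):
            return False, i
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return False, len(records)  # internally consistent, but truncated or extended
    return True, -1


if __name__ == "__main__":
    key = b"verifier-only-key"  # hypothetical; held by the log server/verifier, not source hosts
    records = chain_events(SAMPLE_EVENTS, key)
    head = records[-1][1]
    print(verify_chain(records, key, head))  # (True, -1)
    edited = list(records)
    edited[1] = (edited[1][0].replace("alice", "bob"), edited[1][1])
    print(verify_chain(edited, key, head))  # (False, 1): record 1 was altered
    print(verify_chain(records[:-1], key, head))  # (False, 2): last record dropped
```

Without the expected head, a chain that has simply been cut short still verifies, which is why the head (or a periodic digest) needs to leave the admins' reach, for example by being forwarded to the SIEM in the second step of the first reply.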