SOX compliance

The Sarbanes-Oxley Act (SOX) was passed in the USA in 2002 and requires all publicly traded companies to implement and affirm a framework of internal controls supporting the accountability and integrity of the financial reporting process. Its purpose is to “protect shareholders and the general public from accounting errors and fraudulent practices in enterprises, and to improve the accuracy of corporate disclosures.” (Source: Digital Guardian: What is SOX Compliance? 2019 SOX Requirements & More, Juliana De Groot). In practice, organizations must be able to show where sensitive data is stored, how it is stored and who has access to it. Because keeping track of sensitive data and regulating access to the network and systems is the cornerstone of SOX compliance, a SIEM that gathers, analyzes and visualizes this information makes compliance considerably more efficient.

Monitoring of critical systems

Critical systems containing sensitive information should be monitored continuously to detect suspicious activity. LogPoint supports dynamic lists and dynamic tables for this purpose. A dynamic list collects and stores specific field values from events and is updated at runtime with values taken from incoming log messages; a dynamic table stores specified fields and field values at runtime for use as an enrichment source. By letting analysts define dynamic lists and tables, organizations reduce the time needed to detect and respond to incidents. Combining dynamic lists with static enrichment lets customers build self-configuring analytics that react automatically to new observations in the data, accelerating response.

Example

Un-privileged connections to critical systems

LogPoint SIEM use cases: Un-privileged connections to critical systems

Log sources: Firewall

Query

label=Connection label=Allow destination_address IN CRITICAL_SYSTEMS -source_address IN PRIVILIGE_SYSTEMS | chart count() by source_address order by count() desc
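The query above expressed in plain Python, as an added example (not LogPoint's own code) that can be run offline over a few constructed, already-normalized firewall events. The two list contents and the events are invented; CRITICAL_SYSTEMS and PRIVILEGED_SYSTEMS stand in for the CRITICAL_SYSTEMS and PRIVILIGE_SYSTEMS lists referenced in the query.

```python
"""Added example, not from the original page: the "un-privileged connections
to critical systems" query implemented over constructed firewall events."""
from collections import Counter

# Stand-ins for the two LogPoint lists used in the query (invented addresses).
CRITICAL_SYSTEMS = {"10.0.1.10", "10.0.1.11"}      # e.g. ERP and general-ledger hosts
PRIVILEGED_SYSTEMS = {"10.0.2.5"}                  # e.g. the finance jump host

# Constructed firewall events. "labels" is the set a normalization policy
# would attach; only Connection+Allow events are relevant to the query.
FIREWALL_EVENTS = [
    {"labels": {"Connection", "Allow"}, "source_address": "10.0.2.5",  "destination_address": "10.0.1.10"},  # privileged source, excluded
    {"labels": {"Connection", "Allow"}, "source_address": "10.0.5.21", "destination_address": "10.0.1.10"},
    {"labels": {"Connection", "Allow"}, "source_address": "10.0.5.21", "destination_address": "10.0.1.11"},
    {"labels": {"Connection", "Deny"},  "source_address": "10.0.5.21", "destination_address": "10.0.1.11"},  # denied, excluded
    {"labels": {"Connection", "Allow"}, "source_address": "10.0.7.3",  "destination_address": "10.0.1.10"},
    {"labels": {"Connection", "Allow"}, "source_address": "10.0.7.3",  "destination_address": "10.0.9.9"},   # not a critical system, excluded
]

def unprivileged_connections(events, critical, privileged):
    """Return [(source_address, count), ...] ordered by count descending,
    mirroring `chart count() by source_address order by count() desc`."""
    counts = Counter()
    for e in events:
        if not {"Connection", "Allow"} <= e["labels"]:
            continue                                   # label=Connection label=Allow
        if e["destination_address"] not in critical:
            continue                                   # destination_address IN CRITICAL_SYSTEMS
        if e["source_address"] in privileged:
            continue                                   # -source_address IN PRIVILIGE_SYSTEMS
        counts[e["source_address"]] += 1
    return counts.most_common()

if __name__ == "__main__":
    for src, n in unprivileged_connections(FIREWALL_EVENTS, CRITICAL_SYSTEMS, PRIVILEGED_SYSTEMS):
        print(f"{src}: {n} allowed connection(s) to critical systems")
```

Each of the three exclusions corresponds to one clause of the query; the privileged-source exclusion is the one that keeps the report from being dominated by the hosts that are supposed to reach the critical systems.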

Ensuring network security

Network security ensures that the CIA triad is upheld for the network infrastructure and the data it carries. The three components of the triad are Confidentiality, Integrity, and Availability. Confidentiality ensures that the network is not accessed by unauthorized users or from unauthorized networks. Integrity guarantees that data, whether at rest or in motion, is protected from unauthorized modification. Availability guarantees that systems and the network are up and running whenever needed.

LogPoint integrates with a wide range of network and firewall devices. The data from these devices can be normalized, aggregated, enriched, and correlated to monitor security inside the network. Threat intelligence feeds can be used to enrich the log data to determine whether the network is being targeted by an external attacker. LogPoint can check activities such as allowed and denied connections, usage of data and applications, connections to threat sources, or other suspicious activity. An asset, system, or device whose network activity is associated with multiple high-risk indicators suggests that the network’s security posture is at risk. LogPoint can identify such cases with a join query between firewall records and vulnerability scanning records; the matching results can additionally be checked for association with an indicator of compromise (IOC). This can be simplified with a dynamic list: a list of vulnerable systems is maintained continuously from scanner data, and an alert fires every time a connection involving an IOC is made to a value in the list.

LogPoint SIEM use cases: Network security

Log sources: Firewall, Vulnerability scanning

Query

[norm_id=PaloAltoNetworkFirewall label=Threat source_address IN HOMENET -destination_address IN HOMENET destination_address=* | process ti(destination_address)] as s1 join [(col_type=qualys_fetcher OR col_type=tenablesecuritycenter_fetcher OR norm_id=VulnerabilityManagement) source_address=* severity>4] as s2 on s1.source_address=s2.source_address | rename s1.et_ip_address as DestinationAddress, s1.cs_ip_address as DestinationAddress, s2.source_address as SourceAddress, s1.et_category as ThreatCategory, s1.cs_category as ThreatCategory, s1.et_score as ThreatScore, s1.cs_score as ThreatScore, s2.title as VulnerabilityPresent | chart max(ThreatScore) as ThreatScore by SourceAddress, VulnerabilityPresent, DestinationAddress, ThreatCategory order by ThreatScore desc limit 10
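The join query above and the dynamic-list variant described in the preceding paragraph, re-implemented in Python as an added example (not LogPoint's own code) over constructed events so the logic can be run offline. HOMENET, the threat-intelligence table (standing in for what `process ti(destination_address)` attaches to an event), the Palo Alto threat events and the scanner findings are all invented for the example.

```python
"""Added example, not from the original page: firewall-to-scanner join plus a
dynamic list of vulnerable hosts, over constructed events."""
import ipaddress
from collections import defaultdict

HOMENET = [ipaddress.ip_network("10.0.0.0/8")]          # assumed internal range

# Constructed TI feed: indicator -> category and score (invented values).
TI_FEED = {
    "203.0.113.9":   {"category": "CnC", "score": 90},
    "198.51.100.77": {"category": "Scanner", "score": 40},
}

# Constructed norm_id=PaloAltoNetworkFirewall label=Threat events.
THREAT_EVENTS = [
    {"source_address": "10.0.5.21",   "destination_address": "203.0.113.9"},
    {"source_address": "10.0.5.21",   "destination_address": "192.0.2.50"},    # no TI hit
    {"source_address": "10.0.7.3",    "destination_address": "198.51.100.77"},
    {"source_address": "10.0.7.3",    "destination_address": "203.0.113.9"},
    {"source_address": "10.0.9.9",    "destination_address": "203.0.113.9"},   # host has no scan finding
    {"source_address": "203.0.113.9", "destination_address": "10.0.7.3"},      # inbound from an IOC
]

# Constructed scanner findings (col_type=qualys_fetcher / tenablesecuritycenter_fetcher).
VULN_RECORDS = [
    {"source_address": "10.0.5.21", "severity": 5, "title": "Unsupported web server version"},
    {"source_address": "10.0.5.21", "severity": 2, "title": "Weak TLS configuration"},  # severity<=4, dropped
    {"source_address": "10.0.7.3",  "severity": 5, "title": "File service remote code execution"},
]

def in_homenet(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOMENET)

def ti_enrich(events):
    """s1: outbound threat events whose destination is a known indicator.
    Events with no feed hit carry no et_/cs_ fields and drop out, as they
    would after `process ti()` followed by the rename and chart."""
    out = []
    for e in events:
        if not in_homenet(e["source_address"]) or in_homenet(e["destination_address"]):
            continue                        # source_address IN HOMENET -destination_address IN HOMENET
        hit = TI_FEED.get(e["destination_address"])
        if hit:
            out.append({**e, "category": hit["category"], "score": hit["score"]})
    return out

def high_severity(records, threshold=4):
    """s2: scanner findings with severity > threshold (severity>4 in the query)."""
    return [r for r in records if r["severity"] > threshold]

def threat_vuln_join(events, records, limit=10):
    """join s1 and s2 on source_address, then chart max(ThreatScore) by
    SourceAddress, VulnerabilityPresent, DestinationAddress, ThreatCategory."""
    findings = defaultdict(list)
    for r in high_severity(records):
        findings[r["source_address"]].append(r)
    scores = {}
    for e in ti_enrich(events):
        for r in findings.get(e["source_address"], []):
            key = (e["source_address"], r["title"], e["destination_address"], e["category"])
            scores[key] = max(scores.get(key, 0), e["score"])
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:limit]
    return [dict(SourceAddress=s, VulnerabilityPresent=v, DestinationAddress=d,
                 ThreatCategory=c, ThreatScore=score) for (s, v, d, c), score in ranked]

class DynamicList:
    """Counterpart of a LogPoint dynamic list: a set of values rebuilt from events at runtime."""
    def __init__(self):
        self.values = set()
    def refresh_from_scans(self, records):
        self.values = {r["source_address"] for r in high_severity(records)}
        return self

def ioc_to_listed_host(events, vulnerable):
    """Alert on any connection, in either direction, between a listed host and an indicator."""
    alerts = []
    for e in events:
        src, dst = e["source_address"], e["destination_address"]
        for local, remote in ((src, dst), (dst, src)):
            if local in vulnerable.values and remote in TI_FEED:
                alerts.append((local, remote, TI_FEED[remote]["category"]))
    return alerts

if __name__ == "__main__":
    for row in threat_vuln_join(THREAT_EVENTS, VULN_RECORDS):
        print(row)
    vulnerable = DynamicList().refresh_from_scans(VULN_RECORDS)
    for alert in ioc_to_listed_host(THREAT_EVENTS, vulnerable):
        print("ALERT", alert)
```

Two things the example makes visible that the one-line query does not: a host with a TI hit but no high-severity finding (10.0.9.9) never appears in the join, so the report is about exposed hosts rather than every threat event; and the join only sees outbound events, so the inbound connection from the indicator to 10.0.7.3 is caught only by the dynamic-list check, which is why the text recommends maintaining that list alongside the join.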

Policy monitoring

IT policies define the security-related guidelines employees must comply with in order to maintain the highest level of security. Any change to an organization’s IT policies is critical and should therefore be closely monitored. LogPoint can detect policy changes such as audit, authentication, authorization and filtering policy changes, among others.

Example

Audit policy changes

LogPoint SIEM use cases: Audit policy changes

Log sources: Windows Server

Query

label=Audit label=Policy label=Change | chart count() by log_ts, user, message

Role-based access control

LogPoint provides flexible yet powerful user and account management driven by a role-based access control mechanism, in which user access can be tied to Active Directory via LDAP to simplify user account creation. These users can then be assigned to LogPoint-specific groups. Group permissions follow a role-based approach to administrative rights: full control over access to the log repositories and dashboard usage, operator rights for data and analytical purposes, and user account administration for managing users, groups, and permissions.