WHITE PAPER
MEETING ISO 27002 STANDARDS
September 2018

SECURITY GUIDELINE COMPLIANCE

Organizations have seen a rapid increase in malicious insider threats, sensitive data exfiltration, and other advanced targeted threats. They not only need security technologies to protect themselves from such threats, but also need to comply with security regulations and follow best practices in managing cyber risks.

Traditional security is insufficient to protect present-day hybrid infrastructures. With increasingly dynamic environments enabled by trends such as bring your own technology (BYOT), more data in the cloud, and a growing number of points of entry, pervasive, sophisticated threats can do major damage to any entity. They could take years to discover and stop.

This white paper focuses on some of the main information security controls and requirements addressed by ISO 27002. It maps key Exabeam solution capabilities to ISO 27002 controls, describing how they can be used to manage risk to information systems and prove compliance.

What is the ISO 27002 Standard?

ISO 27002 is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes. According to its documentation,[1] ISO 27002 was developed to provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system.

[1] HTTPS://WHATIS.TECHTARGET.COM/DEFINITION/ISO-27001
MEETING ISO 27002 STANDARDS WITH EXABEAM

Organizations often begin with a gap assessment to examine compliance across their entire infrastructure. Exabeam offers solutions that satisfy many threat detection use cases and meet your security and compliance needs. Here is an overview of the Exabeam product line:

Exabeam Data Lake - A security data lake that helps enterprises collect and store unlimited amounts of data to detect threats and meet compliance use cases, all for a predictable flat rate.

Exabeam Advanced Analytics - A user and entity behavior analytics (UEBA) solution that can be deployed on top of Exabeam Data Lake or legacy SIEM tools. It detects malicious insiders, compromised and rogue insiders, data exfiltration, malware, and other advanced threats.

Exabeam Entity Analytics - Focuses on tracking your organization's assets. It provides end-to-end network visibility, establishes baseline behavior (using communication patterns, ports and protocols, servers, and operating activity), and automatically identifies irregular activities that are indicative of a security incident.

Exabeam Incident Responder - A security orchestration and automated response tool (often called an SAO or SOAR solution). It provides case management, a central console to track and manage incidents, and automated response, which collects evidence for investigations using response playbooks and centralized workflows.

Exabeam Threat Hunter - Threat Hunter gives the SOC a simple GUI that does not require a complex query language, allowing analysts of any skill level to run complex searches with context-aware data.

Exabeam Security Management Platform - A modern SIEM that combines end-to-end data collection, analysis, and response in a single management and operations platform.

A.6 Organization of Information Security
Controls on how roles and responsibilities are defined and assigned to protect the internal organization and remote devices.
A.6 ORGANIZATION OF INFORMATION SECURITY

A.6.1.1 Define roles and responsibilities
A.6.1.2 Segregation of duties
  Exabeam provides access to information, and to the actions administrators can take, based on roles. It enables separation of security controls by providing role-based access control, with roles defined to separate duties.

A.6.2.2 Security controls for teleworking
  Exabeam tracks the behavior of internal users as well as remote employees. It issues alerts for any unauthorized access to assets as well as abnormal remote logins. It monitors your network and assets, tracking suspicious activities.
A.7 Human Resources Security
Controls on how employees and contractors comply with organization policies and regulations, as well as workers leaving or moving (laterally or vertically).

A.7 HUMAN RESOURCES SECURITY

A.7.2.1 Employees and contractors to comply with the established policies and procedures of the organization
A.7.3.1 Information security controls for workers leaving the organization or moving within the organization
  Exabeam meets these security controls by reporting and alerting on access management activities by employees and contractors:
  - Monitors privileged accounts
  - Tracks user access to high-value assets
  - Monitors terminated or departed accounts
  - Tracks user activities and baselines normal behavior for new, existing, and promoted employees
  - Provides user activity reports
  - Tracks any lateral movement of user access across your organization

A.8 Asset Management
Controls related to policies on ownership of assets, use of assets, and media handling.

A.8 ASSET MANAGEMENT

A.8.1.2 Asset ownership
A.8.1.3 Acceptable asset use
  Exabeam's Entity Analytics is part of a behavior analytics portfolio. It provides end-to-end network visibility, establishes baseline behavior, and identifies irregular activities indicative of a security incident. Assets are classified based on ownership, servers, workstations, groups, etc. It tracks user access to both internal and remote assets and issues alerts regarding unacceptable asset use.

A.8.3.1 Management of removable media
  Controls the movement of removable media such as USB sticks, removable disk packs, and others; alerts regarding unauthorized movement from one location to another.
A.9 Access Control
Controls for access management and provisioning policy, system and application access control, and user responsibilities.

A.9 ACCESS CONTROL

A.9.1.2 Access to networks and network services
A.9.2.1 User registration and de-registration
A.9.2.2 User access provisioning process to assign or revoke access rights for all user types to all systems and services
A.9.2.4 Management of secret authentication information of users
A.9.2.6 Removal or adjustment of access rights
A.9.3.1 Follow practices in the use of secret authentication information
A.9.4.1 Information access restriction
A.9.4.2 Controls on secure log-on procedures
A.9.4.4 Use of privileged utility programs
A.9.4.5 Access to program source code shall be restricted
  Exabeam monitors for authentication failures and remote logon activities. It can detect compromised user accounts and monitors high-value or critical assets for unauthorized access.
  - Monitors and immediately issues alerts for unauthorized user access
  - Monitors unauthorized access to business applications, networks, or systems
  - Monitors networks and systems for suspicious/anomalous activities
  - Monitors and alerts on access from blacklisted or terminated users
  - Ability to define rules on access controls
  - All logs (access, audit, change, and event) are made available to IT administrators
  - Provides the ability to define rules for who can access privileged utilities; issues alerts for authorized access
A.11 Physical and Environmental Security
Controls defining physical security, entry controls, protection against external threats, equipment security, secure document disposal, and clear desk and clear screen policy.

A.11 PHYSICAL AND ENVIRONMENTAL SECURITY

A.11.1.1 Physical security perimeter
A.11.1.2 Physical entry controls
A.11.1.3 Physical security for offices, rooms, and facilities
A.11.1.5 Procedures for working in secure areas
A.11.2.2 Monitor systems/equipment for power failures and other disruptions
A.11.2.6 Security of equipment and assets off-premises
A.11.2.8 Unattended user equipment
A.11.2.9 A clear desk policy for papers and removable storage media and a clear screen policy for information processing facilities
  Exabeam monitors all access to the organization's security perimeter, as well as cloud access and other public domains. Anomalous access or sensitive data transfers are detected and alerts are issued.
  - Monitors badge access: tracks users' entries and exits to create a user session
  - Monitors systems/equipment for disruptions and issues alerts about them
  - Monitors unauthorized physical access to devices
  - Monitors data transfer to insecure digital media such as USB memory sticks
A.12 Operational Security
Controls related to operational procedures: change management, capacity management, protection from malware, logging, monitoring, installation, and vulnerability management.

A.12 OPERATIONAL SECURITY

A.12.1.2 Change management: assess risks and impacts due to changes
A.12.1.3 Capacity management: review asset usage, SLAs
A.12.2.1 Controls against malware
A.12.3.1 Information backup policies and procedures
A.12.4.1 Event logging
A.12.4.2 Protection of log information
A.12.4.3 System administrator and operator activity logs
A.12.4.4 The clocks of all relevant systems within a security domain shall be synchronized
A.12.5.1 Control of operational software
A.12.6.1 Management of technical vulnerabilities
A.12.6.2 Restrictions on software installation
A.12.7.1 Information systems audit controls
  A set of controls to detect suspicious activities by monitoring users and assets and tracking deviations from baseline behavior, such as changes in roles and responsibilities, high-value and critical system changes, threats, and various administrator and operator activities.
  Exabeam ingests logs from various data sources and creates a baseline of normal behavior for users and their associated assets. Any deviation or change from the baseline is alerted, and the events are stitched into a timeline. Analysts or IT administrators can easily pinpoint anomalous activities and respond to the alerts.
  - Takes a baseline of various activities such as normal logons to assets, remote logins, normal working hours, web activity time, VPN source IP, VPN session time, etc.
  - Monitors and logs access activities, network access, key changes in parameters of high-value assets, and the processes and users accessing the systems
  - Detects insider threats and compromised insiders
  - Detects advanced threats and malware
  - Monitors and logs privileged system activities
  - Checks that only authorised personnel with appropriate system privileges are able to install software on systems, and alerts if there is any unauthorized use
  - Uses native Threat Intelligence services to detect threats and malware
  - Uses machine learning to detect phishing and malicious domain access
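The baseline-and-deviation approach described under A.12, as an added example (not Exabeam's code): it builds a per-user baseline of logon hours and VPN source IPs from constructed training events, then flags new events that fall outside that baseline. The log format, the user name and the IP addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logon events (not real data): "timestamp,user,event,src_ip".
TRAINING = """\
2018-09-03T08:55:00,alice,vpn_logon,203.0.113.10
2018-09-03T17:30:00,alice,logon,10.0.0.5
2018-09-04T09:05:00,alice,vpn_logon,203.0.113.11
2018-09-04T16:45:00,alice,logon,10.0.0.5
"""

NEW_EVENTS = """\
2018-09-10T09:00:00,alice,vpn_logon,203.0.113.10
2018-09-10T02:15:00,alice,vpn_logon,198.51.100.7
2018-09-10T23:40:00,alice,logon,10.0.0.5
"""

def parse(text):
    """Parse comma-separated log lines into (datetime, user, event, src_ip) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, user, event, ip = line.split(",")
        rows.append((datetime.fromisoformat(ts), user, event, ip))
    return rows

def build_baseline(events):
    """Per user: the hours at which logons were seen, and the VPN source IPs seen."""
    hours = defaultdict(set)
    vpn_ips = defaultdict(set)
    for ts, user, event, ip in events:
        hours[user].add(ts.hour)
        if event == "vpn_logon":
            vpn_ips[user].add(ip)
    return {"hours": hours, "vpn_ips": vpn_ips}

def score(baseline, events, slack=1):
    """Return (event, reasons) for each new event that deviates from the baseline."""
    findings = []
    for ts, user, event, ip in events:
        reasons = []
        seen = baseline["hours"].get(user, set())
        # Tolerate +/- slack hours around any hour seen during the training window.
        if not any(abs(ts.hour - h) <= slack for h in seen):
            reasons.append("outside normal working hours")
        if event == "vpn_logon" and ip not in baseline["vpn_ips"].get(user, set()):
            reasons.append("new VPN source IP")
        if reasons:
            findings.append(((ts.isoformat(), user, event, ip), reasons))
    return findings
```

Each finding carries the reasons that triggered it, which is the kind of per-event explanation an analyst needs when the event is later stitched into a session timeline.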
A.13 Communications Security
Controls related to network security, network services, segregation of network services, and information transfer.

A.13 COMMUNICATIONS SECURITY

A.13.1.1 Networks managed and controlled so as to be protected from threats and to maintain security
A.13.2.1 Policies, procedures, and controls shall be in place to protect the exchange of information
A.13.2.3 Protect information involved in electronic messaging
  Exabeam checks for adequate network security mechanisms. It provides real-time monitoring of the network and its devices.
  - Sends alerts for unauthorized access to network access points
  - Monitors unsupported and unauthorized transfer of data to cloud services, USB, web, etc.
  - Monitors unauthorized use of data transfer protocols

A.14 System Acquisition, Development and Maintenance
Controls defining security requirements of information systems, and security in development and support processes.

A.14 SYSTEM ACQUISITION, DEVELOPMENT AND MAINTENANCE

A.14.1.1 Information security requirements analysis and specifications
A.14.1.2 Securing application services on public networks
A.14.2.2 System change control procedures
A.14.2.3 Review of applications after operating platform changes
A.14.2.4 Restrictions on changes to software packages
  Exabeam provides continuous monitoring to assess risks to high-value assets, file systems, databases, and server controls. Exabeam alerts on any abnormal data transfer or application access. Exabeam can check and alert regarding:
  - Unauthorized access to systems and applications
  - Sensitive data transfer to cloud systems and the public domain
  - Unauthorized and unencrypted usage of protocols (e.g., HTTP, FTP) if they are covered by policy
  Exabeam tracks deviations from a normal baseline for assets. Significant changes to assets are logged and alerts are issued.
  - Assesses risks associated with any changes to systems or applications; issues an alert if they are risky
  - Assesses risks associated with any changes made to systems and issues an alert if built-in controls are compromised
A.16 Information Security Incident Management
Controls defining the management of information security incidents and improvements.

A.16 INFORMATION SECURITY INCIDENT MANAGEMENT

A.16.1.2 Reporting information security events
  Exabeam provides a case management console to handle security incidents. It provides tools to respond to incidents through playbook integrations and automated response capabilities.

A.16.1.3 Reporting information security weaknesses
A.16.1.5 Response to information security incidents
A.16.1.6 Learning from information security incidents
  Exabeam logs and alerts system admins regarding abnormal system logons, and issues alerts for phishing emails and unusual or anomalous user activities.
  Exabeam provides automated response capabilities. To each security incident it attaches risk scores and reasons, in addition to smart event timelines, so as to easily pinpoint the anomalous events that led up to it. Security incident reports, which include open and closed incidents, work distribution, and metrics such as mean time to respond (MTTR), are made available to responders or analysts.
  Exabeam can realign the baseline based on analyst input on events. For example, if a security alert within a user session is marked as a non-risky event, Exabeam takes that into account.

A.16.1.7 Collection of evidence
  Exabeam provides an integrated platform with a central incident tracking console that collects evidence through centralized workflows, automates responses, and supports collaboration across your SOC team.

A.17 Business Continuity Management
Controls requiring the planning of business continuity, and the planning, procedures, and monitoring of capacity, performance, and resilience of disaster recovery or fall-back systems.

A.17 BUSINESS CONTINUITY MANAGEMENT

A.17.1.1 Business continuity planning
A.17.2.1 Availability of information processing facilities
  Exabeam can identify and alert about potential risks to the high-availability and fall-back systems in place.
  Their baseline activity is tracked, and deviations are logged and alerted. By identifying and collecting details around anomalous activities, your operations team can take appropriate actions to prevent adverse effects and ensure the recovery of high-availability systems.
A.18 Compliance and Protection of Critical Data
Controls requiring personal data protection, intellectual property protection, identification of applicable laws and regulations, and reviews of information security responsibilities.

A.18 COMPLIANCE AND PROTECTION OF CRITICAL DATA

A.18.1.3 Protection of system records
A.18.1.4 Privacy and protection of personally identifiable information
A.18.2.1 Independent review of information security
A.18.2.2 Compliance with security policies and standards
  Exabeam complies with various security regulations. Compliance reports are provided out of the box, with controls tagged to make it easier for administrators to run customized reports. Exabeam meets and augments ISO controls by monitoring and protecting sensitive and critical data. It issues alerts for:
  - Abnormal file and system access by unauthorized user(s)
  - Sensitive data loss risks and detection
  - Abnormal lateral movement detection
  - Unencrypted protocol usage
CONCLUSION

Exabeam has a rigorous testing methodology and quality assurance process implemented throughout its software development lifecycle. Accelerating your deployment with quick time-to-value, it provides prepackaged security reports, search capabilities, and threat detection techniques. Customers can also quickly and painlessly satisfy ISO 27002 along with other security requirements to secure related information and information systems.

TO LEARN MORE ABOUT HOW EXABEAM CAN HELP YOU, VISIT EXABEAM.COM TODAY.

Exabeam is a modern SIEM that combines end-to-end data collection, analysis, and response in a single management and operations platform. It offers a single, fully integrated, and centrally managed solution that reduces TCO while enabling phased, seamless deployment.