CLOUD SECURITY ALLIANCE SecaaS | DEFINED CATEGORIES OF SERVICE 2011
Category #7: Security Information & Event Management (SIEM)
Description: Security Information and Event Management (SIEM) systems accept log and event information via push or pull mechanisms. This information is normalized, correlated and analyzed to provide real-time reporting and alerting on incidents or events that may require intervention. Logs are typically retained in a tamper-evident form so that they can serve as evidence in any investigation.
Class: Detective
CORE FUNCTIONALITIES
Real-time log/event collection, de-duplication, normalization, aggregation and visualization
Log normalization
Real-time event correlation
Forensics support
Compliance reporting and support
Incident response (IR) support
Email anomaly detection
Reporting
Flexible data retention periods and policy management (including compliance policy management)
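The following is an added illustration of the collection, normalization, de-duplication, correlation and tamper-evident storage functions listed above; it is example code written for this page, not code from the CSA document or from any SIEM product. It assumes ArcSight-style Common Event Format (CEF) input, a hypothetical SSH daemon that reports failed logins as signature ID 100 and successful logins as 101, a single hypothetical correlation rule (three or more failures from one source within 60 seconds followed by a success), and a SHA-256 hash chain as one way of making the stored log tamper-evident. The sample CEF lines are constructed for the example.

```python
"""Minimal SIEM pipeline: CEF parsing, normalization, de-duplication,
correlation/alerting and a hash-chained (tamper-evident) event store.
Example code for illustration; signature IDs, rule and samples are assumptions."""
import hashlib
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample input: CEF lines as a hypothetical SSH daemon might emit
# them. Line 3 is an exact replay of line 2 and must be de-duplicated.
SAMPLE_CEF = [
    "CEF:0|Example|SSHD|1.0|100|Login failed|5|rt=2011-06-01T10:00:01Z src=203.0.113.7 suser=root",
    "CEF:0|Example|SSHD|1.0|100|Login failed|5|rt=2011-06-01T10:00:05Z src=203.0.113.7 suser=admin",
    "CEF:0|Example|SSHD|1.0|100|Login failed|5|rt=2011-06-01T10:00:05Z src=203.0.113.7 suser=admin",
    "CEF:0|Example|SSHD|1.0|100|Login failed|5|rt=2011-06-01T10:00:09Z src=203.0.113.7 suser=backup",
    "CEF:0|Example|SSHD|1.0|101|Login success|3|rt=2011-06-01T10:00:20Z src=203.0.113.7 suser=backup msg=Accepted publickey",
    "CEF:0|Example|SSHD|1.0|101|Login success|3|rt=2011-06-01T10:05:00Z src=198.51.100.9 suser=alice msg=Accepted password",
]

_PIPE = re.compile(r"(?<!\\)\|")               # header separator, not an escaped \|
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")    # extension key=value pairs (simplified)


def parse_cef(line):
    """Split a CEF line into its 7 header fields plus the extension key=values."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _PIPE.split(line[4:], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = [p.replace("\\|", "|") for p in parts[:7]]
    ext = {k: v.replace("\\=", "=") for k, v in _KV.findall(parts[7])}
    return {"version": header[0], "vendor": header[1], "product": header[2],
            "dev_version": header[3], "sig_id": header[4], "name": header[5],
            "severity": int(header[6]), **ext}


def normalize(ev):
    """Map a parsed event onto a common schema. The device timestamp (rt) is
    used rather than arrival time, so translation/transport lag does not
    shift the correlation window."""
    ts = datetime.strptime(ev["rt"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.isoformat(), "source": f'{ev["vendor"]}/{ev["product"]}',
            "event": ev["name"], "sig_id": ev["sig_id"], "severity": ev["severity"],
            "src_ip": ev.get("src"), "user": ev.get("suser")}


class Siem:
    FAIL_SIG, SUCCESS_SIG = "100", "101"          # assumed device signature IDs
    WINDOW, THRESHOLD = timedelta(seconds=60), 3  # assumed correlation rule

    def __init__(self):
        self.seen = set()                    # content hashes for de-duplication
        self.failures = defaultdict(deque)   # src_ip -> recent failure timestamps
        self.store = []                      # append-only, hash-chained records
        self.alerts = []

    def ingest(self, raw):
        """Collect one raw line; returns the normalized event or None if duplicate."""
        digest = hashlib.sha256(raw.encode()).hexdigest()
        if digest in self.seen:
            return None
        self.seen.add(digest)
        ev = normalize(parse_cef(raw))
        self._append(ev)
        self._correlate(ev)
        return ev

    def _correlate(self, ev):
        ts = datetime.fromisoformat(ev["ts"])
        q = self.failures[ev["src_ip"]]
        while q and ts - q[0] > self.WINDOW:     # expire failures outside the window
            q.popleft()
        if ev["sig_id"] == self.FAIL_SIG:
            q.append(ts)
        elif ev["sig_id"] == self.SUCCESS_SIG and len(q) >= self.THRESHOLD:
            alert = {"rule": "brute-force-then-success", "src_ip": ev["src_ip"],
                     "user": ev["user"], "failures": len(q), "at": ev["ts"]}
            self.alerts.append(alert)
            self._append({"alert": alert})       # alerts are evidence too

    def _append(self, record):
        """Chain each record to the previous one's hash."""
        prev = self.store[-1]["hash"] if self.store else "0" * 64
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.store.append({"prev": prev, "body": body, "hash": digest})


def verify_chain(store):
    """Recompute every link; an edited, inserted or removed record breaks the chain."""
    prev = "0" * 64
    for rec in store:
        if rec["prev"] != prev:
            return False
        if hashlib.sha256((prev + rec["body"]).encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True


def run_sample(lines=SAMPLE_CEF):
    """Feed the constructed sample through the pipeline."""
    siem = Siem()
    accepted = [e for e in (siem.ingest(l) for l in lines) if e]
    return siem, accepted


if __name__ == "__main__":
    siem, accepted = run_sample()
    print(f"{len(SAMPLE_CEF)} lines in, {len(accepted)} unique events, {len(siem.alerts)} alert(s)")
    for a in siem.alerts:
        print("ALERT", a)
    print("chain intact:", verify_chain(siem.store))
    siem.store[0]["body"] = siem.store[0]["body"].replace("root", "nobody")  # simulate tampering
    print("chain intact after edit:", verify_chain(siem.store))
```

The chain only makes tampering detectable, not impossible: whoever can rewrite the whole store can recompute every hash, so a real deployment would anchor the head hash externally (for example, periodically signed or written to a separate, write-once system). The extension parser is also deliberately simplified; production CEF parsers must handle values containing ` key=`-like text and multi-line messages.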
OPTIONAL FEATURES
Heuristic controls
Specialized systems
Physical log monitoring
Access control system monitoring
Physical security integration (cameras, alarms, phone, etc.)
Integration with call/ticketing system
CHALLENGES
Standardization of log formats
Timing lag caused by translation from native log formats
Unwillingness of providers to share logs
Scaling for high volumes
Identification and visualization of key information
A usable interface that is segregated per client (tenant)
REFERENCES
http://www.darkreading.com/securitymonitoring/167901086/security/securitymanagement/228000206/cloud-creates-siem-blind-spot.html
http://securecloudreview.com/2010/08/service-provider-of-tomorrow-part-9-as-the-cloud-thrives-siem-will-suffer/
SERVICES
Includes: Log management, Event correlation, Security/Incident response, Scalability, Log and Event Storage, Interactive searching and parsing of log data, Immutable logs (for legal investigations)
Related Services: Architectural considerations, Compliance reporting, Software inventory, Non-traditional correlation, Non-traditional monitoring, Database monitoring, Request fulfillment
Related Technologies and Standards: FIPS 140-2 compliant, Common Event Format (CEF), Common Event Expression (CEE), IF-MAP (TCG)
Service Model: SaaS, PaaS
CSA Domains (v2.1): 2, 3, 4, 5, 7, 9, 12
THREATS ADDRESSED
Abuse and Nefarious Use
Insecure Interfaces and APIs
Malicious Insiders
Shared Technology Issues
Data Loss and Leakage
Account or Service Hijacking
Unknown Risk Profile
Fraud
Copyright © 2011 Cloud Security Alliance (page 20)