CCTM IA Claims Document (ICD) LogRhythm - CESG
<strong>CCTM</strong> <strong>IA</strong> CLAIMS DOCUMENT (<strong>ICD</strong>)<br />
<strong>LogRhythm</strong><br />
version 5.1.3<br />
VENDOR DETAILS<br />
<strong>LogRhythm</strong> Inc.<br />
Siena Court<br />
The Broadway<br />
Maidenhead<br />
Berkshire<br />
SL6 1NJ<br />
Telephone Number: +44 (0) 1628 509 070<br />
Email: malcolm.skinner@logrhythm.com<br />
Website: www.logrhythm.com<br />
TEST LABORATORY DETAILS<br />
SiVenture<br />
Unit 6<br />
Cordwallis Park<br />
Clivemont Road<br />
Maidenhead<br />
Berkshire<br />
SL6 7BU<br />
Telephone Number: +44 (0)1628 651 366<br />
Email: simon.milford@siventure.com<br />
Website: www.siventure.com<br />
CERTIFICATE DETAILS<br />
<strong>CCTM</strong> Certificate Number 2011/06/0098<br />
<strong>CCTM</strong> Awarded on 09 June 2011<br />
<strong>CCTM</strong> Award Expires on 08 June 2012<br />
<strong>ICD</strong> Issue Date 09 June 2011
<strong>CCTM</strong> <strong>ICD</strong> <strong>LogRhythm</strong> v5.1.3<br />
TABLE OF CONTENTS<br />
1 INTRODUCTION ..........................................................................3<br />
1.1 Background ............................................................................3<br />
1.2 Objectives...............................................................................3<br />
1.3 Purpose of <strong>Document</strong>.............................................................3<br />
1.4 Structure .................................................................................3<br />
2 IS PRODUCT/SERVICE DESCRIPTION .....................................4<br />
2.1 Product/Service Identification .................................................4<br />
2.2 Product/Service Overview ......................................................4<br />
2.3 Usage assumptions ................................................................8<br />
3 <strong>CCTM</strong> CLAIMS FOR THE IS PRODUCT OR SERVICE ............10<br />
3.1 <strong>Claims</strong> Statements................................................................10<br />
3.2 Existing assurance certificates .............................................12<br />
24 May 2011 Version 1-0 Page 2 of 14
1 INTRODUCTION<br />
1.1 Background<br />
This document outlines the <strong>IA</strong> claims, for <strong>CCTM</strong> <strong>Claims</strong> Testing, made by<br />
<strong>LogRhythm</strong> Inc. in regard to the suitability of <strong>LogRhythm</strong> for use by the<br />
UK Public Sector for Protective Monitoring. <strong>LogRhythm</strong> is a platform that<br />
seamlessly combines Log Management & SIEM 2.0, File Integrity<br />
Monitoring, and Network & User Monitoring into a single integrated<br />
solution. It is highly reliable and cost-effective, and can scale to fit the<br />
needs of any enterprise. With <strong>LogRhythm</strong>, you can invest in a single<br />
solution to address requirements and challenges throughout your<br />
organisation, whether they are related to compliance, security or IT<br />
operations. <strong>LogRhythm</strong> is deployed with an integral report package<br />
developed specifically to address the needs of the UK Public Sector for<br />
compliance with <strong>CESG</strong>'s Good Practice Guide 13 (GPG 13).<br />
1.2 Objectives<br />
1.2.1 The objectives of this <strong>ICD</strong> are to provide:<br />
• a product overview, detailing the functionality and security<br />
architecture of <strong>LogRhythm</strong>;<br />
• identification of the assets to be protected and the threats to<br />
these assets;<br />
• a description of the expected operational environment,<br />
organisational security policies and environmental security<br />
requirements;<br />
• the security claims for <strong>LogRhythm</strong>.<br />
1.3 Purpose of <strong>Document</strong><br />
1.3.1 This document is the <strong>ICD</strong> for <strong>LogRhythm</strong>.<br />
1.3.2 This <strong>ICD</strong> is the baseline document for the <strong>CCTM</strong> <strong>Claims</strong> Test of<br />
<strong>LogRhythm</strong>.<br />
1.4 Structure<br />
The structure of this <strong>ICD</strong> is as follows:<br />
• Section 1 (this section) contains the introductory material.<br />
• Section 2 contains the description of functionality of <strong>LogRhythm</strong> and<br />
all the information related to the security of this product.<br />
• Section 3 details the security functionality claims that are being made.<br />
2 IS PRODUCT DESCRIPTION<br />
2.1 Product Identification<br />
Product Name: <strong>LogRhythm</strong><br />
Version: 5.1.3<br />
Log Manager, Event Manager - Operating System Version:<br />
Windows Server 2003 64bit<br />
Console - Operating System Version:<br />
Windows Server 2003 64bit<br />
Windows Vista 32bit<br />
System Monitor Agent - Operating System Version:<br />
Windows Server 2003 64bit<br />
Windows Vista 64bit<br />
Linux kernel 2.6 Ubuntu 9 32 bit<br />
2.2 Product/Service Overview<br />
2.2.1 Security architecture<br />
A <strong>LogRhythm</strong> deployment consists of three components, the<br />
Event Manager (EM), Log Manager (LM), and System Monitor<br />
Agent.<br />
The Event Manager is a Windows Server system running SQL<br />
Server and the <strong>LogRhythm</strong> Alarming and Response Manager<br />
(ARM) service. There is only one EM per deployment. The EM is<br />
sent logs that are determined to be important or interesting, called<br />
Events, which it maintains. The ARM is a Windows service<br />
responsible for processing alarm rules and taking the appropriate<br />
response, such as sending e-mails to people on a notification list.<br />
The Log Manager is a Windows Server system running SQL<br />
Server and a single server process, the <strong>LogRhythm</strong> Mediator<br />
Server. There can be one or many LMs in a deployment. In<br />
medium to large deployments Log Managers should be dedicated<br />
systems, however in small deployments a Log Manager can<br />
coexist on the same system as the Event Manager. The Mediator<br />
Server takes in log messages, processes them against rules which<br />
identify the log message and determine if it will be forwarded to<br />
the EM as an Event.<br />
<strong>LogRhythm</strong> System Monitor Agents collect and forward log data to<br />
Log Managers. They can be configured to collect log data in a<br />
wide variety of formats and include a Syslog server and a Netflow<br />
server. LMs usually have an Agent running on them. Agents are<br />
also deployed on hosts that are to be monitored, where they can<br />
also collect log data from flat files and perform File Integrity<br />
Monitoring. Windows Agents include a Data Loss Defender (DLD)<br />
feature to monitor, log and protect against external data device<br />
connections.<br />
There is one Graphical User Interface, known as the <strong>LogRhythm</strong><br />
Console, through which users interact with the deployment. A user<br />
can be assigned one of three roles: Global Admin, Global Analyst,<br />
or Restricted Analyst. A Global Admin is a system administrator<br />
and has full control of the deployment using the Deployment<br />
Manager function of the Console. A Global Analyst has no access<br />
to Deployment Manager and has read-only access to log sources,<br />
allowing them to perform investigations and generate reports. A<br />
Restricted Analyst has no access to Deployment Manager and has<br />
read-only access to specific log sources, determined by a Global<br />
Admin, allowing them to perform investigations and generate<br />
reports using the data from those log sources only.<br />
<strong>LogRhythm</strong> can be purchased as a software-only solution, but is<br />
more typically purchased as a turn-key solution installed on one or<br />
more <strong>LogRhythm</strong> Appliances. A <strong>LogRhythm</strong> Appliance is a server<br />
designed and offered by <strong>LogRhythm</strong> which is delivered with the<br />
system and <strong>LogRhythm</strong> components pre-installed. Appliances are<br />
available in EM, LM, XM (EM+LM), and SLF (Agent-only log<br />
collection machine) configurations; they are also offered in a<br />
number of sizes to meet varying collection-volume needs.<br />
2.2.2 Hardware requirements<br />
Log Manager, Event Manager:<br />
Processor: 2 x E5540 Xeon Processor, 2.53GHz 8M Cache, 5.86 GT/s QPI, TurboHT<br />
Disk Space: 970GB<br />
Memory: 24GB<br />
Console:<br />
Disk Space: 300MB available<br />
Memory: 1GB (Administration), 2GB (Analysis & Reporting)<br />
System Monitor Agent:<br />
Processor: 1GHz or better (minimal), 2GHz or better (optimal)<br />
Memory: 1GB or more (minimal), 2GB or more (optimal)<br />
Disk Space: 10MB for installation, ~5GB for temporary log data storage<br />
2.2.3 Software requirements<br />
Log Manager, Event Manager:<br />
SQL Server 2005-SP3<br />
Console:<br />
Microsoft .NET Framework 3.5<br />
Microsoft Data Access Components (MDAC)<br />
System Monitor Agent:<br />
Microsoft .NET Framework 3.5 SP1<br />
2.2.4 Out of Scope<br />
The cryptographic algorithms used in IS Products are not tested<br />
under the <strong>CCTM</strong> Scheme. The <strong>LogRhythm</strong> checksum option for<br />
archives uses the SHA1 hashing algorithm provided by Windows.<br />
While SSL protection for communications between Agents and<br />
Log Managers is claimed in CS_transit, it uses algorithms<br />
provided by the underlying operating system, which means that<br />
the use of SSL protection is within the scope of testing but the<br />
algorithms used are out of scope. If the underlying system is FIPS<br />
enabled, the <strong>LogRhythm</strong> component will be operating in a FIPS<br />
compliant mode of operation.<br />
If a FIPS compliant mode of operation is a requirement then<br />
clients must take steps to satisfy themselves that the services<br />
providing the relevant encryption are covered by a valid FIPS<br />
certificate.<br />
The testing for this <strong>ICD</strong> has been conducted using a <strong>LogRhythm</strong><br />
Appliance which is a dedicated Windows Server, running the Log<br />
Manager and Event Manager together in a configuration identified<br />
as an XM appliance.<br />
Although the individual components can also be distributed across<br />
multiple appliances for volume, performance or resilience<br />
purposes they have not been tested in such configurations for this<br />
<strong>ICD</strong>.<br />
<strong>LogRhythm</strong> is also available as a software-only installation to run<br />
on server(s) under Microsoft Windows Server 2003 32bit or 64bit,<br />
but that installation option has not been tested for this <strong>ICD</strong>.<br />
Similarly the Console can be installed on a PC running:<br />
Microsoft Windows XP 32bit,<br />
Microsoft Windows Vista 32bit or 64bit,<br />
Microsoft Windows Server 2003 32bit or 64bit;<br />
but for this <strong>ICD</strong> has only been tested on the platforms listed in 2.1<br />
above.<br />
The System Monitor Agent is available for a range of Windows,<br />
Unix and Linux platforms, including:<br />
Microsoft Windows XP 32bit,<br />
Microsoft Windows Vista 32bit or 64bit,<br />
Microsoft Windows Server 2003 32bit or 64bit;<br />
Solaris Sparc 8,9,10;<br />
Solaris x86 10;<br />
AIX 5.2, 5.3, 6.1;<br />
HP-UX 11i v1, v2, v3 - PA-RISC;<br />
HP-UX 11i v2, v3 - Itanium;<br />
Linux kernel 2.4 Red Hat Enterprise 9 32bit,<br />
Linux kernel 2.6 CentOS 5.1 32bit,<br />
Linux kernel 2.6 Debian 5.0.3 32 bit,<br />
Linux kernel 2.6 Red Hat Enterprise 5 32 bit,<br />
Linux kernel 2.6 SUSE Linux Enterprise 9 64bit,<br />
Linux kernel 2.6 Ubuntu 9 – 32bit,<br />
Linux kernel 2.6 Ubuntu 10 – 32bit;<br />
but has only been tested for this <strong>ICD</strong> on the platforms listed in 2.1<br />
above.<br />
The installation includes a variety of standard report packages<br />
designed to meet the requirements for compliance with various<br />
regulations and guidelines including GPG 13, GCSX, PCI and<br />
ISO27000. These report packages are out of scope of the testing<br />
in this <strong>ICD</strong>.<br />
The <strong>CCTM</strong> is aimed primarily at IS Products and Services to meet<br />
<strong>IA</strong> requirements at Government Impact Levels 1 and 2, therefore<br />
use of <strong>LogRhythm</strong> to meet <strong>IA</strong> requirements at higher Impact<br />
Levels is outside the scope of this <strong>ICD</strong>.<br />
2.3 Usage assumptions<br />
2.3.1 Assets<br />
<strong>LogRhythm</strong> protects the logs created by applications, servers,<br />
systems and other devices within an organisation by collecting<br />
them from the various sources around the organisation and<br />
archiving them centrally with consistent timestamps and<br />
checksums to protect integrity.<br />
By consolidating and aggregating log data from across the<br />
organisation and providing real-time and trend analysis,<br />
<strong>LogRhythm</strong> enables an organisation's security personnel to<br />
identify events or activity that needs to be investigated, thus<br />
facilitating the protection of both physical and information assets<br />
within the organisation.<br />
2.3.2 Threat scenario<br />
Threats to assets which are countered are:<br />
• Tampering with log data to disguise or hide events and<br />
activity that would provide forensic evidence;<br />
• Attacks against an organisation's network, systems or<br />
information assets which may otherwise be undetected.<br />
2.3.2.1 Expected operational environment<br />
<strong>LogRhythm</strong> can be used in any environment where log<br />
data is produced and needs to be analysed and stored. It<br />
collects logs from virtually any source and turns raw log<br />
data into useful and actionable information.<br />
<strong>LogRhythm</strong> offers turnkey Log Management/SIEM<br />
solutions for businesses of all sizes. The highperformance<br />
appliance line incorporates a highly flexible<br />
and scalable architecture that provides for a wide range of<br />
deployment options, from the single all-in-one appliance<br />
tested in this <strong>ICD</strong> to multi-tier enterprise-wide solutions.<br />
2.3.2.2 Organisational security policies<br />
The use of <strong>LogRhythm</strong> to protect logs relies upon the<br />
deployment of organisational security policies to ensure<br />
that security relevant events and activities are monitored<br />
and logged, and that those logs are securely delivered to<br />
the <strong>LogRhythm</strong> Log Manager.<br />
2.3.2.3 Security requirements on the environment<br />
Procedures should be in place to control physical and<br />
logical access to the <strong>LogRhythm</strong> Log Manager(s), Event<br />
Manager and Console(s).<br />
The Event Manager is a Windows server running SQL<br />
Server 2005 and must be deployed accordingly in a<br />
secure internal network.<br />
Log Managers should also be deployed in a secure<br />
internal network, although some may be operated in a<br />
DMZ if Agents will be used to collect log data from remote<br />
sites across a public network. The Log Manager is a<br />
Windows server running SQL Server 2005 and must be<br />
protected with strict access controls placed on devices<br />
that can connect to its database.<br />
Communications to a Log Manager in a DMZ or un-trusted<br />
network from the Event Manager should be protected<br />
using an IPSec policy between the Event Manager and<br />
the Log Manager.<br />
Communications to a Log Manager in a DMZ or un-trusted<br />
network from Consoles should be protected using an<br />
IPSec policy between the Console and the Log Manager.<br />
Communications to a Log Manager in a DMZ or un-trusted<br />
network from a System Monitor Agent should be protected<br />
using an IPSec policy between the System Monitor Agent<br />
and the Log Manager. Alternatively System Monitor<br />
Agents can be configured to protect log data transmitted<br />
to a Log Manager using SSL.<br />
If log data will be transmitted across an un-trusted<br />
network, the communications should be protected using<br />
an IPSec policy.<br />
3 <strong>CCTM</strong> CLAIMS FOR THE IS PRODUCT OR SERVICE<br />
3.1 <strong>Claims</strong> Statements<br />
Unique<br />
Reference<br />
<strong>Claims</strong> Statements<br />
CS_admin Only a user assigned the Global Admin role has access to the<br />
administrative functions of the <strong>LogRhythm</strong> Console<br />
The <strong>LogRhythm</strong> Console provides the Graphical User Interface for users.<br />
Only users that have been assigned the Global Admin role can use the<br />
Deployment Manager functions of the Console, which is the only means<br />
of configuration and management of the components of the <strong>LogRhythm</strong><br />
deployment, log sources, users, and alarm recipients.<br />
CS_analyst User access is controlled, with ability to restrict an individual<br />
analyst's access to specific log sources<br />
An administrator assigns roles to users. Only a user that has been<br />
specifically assigned a role can use the <strong>LogRhythm</strong> Console to access<br />
the deployment. An analyst may be assigned a Global Analyst role<br />
enabling them to use the <strong>LogRhythm</strong> Console in order to perform<br />
investigations and generate reports using data from any available log<br />
source. Alternatively an analyst may be assigned a Restricted Analyst<br />
role enabling them to use the Console to perform investigations and<br />
generate reports using only data from log sources specifically made<br />
available to them by the administrator.<br />
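The access model behind CS_admin and CS_analyst, shown as an added Python illustration (not LogRhythm code): three roles, Deployment Manager reachable only by a Global Admin, and a Restricted Analyst limited to an explicit allow-list of log sources, with anything unassigned denied by default. The class names, user names and log source names are constructed for the example.<br />

```python
"""Role-based access checks modelled on the three LogRhythm Console roles
described in this ICD (Global Admin, Global Analyst, Restricted Analyst).
Added illustration; the classes and sample data are constructed, not LogRhythm code."""
from dataclasses import dataclass, field
from enum import Enum


class Role(Enum):
    GLOBAL_ADMIN = "Global Admin"
    GLOBAL_ANALYST = "Global Analyst"
    RESTRICTED_ANALYST = "Restricted Analyst"


@dataclass
class User:
    name: str
    role: Role
    # Log sources a Restricted Analyst may read; ignored for the other roles.
    allowed_sources: frozenset = field(default_factory=frozenset)


def can_use_deployment_manager(user: User) -> bool:
    """CS_admin: only the Global Admin role reaches Deployment Manager."""
    return user.role is Role.GLOBAL_ADMIN


def can_read_source(user: User, source: str) -> bool:
    """CS_analyst: read access to one log source, deny by default."""
    if user.role in (Role.GLOBAL_ADMIN, Role.GLOBAL_ANALYST):
        return True
    if user.role is Role.RESTRICTED_ANALYST:
        return source in user.allowed_sources
    return False


def visible_sources(user: User, all_sources) -> list:
    """Sources an investigation or report may draw on, in stable order."""
    return [s for s in all_sources if can_read_source(user, s)]


# Constructed sample deployment: three log sources, one user per role.
SOURCES = ["dc01-security", "web01-iis", "fw-edge-syslog"]
ADMIN = User("alice", Role.GLOBAL_ADMIN)
ANALYST = User("bob", Role.GLOBAL_ANALYST)
RESTRICTED = User("carol", Role.RESTRICTED_ANALYST, frozenset({"web01-iis"}))

if __name__ == "__main__":
    for u in (ADMIN, ANALYST, RESTRICTED):
        print(u.name, u.role.value,
              "deployment manager:", can_use_deployment_manager(u),
              "sources:", visible_sources(u, SOURCES))
```

The useful property to check in any such model is the last return in can_read_source: a user with no recognised role sees nothing, so adding a fourth role later cannot silently widen access.<br />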
CS_logs Collect log data from multiple log sources<br />
The System Monitor Agent can collect log data from multiple log sources.<br />
It can collect flat files from the host, and includes a Syslog server<br />
enabling remote log sources to deliver log data directly to the Agent.<br />
The Syslog server is purely a receiver and has no control over the<br />
application or device creating and delivering the Syslog entries; equally<br />
the application or device creating the Syslog entries has no control over<br />
the Syslog server in the System Monitor Agent.<br />
CS_logsW Collect log data from multiple log sources on a Windows host<br />
The Windows System Monitor Agent can also collect log data from<br />
multiple log sources using additional mechanisms. It can collect<br />
Windows Event Logs from the host and from remote systems, collect<br />
log data from a database using UDLA, and includes a Netflow server<br />
enabling devices to deliver Netflow records to the Agent.<br />
CS_host Monitor and log activity on a host<br />
The System Monitor Agent can monitor processes, user activity, and<br />
network connections on a host.<br />
CS_FIM File Integrity Monitoring<br />
The System Monitor Agent can monitor file access, modifications, or<br />
deletions, and directory modifications on a host.<br />
CS_DLDmon Monitor and log use of external data devices on a Windows host<br />
The Data Loss Defender (DLD) feature of the Windows System Monitor<br />
Agent can monitor and log connection and disconnection of external<br />
USB data devices to the host, as well as transmissions of files to an<br />
external storage device.<br />
CS_DLDprot Protect against external data device connections on a Windows<br />
host<br />
The Data Loss Defender (DLD) feature of the Windows System Monitor<br />
Agent can protect against external USB data device connections by<br />
ejecting specified devices upon detection.<br />
CS_transit Protect collected data in transit using SSL<br />
Where data being sent by the System Monitor Agent to the Log Manager<br />
is required to be protected whilst in transit (for example logs being sent<br />
from a remote location across a public network), the communications can<br />
be protected using SSL.<br />
NOTE: communications between or with <strong>LogRhythm</strong> components<br />
outside a secure internal network should be protected using IPSec<br />
policies as described in section 2.3 above.<br />
CS_heartbeat Warn when Agent is not functioning<br />
A heartbeat signal is sent from each Agent to the Log Manager. If the<br />
heartbeat is late by a specified period a Warning event is generated.<br />
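How a heartbeat lateness check of the kind CS_heartbeat describes can be evaluated, as an added Python illustration (not LogRhythm code): each Agent's last heartbeat is recorded, a check pass raises one Warning event per lapse rather than one per pass, and a fresh heartbeat clears the warning. The class, event layout, agent names and times are constructed.<br />

```python
"""Heartbeat lateness monitor modelled on CS_heartbeat. Added illustration;
the class, event fields and sample times are constructed, not LogRhythm code."""
from datetime import datetime, timedelta, timezone


class HeartbeatMonitor:
    def __init__(self, late_after: timedelta):
        self.late_after = late_after   # the "specified period" from the claim
        self.last_seen = {}            # agent -> time of last heartbeat
        self.warned = set()            # agents with an outstanding Warning

    def record(self, agent: str, at: datetime) -> None:
        """Store the latest heartbeat and clear any outstanding warning."""
        self.last_seen[agent] = at
        self.warned.discard(agent)

    def check(self, now: datetime) -> list:
        """Return Warning events for agents whose heartbeat is overdue.
        An agent is warned once per lapse, not again on every check."""
        events = []
        for agent, seen in self.last_seen.items():
            overdue = now - seen - self.late_after
            if overdue > timedelta(0) and agent not in self.warned:
                self.warned.add(agent)
                events.append({"severity": "Warning", "agent": agent,
                               "last_heartbeat": seen.isoformat(),
                               "late_by_seconds": int(overdue.total_seconds())})
        return events


def demo() -> list:
    """Constructed timeline: web01 goes quiet, recovers; dc01 goes quiet later."""
    t0 = datetime(2011, 6, 9, 12, 0, tzinfo=timezone.utc)
    mon = HeartbeatMonitor(late_after=timedelta(minutes=5))
    mon.record("web01", t0)
    mon.record("dc01", t0 + timedelta(minutes=8))
    first = mon.check(t0 + timedelta(minutes=10))    # web01 5 min past threshold
    second = mon.check(t0 + timedelta(minutes=11))   # same lapse, no repeat
    mon.record("web01", t0 + timedelta(minutes=12))  # web01 recovers
    third = mon.check(t0 + timedelta(minutes=14))    # dc01 now 1 min past threshold
    return first + second + third


if __name__ == "__main__":
    for ev in demo():
        print(ev)
```

Suppressing repeat warnings inside one lapse is what keeps a long outage from flooding the Event Manager, while the recovery path guarantees a second outage of the same Agent is reported again.<br />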
CS_timestamp Ensure all logs have accurate timestamps<br />
<strong>LogRhythm</strong> collects logs with their own provided time stamps, but takes<br />
the added step of including a UTC-validated, independent time stamp<br />
that offsets time differentials, such as differing time zones or internal<br />
server clock variations. This ensures all logs have accurate timestamps<br />
without compromising the integrity of the original log data.<br />
CS_checksum Archive logs with a checksum to assure integrity<br />
<strong>LogRhythm</strong> preserves raw log data in its original form, archiving logs with<br />
a checksum applied so that chain of custody can be maintained and<br />
tampering can be detected.<br />
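The two ideas in CS_timestamp and CS_checksum worked through together, as an added Python illustration (not LogRhythm code): raw log lines are archived verbatim, each record also carries the source's own timestamp re-expressed in UTC plus the collector's receipt time, and the archive file is sealed with a SHA1 checksum (the hash this ICD says the checksum option uses) so a later edit is detected on verification. The record layout, file names, host offsets and Syslog-style lines are constructed.<br />

```python
"""Archive integrity and timestamp normalisation modelled on CS_timestamp and
CS_checksum. Added illustration; record layout, file names and log lines are
constructed, not LogRhythm's archive format."""
import hashlib
import json
import re
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path
from typing import Optional

# Constructed sample input: (host, host's UTC offset, raw Syslog-style line).
SAMPLE = [
    ("web01", timedelta(hours=1),
     "Jun  9 13:05:02 web01 sshd[2114]: Accepted publickey for ops from 10.0.0.5"),
    ("dc01", timedelta(hours=-4),
     "Jun  9 08:05:09 dc01 kernel: usb 1-1: new high-speed USB device"),
]
_TS = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}) ")
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def normalise(raw: str, host_offset: timedelta, year: int) -> Optional[str]:
    """The log's own timestamp re-expressed in UTC; None if it has none.
    The raw line itself is never altered."""
    m = _TS.match(raw)
    if not m:
        return None
    mon, day, hh, mm, ss = m.groups()
    local = datetime(year, _MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                     tzinfo=timezone(host_offset))
    return local.astimezone(timezone.utc).isoformat()


def build_records(sample, collected_at: datetime, year: int) -> list:
    """One record per log: verbatim line, normalised source time, receipt time."""
    return [{"host": h, "raw": raw,
             "source_time_utc": normalise(raw, off, year),
             "collected_utc": collected_at.isoformat()} for h, off, raw in sample]


def write_archive(records: list, path: Path) -> str:
    """Write the archive and its SHA1 (stored beside it as .sha1)."""
    data = "\n".join(json.dumps(r, sort_keys=True) for r in records).encode()
    path.write_bytes(data)
    digest = hashlib.sha1(data).hexdigest()
    path.with_suffix(".sha1").write_text(digest)
    return digest


def verify_archive(path: Path) -> bool:
    """True only if the archive still matches its recorded checksum."""
    expected = path.with_suffix(".sha1").read_text().strip()
    return hashlib.sha1(path.read_bytes()).hexdigest() == expected


def demo() -> dict:
    collected = datetime(2011, 6, 9, 12, 6, tzinfo=timezone.utc)
    recs = build_records(SAMPLE, collected, 2011)
    with tempfile.TemporaryDirectory() as d:
        arc = Path(d) / "archive.jsonl"
        write_archive(recs, arc)
        intact = verify_archive(arc)
        # Simulate a post-archive edit that removes the USB device record text.
        arc.write_bytes(arc.read_bytes().replace(b"new high-speed USB device", b"suspended"))
        tampered = verify_archive(arc)
    return {"source_times": [r["source_time_utc"] for r in recs],
            "intact": intact, "after_tamper": tampered}


if __name__ == "__main__":
    print(demo())
```

Note that the two sample lines, one stamped 13:05 in UTC+1 and one 08:05 in UTC-4, normalise to the same UTC minute: that is the "offsets time differentials" property the claim describes, achieved without touching the original text that the checksum protects. Keeping the checksum in a separate, access-controlled location rather than beside the archive is the usual hardening step.<br />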
CS_realtime Real-time monitoring<br />
The Console's Dashboard overview of the organisation's deployment<br />
presents a summary that includes details about the status of log sources,<br />
such as time of last log collection and last heartbeat received.<br />
CS_analysis Centralised analysis and investigation<br />
The Console enables centralised analysis and investigation of data from<br />
across an organisation for both immediate and historical analysis.<br />
Identifying the type of log for each log source enables aggregation,<br />
consolidation, and analysis. Built-in support is included for log types<br />
from a wide variety of security devices, network devices, access control<br />
systems, workstations, servers, operating systems, applications and<br />
databases. In addition rule building technology enables support for<br />
custom log formats from otherwise unsupported devices.<br />
CS_alerts Automated alerts<br />
The Event Manager's Alarming and Reporting Manager (ARM) service<br />
applies definable rules to determine if an event should trigger an alarm.<br />
Alarm notifications can be tuned to throttle multiple messages within a<br />
customisable time period, as well as establishing thresholds before<br />
alarms will be triggered. Alarm notifications are sent to specified<br />
recipients via email and/or SNMP traps. The alarm notifications can be<br />
configured to contain all or part of the associated log message(s). Alarm<br />
notifications can also be forwarded to McAfee ePolicy Orchestrator.<br />
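The threshold and throttling behaviour described for CS_alerts, as an added Python illustration (not LogRhythm's ARM code): a rule fires only once enough matching events fall inside a sliding window, and once fired it stays quiet for a configurable period so a burst produces one notification rather than one per event. The rule fields, event shape and the failed-logon sample are constructed.<br />

```python
"""Alarm rule with threshold and notification throttling, modelled on CS_alerts.
Added illustration; rule fields, event shape and sample events are constructed,
not LogRhythm's ARM implementation."""
from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class AlarmRule:
    name: str
    match: dict                 # event fields that must all be equal
    threshold: int              # matches needed inside `window`
    window: timedelta           # sliding window for counting matches
    throttle: timedelta         # minimum gap between two notifications
    _hits: deque = field(default_factory=deque, init=False, repr=False)
    _last_sent: Optional[datetime] = field(default=None, init=False, repr=False)

    def matches(self, event: dict) -> bool:
        return all(event.get(k) == v for k, v in self.match.items())

    def evaluate(self, event: dict) -> Optional[dict]:
        """Feed one event; return a notification dict, or None."""
        if not self.matches(event):
            return None
        now = event["time"]
        self._hits.append(now)
        while self._hits and now - self._hits[0] > self.window:
            self._hits.popleft()          # age out old matches
        if len(self._hits) < self.threshold:
            return None
        if self._last_sent and now - self._last_sent < self.throttle:
            return None                   # throttled: sent recently
        self._last_sent = now
        return {"alarm": self.name, "time": now.isoformat(),
                "count": len(self._hits), "sample": event["msg"]}


def demo() -> list:
    """Constructed burst: six failed logons in six minutes, one success in
    between, then a lone failure half an hour later."""
    t0 = datetime(2011, 6, 9, 9, 0, tzinfo=timezone.utc)
    rule = AlarmRule("Repeated failed logons", {"type": "logon_failure", "host": "dc01"},
                     threshold=5, window=timedelta(minutes=10),
                     throttle=timedelta(minutes=15))
    events = [{"time": t0 + timedelta(minutes=m), "type": "logon_failure",
               "host": "dc01", "msg": f"logon failure for user svc at +{m}m"}
              for m in (0, 1, 2, 3, 4, 5, 30)]
    events.insert(2, {"time": t0 + timedelta(minutes=1, seconds=30),
                      "type": "logon_success", "host": "dc01", "msg": "logon success"})
    return [n for n in (rule.evaluate(e) for e in events) if n]


if __name__ == "__main__":
    for n in demo():
        print(n)
```

In the sample only the fifth failure produces a notification; the sixth is throttled, and the failure at +30 minutes starts a fresh count because the earlier matches have aged out of the window. Tuning the window and threshold together is what separates a brute-force pattern from a user mistyping a password.<br />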
CS_reports Reports can be scheduled or run on demand to analyse data<br />
according to pre-defined or custom criteria<br />
Analysts can define a custom report or use a pre-defined report. Pre-defined<br />
reports include packages of standard reports that are included in<br />
the deployment at installation, as well as custom reports that have been<br />
previously defined by analysts in the organisation.<br />
CS_sanitised Sanitised reports can be produced<br />
<strong>LogRhythm</strong> provides multiple report formats that can omit sensitive data but still<br />
retain the same search criteria as detailed reports, enabling sanitised<br />
reports to be distributed.<br />
3.2 Existing assurance certificates<br />
None<br />
ANNEX A GLOSSARY OF TERMS<br />
Agent System Monitor Agent, collects log data and forwards it to a Log<br />
Manager (see section 2.2.1 for details)<br />
Appliance A turn-key <strong>LogRhythm</strong> Server available in various configurations and<br />
sizes (see section 2.2.1 for details)<br />
ARM Alarming and Response Manager (see section 2.2.1 for details)<br />
DLD Data Loss Defender, Agent feature to monitor (dis)connection of<br />
external data devices to the host<br />
EM Event Manager (see section 2.2.1 for details)<br />
GCSX Government Connect Secure Extranet<br />
GPG 13 <strong>CESG</strong> Good Practice Guide 13<br />
LM Log Manager (see section 2.2.1 for details)<br />
Netflow Network protocol for collecting IP traffic information<br />
PCI Payment Card Industry<br />
SIEM Security Information and Event Management<br />
SLF An Appliance configured as an Agent-only log collection machine (see<br />
section 2.2.1 for details)<br />
SMTP Simple Mail Transfer Protocol used for email<br />
SNMP Simple Network Management Protocol used for managing network<br />
devices and delivering device status and event information<br />
SSL Secure Sockets Layer, protocol for communications security<br />
Syslog A standard for logging program messages<br />
TCP Transmission Control Protocol (part of the Internet Protocol suite)<br />
UDLA Universal Database Log Adapter<br />
UDP User Datagram Protocol (part of the Internet Protocol suite)<br />
UTC Coordinated Universal Time<br />
XM An Appliance configured as both EM and LM (see section 2.2.1 for<br />
details)<br />
ANNEX B MARKETING STATEMENT TO BE USED (IF THE CLAIM IS<br />
SUCCESSFUL)<br />
<strong>LogRhythm</strong> provides a Log Management, Log Analysis and SIEM 2.0 solution<br />
that helps organisations comply with regulations, and provides information to<br />
help them to secure their networks and optimise IT operations. As a platform<br />
for Protective Monitoring using centralised architecture, users can:<br />
• securely collect log data from a multitude of sources;<br />
• monitor in real time - user activity, processes, applications, devices<br />
and network connections across an enterprise;<br />
• enhance data loss prevention capabilities utilising Data Loss<br />
Defender;<br />
• ensure accurate timestamp and integrity of collected logs;<br />
• create role-based Admin accounts;<br />
• monitor directories and files for access, modifications and deletions,<br />
ensuring integrity of key assets;<br />
• run out-of-the-box or customised reports to be saved into a repository,<br />
shared via email, or imported into other applications;<br />
• automatically alert authorised operators on events that trigger an<br />
alarm, based on pre-defined thresholds.<br />
For items which are out of scope please refer to section 2.2.4 of the <strong>ICD</strong>.<br />