In this continuing article series, Wipfli explores the list of HITRUST CSF assessment domains and describes the potentially beneficial compliance tools the firm has encountered most frequently.
Today’s Domain: Audit Logging and Monitoring
Audit logging and monitoring tools are available in vast quantities. There are tools to monitor applications, logs, servers, cloud environment health, users, email, and more. There are also tools available for Security Information and Event Management (SIEM). These tools take data from all of the above-mentioned audit logging and monitoring tools, bring all of that data together, correlate events, and produce manageable analysis workloads.
Here are some key insights into the most prevalent solutions available:
- Azure/AWS. Both platforms include basic performance dashboards covering uptime, performance, alerts, and other environment health statistics.
- New Relic. This product includes modules for monitoring applications, synthetics (software workflow monitoring), web apps, servers, and mobile apps. It also has a module called Insights that collects data from all of the above-mentioned components and brings it together for focused analytics. In that sense it acts much like a SIEM tool, but solely for the New Relic environment.
- AppDynamics. This solution is advertised for use with both AWS and Azure, with the ability to work with both IaaS and PaaS machines. It’s a tool for monitoring performance, user experience, and application behavior.
- AlienVault. This product is also considered a SIEM solution. In addition to its vulnerability management features, AlienVault can be leveraged for event correlation. So while it handles asset discovery and inventory, intrusion detection, NetFlow monitoring, and vulnerability scanning, it also brings all of that data together to determine whether the events are related and whether a bigger issue is occurring. All other organizational logs can be fed into this tool for correlation and analysis as well. AlienVault as a product is available in three forms: a preconfigured virtual machine (VM), an AWS cloud appliance, or an actual piece of hardware that can be installed within an organization. A standout factor for this product is that it is significantly cheaper than a lot of other available SIEM tools. There is also an open-source version of AlienVault that can be used at no cost. Keep in mind, however, that it does not include many of the commercial features.
- LogRhythm. Similar in scope to AlienVault, LogRhythm contains a variety of monitoring modules with the capacity to bring all the data together to determine whether bigger issues are at hand. Logs from outside LogRhythm can also be fed into this tool for analytics and correlation. Among the modules LogRhythm offers are threat management, user behavior analytics, network threat detection, endpoint threat detection, cybercrime detection, threat intelligence, honeypot and deception analytics, file integrity monitoring, and a security operations center. While this product offers a wide variety of services, there is also significant cost associated with using all or most of them.
- HP’s ArcSight, Splunk, SolarWinds, and IBM’s QRadar. All of these products are advertised as SIEM tools. When considering any of these options, however, it’s essential to know your security objectives and perform the research necessary to ensure the selected product will be a good fit.
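To make concrete what "bringing the data together" and "determining whether there is some relation" mean in the SIEM descriptions above, here is a small added example of the correlation step. It is illustrative code written for this article, not code from Wipfli or from any of the products named; the three source names, the event format, and the sample events are all constructed assumptions.

```python
# Added example (not from the article or any vendor): a minimal SIEM-style
# correlator. Events from separate hypothetical feeds (vulnerability scanner,
# intrusion detection, NetFlow) are joined on the asset they describe, and a
# single escalated finding is raised only when all feeds agree on one host.
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Event:
    source: str      # originating tool, e.g. "vulnscan", "ids", "netflow"
    host: str        # asset the event is about; this is the correlation key
    detail: str      # free-text description supplied by the source tool
    severity: int    # 1 (informational) .. 5 (critical), normalised on intake

# Constructed sample events standing in for the three feeds.
SAMPLE_EVENTS = [
    Event("vulnscan", "10.0.0.5", "outdated web server build (constructed)", 3),
    Event("ids", "10.0.0.5", "exploit attempt against web server", 4),
    Event("netflow", "10.0.0.5", "outbound flow to unusual external host", 2),
    Event("ids", "10.0.0.9", "port scan observed", 2),
    Event("vulnscan", "10.0.0.12", "weak TLS configuration", 2),
]

def correlate(events, required_sources=("vulnscan", "ids", "netflow")):
    """Group events by host. When every required source has reported on the
    same host, emit one correlated finding rated above any single input."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    findings = []
    for host, evs in by_host.items():
        seen = {ev.source for ev in evs}
        if all(src in seen for src in required_sources):
            top = max(ev.severity for ev in evs)
            findings.append({
                "host": host,
                # the combination is worse than any part, so escalate by one
                "severity": min(top + 1, 5),
                "evidence": [f"{ev.source}: {ev.detail}" for ev in evs],
            })
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding["host"], finding["severity"], *finding["evidence"], sep="\n  ")
```

Only the host seen by all three feeds produces a finding; the lone port scan and the lone weak-TLS result stay as individual events for the analyst queue.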
Next in the series: Exploring compliance tools for the CSF assessment domains of Configuration Management and Vulnerability Management.