ICD503/DCID 6/3 Compliance

Requirement: (Audit1) (a) Provide the capability to ensure that all audit records include enough information to allow the ISSO to determine the date and time of action (e.g., common network time), the system locale of the action, the system entity that initiated or completed the action, the resources involved, and the action involved.

Solution: Netsurion Open XDR stores all received audit records in the EventVault, a secure, centralized and controlled compressed archive. Each file in the archive is striped with a SHA-1 checksum. Audit records are stored in their original form and preserve all information.

---

Requirement: (Audit1) (b) Protect the contents of audit trails against unauthorized access, modification, or deletion.

Solution: Audit logs within the EventVault are subject to periodic integrity checks (this can also be performed manually on demand); access to archives for reporting purposes automatically invoke the integrity check to validate results.

---

Requirement: (Audit1) (c ) Maintain collected audit data at least 5 years and reviewing at least weekly.

Solution: Netsurion Open XDR stores all received audit records in the EventVault, a secure, centralized and controlled compressed archive. This mechanism make use of any available storage visible to the host platform. Archives are compressed flat files and may be retained for any length of time. They may also be backed up to any storage media including tape for offline storage. Reports can be scheduled for delivery within the dashboard or to an external mailbox on a daily/weekly schedule including daily.

---

Requirement: (Audit1)(d) The system’s creating and maintaining an audit trail that includes selected records of: Successful and unsuccessful logons and logoffs, Accesses to security-relevant objects and directories, including opens, closes, modifications, and deletions, Activities at the system console (either physical or logical consoles), and other system-level accesses by privileged users.

Solution: Netsurion Open XDR includes a wide variety of data source integrations which are used to process inbound logs. These packs are used for alerting and reporting and cover logon/off from Cisco, Windows, VMware, Unix/Linux, Oracle/MS SQL, Juniper, Netscreen, Active Directory etc. Access to security relevant objects on Solaris (BSM), Windows, Linux and various Unix flavors is supported. Privileged user access reports are available as are alerts on direct access to console.

---

Requirement: (Audit2) (a) Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual).

Solution: Netsurion Open XDR stores audit logs in the original format, preserving unique identification. Flexible reporting sorted by user, action or system within a timeframe is provided.

---

Requirement: (Audit3) At the discretion of the DAA, audit procedures that include the existence and use of audit reduction and analysis tools.

Solution: This requirement explicitly authorizes the use of Netsurion to satisfy DCID 6/3.

---

Requirement: (Audit4) An audit trail, created and maintained by the IS, that is capable of recording changes to the mechanism’s list of user formal access permissions. (Note: Applicable only if the (Access3) access control mechanism is automated.)

Solution: Netsurion Open XDR records all logged changes to user permissions at both the Active Directory and individual server/workstation level and reports on such changes.

---

Requirement: (Audit5) (a) Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual).

Solution: Netsurion Open XDR stores audit logs in their original format, preserving unique identification. Flexible reporting sorted by user, action or system within a timeframe is provided.

---

Requirement: (Audit6) (a) Enforcement of the capability to audit changes in security labels.

Solution: Security labels are usually applied to folders or directories, specific db tables or the entire db or Groups in Active Directory. In all of these cases, changes to the contents can be logged and therefore tracked/reported by Netsurion Open XDR .

---

Requirement: (Audit6) (b) Enforcement of the capability to audit accesses or attempted accesses to objects or data whose labels are inconsistent with user privileges.

Solution: Netsurion Open XDR includes reports and alerts for “access denied” conditions. A comparison against user provided whitelist to determine consistent access is also available.

---

Requirement: (Audit6) (c ) Enforcement of the capability to audit all program initiations, information downgrades and overrides, and all other security-relevant events (specifically including identified events that may be used in the exploitation of covert channels).

Solution: Netsurion Open XDR can track the start/stop of all or a safe or unsafe list of applications; it also detects software install/removal attempts. Security-relevant events include any event that would cause a deleterious change in the system or its environment; the Change Audit feature is specifically designed for such requirements.

---

Requirement: (Audit7) (a) The capability of the system to monitor occurrences of, or accumulation of, auditable events that may indicate an imminent violation of security policies.

Solution: Netsurion Open XDR includes a correlation engine which is easily configured to support this requirement. A common example is a brute force password guess attempt which results in a large number of login failures from the same IP address source.

---

Requirement: (Audit7) (b) The capability of the system to notify the ISSO of suspicious events and taking the least-disruptive action to terminate the suspicious events.

Solution: Netsurion Open XDR includes a prioritization scheme which is governed by risk; elements are configurable and this is used to notify ISSOs of out-of-ordinary or new behavior or known alert conditions.

---

Requirement: (Audit8) (a) Individual accountability (i.e., unique identification of each user and association of that identity with all auditable actions taken by that individual).

Solution: Netsurion Open XDR stores audit logs in their original format, preserving unique identification. Flexible reporting sorted by user, action or system within a timeframe is provided.

---

Requirement: (Audit9) (a) The capability of the system to monitor, in real-time, occurrences of, or accumulation of, auditable events that may indicate an imminent violation of security policies.

Solution: Netsurion Open XDR includes a correlation engine which is easily configured to support this requirement. A common example is a brute force password guess attempt which results in a large number of login failures from the same IP address source.

---

Requirement: (Audit9) (b) The capability of the system to notify the ISSO of suspicious events and taking the least-disruptive action to terminate the suspicious event.

Solution: Netsurion Open XDR includes a prioritization scheme which is governed by risk; elements are configurable and this is used to notify ISSOs of out-of-ordinary or new behavior or known alert conditions.