The major regulatory compliance schemes do not mention Security Information and Event Management (SIEM) systems by name, but in reality, SIEM tools are essential for achieving compliance and passing their certification audits. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (NIST CSF), for example, which is used for PCI-DSS and Sarbanes-Oxley (SOX) compliance among others, mandates continuous monitoring, detection processes and the ability to analyze anomalies and events. These are tasks that SIEM tools arguably do better than any other security tool, which is one of the many benefits of SIEM.
SIEM Is Critical For Compliance
A SIEM solution is an absolutely critical tool for complying with security regulations promulgated by regulatory bodies. To understand why this is the case, it is first helpful to grasp how cybersecurity technologies and practices actually enable compliance. The regulations tend to be general, not prescriptive. The specifics of implementing the controls required by the law, testing them and passing an audit are left up to the organization that needs to comply with them. To achieve compliance, organizations rely on frameworks and standards like NIST CSF. However, it’s a subjective and sometimes messy, confusing process.
The Sarbanes-Oxley Act does not say, “Install a SIEM system and monitor your network.” Section 404 of the law itself says only that a publicly traded company should issue “an internal control report, which shall…contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.” SOX says very little about IT, but the accounting industry, along with various industry bodies, has developed a SOX compliance framework that requires IT departments to pass an audit verifying that the organization has:
- Established physical and electronic controls that will prevent users lacking credentials from accessing sensitive information.
- Maintained secure locations for servers and data centers.
- Ensured that proper controls for IT assets containing financial information are in place to protect these digital assets from breach.
Using SIEM software, you are able to monitor the underlying security policies that enable such controls to exist. For instance, a firewall is an electronic control that prevents unauthorized users from accessing sensitive information. That’s great. But how will a company pass an audit that wants to check how well that control is working? Enter the SIEM. The SIEM can aggregate, correlate and analyze logs from multiple firewalls. From this process, it can produce an audit report demonstrating how the company has been implementing the control required for SOX compliance.
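The aggregate-correlate-report loop described above, as an added illustration that is not code from the article or from any SIEM product: a small Python script parses firewall log lines from two firewalls, tallies allow/deny decisions per rule as evidence that the control is enforced, correlates deny events across both firewalls to flag a source that is repeatedly blocked, and emits the summary an auditor could be handed. The log lines and their key=value layout are constructed for the example; real firewalls use their own formats, and the deny threshold is an assumed value.

```python
"""Added example: SIEM-style aggregation of firewall logs into an audit report.
Illustrative code, not from the article or any vendor. The log lines below are
constructed, and the key=value field layout is an assumption of this example."""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample logs from two firewalls (assumed key=value format).
# The last line is deliberately malformed to show that bad input is skipped.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z fw1 action=deny src=203.0.113.5 dst=10.0.0.20 dport=445 rule=block-smb-inbound
2024-03-01T10:00:02Z fw1 action=deny src=203.0.113.5 dst=10.0.0.21 dport=445 rule=block-smb-inbound
2024-03-01T10:00:03Z fw1 action=deny src=203.0.113.5 dst=10.0.0.22 dport=445 rule=block-smb-inbound
2024-03-01T10:00:04Z fw1 action=allow src=10.0.0.7 dst=10.0.0.50 dport=443 rule=allow-internal-https
2024-03-01T10:00:05Z fw2 action=deny src=198.51.100.9 dst=10.0.0.50 dport=22 rule=block-ssh-inbound
2024-03-01T10:00:06Z fw2 action=allow src=10.0.0.8 dst=10.0.0.50 dport=443 rule=allow-internal-https
2024-03-01T10:00:07Z fw2 truncated
"""


def parse_line(line):
    """Parse one log line into a dict; return None for malformed lines so a
    single bad record cannot poison the report."""
    parts = line.split()
    if len(parts) < 3:
        return None
    try:
        ts = datetime.fromisoformat(parts[0].replace("Z", "+00:00"))
    except ValueError:
        return None
    event = {"ts": ts, "host": parts[1]}
    for kv in parts[2:]:
        if "=" not in kv:
            return None
        key, value = kv.split("=", 1)
        event[key] = value
    if not all(k in event for k in ("action", "src", "rule")):
        return None
    return event


def aggregate(lines):
    """Aggregate events from all firewalls: per-rule allow/deny counts plus the
    set of firewalls that actually reported, which auditors check for coverage."""
    events = [e for e in (parse_line(l) for l in lines.splitlines()) if e]
    by_rule = defaultdict(Counter)  # rule name -> Counter of actions
    hosts = set()
    for e in events:
        by_rule[e["rule"]][e["action"]] += 1
        hosts.add(e["host"])
    return events, by_rule, hosts


def correlate_denies(events, threshold=3):
    """Correlate across firewalls: sources blocked at least `threshold` times
    are surfaced as alerts for SOC review (threshold is an assumed value)."""
    denies = Counter(e["src"] for e in events if e["action"] == "deny")
    return {src: n for src, n in denies.items() if n >= threshold}


def audit_report(lines, threshold=3):
    """Build the evidence package: which firewalls reported, how many events were
    parsed, how each rule fired, and which sources triggered correlated alerts."""
    events, by_rule, hosts = aggregate(lines)
    return {
        "firewalls": sorted(hosts),
        "events_parsed": len(events),
        "rules": {rule: dict(c) for rule, c in sorted(by_rule.items())},
        "alerts": correlate_denies(events, threshold),
    }


if __name__ == "__main__":
    print(json.dumps(audit_report(SAMPLE_LOGS), indent=2))
```

On the constructed input the report records two reporting firewalls, six parsed events (the truncated line is dropped), three denies under `block-smb-inbound`, and one correlated alert for `203.0.113.5`, which was blocked three times across three internal hosts. The per-rule counts are the evidence that the control exists and fires; the correlated alert is the detection output that the later Detect categories of NIST CSF refer to.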
SIEM Compliance Requirements
Compliance programs that follow NIST CSF try to map to the framework’s functional categories. The categories span the security lifecycle: Identify (ID), Protect (PR), Detect (DE), Respond (RS) and Recover (RC). In this way, each stage of security is covered by the framework. The security team first identifies risks, then works to protect against them. If there is an incident, it responds and then tries to recover.
Not every category and sub-category relates to SIEM. However, SIEMs are foundational to achieving compliance with the framework across multiple categories and their respective requirements. They do this with compliance reporting, endpoint detection and response (EDR), threat intelligence gathering, monitoring, log management, analysis and visualization. In particular, SIEM is instrumental in meeting the requirements defined for the following NIST CSF category/sub-categories:
- Protect (PR)/Access control—SIEMs can produce audit reports based on multiple access control system logs.
- Protect (PR)/Information protection processes and procedures—Having a SIEM in place as a countermeasure against intrusion is an application of this framework sub-category.
- Protect (PR)/Protective technology—SIEM serves as protective technology in multiple senses of the term. It is part of the Security Operating Center’s (SOC’s) toolset for guarding against improper access to data and systems of record.
- Detect (DE)/Anomalies and events—SIEMs detect anomalies and issue alerts to SOC analysts.
- Detect (DE)/Security continuous monitoring—SIEMs perform continuous monitoring, staying on top of multiple other systems of continuous monitoring.
- Detect (DE)/Detection processes—SIEMs detect attacks and threats and alert SOC analysts when they find one.
- Respond (RS)/Analysis—SIEMs create reports used in forensic analysis of security events.
- Recover (RC)/Improvements—SIEM reports give analysts and security managers the insights they need to improve the incident response process after an event has occurred.
Regulations Requiring Compliance
Nearly all regulations that mandate IT compliance have a requirement of logging all relevant events and then operationalizing an incident response process that handles the threats—and documents the entire series of response activities. After that, the regulations set out the expectation that the company will maintain records of its incident responses. SIEM performs all of these tasks. This is relevant across multiple sets of regulations.
The Federal Information Security Modernization Act (FISMA)
FISMA requires that “any federal agency document and implement controls of information technology systems which are in support to their assets and operations.” According to NIST, compliance involves the following tasks, which are the province of SIEM:
- Continuously monitoring security controls.
- Refining controls using risk-assessment procedures.
- Documenting controls in the security plan.
The Payment Card Industry Data Security Standard (PCI DSS)
PCI DSS sets out security standards to establish a secure environment for businesses that accept, process, store or transmit payment card information. SIEMs help with PCI DSS by:
- Helping protect networks on which payment card information is stored or processed.
- Providing the basis for passing a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).
- Comprising the threat detection aspects of the PCI DSS standard.
General Data Protection Regulation (GDPR)
GDPR covers data protection and privacy in the EU and the European Economic Area, along with transfers of personal data outside these regions. SIEMs are essential for GDPR compliance because they:
- Enable companies to process personal data securely by what the law calls “appropriate technical and organizational measures.”
- Provide a key element of “confidentiality, integrity and availability” of systems and services that process personal information.
- Help data custodians restore access and availability to personal data in a timely manner if there is a security incident.
Health Insurance Portability and Accountability Act (HIPAA)
HIPAA protects private, individually identifiable health information, known as protected health information (PHI). With a SIEM, an entity needing to comply with HIPAA can:
- Identify and defend against threats to the PHI.
- Secure systems that ensure the confidentiality, integrity and availability of PHI.
- Monitor systems to mitigate the risk of impermissible uses or disclosures of PHI.
SIEMs are integral to compliance. Without a SIEM, it would be difficult in the extreme to meet the criteria set down by the dominant standards such as NIST CSF. It’s an ever-evolving situation, in any event. As networks and infrastructure grow more complex, SIEMs will be even more useful in enabling companies to keep up with compliance audits.