LogReview Standard Service Definition for <Customer>

Service Description and Approach

LogReview – Managed Security Operations in the Cloud

Alert Logic LogReview™ utilizes Alert Logic Log Manager™ to satisfy the log review and analysis component of security best practices. Each day, our System Security Analysts will use Log Manager to analyze event log data, track and escalate incidents, and send notifications pertaining to systems that are generating logs. We utilize standards such as PCI-DSS to provide a prescriptive framework to generate reports. These reports address specific requirements within the standards. A more complete list of standards and guidelines that are addressed in whole or part by LogReview is available in the Compliance Coverage section of this document.

The LogReview service is designed to meet the following compliance mandates (see the Compliance Coverage section for more detail):

  • Daily log review
  • Analyze event log data for potential security incidents
  • Send notification for incidents that warrant further investigation
  • Create an audit trail for auditors and regulators

Steps to Review Log Data:

1. Logs are collected continuously every day from configured sources.

2. Daily reports are compiled.

3. Each report is reviewed by an Alert Logic System Security Analyst.

4. The analyst adds comments and determines whether an escalation is required.

5. If escalation is warranted, the analyst opens a case and works with defined <Customer> contacts on a resolution.

6. Reports and cases are stored with online access for activities like Audits.

LogReview Service Deliverables

Service Level Commitment

Every 24 hours a System Security Analyst will review the logs for the previous day and escalate any associated incidents in accordance with the <Customer> escalation process.

Daily Review Actions

If a security or compliance incident is identified, a System Security Analyst will contact <Customer> with the details of the alert and recommendations as defined in the Contact Process section. The analyst will maintain a full LogReview audit trail which is accessible through the Log Manager console for future audit reporting. The analysis will include only logs provided by active and configured hosts. Alert Logic will attempt to maintain Analyst continuity between reviews.

Audit Trail

For each daily LogReview task, a case is created and stored in the Alert Logic Log Manager Portal. <Customer> will be able to view the following content for any date covered within the LogReview scope:

1. Report results

2. Analyst comments

3. Analyst actions taken (if any)

Reports can be used to prove to an auditor that monitoring is taking place. This audit trail is maintained for a minimum of 12 rolling months.

Monthly Summaries

On a monthly basis, Alert Logic will send the Monthly Summary report via email to the designated contacts for the service. This report includes the System Security Analyst’s summary comments for each day. <Customer> may, at any time, request a report for any month or range of months that are covered within the retention period defined for the Log Manager contract.

Limitations to Alert Logic activity

Alert Logic System Security Analysts will never directly access <Customer> hosts or systems. Alert Logic activities are limited to log collection as configured by <Customer>. Alert Logic may utilize non-invasive techniques to analyze events that have occurred within the customer environment. Examples include reverse DNS lookups that may query nameservers within the <Customer>'s environment.

Customer Responsibilities and Interaction with Alert Logic

Alert Logic Log Manager is installed and configured

Log Manager collects and compresses log data for encrypted transport to Alert Logic’s SSAE 16 Type II certified secure data centers. With universal access via a standard web browser, Log Manager provides the ability to conduct searches, forensic analysis, and reporting for compliance, security, and operations.

For the LogReview service, it is required to have Log Manager installed with host sources configured.

Monitored networks are running properly

The LogReview service depends upon a reliable connection between the log source location and the Security Operations Center. If the source network is unavailable for any reason then Alert Logic will not be responsible for the SLA for that period. In the event of a continuity interruption, logs are cached on the appliance, subject to available disk space, and will be sent to Alert Logic when continuity is restored. Analysis of logs will only apply to logs received within the appropriate 24 hour period.

Monitored systems are running properly

LogReview does not include trend or system status analysis. As such, systems that are unavailable will not report logs and will be considered out of scope for LogReview during that period. The following items are the responsibility of <Customer>:

  • Ensure that desired hosts are included within the monitoring scope
  • Ensure that all included hosts are properly configured, including ensuring that host audit log settings are configured and operating
  • Ensure that connectivity to all hosts and the Log Manager Appliance is maintained

Operational and Environment changes

Alert Logic recommends that <Customer> communicate all changes to the customer environment as they may impact the scope of monitoring. Changes include:

  • Addition or removal of hosts
  • Changes in network topology
  • Changes in firewall rules or configuration

Contact Process

Alert Logic will contact <Customer> in the event of an incident via the defined contact preferences. <Customer> is responsible for ensuring that the contact list is current. Contact may include primary and secondary methods that utilize the following communication channels: Phone or E-mail. Contact lists or preferences for daily log reviews, monthly reports, and incident escalation may be changed by the primary contact or any authorized signatory representing <Customer>.

Documented <Customer> representatives may contact a System Security or Technical Account Manager to:

  • Request further clarification or follow up on an open or closed incident case
  • Change contact or escalation preferences
  • Request assistance in providing evidence to an Auditor
  • Update network information
  • Update Administration contacts
  • Other requests, such as product enhancement or sales requests will be referred to the appropriate Alert Logic staff

Escalation Process

<Customer> will work with a System Security Analyst to refine the types of incidents that warrant an escalation. Escalations only occur if there are incidents to escalate; therefore escalations and reports may not occur daily.

Incident Management and Closeout

All incidents will have an Alert Logic incident case created. If a case requires escalation, then the System Security Analyst will communicate the incident case via the defined contact methods. The case will include the following information, if available:

  • Incident type
  • Log source
  • Time Range
  • Risk
  • Impact
  • Possible solutions

The analyst will work with <Customer> to assist with the actions necessary to address the incident. Cases are closed after <Customer> is notified. <Customer> may reopen any case at any time within the Portal or by contacting Alert Logic.

Initial Provisioning responsibilities and Timelines:

R – Responsible: Required to perform work for the completion of the task

A – Accountable: Answerable for the correct and thorough completion of the task

C – Consulted: Subject Matter Expert necessary for completing the task

I – Informed: Notified of the status of the task

What We Review with LogReview

This list defines the events and activities that are analyzed in the LogReview service. A specific mapping of each event to specific compliance standards is available upon request.

Active Directory

Active Directory Global Catalog Change – the Microsoft Active Directory Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report details all changes to the AD Global Catalog that are recorded as log messages.

Active Directory Global Catalog Demotion – the Microsoft Active Directory Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report provides log message details each time a domain controller in your AD forest has been demoted and can no longer serve the global catalog.

Databases

Database Failed Logins – this report is generated to identify and display database login failure log messages received from all monitored hosts. This report is applicable to Oracle and SQL Server.

Network Devices

Network Device Failed Logins – this report is generated to identify and display network device login failure log messages received from all monitored hosts.

Network Device Policy Change – this report is generated when a policy is added, changed or removed on network devices.

Windows Server (2008 R2, 2008, 2003)

Excessive Windows Account Lockouts – this report is generated when a threshold of 2 log messages has been exceeded. The messages indicate that Windows user accounts have been locked out.

Excessive Windows Account Lockouts by Administrative User – this report is generated when a threshold of 2 log messages has been exceeded. The messages indicate that the Windows Administrator account has been locked out.

Excessive Windows Failed Logins – this report is generated to identify and display excessive Windows login failure log messages received from all monitored hosts, with a threshold of more than 5 messages.

Excessive Windows Failed Logins by Administrative User – this report is generated when an excessive number of Windows login failure log messages is received from a single host for the Administrator account. The threshold is more than 5 messages.

Windows FTP Failed Logins – this report is generated when log messages indicate that accounts have failed to successfully log in to IIS.

Windows User Account Created – this report is generated when log messages indicate that user accounts have been successfully created.

Windows User Account Modified – this report is generated when log messages indicate that user accounts have been modified (changed, created and deleted).

Windows User Group Created – this report is generated when log messages indicate that a user group has been created.

Windows User Group Modified – this report is generated when log messages indicate that user groups have been modified (changed, created and deleted).
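The four "Excessive" Windows reports above are simple threshold rules over one day of collected events. The following is an added illustration of that logic, not Alert Logic's code or part of this service definition. It assumes a constructed record format ("ISO timestamp|host|event ID|account") and an assumed mapping of the report categories to Windows Security event IDs 4625 (failed logon) and 4740 (account locked out) on Windows Server 2008 and later; the thresholds (more than 5 failed logins, more than 2 lockouts) and the 24-hour review window are the ones stated on this page.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as stated in the LogReview report descriptions:
# "Excessive" failed-login reports fire above 5 messages, lockout reports above 2.
FAILED_LOGIN_THRESHOLD = 5
LOCKOUT_THRESHOLD = 2

# Assumed mapping of the report categories to Windows Security event IDs
# (Windows Server 2008 and later); the service definition does not name event IDs.
EVENT_FAILED_LOGON = 4625        # "An account failed to log on"
EVENT_ACCOUNT_LOCKED_OUT = 4740  # "A user account was locked out"


@dataclass(frozen=True)
class WinEvent:
    when: datetime
    host: str
    event_id: int
    account: str


def parse_line(line: str) -> WinEvent:
    """Parse one constructed 'ISO-timestamp|host|event_id|account' record."""
    when, host, event_id, account = line.strip().split("|")
    return WinEvent(datetime.fromisoformat(when), host, int(event_id), account)


def in_review_window(ev: WinEvent, window_end: datetime, hours: int = 24) -> bool:
    """Only events received inside the 24-hour review period are analyzed."""
    return window_end - timedelta(hours=hours) <= ev.when < window_end


def daily_windows_reports(events, window_end: datetime) -> dict:
    """Return report name -> finding for every threshold that was exceeded."""
    events = [e for e in events if in_review_window(e, window_end)]
    failed = [e for e in events if e.event_id == EVENT_FAILED_LOGON]
    locked = [e for e in events if e.event_id == EVENT_ACCOUNT_LOCKED_OUT]
    reports = {}

    # Excessive Windows Failed Logins: counted across all monitored hosts.
    if len(failed) > FAILED_LOGIN_THRESHOLD:
        reports["Excessive Windows Failed Logins"] = len(failed)

    # ... by Administrative User: counted per single host, Administrator account only.
    admin_failed_per_host = Counter(
        e.host for e in failed if e.account.lower() == "administrator")
    hosts_over = {h: n for h, n in admin_failed_per_host.items()
                  if n > FAILED_LOGIN_THRESHOLD}
    if hosts_over:
        reports["Excessive Windows Failed Logins by Administrative User"] = hosts_over

    # Excessive Windows Account Lockouts: any account, threshold of 2 exceeded.
    if len(locked) > LOCKOUT_THRESHOLD:
        reports["Excessive Windows Account Lockouts"] = len(locked)

    # ... by Administrative User: lockouts of the Administrator account only.
    admin_locked = [e for e in locked if e.account.lower() == "administrator"]
    if len(admin_locked) > LOCKOUT_THRESHOLD:
        reports["Excessive Windows Account Lockouts by Administrative User"] = len(admin_locked)

    return reports


# Constructed sample records (not real log data). The last record falls outside
# the review window and must be ignored.
SAMPLE_RECORDS = [
    "2013-05-01T08:00:00|web01|4625|jsmith",
    "2013-05-01T08:01:00|web01|4625|jsmith",
    "2013-05-01T08:02:00|web01|4625|jsmith",
    "2013-05-01T08:30:00|web01|4625|Administrator",
    "2013-05-01T08:31:00|web01|4625|Administrator",
    "2013-05-01T09:00:00|db01|4625|Administrator",
    "2013-05-01T09:00:10|db01|4625|Administrator",
    "2013-05-01T09:00:20|db01|4625|Administrator",
    "2013-05-01T09:00:30|db01|4625|Administrator",
    "2013-05-01T09:00:40|db01|4625|Administrator",
    "2013-05-01T09:00:50|db01|4625|Administrator",
    "2013-05-01T08:05:00|web01|4740|jsmith",
    "2013-05-01T10:00:00|db01|4740|jdoe",
    "2013-05-01T10:30:00|db01|4740|Administrator",
    "2013-04-29T23:00:00|web01|4625|Administrator",
]


def run_sample() -> dict:
    """Review the constructed records for the day ending 2013-05-02 00:00."""
    events = [parse_line(r) for r in SAMPLE_RECORDS]
    return daily_windows_reports(events, datetime(2013, 5, 2))


if __name__ == "__main__":
    for name, finding in run_sample().items():
        print(f"{name}: {finding}")
```

On the sample data the all-hosts failed-login report fires (11 messages), the Administrator report fires only for db01 (web01 has just 2 Administrator failures, below the per-host threshold), the general lockout report fires (3 lockouts), and the Administrator lockout report stays quiet (1 lockout). The 2013-04-29 record is excluded by the review window, mirroring the rule that analysis applies only to logs received within the 24-hour period.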

UNIX/Linux

Failed UNIX Switch User Command – this report provides details of all recorded failed uses of the UNIX switch user (su) command.

UNIX Account Created – this report is generated when log messages indicate the creation of UNIX accounts.

UNIX Failed Logins – this report is generated when log messages indicate that local and remote accounts have failed to successfully log in.

UNIX Group Created – this report is generated when log messages indicate that a UNIX user group was added.

UNIX SSH Failed Logins – this report is generated to identify and display SSH login failure log messages received from all monitored hosts.

UNIX Sudo Access – this report is generated when a user has executed the UNIX sudo command.

UNIX Switch User Command Success – this report is generated when log messages indicate that a user has successfully executed the UNIX switch user (su) command.
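Unlike the Windows threshold reports, the UNIX/Linux reports above are produced by recognising specific message types in the host's authentication log. The following is an added example of how such classification can be done, written for this page and not taken from Alert Logic's product. It assumes the common Linux message formats written by sshd, util-linux su, sudo, useradd and groupadd (which vary by distribution), and runs over constructed syslog lines embedded in the block.

```python
import re
from collections import Counter

# Constructed syslog-style authentication lines (not real data).
SAMPLE_AUTH_LINES = [
    "May  1 08:00:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 4242 ssh2",
    "May  1 08:00:04 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 4243 ssh2",
    "May  1 08:00:07 web01 sshd[2212]: Failed password for root from 203.0.113.5 port 4244 ssh2",
    "May  1 08:10:00 web01 sshd[2250]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2",
    "May  1 08:15:00 web01 su: FAILED SU (to root) alice on pts/0",
    "May  1 08:16:00 web01 su: (to root) alice on pts/0",
    "May  1 08:20:00 db01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql",
    "May  1 09:00:00 db01 groupadd[3000]: new group: name=carol, GID=1002",
    "May  1 09:00:00 db01 useradd[3001]: new user: name=carol, UID=1002, GID=1002, home=/home/carol, shell=/bin/bash",
    "May  1 09:05:00 db01 CRON[3100]: pam_unix(cron:session): session opened for user root by (uid=0)",
]

# One rule per LogReview UNIX report: (report name, pattern). Named groups become
# the details recorded for the report. Assumed message formats, see lead-in.
RULES = [
    ("UNIX SSH Failed Logins",
     re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")),
    ("Failed UNIX Switch User Command",
     re.compile(r"\bsu(?:\[\d+\])?: FAILED SU \(to (?P<target>\S+)\) (?P<user>\S+)")),
    ("UNIX Switch User Command Success",
     re.compile(r"\bsu(?:\[\d+\])?: \(to (?P<target>\S+)\) (?P<user>\S+)")),
    ("UNIX Sudo Access",
     re.compile(r"sudo:\s+(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")),
    ("UNIX Account Created",
     re.compile(r"useradd\[\d+\]: new user: name=(?P<user>[^,]+)")),
    ("UNIX Group Created",
     re.compile(r"groupadd\[\d+\]: new group: name=(?P<group>[^,]+)")),
]


def classify(line: str):
    """Return (report name, extracted details) for the first matching rule, else None."""
    for name, pattern in RULES:
        match = pattern.search(line)
        if match:
            return name, match.groupdict()
    return None


def build_unix_reports(lines) -> dict:
    """Group every recognised line under its report name."""
    reports = {}
    for line in lines:
        hit = classify(line)
        if hit:
            name, details = hit
            reports.setdefault(name, []).append(details)
    return reports


def unmatched_lines(lines) -> list:
    """Lines no rule recognised; worth sampling when tuning the rule set."""
    return [line for line in lines if classify(line) is None]


def ssh_failures_by_source(reports: dict) -> Counter:
    """Summarise SSH login failures per source address for the daily review."""
    return Counter(d["src"] for d in reports.get("UNIX SSH Failed Logins", []))


if __name__ == "__main__":
    found = build_unix_reports(SAMPLE_AUTH_LINES)
    for name, entries in found.items():
        print(f"{name}: {len(entries)} message(s) {entries}")
    print("SSH failures by source:", dict(ssh_failures_by_source(found)))
    print("Unmatched:", len(unmatched_lines(SAMPLE_AUTH_LINES)))
```

Rule order matters: the failed-su pattern is tried before the success pattern so that "FAILED SU (to root)" is never misread as a successful switch. The successful SSH login and the cron session line match no rule and land in the unmatched list, which is the set an analyst would inspect when deciding whether the rule set needs extending.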

Compliance Coverage

LogReview directly or indirectly addresses requirements for multiple compliance standards. The list below identifies the specific requirements, rules or guidelines for which LogReview is applicable to some of the most popular standards. Details for each rule are available from the respective standards documents.

Requirement / SOX / HIPAA / PCI / ISO
Must provide a policy for LogReview / § 404(c) / § 164.308(a)(1)(ii)(D), § 4.1.7 Bullet 1 / § 10.6.a / ¶ 8.2.2(2)(5), ¶ 10.5.1
Must provide a defined process for LogReview / DS 5.5 / § 4.1.9 Bullet 1, CSR 1.6.1(4) / § 10.6.a, § 10.2, § 10.3 / ¶ 8.1.5(6), ¶ 8.2.2(2)(5)
Must review logs within a specified time period / CSR 2.1.12, CSR 10.2.3 / § 10.6 / § 4.2.3(b)
Technical Personnel must review / CSR 3.1.3 / ¶ 10.5.1
Supervisors must review abnormalities / CSR 4.2.2 / ¶ 10.5.1
Access events / § 164.308(a)(6)(1), CSR 7.3.6 / § 10.2.4 / § 10.10.2, ¶ 9.2, ¶ 10.3.4
Change events / § 164.312(b) / § 10.2.2, § 10.2.7 / § 10.10.2
Network and Wireless logging / CSR 10.10.5(10) / § 3.3.1.c
Maintain logs and audit trail for extended durations / § 10.7

Mappings of other standards to the specific requirements are available upon request.

Control Objectives for Information and Related Technology (CobiT)
Federal Financial Institutions Examination Council (FFIEC)
North American Electric Reliability Corporation – Critical Infrastructure Protection (NERC CIP)
Federal Information Processing Standards (FIPS)
Federal Risk and Authorization Management Program (FedRAMP)
US Internal Revenue Service (IRS)
National Institute of Standards and Technology (NIST)
International Guidance
