LogRhythm’s approach to the various compliance frameworks is to deliver content in a dynamic, adaptable way as the FI matures and grows its compliance practice. The following section highlights concepts to consider as your organization grows and applies lessons learned to build a more robust MAS-TRMG compliance program.
Online Banking Systems
LogRhythm offers some content for monitoring Online Banking Systems. Because these systems are traditionally customized or built in-house by the FI, we recommend initially scoping the monitored objects on the server side. This may include, but is not limited to, the compliance concepts of change control, user access management, information security, and patch/signature updates. Approaches to consider include trend analysis and transactional monitoring to help detect and analyze fraudulent or abnormal activity. The organization can then extend monitoring to the user-interface or application side by working with LogRhythm’s Professional Services (ProServ) team. Many of the concepts applied to Production and Critical servers can be adopted within the Online Banking environment. LogRhythm’s goal is to assist the FI as it grows its monitoring of various financial systems. Please contact LogRhythm’s ProServ or Labs Compliance team with any questions.
Use of Additional LogRhythm Features
As the FI designs and implements TRMG controls, the organization will be able to apply lessons learned and remediation to its use of the module components and of additional features within LogRhythm’s SIEM. This begins the maturing of the compliance program, and we recommend working with LogRhythm’s ProServ team to tailor these features. Because risks and IT continually change, a sound compliance program must adapt to the dynamic landscape in which the FI conducts business and interacts with customers.
Case Management: Incident Response & Remediation
LogRhythm’s Case Management is a vital component for gathering forensic data around security incidents or audit remediation efforts. Organizations can add configured AIE rules/alerts and investigations from their MAS-TRMG environment to a case in order to build an understanding of, and to scope, the pertinent activity within the environment. Access limitations can also be applied so that sensitive log data is accessible only on an as-needed basis, according to roles and access rights within the LogRhythm SIEM. Audiences to consider include IT Security, IT Operations, Internal/External Audit, and Executive Management. Case Management can thus serve as a conduit for delivering pertinent log and forensic data for analysis.
Many compliance programs rely on Incident Response to address cyber attacks from a “when, not if” perspective. To remediate and address a security incident, the organization must be able to demonstrate an understanding of the scope of the attack or breach. Case Management is a centralized platform for facilitating this effort, in addition to building cases around remediation efforts when MAS-TRMG control failures occur.
LogRhythm’s Financial Fraud Detection Module
The Financial Fraud Detection module is intended to assist FIs that collect transactional data with LogRhythm in identifying and preventing fraudulent activity on their customers’ accounts. This is accomplished using AIE rules and alarms that detect patterns of known fraudulent activity as well as behavioral anomalies that may be indicative of fraud. Please contact LogRhythm’s ProServ team for assistance with this effort.
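As an added illustration of the transactional-monitoring and behavioral-anomaly approach described for Online Banking Systems and for the Financial Fraud Detection module, the Python script below runs four hypothetical rules over constructed application-server log lines. It was written for this page; it is not LogRhythm content and does not reproduce any LogRhythm AIE rule. The key=value log format, the field names, the thresholds, and the account numbers are all assumptions. Two known-pattern rules (failed logins followed by a transfer; a large transfer to a newly added payee), one velocity rule, and one statistical baseline rule are combined, and transfers that trigger any rule are kept out of the baseline so that the attacker’s own activity cannot raise the threshold for the next transfer.

```python
"""Illustrative online-banking transaction rules (added example, not LogRhythm content)."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log lines in a hypothetical key=value format emitted by an
# online banking application server. Field names and values are assumptions.
SAMPLE_LOG = """\
ts=2024-03-01T09:15:00 acct=1001 event=login result=success src=203.0.113.10
ts=2024-03-01T09:16:10 acct=1001 event=transfer amount=120.00 payee=P-77 new_payee=0
ts=2024-03-02T10:02:00 acct=1001 event=transfer amount=95.00 payee=P-77 new_payee=0
ts=2024-03-03T11:40:00 acct=1001 event=transfer amount=110.00 payee=P-12 new_payee=0
ts=2024-03-04T02:05:00 acct=1001 event=login result=fail src=198.51.100.7
ts=2024-03-04T02:05:20 acct=1001 event=login result=fail src=198.51.100.7
ts=2024-03-04T02:05:41 acct=1001 event=login result=fail src=198.51.100.7
ts=2024-03-04T02:06:30 acct=1001 event=login result=success src=198.51.100.7
ts=2024-03-04T02:07:00 acct=1001 event=transfer amount=4800.00 payee=P-99 new_payee=1
ts=2024-03-04T02:08:00 acct=1001 event=transfer amount=4900.00 payee=P-99 new_payee=1
ts=2024-03-04T02:09:00 acct=1001 event=transfer amount=4950.00 payee=P-99 new_payee=1
ts=2024-03-04T08:00:00 acct=2002 event=transfer amount=250.00 payee=P-05 new_payee=1
"""


def parse(line):
    """Split one key=value log line into a dict and convert the timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def detect(lines, new_payee_threshold=1000.0, velocity_n=3,
           velocity_window=timedelta(minutes=5), z=3.0):
    """Return a list of (rule, account, timestamp) alerts for the given log text.

    All thresholds are illustrative assumptions, not tuned values.
    """
    alerts = []
    fails = defaultdict(list)       # acct -> timestamps of recent failed logins
    suspicious_until = {}           # acct -> deadline after a brute-force-then-success login
    transfers = defaultdict(list)   # acct -> timestamps of all transfers (velocity rule)
    baseline = defaultdict(list)    # acct -> amounts of transfers that raised no alert

    for line in lines.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        acct, ts = e["acct"], e["ts"]

        if e["event"] == "login":
            if e["result"] == "fail":
                fails[acct].append(ts)
            else:
                # Known pattern: >=3 failures in 10 minutes, then success.
                recent = [t for t in fails[acct] if ts - t <= timedelta(minutes=10)]
                if len(recent) >= 3:
                    suspicious_until[acct] = ts + timedelta(minutes=15)
                fails[acct].clear()
            continue
        if e["event"] != "transfer":
            continue

        amount = float(e["amount"])
        fired = []

        # Rule 1: first transfer within 15 minutes of a brute-force-then-success login.
        if acct in suspicious_until and ts <= suspicious_until[acct]:
            fired.append("brute_force_then_transfer")
            del suspicious_until[acct]

        # Rule 2: large transfer to a payee added in this session.
        if e.get("new_payee") == "1" and amount >= new_payee_threshold:
            fired.append("large_transfer_new_payee")

        # Rule 3: velocity, N or more transfers inside the sliding window.
        transfers[acct].append(ts)
        window = [t for t in transfers[acct] if ts - t <= velocity_window]
        if len(window) >= velocity_n:
            fired.append("transfer_velocity")

        # Rule 4: amount deviates from the account's clean baseline by more than z sigma.
        hist = baseline[acct]
        if len(hist) >= 3 and amount > mean(hist) + z * pstdev(hist):
            fired.append("amount_anomaly")

        if fired:
            alerts.extend((rule, acct, ts.isoformat()) for rule in fired)
        else:
            hist.append(amount)  # only unflagged transfers feed the baseline
    return alerts


if __name__ == "__main__":
    for rule, acct, ts in detect(SAMPLE_LOG):
        print(f"{ts} acct={acct} {rule}")
```

On the constructed data, account 1001 raises eight alerts across the three night-time transfers and account 2002 raises none. The baseline rule would be blind to the second and third large transfers if flagged transfers were allowed into the history, which is the reason for keeping them out; a production rule would also need a per-account minimum history and a cap on how fast the baseline may drift.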
CIS Critical Security Controls Module
The CIS Critical Security Controls Module is intended to help organizations detect and respond to the most important security and operational events, and it maps to other control frameworks such as the NIST 800 series. The module leverages a broad array of analytics to detect threats and operational events. Inventory of authorized assets and software, secure hardware and software configurations, log auditing, account compromise, and privileged-user abuse are just a few of the Critical Security Controls LogRhythm addresses. Some parts of this module require additional third-party tools to fully satisfy the LogRhythm rule. Most of the CIS Critical Security Controls Module can be used with log sources from open-source tools.
Network Monitor Freemium
Network Monitor provides real-time awareness and understanding of all data traversing the network, with application awareness and rich network session details. The Freemium edition of Network Monitor provides the following benefits:
- True application identification for over 2,900 applications out-of-the-box
- Unstructured search and powerful analysis across all network data
- Full-session packet capture in industry-standard PCAP format
- Continuous search-based alerting to immediately detect when specific conditions are met
Network Threat Detection Module
LogRhythm Network Threat Detection Module is designed to help organizations detect and respond to network-based security events. This module utilizes deep forensic visibility into network traffic to detect a wide variety of advanced threats including remote attacks, malware communications, botnets, inappropriate application use, and network data exfiltration attempts. The Network Threat Detection module performs best when paired with LogRhythm’s network forensics solution, Network Monitor.
User Threat Detection Module
The User Threat Detection Module (UTDM) is a collection of AI Engine rules designed to detect unusual or malicious user activity on known hosts within an organization’s network. User Behavior Analytics (UBA) provides deep visibility into user activity, helping customers discover threats originating from external cyber-attacks and rogue insiders alike. It illuminates threats such as compromised accounts, insider threats, administrator abuse and misuse, and other suspicious user activity. Customers can achieve User Behavior Analytics on the LogRhythm platform by implementing the UTDM.
Endpoint Threat Detection Module
The Endpoint Threat Detection Module is a collection of AI Engine rules designed to detect unusual or malicious activity on known hosts within an organization’s network, focusing on activity observed on the endpoint itself.
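As an added illustration of the user- and endpoint-focused detection described for the User Threat Detection and Endpoint Threat Detection modules, the Python script below learns, for each user, the hosts and logon hours seen during a learning period, then scores later host events and alerts when the risk accumulated inside a short window crosses a threshold. It was written for this page; it is not LogRhythm content and does not reproduce any LogRhythm AI Engine rule. The JSON-lines event format is loosely modelled on Windows security audit IDs (4624 logon, 4728 member added to a security-enabled global group, 5140 share accessed), but the field names, user and host names, share names, weights, window, and threshold are all assumptions.

```python
"""Illustrative user/endpoint behaviour scoring (added example, not LogRhythm content)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical JSON-lines format. Event IDs follow
# Windows security auditing loosely; all other field names and values are assumptions.
SAMPLE_EVENTS = """\
{"ts":"2024-03-01T08:55:00","id":4624,"user":"alice","host":"WS-ALICE","src":"10.0.1.15"}
{"ts":"2024-03-02T09:01:00","id":4624,"user":"alice","host":"WS-ALICE","src":"10.0.1.15"}
{"ts":"2024-03-03T08:58:00","id":4624,"user":"alice","host":"WS-ALICE","src":"10.0.1.15"}
{"ts":"2024-03-03T09:10:00","id":4624,"user":"bob","host":"WS-BOB","src":"10.0.1.22"}
{"ts":"2024-03-10T23:12:00","id":4624,"user":"alice","host":"FS-01","src":"10.0.9.200"}
{"ts":"2024-03-10T23:20:00","id":4728,"user":"alice","group":"Domain Admins","member":"alice","host":"DC-01"}
{"ts":"2024-03-10T23:35:00","id":5140,"user":"alice","share":"Finance","host":"FS-01"}
{"ts":"2024-03-11T09:00:00","id":4624,"user":"bob","host":"WS-BOB","src":"10.0.1.22"}
{"ts":"2024-03-11T09:30:00","id":5140,"user":"bob","share":"Public","host":"FS-01"}
"""

LEARNING_CUTOFF = datetime(2024, 3, 8)      # assumption: events before this only train profiles
SENSITIVE_SHARES = {"Finance", "HR"}        # assumption
PRIVILEGED_GROUPS = {"Domain Admins", "Administrators"}
WEIGHTS = {                                 # assumed risk weights per finding
    "new_host_logon": 30,
    "off_hours_logon": 20,
    "privileged_group_add": 40,
    "sensitive_share_access": 30,
}
ALERT_THRESHOLD = 70                        # assumption
CHAIN_WINDOW = timedelta(hours=2)           # findings older than this no longer count


def load_events(text):
    """Parse JSON lines and convert timestamps, keeping input order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events


def build_profiles(events, cutoff):
    """Per-user sets of hosts and logon hours observed before the cutoff."""
    hosts, hours = defaultdict(set), defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["ts"] < cutoff:
            hosts[e["user"]].add(e["host"])
            hours[e["user"]].add(e["ts"].hour)
    return hosts, hours


def score_events(text, cutoff=LEARNING_CUTOFF):
    """Return (user, timestamp, score, findings) tuples whenever a user's
    windowed risk score reaches the threshold on a new finding."""
    events = load_events(text)
    hosts, hours = build_profiles(events, cutoff)
    findings = defaultdict(list)   # user -> [(ts, rule)]
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        user, rules = e["user"], []
        if e["id"] == 4624:
            # A user with no learned profile is treated as logging on to a new host.
            if e["host"] not in hosts[user]:
                rules.append("new_host_logon")
            # Crude off-hours test: hour never seen during learning (only if a profile exists).
            if hours[user] and e["ts"].hour not in hours[user]:
                rules.append("off_hours_logon")
        elif e["id"] == 4728 and e.get("group") in PRIVILEGED_GROUPS:
            rules.append("privileged_group_add")
        elif e["id"] == 5140 and e.get("share") in SENSITIVE_SHARES:
            rules.append("sensitive_share_access")

        findings[user].extend((e["ts"], r) for r in rules)
        recent = [(t, r) for t, r in findings[user] if e["ts"] - t <= CHAIN_WINDOW]
        score = sum(WEIGHTS[r] for _, r in recent)
        if rules and score >= ALERT_THRESHOLD:
            alerts.append((user, e["ts"].isoformat(), score, [r for _, r in recent]))
    return alerts


if __name__ == "__main__":
    for user, ts, score, chain in score_events(SAMPLE_EVENTS):
        print(f"{ts} user={user} score={score} chain={chain}")
```

On the constructed data, alice’s late-night logon to an unfamiliar file server scores 50 and stays silent; the subsequent addition to Domain Admins pushes the windowed score to 90 and raises the first alert, and the Finance share access raises a second at 120. bob’s activity matches his profile and never alerts. The windowed score is what lets individually weak signals (a new host, an odd hour) surface only when they chain into a privileged action, which is the compromised-account pattern the module text describes.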