NEI 08-09 Rev 6 – Requirements

LogRhythm meets, improves, or adheres to additional regulations outlined in NEI 08-09 REV 6. Commentary about regulations other than the ones handled by Reports, Investigations, and Alarms is noted in the following table.

NEI 08-09 REV 6

Setting / Commentary

D.1.11

LogRhythm collects all access activity. LogRhythm reports provide easy and independent review of access control settings and enforcement.

D.2.4 and D.2.11

Management of log storage is a primary feature of LogRhythm, including retention of raw log data after it is sent to the LogRhythm Mediator Service. This moves log management off individual systems and onto a central system built for the task, which includes log archiving and retention, part of which is adjustment of retention periods.

D.2.6 and D.2.7

LogRhythm provides a wide range of analysis, reporting, and alarming tools to meet D.2.6.

D.2.8 and D.2.10

Timestamps are recorded both with the time reported by the origin log source and the time the LogRhythm Mediator receives the log. This prevents falsification of timestamps. Rapid collection of logs from systems, including real-time and near-real-time collection, prevents the compromise-and-reconfigure approach to altering log data. It creates as accurate a log trail as possible up to the point of compromise, often sending critical information about the event to LogRhythm before the attacker has time to modify the system.

E.2.2

LogRhythm can be used to monitor usage compliance for terminated employees and 3rd party users through investigations and security event reporting.

E.3.5

LogRhythm can alert on specific intrusion-related activity. Users can be notified based on department or role. LogRhythm’s integrated knowledge base provides information and references useful in responding to and resolving intrusions.

E.4.2 & E.4.3

LogRhythm can provide monitoring support for information system maintenance tools through interpretation of log data.

E.7.6

LogRhythm’s integrated knowledge base provides information useful in responding to and resolving incidents.

E.10.4

LogRhythm’s file integrity monitoring can be used to detect file system additions, modifications, deletions, and permissions. LogRhythm analysis & reporting capabilities can be used for monitoring configuration changes. LogRhythm alerting can be utilized to detect and notify of changes to specific configurations.

E.10.6

LogRhythm collects all access activity and changes to access controls. LogRhythm reports provide easy and independent review of access control settings and enforcement.

Monitoring Note

NEI 08-09 REV 6 recommendations typically have monitoring or inventory guidelines. LogRhythm provides the tools to perform custom investigations that can fulfill or assist in meeting NEI 08-09 REV 6 regulations. For example, it can be used to generate a list of systems seen, which can be compared against the organizational inventory. LogRhythm can also show network connections between defined entities, zones, and networks to verify isolation of networks and/or appropriate segmentation.

The deliverables that demonstrate adherence to NEI 08-09 REV 6 are shown in the following table.

NEI 08-09 REV 6

Deliverable

D.1.2

Disabled Accounts

Account Management Activity

New Account Summary

Terminated Account Summary

Host Authentication Summary

User Authentication Summary

D.1.3

Account Management Activity

New Account Summary

Terminated Account Summary

D.1.5

D.1.6

Audit Failure By Host

Audit Failure By User

Failed Application Access

Failed File Access

Host Access Granted and Revoked

Object Access Summary

Processes By User

Usage Auditing Event Detail (by Date)

Usage Auditing Event Detail (by User)

User Object Access Summary

D.1.7

Failed Host Access

Account Lockout Summary

D.1.17, D.1.19, D.1.21

Audit Failure By Host

Audit Failure By User

Failed Application Access

Failed File Access

Host Access Granted and Revoked

Object Access Summary

Processes By User

Usage Auditing Event Detail (By Date)

Usage Auditing Event Detail (By User)

User Object Access Summary

Host Authentication Summary

User Authentication Summary

D.1.22

Network Connection Summary

Network Service Summary

D.2.9

File Integrity Monitor Log Detail

File Integrity Monitor Log Detail (with file names and size)

File Integrity Monitor Summary

D.3.13, E.7.4

Attacks Detected

Compromises Detected

Security Event Summary (Entity, iHost)

Security Event Summary (iApp)

Security Event Summary (iHost)

Security Event Summary (oHost)

Suspicious Activity By Host

Suspicious Activity By User

Top Attackers

Top Suspicious Users

Top Targeted Applications

Top Targeted Hosts

User Misuse Summary

E.3.4

Attacks Detected

Compromises Detected

Security Event Summary (Entity, iHost)

Security Event Summary (iApp)

Security Event Summary (iHost)

Security Event Summary (oHost)

Suspicious Activity By Host

Suspicious Activity By User

Top Attackers

Top Suspicious Users

Top Targeted Applications

Top Targeted Hosts

User Misuse Summary

E.3.7

Configuration Change Summary

Policy Activity Summary

E.5.8

Door Access Summary

D.3.13

Attacks Detected

Compromises Detected

Security Event Summary (Entity, iHost)

Security Event Summary (iApp)

Security Event Summary (iHost)

Security Event Summary (oHost)

Suspicious Activity By Host

Suspicious Activity By User

Top Attackers

Top Suspicious Users

Top Targeted Applications

Top Targeted Hosts

User Misuse Summary