WHITEPAPER - NIST CYBER SECURITY FRAMEWORK

Automation Suite for NIST Cyber Security Framework

NOVEMBER 2014
WWW.LOGRHYTHM.COM

Automation Suite for NIST Cyber Security Framework
The National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) establishes a set of cybersecurity standards and guidelines for critical infrastructure, as called for in Executive Order 13636 issued by the President of the United States. NIST-CSF guides critical infrastructure organizations in documenting and implementing controls for the information technology systems that support their operations and assets. The published guidelines cover many areas, including access control, audit and accountability, incident response, and system and information integrity. Each organization is responsible for implementing the minimum security requirements outlined by NIST, and organizations are periodically assessed to determine their compliance level. Although compliance is currently voluntary, legislation attaching legal consequences to non-compliance is a realistic possibility; given the origin of the Framework, some form of enforcement or incentive is likely to follow.

The collection, management, and analysis of log data is integral to meeting many NIST-CSF requirements. LogRhythm satisfies some requirements outright and decreases the cost of complying with others. IT environments consist of heterogeneous devices, systems, and applications, all reporting log data. Millions of individual log entries can be generated daily, if not hourly, and the task of organizing this information can be overwhelming in itself. The additional requirements of analyzing and reporting on log data render manual processes or homegrown remedies inadequate and costly.

LogRhythm can help. Log collection, archiving, and recovery are fully automated across the entire IT infrastructure. LogRhythm automatically performs the first level of log analysis: log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm's alerting capability automatically identifies the most critical issues and notifies the relevant personnel. LogRhythm's out-of-the-box NIST-CSF reporting packages help you meet your reporting requirements with minimal effort.

NIST-CSF requires organizations to implement and perform procedures that effectively capture, monitor, review, and retain log data. The remainder of this paper lists the applicable NIST-CSF control requirements that LogRhythm helps address. For each requirement, an explanation of how LogRhythm supports compliance is provided.

Learn how LogRhythm's comprehensive log management and analysis solution can help your organization meet or exceed NIST-CSF guidelines.


The following table summarizes how LogRhythm supports the NIST-CSF control requirements (the Framework's subcategories, such as ID.AM-3). Where a requirement is listed as directly met, a specific LogRhythm feature (such as alarming, correlation, or reporting) provides the functionality needed to meet the control objective. Where a requirement is listed as augmented, LogRhythm features support the process used to meet the control objective but do not meet it on their own. The requirements listed come directly from the NIST Cybersecurity Framework documentation published through the NIST Computer Security Division web site (http://csrc.nist.gov/).

NIST CSF Control Requirement                                      | Directly Meets Requirement                     | Augments Control Requirement
ID.AM (Identify - Asset Management)                               | N/A                                            | ID.AM-3, ID.AM-4, ID.AM-6
ID.BE (Identify - Business Environment)                           | N/A                                            | N/A
ID.GV (Identify - Governance)                                     | N/A                                            | ID.GV-1, ID.GV-2, ID.GV-3
ID.RA (Identify - Risk Assessment)                                | N/A                                            | ID.RA-1
ID.RM (Identify - Risk Management Strategy)                       | N/A                                            | N/A
PR.AC (Protect - Access Control)                                  | N/A                                            | PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5
PR.AT (Protect - Awareness & Training)                            | N/A                                            | PR.AT-3
PR.DS (Protect - Data Security)                                   | PR.DS-1                                        | PR.DS-4, PR.DS-5, PR.DS-6
PR.IP (Protect - Information Protection Processes & Procedures)   | N/A                                            | PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-7, PR.IP-8, PR.IP-11, PR.IP-12
PR.MA (Protect - Maintenance)                                     | N/A                                            | PR.MA-1
PR.PT (Protect - Protective Technology)                           | N/A                                            | PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4
DE.AE (Detect - Anomalies & Events)                               | DE.AE-3, DE.AE-5                               | DE.AE-1, DE.AE-2, DE.AE-4
DE.CM (Detect - Security Continuous Monitoring)                   | DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, DE.CM-7    | DE.CM-4, DE.CM-5, DE.CM-8
DE.DP (Detect - Detection Processes)                              | DE.DP-4                                        | DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-5
RS.RP (Respond - Response Planning)                               | N/A                                            | RS.RP-1
RS.CO (Respond - Communications)                                  | N/A                                            | RS.CO-3, RS.CO-4
RS.AN (Respond - Analysis)                                        | N/A                                            | RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4
RS.MI (Respond - Mitigation)                                      | N/A                                            | RS.MI-1, RS.MI-2, RS.MI-3
RS.IM (Respond - Improvements)                                    | N/A                                            | RS.IM-1, RS.IM-2
RC.RP (Recover - Recovery Planning)                               | N/A                                            | N/A
RC.IM (Recover - Improvements)                                    | N/A                                            | RC.IM-1, RC.IM-2
RC.CO (Recover - Communications)                                  | N/A                                            | RC.CO-3

The tables on the subsequent pages outline how LogRhythm supports the requirements of each NIST-CSF function. The How LogRhythm Supports Compliance column describes the capabilities LogRhythm provides that directly meet, or augment support for, each NIST-CSF requirement.


Identify

Asset Management (ID.AM-3, ID.AM-4, ID.AM-6)
Compliance Requirement: The data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to business objectives and the organization's risk strategy.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements ID.AM-3, ID.AM-4 and ID.AM-6 by collecting and analyzing all account management, access granting/revoking, and access/authentication logs. LogRhythm correlation rules provide alerting on account authentication failures. LogRhythm investigations, reports, and tails provide evidence of system account management activity (account creation, deletion, and modification), access granting/revoking activity, and account access/authentication activity. Lastly, LogRhythm investigations provide evidence of authorized and unauthorized network access.

Governance (ID.GV-1, ID.GV-2, ID.GV-3)
Compliance Requirement: The policies, procedures, and processes to manage and monitor the organization's regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of cybersecurity risk.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements ID.GV-1, ID.GV-2, and ID.GV-3 by collecting and analyzing all account management and access/authentication logs. LogRhythm correlation rules provide alerting on account authentication failures. LogRhythm investigations, reports, and tails provide evidence of account management activity (account creation, deletion, and modification) and account access/authentication activity, supporting the enforcement of security policies within the organization.

Risk Assessment (ID.RA-1)
Compliance Requirement: The organization understands the cybersecurity risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirement ID.RA-1 by collecting and analyzing all suspicious network activity and other activity indicative of cybersecurity risk. LogRhythm correlation rules provide alerting on events indicative of potential cybersecurity threats or attacks on the network. LogRhythm investigations, reports, and tails provide evidence of cybersecurity events in support of early detection and incident response.


Protect

Access Control (PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5)
Compliance Requirement: Access to assets and associated facilities is limited to authorized users, processes, or devices, and to authorized activities and transactions.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4 and PR.AC-5 by collecting and analyzing all account management, network access/authentication, remote access, and physical access logs. LogRhythm correlation rules provide alerting on account authentication failures. LogRhythm investigations, reports, and tails provide evidence of account access/authentication activity.

Awareness and Training (PR.AT-3)
Compliance Requirement: The organization's personnel and partners are provided cybersecurity awareness education and are adequately trained to perform their information security-related duties and responsibilities consistent with related policies, procedures, and agreements.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirement PR.AT-3 by collecting and analyzing all third-party account and process activity within the environment, to verify that third parties are performing activities according to their defined roles and responsibilities. LogRhythm correlation rules provide alerting on account authentication failures. LogRhythm investigations, reports, and tails provide evidence of vendor account management and authentication (success/failure) activity.

Data Security (PR.DS-1, PR.DS-4, PR.DS-5, PR.DS-6)
Compliance Requirement: Information and records (data) are managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
How LogRhythm Supports Compliance: LogRhythm provides direct support for NIST-CSF control requirement PR.DS-1 and supplemental support for control requirements PR.DS-4, PR.DS-5 and PR.DS-6 by collecting and analyzing all system logs relating to the protection of data integrity, availability, and mobility. LogRhythm's File Integrity Monitor (FIM) tracks file changes, while Data Loss Defender (DLD) independently monitors and logs the connection and disconnection of external data devices on the host where the Agent is running. DLD also monitors and logs the transmission of files to an external storage device, and can be configured to block external data device connections by ejecting specified devices upon detection. External USB storage devices include flash/RAM drives and CD/DVD drives. LogRhythm correlation rules provide alerting on remote account authentication failures. LogRhythm investigations, reports, and tails provide evidence of remote account access/authentication activity.

Information Protection Processes and Procedures (PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-7, PR.IP-8, PR.IP-11, PR.IP-12)
Compliance Requirement: Security policies (that address purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures are maintained and used to manage protection of information systems and assets.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-7, PR.IP-8, PR.IP-11 and PR.IP-12 by collecting and analyzing all logs relating to change management, backups, and incident response plans. LogRhythm correlation rules provide alerting on account management activity. LogRhythm investigations, reports, and tails provide evidence of account management and authentication (success/failure) activity.

Maintenance (PR.MA-1)
Compliance Requirement: Maintenance and repairs of industrial control and information system components are performed consistent with policies and procedures.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirement PR.MA-1 by collecting and analyzing all logs relating to critical and error conditions within the environment. LogRhythm correlation rules provide alerting on those critical and error conditions. LogRhythm investigations, reports, and tails provide evidence of environment conditions as well as process and system start-ups and shut-downs.

Protective Technology (PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4)
Compliance Requirement: Technical security solutions are managed to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements PR.PT-1, PR.PT-2, PR.PT-3 and PR.PT-4 by collecting logs relating to access management and authentication activity on the technical security solutions themselves. Further, LogRhythm's FIM and DLD allow monitoring of removable media and other audit logging events. LogRhythm correlation rules provide alerting on audit logging events (log cleared, logging stopped), DLD and FIM events, software installations, access provisioning, and authentication activity. Lastly, LogRhythm investigations, reports, and tails provide evidence of all of these activities.
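The File Integrity Monitor mentioned under Data Security and Protective Technology is, at its core, a baseline-and-compare operation. The script below is an added example written for this page, not LogRhythm's FIM and not code from the original whitepaper: it hashes every file under a monitored root, stores the digest with size and permission bits, and diffs a later scan against that baseline to report files that were added, removed or modified. The monitored tree, its file names and contents are constructed in a temporary directory so the example runs offline.

```python
"""Baseline-and-compare file integrity monitoring (added example; not LogRhythm's FIM).

baseline() records (sha256, size, mode) for every regular file under a root.
compare() diffs two baselines and reports added, removed and modified paths.
demo() builds a constructed tree, tampers with it, and returns the diff.
"""
import hashlib
import tempfile
from pathlib import Path


def _digest(path, chunk=65536):
    """Stream the file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map POSIX-style relative path -> (sha256, size, permission bits) for each file."""
    root = Path(root)
    snapshot = {}
    for p in root.rglob("*"):
        if p.is_file() and not p.is_symlink():      # skip directories and symlinks
            st = p.stat()
            snapshot[p.relative_to(root).as_posix()] = (_digest(p), st.st_size, st.st_mode & 0o7777)
    return snapshot


def compare(old, new):
    """Return sorted lists of added, removed and modified paths between two baselines.

    A change in hash, size or permission bits all count as 'modified', so a
    chmod that makes a config world-writable is reported even though the
    content is unchanged.
    """
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, simulate tampering, diff it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-stand-in")
        before = baseline(root)

        # Simulated tampering (all invented): config weakened, binary replaced,
        # a new script dropped, and one file deleted.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-stand-in-trojaned")
        (root / "etc" / "backdoor.sh").write_text("#!/bin/sh\n")
        (root / "etc" / "passwd").unlink()
        after = baseline(root)
        return compare(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"{kind:9s} {path}")
```

Two practical caveats that the whitepaper does not spell out: the baseline must be stored somewhere the monitored host cannot rewrite, otherwise an intruder who replaces a binary can also replace its recorded hash; and volatile directories (logs, spools, caches) need to be excluded or the monitor drowns its own alerts in noise.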


Detect

Anomalies and Events (DE.AE-1, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5)
Compliance Requirement: Anomalous activity is detected in a timely manner and the potential impact of events is understood.
How LogRhythm Supports Compliance: LogRhythm provides direct support for NIST-CSF control requirements DE.AE-3 and DE.AE-5, and supplemental support for DE.AE-1, DE.AE-2 and DE.AE-4, by collecting and analyzing logs related to security events throughout the network. An inherent function of LogRhythm is the ability to correlate and aggregate event data across the environment. LogRhythm's log analysis, investigations, tails and reporting capabilities can be leveraged during a security assessment to help verify that implemented controls are functioning as intended and to identify potential weaknesses.

Security Continuous Monitoring (DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-5, DE.CM-6, DE.CM-7, DE.CM-8)
Compliance Requirement: The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.
How LogRhythm Supports Compliance: LogRhythm provides direct support for NIST-CSF control requirements DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6 and DE.CM-7, and supplemental support for DE.CM-4, DE.CM-5 and DE.CM-8, by providing continuous monitoring, analysis, and reporting of network, physical access and other events indicative of malicious cyber activity.

Detection Processes (DE.DP-1, DE.DP-2, DE.DP-3, DE.DP-4, DE.DP-5)
Compliance Requirement: Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.
How LogRhythm Supports Compliance: LogRhythm provides direct support for NIST-CSF control requirement DE.DP-4 and supplemental support for DE.DP-1, DE.DP-2, DE.DP-3 and DE.DP-5 by logging and monitoring the processes and procedures in the environment. Further, the LogRhythm correlation engine alerts assigned individuals on detected activity. LogRhythm reporting, investigations and tails provide evidence of these activities, supporting the maintenance of detection processes and procedures.
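The correlation rules this paper refers to throughout (alerting on account authentication failures under Access Control and Governance, and on audit-log-cleared or logging-stopped events under Protective Technology) reduce to two patterns: a stateful count over a sliding time window, and a stateless match on a single high-severity event. The script below is an added example written for this page; it is not LogRhythm's rule engine, rule syntax or log schema. The log lines are constructed, the key=value field names are assumptions, and the threshold of five failures in ten minutes is an illustrative choice.

```python
"""Two correlation rules replayed over normalized log events (added example).

Rule 1 (stateful): five or more logon failures for the same account from the
        same source inside a sliding ten-minute window; fires once per pair.
        Threshold and window are assumptions, tunable via run_rules().
Rule 2 (stateless): any audit-log-cleared or audit-service-stopped event fires
        immediately, since those are what an intruder produces when covering tracks.
Field names (host, user, src, action, outcome) are assumed, not a vendor schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, already normalized to key=value fields.
SAMPLE_LOGS = [
    "2014-11-03T09:00:01Z host=fs01 user=jdoe src=10.1.2.3 action=logon outcome=failure",
    "2014-11-03T09:00:05Z host=fs01 user=jdoe src=10.1.2.3 action=logon outcome=failure",
    "2014-11-03T09:00:09Z host=fs01 user=jdoe src=10.1.2.3 action=logon outcome=failure",
    "2014-11-03T09:00:14Z host=fs01 user=asmith src=10.1.2.9 action=logon outcome=failure",
    "2014-11-03T09:00:20Z host=fs01 user=jdoe src=10.1.2.3 action=logon outcome=failure",
    "2014-11-03T09:00:31Z host=fs01 user=jdoe src=10.1.2.3 action=logon outcome=failure",
    "2014-11-03T09:00:40Z host=fs01 user=jdoe src=10.1.2.3 action=logon outcome=failure",
    "2014-11-03T09:01:00Z host=fs01 user=asmith src=10.1.2.9 action=logon outcome=success",
    # Slow failures eight minutes apart: never five inside one ten-minute window.
    "2014-11-03T09:10:00Z host=vpn01 user=bob src=203.0.113.7 action=logon outcome=failure",
    "2014-11-03T09:18:00Z host=vpn01 user=bob src=203.0.113.7 action=logon outcome=failure",
    "2014-11-03T09:26:00Z host=vpn01 user=bob src=203.0.113.7 action=logon outcome=failure",
    "2014-11-03T09:34:00Z host=vpn01 user=bob src=203.0.113.7 action=logon outcome=failure",
    "2014-11-03T09:42:00Z host=vpn01 user=bob src=203.0.113.7 action=logon outcome=failure",
    "2014-11-03T09:30:00Z host=dc01 user=svc_backup src=10.1.2.50 action=audit_log_cleared outcome=success",
]


def parse_event(line):
    """Turn one normalized line into a dict; the leading timestamp becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


class AuthFailureRule:
    """Sliding-window count of logon failures keyed by (user, source)."""

    def __init__(self, threshold=5, window_minutes=10):
        self.threshold = threshold
        self.window_minutes = window_minutes
        self._window = timedelta(minutes=window_minutes)
        self._hits = defaultdict(deque)   # (user, src) -> timestamps still inside the window
        self._fired = set()               # suppress repeat alerts for the same pair

    def evaluate(self, ev):
        if ev.get("action") != "logon" or ev.get("outcome") != "failure":
            return None
        key = (ev["user"], ev["src"])
        hits = self._hits[key]
        hits.append(ev["ts"])
        while ev["ts"] - hits[0] > self._window:   # evict timestamps older than the window
            hits.popleft()
        if len(hits) >= self.threshold and key not in self._fired:
            self._fired.add(key)
            return (f"AUTH_FAILURE_THRESHOLD user={key[0]} src={key[1]} "
                    f"count={len(hits)} window_minutes={self.window_minutes}")
        return None


AUDIT_TAMPER_ACTIONS = {"audit_log_cleared", "audit_service_stopped"}


def audit_tamper_rule(ev):
    """Stateless rule: a single audit-logging tamper event is an alert on its own."""
    if ev.get("action") in AUDIT_TAMPER_ACTIONS:
        return f"AUDIT_LOG_TAMPER host={ev['host']} user={ev.get('user', '?')} action={ev['action']}"
    return None


def run_rules(lines, threshold=5, window_minutes=10):
    """Replay lines in timestamp order through both rules; return the alerts raised."""
    auth_rule = AuthFailureRule(threshold, window_minutes)
    alerts = []
    for ev in sorted((parse_event(line) for line in lines), key=lambda e: e["ts"]):
        for alert in (auth_rule.evaluate(ev), audit_tamper_rule(ev)):
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(SAMPLE_LOGS):
        print(alert)
```

Replaying the constructed lines raises exactly two alerts: the jdoe burst at its fifth failure, and the audit-log-cleared event on dc01. The slow bob failures never alert at the default window, but widening it to forty minutes catches them, which is the trade-off any threshold rule carries: a narrow window misses low-and-slow guessing, a wide one raises more false positives from users who simply mistype. Events are sorted by timestamp before evaluation because sources rarely deliver in order; a production engine also needs a suppression interval instead of the fire-once set used here, or a pair that keeps failing after remediation will never alert again.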


Respond

Response Planning (RS.RP-1)
Compliance Requirement: Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirement RS.RP-1 by collecting and analyzing all cybersecurity events and notifying assigned personnel. LogRhythm correlation rules provide alerting on cybersecurity events, while investigations, reports, and tails provide the evidence behind those events.

Communications (RS.CO-3, RS.CO-4)
Compliance Requirement: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements RS.CO-3 and RS.CO-4 by collecting and analyzing all cybersecurity events and notifying assigned personnel. LogRhythm correlation rules provide alerting on cybersecurity events, while investigations, reports, and tails provide the evidence behind those events.

Analysis (RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4)
Compliance Requirement: Analysis is conducted to ensure adequate response and support recovery activities.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements RS.AN-1, RS.AN-2, RS.AN-3 and RS.AN-4 by collecting and analyzing logs to categorize events and allow forensics to be performed. The LogRhythm correlation engine provides alerts and notifications to assigned personnel. LogRhythm investigations, reports, and tails provide evidence of security events and other events of interest throughout the environment.

Mitigation (RS.MI-1, RS.MI-2, RS.MI-3)
Compliance Requirement: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements RS.MI-1, RS.MI-2 and RS.MI-3 by collecting and analyzing logs related to incident response. The LogRhythm correlation engine provides alerting on vulnerabilities within the environment. LogRhythm investigations, reports and tails provide evidence to support incident analysis and the remediation of exposures or vulnerabilities.

Improvements (RS.IM-1, RS.IM-2)
Compliance Requirement: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements RS.IM-1 and RS.IM-2 by collecting and analyzing logs related to incident response. LogRhythm reports provide evidence to support incident analysis and the remediation of exposures or vulnerabilities.


Recover

Improvements (RC.IM-1, RC.IM-2)
Compliance Requirement: Recovery planning and processes are improved by incorporating lessons learned into future activities.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirements RC.IM-1 and RC.IM-2 by collecting and analyzing logs relating to recovery operations. LogRhythm reports provide evidence of recovery operation events.

Communications (RC.CO-3)
Compliance Requirement: Restoration activities are coordinated with internal and external parties, such as coordinating centers, Internet Service Providers, owners of attacking systems, victims, other CSIRTs, and vendors.
How LogRhythm Supports Compliance: LogRhythm provides supplemental support for NIST-CSF control requirement RC.CO-3 by collecting and analyzing logs relating to recovery operations. LogRhythm reports provide evidence of recovery operation events.

INFO@LOGRHYTHM.COM
2014 LogRhythm Inc. | Whitepaper - NIST Cyber Security Framework