ARS v3.1 Compliance
Overview
ARS (Acceptable Risk Safeguards) is a compliance requirement established by the Centers for Medicare & Medicaid Services (CMS). The ARS framework sets forth minimum security requirements based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4, and the control numbering and titles used below (for example CA-9, CM-11, and SI-7) follow that revision. It encompasses a comprehensive set of security standards and controls to ensure the protection of sensitive healthcare information.
For a full list of requirements, refer to the CMS ARS v3.1 publication: https://www.cms.gov/research-statistics-data-and-systems/cms-information-technology/informationsecurity/info-security-library-items/ars-31-publication.
Logcollect for ARS v3.1 Compliance
Logcollect combines SIEM, log management, proactive threat hunting, and guided incident response to effectively meet the requirements outlined in ARS v3.1 compliance. With comprehensive monitoring, analysis, and reporting capabilities, healthcare organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents.
By leveraging Logcollect, healthcare organizations can strengthen their security posture, align with CMS information security standards, and achieve compliance with the ARS framework. This enables them to safeguard sensitive healthcare information and ensure the privacy and security of patient data.
Using Logcollect to meet ARS v3.1 Requirements
Access Control (AC)
AC 2 – Account Management
The organization manages information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts, and periodically reviews those accounts.
Logcollect collects the account management events generated by the system. Logcollect reports provide a standard, easy review of all account management activity, and Logcollect alerts can detect changes to accounts and group memberships as they occur.
AC 3 – Access Enforcement
The information system enforces assigned authorizations for controlling access to the system in accordance with applicable policy.
Logcollect collects the access events generated by the system. Logcollect reports provide an easy and independent review of access control settings and their enforcement.
AC 4 – Information Flow Enforcement
The information system enforces assigned authorizations for controlling the flow of information within the system and between interconnected systems in accordance with applicable policy.
Logcollect incorporates a bi-directional stateful firewall that enforces the flow of data based on physical or logical addressing. Logcollect can also be used to create and manage sophisticated protection rules that allow and deny appropriate connections and alert on suspicious behavior with a minimum number of rules and maximum flexibility.
AC 5 – Separation of Duties
The organization separates duties of individuals as necessary to prevent malevolent activity without collusion; documents separation of duties; and implements separation of duties through assigned information system access authorizations.
Logcollect enables role-based access control (RBAC) and delegated administration to support separation of administrative duties with respect to creating, deploying, and auditing security policy and events that violate the policies.
AC 6 – Least Privilege
The information system enforces the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks.
Logcollect incorporates a bi-directional stateful firewall that restricts network connections (ports, protocols, etc.) based on organizational policy. Logcollect enables role-based access control (RBAC) and delegated administration to support least privilege and the security response workflow. It can also be used to create and manage sophisticated protection rules that allow and deny appropriate connections and alert on suspicious behavior with a minimum number of rules and maximum flexibility. Logcollect log inspection provides the ability to monitor and alert on security events that could indicate suspicious activity. In addition, Logcollect integrity monitoring detects and raises events whenever critical OS or application files are modified (e.g. Windows system files, the hosts file, registry keys).
AC 7 – Unsuccessful Login Attempts
The information system enforces a limit of consecutive invalid access attempts by a user during a time period.
Logcollect log inspection capabilities provide the ability to monitor and alert on security events such as x failed login attempts within a y-minute window (the organization-defined values from the ARS publication), giving administrators visibility into unsuccessful login attempts per account and per source.
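The rule described above, as an added example that is not Logcollect's code and is not taken from the original page: a sliding-window detector run over constructed sshd log lines. It raises an alert when one (user, source) pair accumulates the threshold number of failures inside the window, and separately flags a success from the same pair after the threshold has tripped, since that is what a successful guess looks like. The sample lines, the regex, the assumed year (syslog timestamps carry none), and the threshold and window values are all assumptions for illustration; the real limits come from the organization's AC-7 parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines for this example (not from any real system).
SAMPLE_LOGS = """\
Mar 10 08:00:01 web01 sshd[2101]: Failed password for alice from 203.0.113.7 port 50211 ssh2
Mar 10 08:00:09 web01 sshd[2102]: Failed password for alice from 203.0.113.7 port 50212 ssh2
Mar 10 08:00:15 web01 sshd[2103]: Failed password for alice from 203.0.113.7 port 50213 ssh2
Mar 10 08:00:20 web01 sshd[2104]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
Mar 10 08:00:31 web01 sshd[2105]: Failed password for alice from 203.0.113.7 port 50214 ssh2
Mar 10 08:00:40 web01 sshd[2106]: Failed password for alice from 203.0.113.7 port 50215 ssh2
Mar 10 08:00:44 web01 sshd[2107]: Accepted password for alice from 203.0.113.7 port 50216 ssh2
Mar 10 08:12:00 web01 sshd[2108]: Failed password for bob from 192.0.2.5 port 33001 ssh2
Mar 10 08:20:00 web01 sshd[2109]: Failed password for bob from 192.0.2.5 port 33002 ssh2
"""

# Matches the standard OpenSSH password-authentication outcome lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for lines this rule ignores.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "user": m["user"], "src": m["src"],
            "failed": m["result"] == "Failed"}


def detect_failed_logins(lines, threshold=5, window=timedelta(minutes=1)):
    """AC-7 style sliding window: alert when a (user, source) pair accumulates
    `threshold` failures inside `window`; then flag a success from that pair.
    Lines are assumed to arrive in chronological order."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    tripped = set()               # pairs that already raised a threshold alert
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if not ev["failed"]:
            if key in tripped:
                alerts.append({"type": "success_after_threshold", "user": ev["user"],
                               "src": ev["src"], "at": ev["ts"].isoformat()})
                tripped.discard(key)   # a new burst after this can alert again
            recent[key].clear()        # a success resets the failure streak
            continue
        q = recent[key]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in tripped:
            tripped.add(key)
            alerts.append({"type": "failed_login_threshold", "user": ev["user"],
                           "src": ev["src"], "count": len(q),
                           "first": q[0].isoformat(), "last": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_failed_logins(SAMPLE_LOGS.splitlines()):
        print(alert)
```

Keying on (user, source) catches a brute force against one account; keying on source alone would instead catch password spraying, where one source tries a single password across many accounts, so a production rule normally runs both. The detector raises once per burst rather than on every additional failure to avoid flooding the console.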
AC 17 – Remote Access
The organization authorizes, monitors, and controls all methods of remote access to the information system.
Logcollect offers controls for securing remote access including:
- The ability to dynamically assign firewall rules based upon user location; for example, remote users are assigned more stringent firewall policies to reduce the attack surface.
- Protection against bridging attacks (wired vs. wireless).
- Enforcing usage of VPN connections for remote users.
All of the above capabilities are augmented with the IDS/IPS, integrity monitoring, and log inspection capabilities provided by Logcollect to facilitate the monitoring and control of remote access methods.
AC 18 – Wireless Access
The organization establishes usage restrictions and implementation guidance for wireless technologies; and authorizes, monitors, and controls wireless access to the information system.
Logcollect offers controls for securing wireless mobile workers including:
- The ability to dynamically assign firewall rules based upon user location; for example, remote users are assigned more stringent firewall policies to reduce the attack surface.
- Protection against bridging attacks (wired vs. wireless).
- Enforcing usage of VPN connections for remote users.
All capabilities above are augmented with standard IDS/IPS, integrity monitoring and log inspection capabilities provided by Logcollect.
AC 19 – Access Control for Mobile Devices
The organization: Establishes usage restrictions and implementation guidance for organization controlled portable and mobile devices; and authorizes, monitors, and controls device access to organizational information systems.
Logcollect entity and network definitions allow for correlation and event monitoring based on location relative to the organizational networks, to determine inbound, outbound, and local network traffic. Remote access and usage activities from mobile devices can be monitored by observation of the logs from authentication systems, security systems and production servers.
Audit and Accountability (AU)
AU 2 – Audit Events
The information system generates audit records for events.
Logcollect provides the ability to monitor and alert on important security events that could indicate suspicious activity. In addition, Logcollect will log Firewall, IDS/IPS, and Integrity Monitoring events and generate alerts based upon the security policy assigned. Alerts can be delivered via various mechanisms such as email, SNMP, as well as through the Manager interface.
AU 3 – Content of Audit Records
The information system produces audit records that contain sufficient information to establish what events occurred, the sources of the events, and the outcomes of the events.
Logcollect event logs contain very granular network information about the event, including the event type, sources of events and can even capture the complete contents of the packet. The Manager also logs all important internal system events such as administrator logins and system errors.
AU 4 – Audit Storage Capacity
The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.
Events and logs are spooled locally at each Logcollect Agent and sent to the Manager on a scheduled heartbeat. The size of the local spool is configurable, and the Manager is limited only by the disk space assigned to its database.
AU 5 – Response to Audit Processing Failures
The information system alerts appropriate organizational officials in the event of an audit processing failure and takes the following additional actions: [Assignment: organization-defined actions to be taken (e.g., shut down information system, overwrite oldest audit records, stop generating audit records)].
Logcollect has several mechanisms to respond to audit processing failures. It will alert when disk space is low or as Agents go offline. It will then overwrite the oldest logs as needed so that the most recent events are available. The Agent will enforce protection even if it cannot generate events.
AU 6 – Audit Review, Analysis, and Reporting
The organization regularly reviews and analyzes information system audit records for indications of inappropriate or unusual activity, investigates suspicious activity or suspected violations, reports findings to appropriate officials, and takes necessary actions.
Logcollect provides a number of features which assist with audit monitoring, analysis, and reporting such as customizable dashboards, alerting, and reporting. It forwards this valuable event information via syslog to a centralized log server or SIEM for further analysis.
AU 7 – Audit Reduction and Report Generation
The information system provides an audit reduction and report generation capability.
Logcollect has several out-of-box reports that can be scheduled or produced on demand. Reports can be automatically delivered via email and can be restricted based on role-based administrative access. In addition, event information can be exported for further analysis.
AU 8 – Time Stamps
The information system provides time stamps for use in audit record generation.
All Logcollect alerts and logs are time stamped.
AU 9 – Protection of Audit Information
The information system protects audit information and audit tools from unauthorized access, modification, and deletion.
The delivery of events to the Logcollect Manager is authenticated with certificates and encrypted with SSL/TLS. Data at rest in the database is password protected. Agent log inspection may also be used to forward important security events from operating system and application logs to a centralized logging server, so that a copy survives local tampering. Logcollect enables role-based access control (RBAC) and delegated administration so that audit configuration and audit data are restricted to a limited subset of privileged users.
AU 11 – Audit Record Retention
The organization retains audit records to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
Logcollect supports integration with SIEM solutions for long term archival of security event information. In addition, Logcollect can store audit logs and events for an indefinite amount of time, limited only by the available disk space of the database server. Native database tools can be used to back up and archive data as appropriate.
AU 12 – Audit Generation
The information system: provides audit record generation capability for the list of auditable events defined in AU-2; allows designated organizational personnel to select which auditable events are to be audited by specific components of the system; and, generates audit records for the list of audited events defined in AU-2 with the content as defined in AU-3.
Logcollect event logs contain granular network information about each event, including the event type and source, and can capture the complete contents of the packet, satisfying the content requirements of AU-3. The Manager also logs its own internal events such as administrator logins and system errors. Role-based access control (RBAC) and delegated administration restrict the selection of which events are audited to a limited subset of privileged users. Events can be retained indefinitely, limited only by the disk space of the database server, archived with native database tools, or forwarded to a SIEM for long-term archival.
Security Assessment and Authorization (CA)
CA 2 – Security Assessments
The organization assesses the security controls in the information system periodically to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
Logcollect log analysis and reporting capabilities can be leveraged during a security assessment to help ensure implemented controls are functioning as intended and to potentially identify any weaknesses.
CA 7 – Continuous Monitoring
The organization monitors the security controls in the information system on an ongoing basis.
Logcollect monitoring, analysis, and reporting capabilities provide for continuous monitoring of specific controls across the IT infrastructure. For instance, Logcollect alerts can detect the use of restricted accounts.
CA 9 – Internal System Interconnections
The organization authorizes all connections from the information system to other information systems outside of the accreditation boundary through the use of system connection agreements and monitors/controls the system connections on an ongoing basis.
Logcollect can collect network device logs, and its network connection monitoring feature identifies the network connections that are established. Logcollect's analysis and reporting capabilities can be used to review network activity and confirm that only authorized communications occur, and Logcollect alerts can detect unauthorized communications.
Configuration Management (CM)
CM 5 – Access Restrictions for Change
The organization:
- Approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and
- Generates, retains, and reviews records reflecting all such changes.
Logcollect collects all access activity and changes to access controls. Logcollect reports provide easy and independent review of access control settings and enforcement.
CM 6 – Configuration Settings
The organization: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Logcollect collects and analyzes all configuration change logs and provides alerting on configuration and policy changes on critical systems. Logcollect investigations, reports, and details provide evidence of configuration and policy changes.
CM 11 – User Installed Software
The organization enforces explicit rules governing the installation of software by users.
Logcollect monitoring, analysis, and reporting capabilities provide continuous monitoring across the IT infrastructure. Software installation events recorded in the operating system and application logs Logcollect collects can be reported on and alerted on, and Logcollect alerts can detect the use of restricted accounts to perform installations.
Identification and Authentication (IA)
IA 2 – Identification and Authentication (Organizational Users)
The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users).
Logcollect provides support for NIST SP 800-53 control requirement IA-2 by collecting and analyzing all authentication logs. Logcollect provides alerting on authentication failures. Logcollect investigations, reports, and details provide evidence of all account authentication activity.
IA 3 – Device Identification and Authentication
The information system uniquely identifies and authenticates organization-defined devices before establishing a connection.
Logcollect provides support for control requirement IA-3 by collecting and analyzing all authentication logs. Logcollect provides alerting on vendor default account authentications. Logcollect investigations, reports, and details provide evidence of all account authentication activity, including activity from vendor default accounts.
IA 8 – Identification and Authentication (Non-Organizational Users)
The information system uniquely identifies and authenticates non-organizational users (or processes acting on behalf of non-organizational users).
Logcollect provides support for control requirement IA-8 by collecting and analyzing all authentication logs. Logcollect provides alerting on vendor or third-party account authentication failures. Logcollect investigations, reports, and details provide evidence of all account authentication activity, including activity from vendor or third-party accounts.
Incident Response (IR)
IR 4 – Incident Handling
The organization implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery.
Logcollect provides support for control requirement IR-4 by detecting and notifying individuals of activity that may constitute an incident. Logcollect's analysis capabilities, including correlation, pattern recognition, and behavioral analysis, provide quick analysis of the activity to determine whether an incident has occurred. Logcollect's integrated knowledge base provides information useful in responding to and resolving the incident.
IR 5 – Incident Monitoring
The organization tracks and documents information system security incidents.
Logcollect provides direct support for control requirements IR-5 by providing security incident tracking and documentation through the Logcollect management interface.
IR 6 – Incident Reporting
The organization promptly reports incident information to appropriate authorities.
Logcollect notification capabilities can route alerts to the appropriate individual based on group membership or relationship to the impacted system. Logcollect reports provide summary and detail level reporting of incident based alerts.
IR 7 – Incident Response Assistance
The organization provides an incident response support resource that offers advice and assistance to users of the information system for the handling and reporting of security incidents. The support resource is an integral part of the organization’s incident response capability.
Logcollect integrated knowledge base provides information useful in responding to and resolving incidents.
Maintenance (MA)
MA 2 – Controlled Maintenance
The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions.
Logcollect provides support for NIST SP 800-53 control requirement MA-2 by collecting and analyzing all error logs. Logcollect provides alerting on critical maintenance errors. Logcollect investigations, reports, and details provide evidence of critical errors, process shutdowns, and system shutdowns that occur after maintenance.
MA 4 – Non-Local Maintenance
The organization authorizes, monitors, and controls any remotely executed maintenance and diagnostic activities, if employed.
Logcollect can identify maintenance related activity for analysis and/or reporting. Logcollect reports provide easy review of remotely executed maintenance activity.
MA 5 – Maintenance Personnel
The organization allows only authorized personnel to perform maintenance on the information system.
Logcollect can identify maintenance related activity for analysis and/or reporting. Logcollect reports provide easy review of maintenance activity.
Media Protection (MP)
MP 2 – Media Access
The organization restricts access to organization defined types of digital and non-digital media to organization-defined list of authorized individuals using organization-defined security measures.
Logcollect provides support for control requirement MP-2 through the Logcollect Windows System Monitor feature. Logcollect monitors and logs the connection and disconnection of external data devices to the host where the Agent is running, and also monitors and logs the transmission of files to an external storage device. Logcollect can be configured to protect against external data device connections by ejecting specified devices upon detection. External storage devices include USB flash drives and CD/DVD drives.
Physical and Environmental Protection (PE)
PE 3 – Physical Access Control
The organization enforces physical access authorizations at entry and exit points to the facility, verifying individual access authorizations before granting access, and maintains physical access audit logs.
Logcollect provides support for control requirement PE-3 by collecting log messages from physical access devices (e.g. card-key readers) at all physical access points. Logcollect provides alerting on suspicious physical access. Logcollect investigations, reports, and details provide evidence of physical access failures and successes.
PE 5 – Access Control for Output Devices
The organization controls physical access to information system output devices to prevent unauthorized individuals from obtaining the output.
Logcollect provides support for NIST SP 800-53 control requirement PE-5 through the same Windows System Monitor feature described under MP-2. Logcollect monitors and logs the connection and disconnection of external data devices to the host where the Agent is running, and also monitors and logs the transmission of files to an external storage device. Logcollect can be configured to protect against external data device connections by ejecting specified devices upon detection. External storage devices include USB flash drives and CD/DVD drives.
Personnel Security (PS)
PS 4 – Personnel Termination
The organization, upon termination of individual employment, terminates information system access, conducts exit interviews, retrieves all organizational information system related property, and provides appropriate personnel with access to official records created by the terminated employee that are stored on organizational information systems.
Logcollect reports provide an easy review of terminated personnel to ensure their access rights have been removed. Logcollect alerts can detect use of accounts that should have been disabled at termination.
PS 5 – Personnel Transfer
The organization reviews information systems/facilities access authorizations when personnel are reassigned or transferred to other positions within the organization and initiates appropriate actions.
Logcollect reports provide easy review of transferred personnel to ensure access rights have been terminated and/or appropriately modified.
Risk Assessment (RA)
RA 5 – Vulnerability Scanning
The organization scans for vulnerabilities in the information system and hosted applications, both periodically and when new vulnerabilities potentially affecting the system or applications are identified and reported, and analyzes vulnerability scan reports and results from security control assessments.
Logcollect provides support for control requirement RA-5 by collecting vulnerability detection log messages. Logcollect provides alerting on high-risk vulnerabilities. Logcollect investigations, reports, and details provide evidence of security vulnerabilities reported by vulnerability detection systems.
System and Communications Protection (SC)
SC 5 – Denial of Service Protection
The information system protects against or limits the effects of the following types of denial of service attacks (organization-defined list of types of denial of service attacks or reference to source for current list).
Logcollect provides support for control requirement SC-5 by providing central collection and monitoring of security log messages. Logcollect provides alerting on security events such as connection-rate or traffic-volume anomalies that depart from the environment's normal behavior. Logcollect investigations, reports, and details provide evidence of those events.
SC 7 – Boundary Protection
The information system monitors and controls communications at the external boundary of the information system and at key internal boundaries within the system.
Logcollect can collect boundary device logs from routers, firewalls, VPN servers, etc. Logcollect can alert on unauthorized or suspicious activity. Logcollect reports provide a consolidated review of internal/external boundary activity and threats.
SC 15 – Collaborative Computing Devices
The information system prohibits remote activation of collaborative computing mechanisms and provides an explicit indication of use to the local users.
Logcollect can identify, report, and/or alert on the initiation of specific collaborative computing activity.
SC 18 – Mobile Code
The organization: Establishes usage restrictions and implementation guidance for mobile code technologies based on the potential to cause damage to the information system if used maliciously. Authorizes, monitors, and controls the use of mobile code within the information system.
Logcollect can identify, report, and/or alert on specific mobile code activity.
SC 23 – Session Authenticity
The information system protects the authenticity of communications sessions.
Logcollect collects and analyzes logs for indicators of man-in-the-middle attacks, session hijacking, and the insertion of false information into sessions.
SC 28 – Protection of Information at Rest
The information system protects the confidentiality and integrity of information at rest.
Logcollect provides supplemental support for control requirement SC-28 by providing details of changes to information at rest. Logcollect can be configured to monitor system file or directory activity, deletions, modification, and permission changes.
System and Information Integrity (SI)
SI 2 – Flaw Remediation
The organization identifies, reports, and corrects information system flaws.
Logcollect complements secure coding initiatives with strong detection and prevention of attacks against technical flaws and vulnerabilities:
- Detection: Even if an application is not susceptible to a specific attack, it is important to identify attackers before they find other potential vulnerabilities.
- Protection: Logcollect shields web application vulnerabilities, preventing security breaches until the underlying flaws can be addressed. Logcollect systematically monitors a wide range of vulnerability research sources to identify new threats and deliver updated security rules to customers. The deployment of new security rules can be completely automated so that downloading and installing new security rules on the appropriate systems occurs without administrative intervention. Logcollect also supports scheduled automatic scans of host systems (one time only, daily, weekly, and so forth) that recommend the appropriate security rules to protect those hosts.
SI 3 – Malicious Code Protection
The information system implements malicious code protection.
Logcollect detects and prevents attacks that target data and applications, including activity from malicious code. Logcollect alerts personnel the moment an attack has been attempted and provides detailed logging of the event for audit purposes. For commercial applications that contain known vulnerabilities targeted by malicious code, Logcollect virtual patching capabilities protect systems and data until vendor patches can be deployed.
Logcollect systematically monitors a wide range of vulnerability research sources to identify new threats and deliver updated security rules to customers. The deployment of new security rules can be completely automated so that downloading and installing new security rules on the appropriate systems occurs without administrative intervention. Logcollect also supports scheduled automatic scans of host systems (one time only, daily, weekly, and so forth) that recommend the appropriate security rules to protect those hosts. Web application protection rules defend against SQL injection, cross-site scripting, and other web application vulnerabilities, and shield these vulnerabilities until code fixes can be completed.
SI 4 – Information System Monitoring
The organization employs tools and techniques to monitor events on the information system, detect attacks, and provide identification of unauthorized use of the system.
Logcollect collects and analyzes operating system and application logs for security events. Log Inspection rules optimize the identification of important security events buried in multiple log entries. These events are forwarded to a security information and event management (SIEM) system or centralized logging server for correlation, reporting and archiving. Reports can be scheduled to run automatically and alerts can be delivered via SNMP or email, in addition to visibility from the Logcollect console.
SI 5 – Security Alerts, Advisories, and Directives
The organization receives, generates, and disseminates security alerts and implements security directives in accordance with established time frames.
Logcollect provides alerts that are integral to a security incident response plan, and because it can prevent attacks as well, it reduces the number of incidents requiring a response. Integration with leading SIEM vendors enables a consolidated view of security incidents. Logcollect monitors the integrity of critical system and application files such as executables, configuration and parameter files, and log and audit files, with alerting, dashboards, and reporting on the events created. Logcollect also collects important security events from operating system and application log files and can forward all events, or only the relevant ones, to centralized logging servers or SIEMs via syslog in real time, in addition to sending them to the Logcollect Manager.
SI 6 – Security Function Verification
The information system verifies the correct operation of security functions and notifies designated personnel when anomalies are discovered.
Logcollect monitors its Agents to ensure they remain in constant communication with the Manager and raises an alert if an Agent stops communicating for any reason.
SI 7 – Software, Firmware, and Information Integrity
The information system detects and protects against unauthorized changes to software and information.
Logcollect's change audit module monitors critical operating system files, registry keys and values, and application files for changes and generates alerts on detected changes. These events are sent to the Logcollect Manager, which supports dashboards, alerts, and reporting, and can also be forwarded to a SIEM for additional correlation and analysis.
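The baseline-and-compare approach behind the integrity monitoring referenced here, under SC 28, and under AC 6, as an added example that is not Logcollect's code and is not part of the original page: hash every regular file under a directory, diff a later snapshot into added, removed, modified, and permission-changed entries, and HMAC the stored baseline so that tampering with the baseline itself is detected rather than silently trusted. The file names, the simulated changes, and the HMAC key are invented for the demo; in practice the key and the sealed baseline live off the monitored host.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Snapshot every regular file under `root`: content hash, permission bits, size."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_symlink() or not p.is_file():
            continue  # symlinks are skipped so a link cannot stand in for its target
        st = p.stat()
        baseline[p.relative_to(root).as_posix()] = {
            "sha256": sha256_file(p),
            "mode": oct(st.st_mode & 0o7777),
            "size": st.st_size,
        }
    return baseline


def compare_baselines(old, new):
    """Classify differences the way a change-audit alert would report them."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in common if old[k]["sha256"] != new[k]["sha256"]),
        "mode_changed": sorted(k for k in common if old[k]["mode"] != new[k]["mode"]),
    }


def seal_baseline(baseline, key):
    """HMAC the serialized baseline so a tampered baseline is itself detectable."""
    body = json.dumps(baseline, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"baseline": body, "hmac": tag}


def open_sealed_baseline(sealed, key):
    """Refuse to use a baseline whose HMAC does not verify (constant-time compare)."""
    expected = hmac.new(key, sealed["baseline"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["hmac"]):
        raise ValueError("baseline integrity check failed")
    return json.loads(sealed["baseline"])


def run_demo():
    """Build a tiny invented tree in a temp dir, baseline it, then simulate changes."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"\x00\x01\x02")
        key = b"example-hmac-key"  # assumption: a secret held off the monitored host
        sealed = seal_baseline(build_baseline(root), key)

        # Simulated changes: hosts file edited, service binary removed, new file dropped
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n198.51.100.1 update.example\n")
        (root / "bin" / "svc.exe").unlink()
        (root / "bin" / "dropper.dll").write_bytes(b"MZ")
        report = compare_baselines(open_sealed_baseline(sealed, key), build_baseline(root))

        # Simulated baseline tampering: the stored hash list is edited in place
        tampered = dict(sealed, baseline=sealed["baseline"].replace("etc/hosts", "etc/hostz"))
        try:
            open_sealed_baseline(tampered, key)
            tamper_detected = False
        except ValueError:
            tamper_detected = True
    return {"report": report, "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Hashing content rather than trusting modification times matters because an attacker who can write a file can usually also reset its timestamp; the permission-bit check covers the case where content is untouched but a file is made world-writable or setuid. Registry keys and values, which the page also names, would be snapshotted the same way with their data in place of file contents.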
SI 8 – Spam Protection
The organization employs spam protection mechanisms at information system entry and exit points and at workstations, servers, or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses, or other common means.
Logcollect provides support for control requirement SI-8 by collecting and analyzing spam protection logs. Logcollect investigations, reports, and details provide evidence of spam protection activity.
SI 11 – Error Handling
The information system identifies potentially security-relevant error conditions.
Logcollect provides support for control requirement SI-11 by collecting and analyzing all error logs. Logcollect provides alerting on security-related critical errors. Logcollect investigations, reports, and details provide evidence of security-related errors, process shutdowns, and system shutdowns.
SI 12 – Information Handling and Retention
The organization handles and retains information within the information system and information output from the system in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
Logcollect completely automates the process and requirement of collecting and retaining audit logs. Logcollect retains logs in compressed archive files, easy-to-manage, long-term storage. Log archives can be restored quickly and easily months or years later in support of after-the-fact investigations.
