SANS CAG Compliance
Overview
The Consensus Audit Guidelines (CAG), also known as the 20 Critical Security Controls for Effective Cyber Defense, are a prioritized set of defensive actions aimed at the attack techniques observed most often in practice. The guidelines were developed by a consortium of government and industry practitioners coordinated by the SANS Institute and are now maintained by the Center for Internet Security (CIS) as the CIS Critical Security Controls. They focus on essential safeguards and best practices to ensure the confidentiality, integrity, and availability of critical system resources. The CAG is independent of regulatory compliance requirements and advocates an "offense must inform defense" approach to cybersecurity: defensive priorities are set from knowledge of how real attacks are carried out.
Logcollect for SANS CAG Compliance
Logcollect combines SIEM, log management, proactive threat hunting, and guided incident response to effectively meet the requirements outlined in SANS CAG compliance. With comprehensive monitoring, analysis, and reporting capabilities organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents.
By leveraging Logcollect’s capabilities, organizations can effectively address the control objectives outlined in the SANS CAG, bolstering their cybersecurity defenses and ensuring compliance with industry-leading security standards.
Using Logcollect to meet SANS CAG Requirements
CSC 1: Inventory of Authorized and Unauthorized Devices
Actively manage (inventory, track, and correct) all hardware devices on the network so that only authorized devices are given access, and unauthorized and unmanaged devices are found and prevented from gaining access.
Logcollect can import from asset databases, and correlate actual devices present on the network against lists of approved devices. Logcollect can also collect logs from DHCP servers to help detect unknown or unauthorized systems.
Logcollect supports the Control 1 Metric by identifying new unauthorized devices being connected to the network in near real time (for example via DHCP logs).
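The correlation described above, as an added example (this is illustrative code, not Logcollect's own): ISC dhcpd syslog lines are parsed, only DHCPACK events (leases actually granted) are considered, MAC addresses are normalized so that colon- and hyphen-separated spellings compare equal, and any MAC not present in the approved-device inventory is reported once, with the time and interface at which it first obtained a lease. The log lines and the inventory are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed ISC dhcpd syslog lines (sample data, not a real capture).
SAMPLE_DHCP_LOG = """\
Jun 12 10:01:02 dhcp1 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 via eth0
Jun 12 10:01:02 dhcp1 dhcpd: DHCPOFFER on 10.0.1.23 to 00:11:22:33:44:55 (host-a) via eth0
Jun 12 10:01:03 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to 00:11:22:33:44:55 (host-a) via eth0
Jun 12 10:05:44 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to AA-BB-CC-DD-EE-FF (unknown-laptop) via eth0
Jun 12 10:06:10 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to aa:bb:cc:dd:ee:ff (unknown-laptop) via eth0
Jun 12 10:09:31 dhcp1 dhcpd: DHCPACK on 10.0.2.5 to 00:11:22:33:44:66 via eth1
"""

# Constructed approved-device inventory (what an asset-database export would
# provide), keyed by MAC in the normalized form produced by normalize_mac().
APPROVED_DEVICES = {
    "00:11:22:33:44:55": "host-a (asset 1001)",
    "00:11:22:33:44:66": "printer-2 (asset 1002)",
}

# Only DHCPACK lines mean a lease was actually handed out; DISCOVER/OFFER are
# ignored so a client that was never given an address is not reported as joined.
DHCPACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ dhcpd: DHCPACK on (?P<ip>[\d.]+) "
    r"to (?P<mac>[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)$"
)


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so '-' and ':' spellings compare equal."""
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class UnauthorizedDevice:
    mac: str
    first_ip: str
    hostname: str
    first_seen: str
    interface: str


def find_unauthorized_devices(log_text: str, inventory: dict) -> list:
    """Return one record per MAC that obtained a lease but is not in the inventory."""
    first_seen = {}
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue
        mac = normalize_mac(m["mac"])
        if mac in inventory or mac in first_seen:
            continue  # authorized, or already reported (one alert per device)
        first_seen[mac] = UnauthorizedDevice(
            mac=mac,
            first_ip=m["ip"],
            hostname=m["host"] or "",
            first_seen=m["ts"],
            interface=m["iface"],
        )
    return list(first_seen.values())


if __name__ == "__main__":
    for dev in find_unauthorized_devices(SAMPLE_DHCP_LOG, APPROVED_DEVICES):
        print(f"UNAUTHORIZED DEVICE {dev.mac} ({dev.hostname or 'no hostname'}) "
              f"got {dev.first_ip} on {dev.interface} at {dev.first_seen}")
```

Two caveats a practitioner would add: a MAC address is trivially spoofed, so a match against the inventory proves only that the client claims to be an approved device, and a host with a static address never appears in DHCP logs at all. DHCP correlation should therefore be one input alongside switch port, ARP or NAC data rather than the sole source of the device inventory.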
CSC 2: Inventory of Authorized and Unauthorized Software
Actively manage (inventory, track, and correct) all software on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.
Logcollect monitors for the installation or execution of software. Logcollect can also build and maintain dynamic lists of approved software, based on the software observed running in the environment.
Logcollect supports the Control 2 Metric by identifying attempts to install authorized or unauthorized software (for example via Windows application logs or the Application Monitoring feature), and by identifying attempts to execute unauthorized software (by monitoring process start-ups).
CSC 3: Continuous Vulnerability Assessment and Remediation
Continuously acquire, assess, and take action on new information in order to identify vulnerabilities, remediate, and minimize the window of opportunity for attackers.
Logcollect collects logs from vulnerability scanners. It is able to correlate event logs with data from vulnerability scans. Logcollect can monitor the use of the account that was used to perform the vulnerability scan.
Logcollect supports the Control 3 Metric by collecting logs and data from vulnerability scans. This enables Logcollect to correlate both the data from the scan and the logs about the scan, providing the basis to report on the progress of the vulnerability scan and on any devices where the scan did not take place. Logcollect can also collect logs relating to patch installation, and can trigger an alert based on successful completion.
CSC 4: Controlled Use of Administrative Privileges
The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications.
Logcollect collects logs from almost any device and can monitor the use of default, generic, service and other privileged accounts.
Logcollect supports the Control 4 Metric by collecting logs on administrative activities from across the infrastructure. Logcollect offers out-of-the-box Privileged User Monitoring, which simplifies the task of tracking and monitoring accounts with elevated privileges and automates a number of tasks that are generally done manually.
Logcollect can be used in combination with multiple operating systems (various Linux distributions, Windows, Solaris, etc.) in addition to MS Exchange Server 2007 and 2010. Logcollect's ability to correlate data across multiple applications and devices simultaneously strengthens privileged user monitoring and exposes suspicious activity performed by administrative accounts.
CSC 5: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Establish, implement, and actively manage (track, report on, correct) the security configuration of laptops, servers, and workstations using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Logcollect monitors the use of privileged or generic accounts, the startup of services, the use of ports, and the application of patches. Logcollect can also detect changes to key files through its Change Audit feature.
Logcollect supports the Control 5 Metric by identifying changes to key files, services, ports, configuration files, or software installed on the system.
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
Collect, manage, and analyze audit logs of events that could help detect, understand, or recover from an attack.
Logcollect provides a comprehensive platform for the maintenance, monitoring and analysis of audit logs. Logcollect supports the Control 6 Metric by collecting all events from across the network.
Logcollect performs extensive processing of every log that is collected, assigning a common event and establishing a risk based priority for each log.
Logcollect's patented real-time analytics technology can baseline the behavior of users, hosts and data from across the network. Once a baseline is established, abnormal behavior can be detected and alerted on.
CSC 7: Email and Web Browser Protections
Minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.
Logcollect can collect logs from email and web-content filtering tools. Logcollect is tightly integrated with MS Exchange, Office 365 and many more.
CSC 8: Malware Defenses
Control the installation, spread, and execution of malicious code at multiple points in the enterprise, while optimizing the use of automation to enable rapid updating of defense, data gathering, and corrective action.
Logcollect collects logs from malware detection tools and correlates those logs with other data collected in real time to reduce false positives and detect blended threats. Logcollect can also collect logs from email and web-content filtering tools. Via its advanced agent, Logcollect can detect and report data copied to removable storage devices.
Logcollect is tightly integrated with industry leading security vendors including FireEye, Fortinet and Palo Alto, among many others. Logcollect supports the Control 8 Metric by continually collecting and monitoring logs from a wide variety of malware detection tools, in addition to its own agent technology.
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
Manage (track/control/correct) the ongoing operational use of ports, protocols, and services on networked devices in order to minimize windows of vulnerability available to attackers.
By collecting the results of port scanners, Logcollect is able to report the open ports found across the network.
Logcollect can also collect logs on protocols in use and services starting up on individual devices. Logcollect supports the Control 9 Metric by collecting logs from across the environment and baselining the behavior patterns observed over a period of time. Using this baseline, deviations from normal or expected behavior can be detected and alerts generated.
CSC 10: Data Recovery Capability
The processes and tools used to properly back up critical information with a proven methodology for timely recovery of it.
Logcollect collects logs from Windows and other backup systems. Logcollect can detect backups that did not successfully complete, or backups that did not start.
CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Establish, implement, and actively manage (track, report on, correct) the security configuration of network infrastructure devices using a rigorous configuration management and change control process in order to prevent attackers from exploiting vulnerable services and settings.
Logcollect collects logs from any network device that generates syslog or SNMP.
Logcollect supports the Control 11 Metric by collecting logs from network devices and correlating changes against a change control system to identify and alert on any unauthorized changes.
CSC 12: Boundary Defense
Detect/prevent/correct the flow of information transferring between networks of different trust levels, with a focus on security-damaging data.
Logcollect collects logs from a wide variety of boundary defense devices for correlation or compliance purposes.
Logcollect supports the Control 12 Metric by collecting logs from boundary defense devices.
Logcollect can build trends of data flows based on observed behavior and alert on deviations from normal behavior. By understanding the internal network infrastructure, internal and external context can be added to alerts, helping identify unexpected traffic flows such as a website in the DMZ communicating directly with a SQL database, rather than communicating via the application layer.
Logcollect also offers out-of-the-box support for third party threat lists and custom IP address blacklists, and can alert in real-time when connections are made to any blacklisted IP address or host.
CSC 13: Data Protection
The processes and tools used to prevent data exfiltration, mitigate the effects of exfiltrated data, and ensure the privacy and integrity of sensitive information.
Logcollect collects logs from both endpoints and network perimeter devices in order to assist in the detection of data loss incidents.
Logcollect supports the Control 13 Metric by collecting logs from endpoints, authentication systems, boundary defense devices, proxies and email servers, amongst others. Logcollect's patented real-time analytics technology establishes baselines of behavior and is able to detect abnormal activity in real time.
CSC 14: Controlled Access Based on the Need to Know
The processes and tools used to track / control / prevent/correct secure access to critical assets (e.g., information, resources, systems) according to the formal determination of which persons, computers, and applications have a need and right to access these critical assets based on an approved classification.
Logcollect collects audit logs from across the network. Fully integrated Change Auditing capabilities monitor for and alert on a variety of malicious behaviors, ranging from improper user access to confidential files, to botnet-related breaches and the transmittal of sensitive data.
Logcollect supports the Control 14 Metric by collecting logs of all attempts by users to access files on local systems or network accessible file shares without the appropriate privileges. Logcollect Change Audit can also be used to establish a baseline of normal behavior against a file or file set, and can alert on deviations from that behavioral baseline.
CSC 15: Wireless Access Control
The processes and tools used to track/control/prevent/correct the secure use of wireless local area networks (LANs), access points, and wireless client systems.
Logcollect collects logs from a variety of wireless devices and management systems. In conjunction with logs collected from DHCP servers, wireless clients may be detected when connecting to the organization’s network.
Logcollect supports the Control 15 Metric by collecting logs from wireless devices, wireless management systems, and DHCP. Real-time correlation of these logs enables the identification of unauthorized wireless devices or configurations.
CSC 16: Account Monitoring and Control
Actively manage the life cycle of system and application accounts (their creation, use, dormancy, and deletion) in order to minimize opportunities for attackers to leverage them.
Logcollect collects audit logs from across the network for both local and network accounts. Logcollect supports the Control 16 Metric by collecting logs of all user activity and correlating this with lists of privileged, generic and service accounts, and also with lists of accounts for users that are terminated. Using Change Audit, lists can be automatically maintained when changes take place in the environment. Logcollect can alert when the use of terminated accounts is observed, and offers extensive reporting capabilities in this area.
Logcollect can also establish baselines of normal account behavior. For example, Logcollect can track which servers a user normally connects to, and alert on a deviation from that norm.
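The two checks described for Control 16, correlating logons against a terminated-accounts list and alerting when a user connects to a server outside their normal set, as an added example (illustrative code, not Logcollect's own). The records are constructed in the shape of parsed Windows Security 4624 logon events; the terminated and service account lists stand in for what would be fed from HR or the directory. The example also adds a third check the page mentions only in general terms: a service account performing an interactive (type 2) or RDP (type 10) logon, which a service account should never do.

```python
from collections import defaultdict

# Constructed logon records in the shape of parsed Windows Security 4624 events:
# (timestamp, account, target host, logon type). Not real data.
# Logon types: 2 = Interactive, 3 = Network, 5 = Service, 10 = RemoteInteractive.
BASELINE_LOGONS = [
    ("2023-06-01T08:02:11", "asmith", "FILESRV01", 3),
    ("2023-06-01T08:15:40", "asmith", "APPSRV02", 3),
    ("2023-06-02T09:01:03", "asmith", "FILESRV01", 3),
    ("2023-06-01T07:55:00", "jdoe", "FILESRV01", 3),
    ("2023-06-03T17:20:30", "svc_backup", "FILESRV01", 5),
]
NEW_LOGONS = [
    ("2023-06-10T08:03:00", "asmith", "FILESRV01", 3),      # within baseline
    ("2023-06-10T23:41:12", "asmith", "DC01", 3),           # never seen this host before
    ("2023-06-11T02:10:45", "jdoe", "APPSRV02", 3),         # account of a terminated user
    ("2023-06-11T09:00:00", "svc_backup", "FILESRV01", 5),  # normal service logon
    ("2023-06-11T09:30:00", "svc_backup", "WS-ASMITH", 2),  # service account used interactively
    ("2023-06-11T10:00:00", "newhire", "FILESRV01", 3),     # no baseline yet: nothing to compare
]

# Constructed lists, standing in for feeds from HR / the directory.
TERMINATED_ACCOUNTS = {"jdoe"}
SERVICE_ACCOUNTS = {"svc_backup"}
INTERACTIVE_LOGON_TYPES = {2, 10}


def build_baseline(logons) -> dict:
    """Map each account to the set of target hosts it logged on to during the baseline window."""
    baseline = defaultdict(set)
    for _ts, user, host, _logon_type in logons:
        baseline[user].add(host)
    return dict(baseline)


def evaluate_logons(logons, baseline, terminated, service_accounts) -> list:
    """Return (alert kind, account, host, timestamp) tuples for each suspicious logon."""
    alerts = []
    for ts, user, host, logon_type in logons:
        if user in terminated:
            # Any use of a terminated account is an alert in itself; no need to
            # also compare it against a baseline that should no longer apply.
            alerts.append(("terminated-account-use", user, host, ts))
            continue
        if user in service_accounts and logon_type in INTERACTIVE_LOGON_TYPES:
            alerts.append(("service-account-interactive-logon", user, host, ts))
        # Accounts with no baseline (new hires) are skipped here; in practice they
        # are queued to build a baseline rather than alerted on.
        if user in baseline and host not in baseline[user]:
            alerts.append(("new-target-host", user, host, ts))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOGONS)
    for kind, user, host, ts in evaluate_logons(
        NEW_LOGONS, baseline, TERMINATED_ACCOUNTS, SERVICE_ACCOUNTS
    ):
        print(f"{ts} {kind}: {user} -> {host}")
```

The baseline here is a plain set of hosts per account; a production baseline would also be time-bounded (hosts seen in the last N days) and would age out hosts that an account has stopped using, otherwise the baseline only grows and the check weakens over time.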
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
For all functional roles in the organization (prioritizing those mission-critical to the business and its security), identify the specific knowledge, skills, and abilities needed to support defense of the enterprise; develop and execute an integrated plan to assess, identify gaps, and remediate through policy, organizational planning, training, and awareness programs.
SANS Control 17 is policy-based and focuses on skills and training. Logcollect is able to monitor user compliance with policy and send alerts in real time when credentials are used in an abnormal manner. Since all user activity is logged and collected, correlation and reporting are effective methods for monitoring the adherence to policy.
CSC 18: Application Software Security
Manage the security life cycle of all in-house developed and acquired software in order to prevent, detect, and correct security weaknesses.
Logcollect collects logs from web application firewalls and from vulnerability scanners.
Logcollect supports the Control 18 Metric through its ability to correlate across various application and device logs at once. It is especially well positioned to create meaningful, relevant alerts around suspicious web log data. Logcollect provides out-of-the-box alerts for detecting suspicious URL characters and malicious user agent strings, in addition to automatically populating an "attacking IPs list." This list enables reporting on the source IPs that are attacking the web applications.
Logcollect collects logs from WAFs and IDS/IPS systems, in addition to vulnerability scanners. All security event logs are correlated in real time.
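The web-log detections described for Control 18 (suspicious URL characters, malicious user agent strings, and an attacking-IP list built from the hits), as an added example rather than Logcollect's own rules. It parses Apache/Nginx combined-format access log lines, percent-decodes the request (repeatedly, so a double-encoded payload is still inspected), matches a small set of traversal, SQL injection and XSS indicators plus scanner user agents, and counts hits per source IP. The log lines are constructed sample data, and the indicator lists are deliberately short illustrations, not a complete rule set.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Apache/Nginx "combined" access log format.
ACCESS_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Indicators applied to the percent-decoded request path and query string.
# Illustrative only; a real rule set is far larger and tuned per application.
SUSPICIOUS_URL_PATTERNS = [
    ("path traversal", re.compile(r"\.\./")),
    ("sql injection", re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+\S+\s*=\s*\S+|--\s*$)")),
    ("xss", re.compile(r"(?i)<script|javascript:")),
    ("null byte", re.compile("\x00")),
]

# Lower-cased substrings of User-Agent headers sent by common attack tools.
MALICIOUS_USER_AGENTS = ("sqlmap", "nikto", "masscan", "nmap scripting engine", "dirbuster")

# Constructed sample access log (documentation IP ranges, not real traffic).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [12/Jun/2023:10:01:02 +0000] "GET /index.php?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.9 - - [12/Jun/2023:10:01:05 +0000] "GET /index.php?id=1%27%20OR%201%3D1 HTTP/1.1" 200 4096 "-" "sqlmap/1.7"
198.51.100.9 - - [12/Jun/2023:10:01:06 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 0 "-" "sqlmap/1.7"
192.0.2.44 - - [12/Jun/2023:10:02:11 +0000] "GET /static/..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.5 - - [12/Jun/2023:10:03:00 +0000] "POST /login HTTP/1.1" 302 0 "https://example.test/" "Mozilla/5.0 (Windows NT 10.0)"
"""


def decode_url(path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so double-encoded payloads are inspected too."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def inspect_request(path: str, user_agent: str) -> list:
    """Return the list of indicator names that fire for one request; empty if clean."""
    reasons = []
    decoded = decode_url(path)
    for name, pattern in SUSPICIOUS_URL_PATTERNS:
        if pattern.search(decoded):
            reasons.append(name)
    ua = user_agent.lower()
    for marker in MALICIOUS_USER_AGENTS:
        if marker in ua:
            reasons.append(f"malicious user agent: {marker}")
    return reasons


def analyze_access_log(log_text: str):
    """Return (findings, attacking_ips): one finding per suspicious line, hits counted per IP."""
    findings = []
    attacking_ips = Counter()
    for line in log_text.splitlines():
        m = ACCESS_LOG_RE.match(line)
        if not m:
            continue  # unparseable line; in production these are counted separately
        reasons = inspect_request(m["path"], m["ua"])
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"], "reasons": reasons})
            attacking_ips[m["ip"]] += 1
    return findings, attacking_ips


if __name__ == "__main__":
    findings, attackers = analyze_access_log(SAMPLE_ACCESS_LOG)
    for f in findings:
        print(f"{f['ts']} {f['ip']} {f['path']} -> {', '.join(f['reasons'])}")
    print("attacking IPs:", dict(attackers))
```

The decoded form is what gets matched because the raw line in the log is still encoded; matching on the raw string would miss the `%27` quote and `%2F` slashes in the sample. An attacking-IP list built this way is a reporting aid, not a block list: a single scanner hit from a shared NAT or cloud egress address says little on its own, so a practitioner would gate any automated blocking on a threshold of hits over time rather than on the first match.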
CSC 19: Incident Response and Management
Protect the organization's information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g., plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker's presence, and restoring the integrity of the network and systems.
SANS Control 19 is policy-based and focuses on having a clear Incident Response policy. Logcollect has an integrated incident management capability, providing real-time updates on an incident’s status (i.e., working, closed, etc.). Status and commentary can be attached to each alert and progress reports can be generated on demand.
CSC 20: Penetration Tests and Red Team Exercises
Test the overall strength of an organization’s defenses (the technology, the processes, and the people) by simulating the objectives and actions of an attacker.
Logcollect collects logs from across the environment. It is a valuable monitoring tool during any penetration test, or red team exercise.
Logcollect enables the accounts used in the penetration test to be monitored automatically, so that any use outside the agreed scope of the test is visible. Logcollect also enables the detection of unusual behavior and may be used to detect the attempts to exploit the enterprise systems during penetration testing, which in turn measures how much of the exercise the existing monitoring would have caught.
