Association à but non lucratif enregistrée à la<br/>
Sous-préfecture de Grasse (06) N° w061004871<br/>
</div>
<br/>
@@ -91,7 +91,6 @@ All rights reserved.<br />
# Contents
# Intellectual Property Rights
## Essential patents
@@ -108,7 +107,6 @@ The present document may include trademarks and/or tradenames which are asserted
**DECT™** , **PLUGTESTS™** , **UMTS™** and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. **3GPP™** , **LTE™** and **5G ™** logo are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. **oneM2M™** logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. **GSM**® and the GSM logo are trademarks registered and owned by the GSM Association.
# Foreword
> DRAFT FOREWORD - DO NOT CONSIDER THE CONTENT
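Review bot: the trademark sentence is inconsistent in how it marks the symbols: `**5G ™**` has a stray space before the ™ and `**GSM**®` places the ® outside the bold, unlike every other mark in the same sentence; use `**5G™**` and `**GSM®**`. The `> DRAFT FOREWORD - DO NOT CONSIDER THE CONTENT` placeholder under `# Foreword` also still needs real text before this draft can go out.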
@@ -172,8 +170,6 @@ A SIEM product will perform the following broad functions but may do so in vario
## 1.3 Products not in scope
_Detailed list of things whose scope might be confusing, including parts of a system which are often included when the terms in the "in scope" section are used in general conversation. Reference the "Product Context" section again to remind the reader what operational environments are in scope._
This standard does not cover products in use in contexts other than those identified in Annex <L>.
- Security orchestration, automation and response (SOAR) software with a core functionality to integrate separate security tools, automate low-level tasks and orchestrate security incident responses.
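Review bot: `Annex <L>` in the scope sentence is an unresolved placeholder reference; replace it with the actual annex identifier, and add the cross-reference back to the Product Context clause that the italic editorial note just above asks for. Within this hunk only the single SOAR bullet of the out-of-scope list is visible; check that the remaining commonly confused components the editorial note calls for follow it.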
@@ -238,7 +234,8 @@ For the purposes of the present document, the following abbreviations apply:
| SIEM | Security information and event management system |
| MSSP | Managed Security Services Provider |
| ETL | Extract, Transform, and Load |
| ETL | Extract, Transform, and Load |
| MSA | Market Surveilance Authority (national) |
# 4 Product context
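Review bot: the abbreviations table now carries two identical `| ETL | Extract, Transform, and Load |` rows; keep one. The `MSA` row misspells Surveillance (`Market Surveilance Authority`), and the rows (SIEM, MSSP, ETL, MSA) are not in alphabetical order, which ETSI abbreviation lists normally are.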
@@ -297,7 +294,6 @@ The log forwarding tool `rsyslog` is considered to be part of the managed device
The upgrade responsibility of the device specific event forwarding software is sometimes hard to address, but it is in system users interests to have it maintained, and free of vulnerabilities. These are later addressed in the [technical requirements](#523-mitigations-of-event-collection-infrastructure).
## 4.4 Use cases
Primary use case is monitoring networks for business use. These can be of any level of risk as they often contain a wide variety of platforms and systems to monitor including mobile devices.
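Review bot: the hand-written anchor in `[technical requirements](#523-mitigations-of-event-collection-infrastructure)` should be checked against the actual clause 5 heading, since it will silently break as soon as that heading is renumbered. Wording in the same lines: `system users interests` needs the possessive (`system users' interests`), `Primary use case is monitoring networks for business use` reads better as `The primary use case is ...`, and `These can be of any level of risk` has no clear antecedent (the monitored networks, presumably).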
@@ -327,29 +323,27 @@ A final category for SIEM systems that may instead represent a set of use cases
- MSSP remote service for other use cases
_Create a list of representative use cases, each one representing a different threat profile. If the threat profile is the same for two use cases, then it is basically the same use case for the purposes of the present document. Use cases should include both intended and reasonably foreseeable use/misuse. Use cases don't include industrial operations, automotive, transport, marine, airplane, medical, military, national security, etc._
_When you have many use cases, group them into 3 - 5 levels of risk. These will probably be your security levels._
### 4.4.1 On premises SIEM system
- UC-OP-1 On Premises SIEM system
-**UC-OP-1** On Premises SIEM system
- All hardware and software for SIEM system owned and operated by consumer.
- Consumer manages and operates all aspects of SIEM system.
- UC-OP-2 On Premises MSSP system
-**UC-OP-2** On Premises MSSP system
- Hardware and software on customer premises, but some elements are remote or operted by remote MSSP
- Consumer may delegate some SIEM functions to MSSP.
### 4.4.2 Managed SIEM service
- UC-RS-1 CLoud Based System
-**UC-RS-1** Cloud Based System
- Software and data are remotely stored by Manufacturer or other MSSP.
- Consumer manages and operates SIEM system internally using own staff
- UC-RS-2 Manufacturer operated SIEM service with consumer portal
-**UC-RS-2** Manufacturer operated SIEM service with consumer portal
- All SIEM functions performed remotely by MSSP or manufacturer
## 4.5 Risk Factors
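Review bot: the sub-bullets under each use case (`- All hardware and software for SIEM system owned and operated by consumer.` and the like) sit at the same indentation as their `UC-` parent, so they render as sibling items rather than as attributes of that use case; indent them one level. The bolded replacement lines appear as `-**UC-OP-1**` without a space after the list hyphen, which some Markdown renderers will not treat as a list item; verify the source has `- **UC-OP-1**`. Spelling slips in this block: `operted` (UC-OP-2) and `CLoud Based System` (UC-RS-1).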
@@ -358,74 +352,81 @@ For each SIEM system placed on the market, the manufacturer shall develop a thre
### 4.5.1 List of Risk Factors
The risk profile is derived from intended and reasonably foreseeable uses of the product. The following risk factors shall be addressed when developing the risk profile.
The risk profile is derived from intended and reasonably foreseeable uses of the product. The following risk factors shall be addressed when developing the security profile.
#### 4.5.1.1 Number of ingested sources
**[COM]** The manufacturer shall determine the expected size and complexity of ingested sources and implement security requirments or mitigations sufficent for the variety and number of potential threats against networks containing multiple types of devices.
**\[ING]**: The manufacturer shall determine the expected size and complexity of ingested sources and implement security requirments or mitigations sufficent for the variety and number of potential threats against networks containing multiple types of devices.
* COM-1 Small
* COM-2 Medium
* COM-3 Large
- ING-1 Small number of simple device types and supported systems. A highly specialized system
- ING-2 Medium number of avarage complexity devices and supported systems. Most common deployment
- ING-3 Large number of ingested sources of vayring types and designs
#### 4.5.1.2 API exposure
**[EXP]** A SIEM system may have varying degrees of exposure to untrusted users, public networks and external networks. The manufacturer shall implement security requirements and mitigations appropriate to the product's reasonably foreseeable level of exposure.
**\[API]**: A SIEM system may have varying degrees of exposure to untrusted users, public networks and external networks. The manufacturer shall implement security requirements and mitigations appropriate to the product's reasonably foreseeable level of exposure.
* EXP-0 Dedicated networks segment for event ingestion
* EXP-1 Mixed network segments for ingestion
* EXP-2 Ingestion API avaialble in publicly connectible interface
- EXP-0 Dedicated networks segment for event ingestion communications
- EXP-1 Mixed network segments for ingestion but no publicly available interfaces
- EXP-2 Ingestion API available in publicly connectible interface
- EXP-3 Device ingestion API available in publicly connectible interface
<mark>
1. Interfaces or sources that are just used
2. CM clients that are trusted
3. Carbage from authrized sources
</mark>
> <mark>Things to consider</mark>:
> 1. Interfaces or sources that are just used
> 1. CM clients that are trusted
> 1. Carbage from authrized sources
#### 4.5.1.3 Skill Level of SIEM Adminsitrator
**[ADM]**: The manufacturer shall consider if a SIEM products is designed to be administered by cybersecurity specialists or IT generalists. Mitigations and requirements may vary depending on the skill and availability of the administrator.
**\[ADM]**: The manufacturer shall consider if a SIEM products is designed to be administered by cybersecurity specialists or IT generalists. Mitigations and requirements may vary depending on the skill and availability of the administrator.
- ADM-0 Full time security specialist administrator
- ADM-1 Part time security specialist administrator
- ADM-2 IT generalist adminsitraor (full or part time)
<mark>How well the admin knows the company?</mark>
> <mark>Things to consider</mark>:
> 1. How well the admin knows the company?
> 1. Is this a quality thing for the product? If so, should be removed.
#### 4.5.1.4 SIEM System Deployment Isolation
**[ISO]**
* ISO-0 SIEM system has dedicated resources on dedicated tenant
* ISO-1 SIEM system has shared resources with other isolated tenants
* ISO-2 SIEM system shares resources and is installed on a shared tenant
**\[ISO]**:
- ISO-0 SIEM system has dedicated resources on dedicated tenant
- ISO-1 SIEM system has shared resources with other isolated tenants
- ISO-2 SIEM system shares resources and is installed on a shared tenant
### 4.5.2 Mapping of Use Cases to Risk Factors
| Use case | COM | EXP | ADM | ISO | PHY | SUP | Sec Pro |
Security profiles are a resource to the manufacturer. Each security profile is associated with a collection of levels of risk factors. Security profiles will be mapped to specific mitigations for each security requirements necessary to treat the risk.
## 4.6 Security Profile
| Sec Pro | COM | EXP | ADM | ISO | PHY | SUP |
| ------- | --- | --- | --- | --- | --- | --- |
| SP-OP-1 | 2 | 3 | 2 | 0 | 2 | 2 |
| SP-OP-2 | 2 | 3 | 1 | 1 | 2 | 1 |
| SP-RS-1 | 2 | 3 | 1 | 1 | 2 | 1 |
| SP-RS-2 | 2 | 3 | 0 | 2 | 2 | 1 |
Security profiles are a resource to the manufacturer. Each security profile is associated with a collection of levels of risk factors.
Risk factors will be mapped to specific mitigations for each security requirements necessary to treat the risk.
Note: Potentially COM, EXP, and PHY can all be assumed to require the highest risk level mitigation in all products, and therefore can be left out of the use case and security profile analysis.
All products with digital elements has a common set of requirements that shall be addressed regardless of the system design or intented market. These are defined in the CRA <ahref="_ref_i.1">[i.1]</a>.
The risk factors listed in this document meant to help the manufacturer to address specific scenarios which implementation might not be obvious.
## 4.7 Essential functions
The essential functions of all SIEM systems are to collect, analyze and report of security related data.
SIEM system does not make decisions.
SIEM system does not make decisions or direct configuration changes. The security automation is outside
### 4.7.1 Data Collection
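Review bot: the rename of the risk factors from `[COM]`/`[EXP]` to `[ING]`/`[API]` is not carried through: the API exposure levels are still numbered `EXP-0 ... EXP-3`, the note in 4.6 still says `COM, EXP, and PHY`, and both the 4.5.2 mapping table header (`| Use case | COM | EXP | ADM | ISO | PHY | SUP | Sec Pro |`) and the Security Profile table keep `COM` and `EXP` columns. `PHY` and `SUP` appear as columns in both tables but no risk factor of either name is defined in 4.5.1, and the 4.5.2 table consists of a header row alone, with no separator or body rows, so it will not render as a table. Terminology: 4.5.1 first says the `risk profile` is derived from intended uses and then that risk factors are addressed when developing the `security profile`; pick one. Smaller points: `<ahref="_ref_i.1">` is missing the space after `a` and so is not a valid anchor; `The security automation is outside` is cut off mid-sentence; `which implementation might not be obvious` should be `whose implementation`; and the spelling slips (requirments, sufficent, avarage, vayring, avaialble, Carbage, authrized, Adminsitrator, adminsitraor, intented) should be cleaned up before merge.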
@@ -497,6 +498,9 @@ Security functions a SIEM product may provide to other components of the system
## 5.1 General
**[REQ-1]**: Manufacturer shall declare in the technical documentation with what [Risk factors](#45-risk-factors) the product with digital elements shall be evaluated.
**[REQ-2]**: Manufacturer shall provide in the technical documentation a detailed enough systems architecture design description, that enables national bodies like MSA to evaluate and test theproduct design.
> List technical security requirements for the product. Each requirement should be objectively verifiable on an instance of a product. Each should include an implementable method of verifying the requirement is met. Each should include a way to determine if the requirement is applicable to the product. Ideally each will include at least one concrete example of an implementation that satisfies the requirement and a test that verifies it. If the requirement allows the manufacturer to specify their own solution to the technical requirement, the requirement should include a specific way to measure the effectiveness of the risk mitigation and set a minimum level.
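Review bot: REQ-1 and REQ-2 do not meet the bar that the guidance block directly below sets for every requirement (objectively verifiable, with a verification method and an applicability criterion): REQ-1 only asks that the risk factors be declared, and REQ-2 asks for a `detailed enough` architecture description without saying what level of detail is sufficient or how an MSA would judge it. Also `theproduct` is missing a space, and `with what [Risk factors] ... shall be evaluated` reads better as `against which risk factors the product shall be evaluated`.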
@@ -529,7 +533,6 @@ Threat: compromise of SIEM will compromise other systems?