Commit e2f3cd88 authored by Santeri Toikka

Revised architecture description

parent dcf19bf4
+43 −10
<div style="text-align: center;">

![~~ETSI Standard header image~~](media/etsi-coverpage-logo.png)
![HARMONISED EUROPEAN STANDARD](media/etsi-coverpage-logo.png)

# HARMONISED EUROPEAN STANDARD

**Draft ETSI EN 3DD DDD Vm.t.e (yyyy-mm)**
**Draft ETSI EN 304 622 V0.0.2 (2025-08-12)**


<br />
<br />
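Review bot: the new cover image line reuses the same file (`media/etsi-coverpage-logo.png`) as the line it replaces, but its alt text now repeats the `# HARMONISED EUROPEAN STANDARD` heading directly below it instead of describing the image. If the intent is to show the ETSI logo, keep alt text that names the logo; if a separate cover image is intended, the path needs to change too. Also worth confirming that replacing the template placeholder `Draft ETSI EN 3DD DDD Vm.t.e (yyyy-mm)` with `V0.0.2 (2025-08-12)` is wanted at this stage, since the date on the cover will otherwise need updating on every revision.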
@@ -37,7 +38,6 @@ Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16<br />
Siret N° 348 623 562 00017 - APE 7112B<br />
Association à but non lucratif enregistrée à la<br />
Sous-préfecture de Grasse (06) N° w061004871<br />

</div>

<br />
@@ -91,6 +91,7 @@ All rights reserved.<br />

# Contents


# Intellectual Property Rights

## Essential patents
@@ -107,6 +108,7 @@ The present document may include trademarks and/or tradenames which are asserted

**DECT&trade;** , **PLUGTESTS&trade;** , **UMTS&trade;** and the ETSI logo are trademarks of ETSI registered for the benefit of its Members. **3GPP&trade;** , **LTE&trade;** and **5G &trade;** logo are trademarks of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners. **oneM2M&trade;** logo is a trademark of ETSI registered for the benefit of its Members and of the oneM2M Partners. **GSM** &reg; and the GSM logo are trademarks registered and owned by the GSM Association.


# Foreword

> DRAFT FOREWORD - DO NOT CONSIDER THE CONTENT
@@ -226,6 +228,7 @@ For the purposes of the present document, the following terms apply:

**Security information and event managment systems:** Software, hardware or a remote data processing solution (a service) that collects, analyzes, and reports security data from multiple sources to the user.
**Managed Security Service Provider:** A third party or manufacturer service that provides some or all SIEM functions to a customer thorugh a remote data processing solution and client application.
**Extract, Transform, and Load**: Typical data collection process, that describes how the system ingests information.

## 3.2 Abbreviations

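Review bot: the new ETL definition is formatted differently from the two entries above it (the colon sits outside the bold span here, inside it for the other two) and carries a stray comma ("process, that describes"). Suggest `**Extract, Transform, and Load:** The data collection process by which the system ingests information from its sources.` While editing this block, the neighbouring entries also need "managment" corrected to "management" and "thorugh" to "through".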
@@ -235,6 +238,7 @@ For the purposes of the present document, the following abbreviations apply:
| ------------ | ------------------------------------------------ |
| SIEM         | Security information and event management system |
| MSSP         | Managed Security Services Provider               |
| ETL          | Extract, Transform, and Load                     |

# 4 Product context

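Review bot: the MSSP expansion in the abbreviations table ("Managed Security Services Provider") does not match the term defined in clause 3.1 ("Managed Security Service Provider"); the two should agree, since the abbreviations table is what readers use to resolve the acronym. The added ETL row itself matches the new definition.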
@@ -263,16 +267,37 @@ The following types of products have reduced or varied requirements under Regula

## 4.3 Product overview and architecture

SIEM systems collect, analyse, and correlate data from multiple sources to present as actionable information for security-related purposes. Components include:
SIEM systems collect, correlate, and analyse data from multiple sources to present as actionable information for security-related purposes. 
The typical data collection process follows Extract, Transform, and Load (ETL), where the transformations are highly specific for the SIEM operation.
Data may be filtered, normalized, or combined with other sources.
After the individual source processing, the correlation phase may include data combination, where lookup tables are used to enrich the incoming information, and the data context is created for later use.

The process may be:

1. Event emitting source
1. Collection endpoint in the system
1. Aggregation and normalization of the incoming data
1. Correlation with multiple input sources and internal data models
1. Visualization, Automated alert trickering, Statistical analysis, Reporting
1. Support for thread and vulnerability management process

Components may include:

- Software that collects information from the devices being monitored
- Software that collects information on the local device and makes available to the collection server
- Software that analyses, compresses, filters, and/or deletes collected information as it arrives
- Software that stores collected information
- Software that generates events or alerts from collected information
- API endpoint that passively receives information from the devices being monitored
- Device specific software that actively collects information from the managed device and makes available to the collection API endpoint
- Mediator software that analyses, compresses, filters, and/or deletes collected information as it arrives
- Data warehousing component that stores collected information for long term access based on the design requirements
- Workflow management and event trickering mechanism that generates events or alerts from the collected information

Any component other than the software that collects data on the local device can be provided either as software provided to the user to run on its own devices, or as a remote data processing solution (RDPS).

The imlementation of the collecting infrastructure depends often on the availability of existing components.
If the managed device uses a `rsyslog` to send system logs towards more centralized ingestion endpoint, the `rsyslog` is considered to be part of the SIEM system if the used binary is installed to the managed device as part of the initializaton of the device.
The log forwarding tool `rsyslog` is considered to be part of the managed device if it is installed from the device's host OS' maintained package channels.

The upgrade responsibility of the device specific event forwarding software is sometimes hard to address, but it is in system users interests to have it maintained, and free of vulnerabilities. These are later addressed in the [technical requirements](#523-mitigations-of-event-collection-infrastructure).


## 4.4 Use cases

Primary use case is monitoring networks for business use. These can be of any level of risk as they often contain a wide variety of platforms and systems to monitor including mobile devices.
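Review bot: the two `rsyslog` sentences at the end of 4.3 state the product boundary in two forms that read as conflicting (a binary installed "as part of the initializaton of the device" is part of the SIEM, one installed from the host OS package channels is part of the managed device), and the boundary matters because it decides who carries the vulnerability-handling and update obligation that the following paragraph defers to 5.2.3. Suggest a single criterion, for example: the forwarding software is part of the SIEM product when it is supplied or installed by the SIEM provider, and part of the managed device when it is obtained from the device's own maintained package channels. Spelling in the new text also needs a pass: "trickering" (twice) should be "triggering", "thread and vulnerability management" should be "threat", "imlementation" should be "implementation", "initializaton" should be "initialization", and "system users interests" should be "the system user's interest". Finally, the process list and the component list use different vocabulary for the same stages (aggregation/normalization versus mediator software); aligning the terms would make the later threat mapping easier.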
@@ -504,6 +529,13 @@ Threat: compromise of SIEM will compromise other systems?

https://www.skyflow.com/post/how-to-keep-sensitive-data-out-of-your-logs-nine-best-practices


### 5.2.1 Mitigations for user identity integrity

### 5.2.2 Mitigations for ingested data integrity

### 5.2.3 Mitigations of event collection infrastructure

# Annex A (informative): Mapping between the present document and CRA requirements

> Table mapping technical security requirements from Section 5 of the present document to essential cybersecurity requirements in Annex I of the CRA. The purpose of this is to help identify missing technical security requirements.
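Review bot: the new heading 5.2.3 is the target of the cross-reference added in 4.3, but like 5.2.1 and 5.2.2 it has no body, so the link lands on an empty section; at minimum a one-line scope statement (update responsibility and vulnerability handling for device-side event forwarding software) should go under it so the reference is meaningful in this draft. The bare Skyflow URL sitting under "Threat: compromise of SIEM will compromise other systems?" also has no link text or context; either move it to a references clause or state what it supports.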
@@ -540,6 +572,8 @@ https://www.skyflow.com/post/how-to-keep-sensitive-data-out-of-your-logs-nine-be
- Product of analysis
- List of scrape clients
- Device inventory
- Location of installation sites
- Data profiling documentation
- Contact information SIEM process management
- Raports of all sorts
- Alerting configuratoin
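Review bot: the asset list being extended here still carries "Raports" and "configuratoin", and "Contact information SIEM process management" is missing a preposition ("Contact information for SIEM process management"); since the list is touched in this hunk, fix these in the same change. Also consider noting for each asset why it is confidentiality-relevant (for instance, installation site locations and the device inventory reveal the monitored estate), as Annex A is meant to map these to CRA requirements.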
@@ -548,7 +582,6 @@ https://www.skyflow.com/post/how-to-keep-sensitive-data-out-of-your-logs-nine-be
- Log data
- ETL worklflow configuration
- Trained models
- Data composition table <mark>fixme</mark>
- PII data in logs or ingested sources
- Confindential busines information in the sources
- Cryptographic keys
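Review bot: the `<mark>fixme</mark>` on "Data composition table" is still unresolved in this hunk, and the asset list keeps "Confindential busines information", which should read "Confidential business information". The removed line is not recoverable from the rendered diff, so please confirm in the commit message what was dropped from this list; "Revised architecture description" does not cover a change to the asset annex.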