Commit fea4d187 authored by August Bournique's avatar August Bournique

Added preliminary functions and use cases

parent 33b21ee9
+102 −33
@@ -99,8 +99,7 @@ In the present document "**shall** ", "**shall not** ", "**should** ", "**should

The present document is a European harmonised standard that defines cybersecurity requirements for products whose primary purpose is security information and event managment (SIEM) systems. Demonstrating compliance with this standard is not necessary, but doing so provides a presumption of conformity with the Cyber Resilence Act, Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 [i.1].

This standard does not apply to products that contain XXXXXX or are part of [vertical] if the core purpose of the product is not that of an [vertical]. However, it may be useful as one part of the process of demonstrating compliance for a product containing or interacting with [vertical].

This standard does not apply to products that contain SIEM elements or components but are part of other systems with a different core purpose. If the core purpose of the product is not that of a SIEM system. However, it may be useful as one part of the process of demonstrating compliance for a product containing or interacting with SIEM system.

# 1 Scope

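Review bot: the new exclusion paragraph ("This standard does not apply to products that contain SIEM elements or components but are part of other systems with a different core purpose.") has been added without removing the template paragraph it instantiates, which still reads "products that contain XXXXXX or are part of [vertical]"; delete the placeholder paragraph so the scope does not state the exclusion twice. In the new paragraph, "If the core purpose of the product is not that of a SIEM system." is a sentence fragment; fold it into the preceding sentence ("... with a different core purpose, i.e. where the core purpose of the product is not that of a SIEM system."). Also "managment" and "Resilence" in the first paragraph should read "management" and "Resilience", and "SIEM system" in the last sentence needs an article ("a SIEM system").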
@@ -154,7 +153,6 @@ The following referenced documents are necessary for the application of the pres

* <a name="_ref_1">[1]</a>    &lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>".


## 2.2 Informative references

References are either specific (identified by date of publication and/or edition number or version number) or nonspecific. For specific references, only the cited version applies. For non-specific references, the latest version of the referenced document (including any amendments) applies.
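Review bot: this hunk only drops a blank line, but the normative references list it touches still consists solely of the template entry "&lt;Standard Organization acronym> &lt;document number> (&lt;version number>): "&lt;Title>"". If the standard has no normative references yet, either state that explicitly or mark the entry as a TODO, since a document that is later cited as [i.1] from 4.11 must resolve to an anchor in the informative list rather than to this placeholder.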
@@ -178,22 +176,18 @@ This section provides terms and definitions based on CEN/CLC JTC13 WG09's work o
For the purposes of the present document, the [following] terms [given in ... and the following] apply:

1. **Security information and event managment systems**: Software, hardware or a remote data processing solution (a service) that collects, analyzes, and reports security data from multiple sources to the user.  
2. 

2. **Managed Security Service Provider**: A third party or manufacturer service that provides some or all SIEM functions to a customer thorugh a remote data processing solution and client application. 

## 3.2 Symbols

For the purposes of the present document, the [following] symbols [given in ... and the following] apply:




## 3.3 Abbreviations

For the purposes of the present document, the [following] abbreviations [given in ... and the following] apply:

1. **SIEM**: Security information and event management system

2. **MSSP**: Managed Security Services Provider

# 4 Product context

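Review bot: the definitions list in 3.1 contains an empty second item ("2. " on its own line) between the SIEM and MSSP definitions, which renders as a blank bullet and throws off the numbering; remove it. The expansion of MSSP is inconsistent between 3.1 ("Managed Security Service Provider") and 3.3 ("Managed Security Services Provider"); pick one form and use it in both places. Typos: "managment" in the SIEM definition and "thorugh" in the MSSP definition. Section 3.2 Symbols still carries only the template sentence and three blank lines; if there are no symbols, say so rather than leaving the template text.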
@@ -224,14 +218,58 @@ The following types of products have reduced or varied requirements under the Cy

## 4.3 Product overview and architecture

SIEM systems have X basic functions, all related to collection, analysis, and reporting of security data.
_Explain the overall architecture and relationship among the parts of the products. Use diagrams if that is helpful._

## 4.4 Use cases

Primary use case is monitoring networks for business use. These can be of any level of risk as they often contain a wide variety of platforms and systems to monitor including mobile devices.
* business networks
* connected vehicle fleets
* business mobile device networks
* ecommerce platforms

Higher risk business and enterprise use includes highly regulated and essential industries where SIEM monitors both security and legal compliance. 
* financial institutions
* medical providers  

Related often high risk use cases for SIEM are in manufacturing, industry, and infrastructure both on a site or for plant scale and company or organization wide multi-site network.
* industrial plants and machinery
* public infrastructure
* telecom networks

Less common and lower risk scenarios for SIEM use include small SIEM systems for:
* hobbyist home networks
* security researchers

A final category for SIEM systems that may instead represent a set of use cases to be incorporated into the other catogories are remote or contracted security operations centers (SOC's) and managed security service providers (MSSP's).
* MSSP remote service for other use cases

_Create a list of representative use cases, each one representing a different threat profile. If the threat profile is the same for two use cases, then it is basically the same use case for the purposes of the present document. Use cases should include both intended and reasonably foreseeable use/misuse. Use cases don't include industrial operations, automotive, transport, marine, airplane, medical, military, national security, etc._

_When you have many use cases, group them into 3 - 5 levels of risk. These will probably be your security levels._

### 4.4.1 On premises SIEM system

* UC-OP-1 On Premises SIEM system
    * All hardware and software for SIEM system owned and operated by consumer.
    * Consumer manages and operates all aspects of SIEM system.

* UC-OP-2 On Premises MSSP system 
   * Hardware and software on customer premises, but some elements are remote or operted by remote MSSP
   * Consumer may delegate some SIEM functions to MSSP.

### 4.4.2  Managed SIEM service

* UC-RS-1 CLoud Based System
    * Software and data are remotely stored by Manufacturer or other MSSP.
    * Consumer manages and operates SIEM system internally using own staff


* UC-RS-2 Manufacturer operated SIEM service with consumer portal
    * All SIEM functions performed remotely by MSSP or manufacturer


## 4.5 Risk Factors

For each SIEM system placed on the market, the manufacturer shall develop a threat model and risk profile based on the intended purpose and reasonably foreseeable use of the SIEM system. Risk factors are specific elements of a product's intended or reasonably foreseeable use that are linked to or allow specific threats. Risk factors are one part of creating a product's risk profile. They define specific security requirements and mitigations that a the manufacturer will need to apply to a product and collectively define the product's security level.
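Review bot: 4.3 still says "SIEM systems have X basic functions" while 4.7 in this same commit names exactly three (collect, analyze, report); replace X with "three" and drop the italic template instruction that follows it. The use cases UC-OP-1/UC-OP-2 and UC-RS-1/UC-RS-2 in 4.4.1 and 4.4.2 are organised by deployment model, but the prose earlier in 4.4 groups uses by risk (business, highly regulated, industrial, hobbyist, MSSP); the template text kept at the end of 4.4 asks that use cases be grouped into 3 to 5 risk levels, so either map each UC-* identifier to one of those risk groupings or remove the template guidance, because as written the two halves of 4.4 describe different taxonomies. The template also says use cases "don't include industrial operations, automotive, transport, ... medical", yet the lists above it include "connected vehicle fleets", "medical providers" and "industrial plants and machinery"; reconcile or delete the template line. Minor: "SOC's" and "MSSP's" should be "SOCs" and "MSSPs", "operted" should be "operated", "CLoud" should be "Cloud", and "a the manufacturer" in 4.5 has a stray article.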
@@ -240,15 +278,46 @@ For each SIEM system placed on the market, the manufacturer shall develop a thre

 The risk profile is derived from intended and reasonably foreseeable uses of the product. The following risk factors shall be addressed when developing the risk profile.

#### 4.5.1.1 Physical Access by Threat Actors to System
#### 4.5.1.1 Network Size and Complexity

**[COM]** The manufacturer shall determine the expected size and complexity of network and implement security requirments or mitigations sufficent for the variety and number of potential threats against different scale networks and networks containing multiple types of devices. 

* COM-1 Small network (under X devices) of same device type.
* COM-2 Large network (over X devices) or network of varied devices.
* COM-3 Large network (over X devices) of varied types.

#### 4.5.1.2 Degree of exposure

**[EXP]** A SIEM system may have varying degrees of exposure to untrusted users, public networks and external networks. The manufacturer shall implement security requirements and mitigations appropriate to the product's reasonably foreseeable level of exposure.

* EXP-0 Internal network
* EXP-1 VPN secured network
* EXP-2 Other kinds of secure network?
* EXP-3 Dubious network/public internet

#### 4.5.1.3 Skill Level of SIEM Adminsitrator
**[ADM]**: The manufacturer shall consider if a SIEM products is designed to be administered by cybersecurity specialists or IT generalists. Mitigations and requirements may vary depending on the skill and availability of the administrator.

* ADM-0 Full time security specialist administrator 
* ADM-1 Part time security specialist administrator 
* ADM-2 IT generalist adminsitraor (full or part time)   

#### 4.5.1.4 SIEM System Isolation
**[ISO]**

* ISO-0 SIEM system is hosted and managed on dedicated server or servers
* ISO-1 SIEM system is managed and hosted on server shared with other systems
* ISO-2 SIEM system is managed and hosted on remote server 

#### 4.5.1.5 Physical Access by Threat Actors to System

**[PHYS]**: Manufacturers of SIEM systems may implement protective measures to mitigate physical access based threats to the device.

PHYS-0: only used in environments with authorized users
PHYS-1: may be incidentally exposed to untrusted users
PHYS-2: used primarily by untrusted users, e.g. the general public
* PHYS-0: only used in environments with authorized users
* PHYS-1: may be incidentally exposed to untrusted users
* PHYS-2: used primarily by untrusted users, e.g. the general public

#### 4.5.1.2 Support Period
#### 4.5.1.x Support Period

**[SUPP]**: Manufacturers shall implement protections and implement safeguards appropriate to the support period of a SIEM System

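Review bot: COM-2 and COM-3 overlap so a product cannot be placed in exactly one level: COM-2 is "Large network (over X devices) or network of varied devices" and COM-3 is "Large network (over X devices) of varied types", which is a subset of COM-2; consider COM-1 small/homogeneous, COM-2 large/homogeneous or small/heterogeneous, COM-3 large/heterogeneous, and replace the "X devices" placeholder with a threshold. The rendered view shows both "#### 4.5.1.1 Physical Access by Threat Actors to System" and "#### 4.5.1.1 Network Size and Complexity", as well as both the unbulleted and bulleted PHYS-0..PHYS-2 lines and both "4.5.1.2 Support Period" and "4.5.1.x Support Period"; confirm the old heading and the unbulleted PHYS lines are removed lines rather than retained ones, since Physical Access is now 4.5.1.5, and assign Support Period a real number instead of "x". The headings jump from "## 4.5" to "#### 4.5.1.1" with no "### 4.5.1" level in between. "**[ISO]**" has no requirement sentence, unlike COM, EXP, ADM, PHYS and SUPP; add one stating what the manufacturer shall consider. EXP-2 "Other kinds of secure network?" still has an open question in normative text. Typos: "requirments", "sufficent", "Adminsitrator", "adminsitraor", "a SIEM products".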
@@ -266,6 +335,25 @@ Security levels are a resource to the manufacturer. Each security level is assoc

## 4.7 Essential functions

The essential functions of all SIEM systems are to collect, analyze and report of security related data.

### 4.7.1 Data Collection

* Requests, collects, and logs data from network and devices protected by SIEM system
* Receives third party information regarding new or likely threats
* Data Retention

### 4.7.2 Data Analysis

* Correlation and threat monitoring
* Analytics and modelling

### 4.7.3 Data Reporting
* Reports activities and results of analysis to users, often through use of dashboards and other visualization tools.
* Allows users to run queries and organize data.
* Provides reports for compliance purposes
* Alerts user of potential security threats or other anomolies

_List the essential functions of the product, including:_

* _What it does during its intended or reasonably foreseeble use_
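Review bot: in 4.7.1 the item "Data Retention" is a noun phrase among verb phrases ("Requests, collects, and logs ...", "Receives ..."); reword it as a function, for example "Retains collected data for a defined period", and state whether retention is treated as a collection function or as a separate essential function, since 4.3 and the first sentence of 4.7 only name collection, analysis and reporting. The first sentence of 4.7 reads "to collect, analyze and report of security related data"; drop "of". "anomolies" in 4.7.3 should be "anomalies". The italic template block starting "_List the essential functions of the product, including:_" is now superseded by the three subsections above it and can be removed.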
@@ -304,25 +392,6 @@ _Risk can be transferred between components, for example a network interface can

_Describe what risks are delegated to other components, as well as what security functionalities this product offers to things integrated with it._

## 4.11 Support period

The support period for a SIEM product shall be for a minimum of ten years unless the specific nature of the product justifies a reduced support period.

A reduced support period is justified when the manufacturer has  a reasonable expectation that the product will be in use for less than ten years or the product exists to fill a special need of a reasonably certain duration under ten years. A reduced support period may be of any length, but shall cover the expected time that the product will be in use. 

In accordance with Article 13 (8) of the CRA<a href="#_ref_i.1">[i.1]</a>, the manufacturer shall document how it reached a decision on a specific support period in the technical documentation of the product. The manufacturer shall document the following considerations that affected the decision making process:

1. Reasonable user expectations
1. Nature of the product and intended purpose
1. Relevant law and guidance
1. Support period of products on the market with similar functionality
1. The availability of the operating environment
1. The support period of any integrated components that provide core functions of the product.



_Describe the expected support period and its impact on security risks. Generally the support period should be at least 5 years, shorter or longer according to the expected period of use. See Article 13.8 and Recitals 59 - 62 of the CRA for more information._

# 5 Requirements specifications

## 5.1 General
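Review bot: the normative text in 4.11 sets a ten-year minimum support period ("shall be for a minimum of ten years unless ..."), but the italic template paragraph retained at the end of the section says "Generally the support period should be at least 5 years"; remove the template paragraph or reconcile the two figures so the section states one floor. The sentence "A reduced support period may be of any length" should be checked against the CRA Article 13(8) provision the same section cites (via the template's "See Article 13.8 and Recitals 59 - 62"), which sets its own lower bound for products expected to be in use for a shorter time; the standard should not appear to permit a shorter period than the regulation does. The inline reference uses the anchor "#_ref_i.1", so the informative references list in 2.2 must contain an entry with `name="_ref_i.1"` in the same style as the "_ref_1" anchor used in 2.1. Minor: "has  a" has a double space, and the three blank lines before the template paragraph can be collapsed to one.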