
FairWarning CEF Certified Configuration Guide - May 2011

  • Writer: Pavan Raja
  • Apr 8, 2025

Summary:

The "Common Event Format Configuration Guide for FairWarning®" explains how to set up the CEF (Common Event Format) connector for syslog event collection on Linux platforms. FairWarning® is a privacy breach detection product for healthcare settings: it flags unauthorized access to patient records and misuse of protected health information (PHI) and reports potential incidents through a web-based dashboard or by email. According to the vendor it reduces the manual audit-log review workload by over 90% and improves incident visibility. The breach categories it detects include access to VIP medical records, financial identity theft, medical identity theft, inappropriate clinician access and neighbor snooping, among others.

Setting up the CEF connector for FairWarning® on Linux requires the Linux installer binary (ArcSight-connectorLinux.bin), the ArcSight CEF documentation, a certificate file (cacerts) and an AUP build 5487 or later with FairWarning 2.8 support. All events are exported to the fairwarning_alerts.txt file, which the connector reads. The CEF Connector Field Mappings table maps FairWarning alert fields to CEF keys: EventID (externalId), Date/Time (rt), UserID (suid), USER_NAME (suser), PatientID/MRN (duid), PATIENT_NAME (duser), Function (act), Auditsourceid (src), NetworkID (dst), WorkStation (shost), Department (cs1), Device (cs2), Screen (cs3), Facility (cs4), Data Source (cs5) and FairWarning Appliance IP address (dvchost). This table is what lets the vendor-specific alert data land in the standard ArcSight event fields, so FairWarning events can be correlated and analyzed alongside other security events.

Details:

The "Common Event Format Configuration Guide for FairWarning®" outlines how to set up the CEF (Common Event Format) connector for syslog event collection on Linux platforms. The guide was first published in December 2009 and has since been updated with screen shots and ArcSight certification details. FairWarning® is a privacy breach detection solution that identifies users whose activity indicates snooping, identity theft or other risky behavior, particularly in electronic health record (EHR) systems and other applications that hold protected health information (PHI). It automatically detects potential incidents and alerts the responsible staff via a web-based dashboard or email. The vendor states that automating manual audit log review reduces workload by over 90% and uncovers about four times as many incidents as manual review. The breach categories it detects include VIP medical record access, financial identity theft, medical identity theft, inappropriate clinician access, neighbor snooping, compromised application user IDs and other, unspecified categories. FairWarning® also provides tools for rapid investigation and resolution of patient or user incidents.

FairWarning® is designed to keep a complete, secure record of patient access information, which is essential for compliance with HIPAA and other state and federal laws. Unlike traditional audit log tools, it concentrates on the audit logs of EHR systems and medical applications, and it also draws on non-audit data to detect specific situations among healthcare staff. Its patented, non-invasive technology centralizes the audit logs of medical applications and analyzes them by patient, user, date, time, function performed and location details such as terminal ID, IP address, bed and campus. The product is aimed at privacy and compliance officers, and it can integrate with partner SIEM products for event correlation and analysis, as well as with other non-clinical systems and devices.

The CEF Connector is configured on the FairWarning appliance itself. Installing the ArcSight connector requires the Linux installer binary (ArcSight-connectorLinux.bin), the ArcSight CEF document, a certificate file (cacerts) and an AUP (ArcSight Update Pack) build 5487 or later that supports FairWarning 2.8. All FairWarning events must be exported to the fairwarning_alerts.txt file, and the ArcSight export utility can be used during installation to import all events from a specific file.

The CEF Connector Field Mappings table maps each FairWarning alert field to a CEF key:

1. **EventID (externalId)**: FairWarning's own event identifier, carried in the CEF external ID field so an ArcSight event can be traced back to the alert on the appliance.
2. **Date/Time (rt)**: the time the event occurred, carried in the CEF receipt time field.
3. **UserID (suid)**: the identifier of the user who performed the access (CEF source user ID).
4. **USER_NAME (suser)**: the name of that user (CEF source user name).
5. **PatientID, MRN (duid)**: the patient identifier or Medical Record Number; the patient is the target of the access, so it lands in the destination user ID field.
6. **PATIENT_NAME (duser)**: the patient's name (CEF destination user name).
7. **Function (act)**: the function the user performed in the application (CEF action).
8. **Auditsourceid (src)**: the FairWarning audit source identifier, carried in the CEF source address field.
9. **NetworkID (dst)**: the network identifier, carried in the CEF destination address field.
10. **WorkStation (shost)**: the workstation the user worked from (CEF source host name).
11. **Department (cs1)**: the department associated with the event.
12. **Device (cs2)**: the device the access was made from.
13. **Screen (cs3)**: the application screen the user was on.
14. **Facility (cs4)**: the facility at which the event occurred.
15. **Data Source (cs5)**: the source application or log the event was collected from.
16. **FairWarning Appliance IP address (dvchost)**: the CEF device host field, identifying the FairWarning appliance that produced the event.
17. **Source port (spt)**: the source port of the network connection associated with the event.
18. **Destination port (dpt)**: the destination port of that connection.

Two points are worth checking when wiring this up. Fields cs1 to cs5 are generic CEF custom strings, so a consumer only learns that cs1 holds the department if the connector also emits the matching cs1Label to cs5Label keys. And CEF defines src and dst as IP address fields, so the audit source and network identifiers exported into them need to be addresses for ArcSight to parse them as such. With those caveats, the table is what bridges ArcSight's standardized event schema and the vendor-specific alert data, so FairWarning events can be integrated and analyzed alongside events from other systems and applications.
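As an added example, not code from the FairWarning guide or from ArcSight's connector, the following Python renders one FairWarning alert as a CEF line using the field mapping described in the Summary and Details above, applies the escaping the CEF format requires (backslash and pipe in the header, backslash and equals sign in the extension), emits cs1Label to cs5Label for the custom strings, and parses the line back. The sample alert, its timestamp layout, the vendor/product/version header values, the signature ID, the name and the severity are all assumptions for illustration; the parser is written to handle escaped values, which is where hand-rolled CEF readers usually break.

```python
import re
from datetime import datetime, timezone

# FairWarning alert field -> CEF extension key, as in the guide's mapping table.
FIELD_MAP = {
    "EventID": "externalId", "Date/Time": "rt", "UserID": "suid",
    "USER_NAME": "suser", "PatientID": "duid", "PATIENT_NAME": "duser",
    "Function": "act", "Auditsourceid": "src", "NetworkID": "dst",
    "WorkStation": "shost", "Department": "cs1", "Device": "cs2",
    "Screen": "cs3", "Facility": "cs4", "Data Source": "cs5",
    "FairWarning Appliance IP address": "dvchost",
    "Source port": "spt", "Destination port": "dpt",
}
# cs1..cs5 are generic custom strings; the csNLabel keys tell a CEF consumer
# what each one holds (a CEF convention the guide itself does not spell out).
CUSTOM_LABELS = {"cs1": "Department", "cs2": "Device", "cs3": "Screen",
                 "cs4": "Facility", "cs5": "Data Source"}
HEADER_KEYS = ("version", "vendor", "product", "device_version",
               "signature_id", "name", "severity")
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")   # start of an extension key

def _escape_header(value: str) -> str:
    """Header fields: backslash and pipe must be escaped."""
    return value.replace("\\", "\\\\").replace("|", "\\|")

def _escape_ext(value: str) -> str:
    """Extension values: escape backslash and '=', encode line breaks."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "\\r").replace("\n", "\\n"))

def _unescape_ext(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m[1], m[1]),
                  value)

def to_epoch_ms(ts: str) -> str:
    """CEF rt is milliseconds since the Unix epoch. The 'YYYY-MM-DD HH:MM:SS'
    UTC layout of the exported timestamp is an assumption of this example."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return str(int(dt.timestamp() * 1000))

def alert_to_cef(record: dict, sig_id: str = "100",
                 name: str = "FairWarning Alert", severity: int = 5) -> str:
    """Render one alert as a CEF line. Vendor, product, version, signature ID,
    name and severity in the header are assumed values, not the guide's."""
    ext = []
    for fw_field, cef_key in FIELD_MAP.items():
        value = record.get(fw_field, "")
        if value == "":
            continue                                # omit empty keys
        if cef_key == "rt":
            value = to_epoch_ms(value)
        ext.append(f"{cef_key}={_escape_ext(value)}")
        if cef_key in CUSTOM_LABELS:
            ext.append(f"{cef_key}Label={_escape_ext(CUSTOM_LABELS[cef_key])}")
    header = [_escape_header(h) for h in
              ("FairWarning", "FairWarning", "2.8", sig_id, name, str(severity))]
    return "CEF:0|" + "|".join(header) + "|" + " ".join(ext)

def _split_header(line: str):
    """Split the seven pipe-delimited header fields, honouring the '\\|' and
    '\\\\' escapes; return them plus the untouched extension string."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1]); i += 2
        elif ch == "|":
            parts.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(ch); i += 1
    return parts, line[i:]

def parse_cef(line: str) -> dict:
    """Parse a CEF line back into a flat dict of header and extension fields."""
    header, ext = _split_header(line)
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields = dict(zip(HEADER_KEYS, header))
    fields["version"] = fields["version"][len("CEF:"):]
    keys = list(_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        fields[m[1]] = _unescape_ext(ext[m.end():end])
    return fields

# Constructed sample alert in the shape the guide's mapping table describes.
SAMPLE_ALERT = {
    "EventID": "4711", "Date/Time": "2011-05-02 14:03:27", "UserID": "jdoe",
    "USER_NAME": "Doe, John", "PatientID": "MRN0012345",
    "PATIENT_NAME": "Smith, Jane", "Function": "View Chart",
    "Auditsourceid": "10.1.2.3", "NetworkID": "10.1.2.50",
    "WorkStation": "ER-WS-07", "Department": "Emergency",
    "Device": "Terminal 12", "Screen": "Patient Summary",
    "Facility": "Main Campus", "Data Source": "EHR Audit Log",
    "FairWarning Appliance IP address": "10.9.0.5",
}

def convert_sample() -> dict:
    """Round-trip the sample alert through CEF and return the parsed fields."""
    return parse_cef(alert_to_cef(SAMPLE_ALERT, name="Neighbor Snooping"))
```

Calling `alert_to_cef(SAMPLE_ALERT, name="Neighbor Snooping")` yields a single line beginning `CEF:0|FairWarning|FairWarning|2.8|100|Neighbor Snooping|5|externalId=4711 rt=1304345007000 suid=jdoe ...`, which `parse_cef` turns back into the original values, including a Function value such as `a=b|c\d` that exercises both escaping rules. Empty alert fields are left out of the extension rather than emitted as `key=`, and a line that does not carry seven header fields is rejected instead of being half-parsed.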

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.

@2021 Copyrights reserved.
