SOX Compliance - Use Cases
- Pavan Raja

- Apr 8, 2025
- 4 min read
Summary:
This document outlines several use cases for ArcSight solutions aimed at enhancing security controls for SOX compliance, including monitoring access attempts by closed or deleted accounts, detecting insecure services on regulated systems, tracking password changes, assessing system availability, and detecting attacks and reconnaissance activities. Specific actions are taken based on defined rules when certain conditions are met, such as placing entities on an active list or generating reports. The document also covers use cases for internet usage reporting, vulnerability trending, user monitoring (including reconnaissance from internal systems, audit log clearing on high-value targets, data transfers to competitors/known sharing sites, and downloads from hacker sites), prohibited website access, printing sensitive documents after hours, inactive user account detection, privilege account usage, email activity/file size perimet
Details:
This document outlines several use cases for customers using the ArcSight solution for monitoring controls related to SOX compliance. These include identifying access attempts by closed or deleted accounts, detecting insecure services on SOX regulated systems, tracking default password changes, monitoring system usage, and assessing the availability of critical SOX assets. The solutions also aim to detect attacks and reconnaissance activities targeting these systems. Each use case has specific actions based on defined rules, such as placing affected entities in an active list or generating reports when certain conditions are met.
The document outlines several use cases designed for different aspects of security management, focusing primarily on monitoring and reporting against internal threats related to SOX compliance.
1. **Internet Usage Reporting and Monitoring**: This involves tracking internet usage by employees connected to SOX assets through specific ports (80, 443, 20, 21). The purpose is to ensure that such activities comply with security policies and are not exposing the systems to unauthorized access or potential threats.
2. **Vulnerability Trending**: This use case involves providing management reports on trends in vulnerabilities identified across SOX assets. It aims to give stakeholders an overview of the current state of vulnerability management within their SOX environment, highlighting any improvements or areas needing attention.
3. **User Monitoring**: Applied specifically to customers using ArcSight for internal user monitoring without requiring asset modeling:
   - **Reconnaissance from Internal Systems**: Monitors and reports on reconnaissance activity originating from employee systems and directed at internal systems. It combines real-time monitoring rules with a dashboard for visualizing the activity.
   - **Audit Log Clearing on High Value Targets (HVT)**: Monitors audit log clearing on designated high-value Windows systems. It includes real-time alerting on rule violations and historical reporting of these actions, so that compliance can be tracked and unauthorized log deletions detected.
   - **Data Transfers to Competitor/Known Sharing Sites**: Monitors user activity involving the transfer of confidential documents or communication with competitors, and places such users on a watch list for further review. Real-time rules handle monitoring, and reports track historical trends in data sharing attempts.
   - **Downloads from Hacker Sites**: Tracks and reports on users who attempt to access websites hosting hacking tools, helping to identify potential insider threats or unauthorized use of such resources.
These use cases are designed to provide actionable insights into various aspects of internal security, allowing for better management of risks associated with SOX compliance and network security.
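The user-monitoring rules above all follow the same shape: a rule condition evaluated per event, with matching users placed on an active list and summarised in a report. The following is an added illustration of that shape in plain Python, not code from the original post or from ArcSight. It implements two of the rules (audit log clearing on a high-value target, and an allowed download from a watch-listed hacker-tools domain) over constructed events; the host names, domain, user names and event field layout are all assumptions made for the example. Windows Security event ID 1102 ("The audit log was cleared") and 4624 (successful logon) are real event IDs.

```python
"""Added example (not from the original post or ArcSight): a minimal
correlation pass in the style of the user-monitoring use cases.

Two rules run over constructed Windows Security and web-proxy events:
  * audit log clearing on a designated high-value target (HVT)
  * an allowed download from a watch-listed hacker-tools domain
Users who match are placed on an in-memory watch list, the "active list"
concept the use cases describe, and a per-user report is produced."""
from collections import defaultdict

# Windows Security log event 1102 = "The audit log was cleared" (real ID).
AUDIT_LOG_CLEARED = 1102

# Constructed active lists. A real deployment would populate these from the
# asset inventory (HVT hosts) and a threat-intel or URL-category feed.
HIGH_VALUE_TARGETS = {"FIN-DC01", "SOX-ERP01"}
HACKER_TOOL_DOMAINS = {"tools.example-hackersite.test"}


def rule_audit_clear_on_hvt(event):
    """Fire when event 1102 is seen on a host in the HVT active list."""
    return (event.get("source") == "windows_security"
            and event.get("event_id") == AUDIT_LOG_CLEARED
            and event.get("host") in HIGH_VALUE_TARGETS)


def rule_hacker_site_download(event):
    """Fire on an *allowed* proxy request to a watch-listed domain.
    Blocked requests are left out: the control already worked."""
    return (event.get("source") == "web_proxy"
            and event.get("domain") in HACKER_TOOL_DOMAINS
            and event.get("action") == "allowed")


RULES = [
    ("Audit Log Cleared on HVT", rule_audit_clear_on_hvt),
    ("Download from Hacker Site", rule_hacker_site_download),
]


def correlate(events):
    """Evaluate every rule against every event.

    Returns (alerts, watch_list): alerts is a list of dicts, watch_list maps
    user -> set of rule names that user triggered."""
    alerts = []
    watch_list = defaultdict(set)
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                alerts.append({"rule": name, "user": ev["user"],
                               "host": ev.get("host"), "time": ev["time"]})
                watch_list[ev["user"]].add(name)
    return alerts, dict(watch_list)


def report_by_user(alerts):
    """Historical-report style roll-up: alert count per user."""
    counts = defaultdict(int)
    for alert in alerts:
        counts[alert["user"]] += 1
    return dict(counts)


# Constructed sample events (field names and values are assumptions).
SAMPLE_EVENTS = [
    {"time": "2025-04-07T22:14:03", "source": "windows_security",
     "event_id": 1102, "host": "FIN-DC01", "user": "jdoe"},        # HVT -> alert
    {"time": "2025-04-07T09:02:11", "source": "windows_security",
     "event_id": 1102, "host": "LAB-PC07", "user": "asmith"},      # not an HVT
    {"time": "2025-04-07T11:40:55", "source": "windows_security",
     "event_id": 4624, "host": "FIN-DC01", "user": "jdoe"},        # normal logon
    {"time": "2025-04-07T13:21:09", "source": "web_proxy",
     "domain": "tools.example-hackersite.test", "action": "allowed",
     "host": "WS-118", "user": "bwong"},                           # allowed -> alert
    {"time": "2025-04-07T13:25:40", "source": "web_proxy",
     "domain": "tools.example-hackersite.test", "action": "blocked",
     "host": "WS-118", "user": "bwong"},                           # blocked, no alert
    {"time": "2025-04-07T14:00:00", "source": "web_proxy",
     "domain": "intranet.example.test", "action": "allowed",
     "host": "WS-119", "user": "jdoe"},                            # benign
]

if __name__ == "__main__":
    found, watch = correlate(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['time']} {a['rule']}: user={a['user']} host={a['host']}")
    print("watch list:", watch)
    print("alerts per user:", report_by_user(found))
```

The split between "allowed" and "blocked" proxy actions is the detail worth keeping when building the real rule: a blocked request shows the web filter working, while an allowed one is the gap the report is meant to surface.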
This document outlines various use cases designed to enhance security measures within an organization, particularly through the utilization of a comprehensive monitoring and reporting system called ArcSight. The primary objective is to detect and report potential malicious activities or unauthorized access attempts from within the company's network, as well as inappropriate user behavior such as accessing sensitive information or engaging in prohibited activities online during work hours.
The use cases include:
1. Prohibited website access - Monitors internet usage by employees to prevent them from accessing restricted websites that may contain malicious content or hacker tools.
2. Printing sensitive documents after hours - Tracks and reports when employees print out confidential documents outside of regular working hours, ensuring these activities are monitored.
3. Inactive User Account Detected - Identifies user accounts that have not been used for an extended period (default is 183 days) and alerts the relevant parties to either reactivate or assess whether the account should be deactivated based on company policy.
4. Privilege Account Usage - Monitors the use of privileged accounts, which are critical for security management within the organization. This includes identifying and reporting unusual usage patterns that could indicate unauthorized access or suspicious activity.
5. Email Activity/File Size - Focuses on monitoring email communications in terms of file size to detect potentially oversized attachments that might be used to transfer sensitive information.
6. Perimeter Monitoring, including High Value User VPN monitoring and Top dropped internal addresses (Firewall) - Covers surveillance of VPN and firewall logs, respectively, to identify unusual or malicious activity originating from within the organization's network perimeter.
Overall, these use cases are designed to provide detailed insights into user behavior on company resources, alerting administrators to potential security threats and unauthorized access attempts while also promoting responsible information handling practices among employees.
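Three of the account- and activity-centred rules described on this page (access attempts by closed or deleted accounts from the opening section, the 183-day inactive account check, and printing of sensitive documents after hours) reduce to comparisons against an active list or a time window. The block below is an added example, not code from the post or from ArcSight, showing those three checks over constructed records. The business-hours window (08:00 to 18:00, weekdays), the document sensitivity labels, and every account name and timestamp are assumptions; the 183-day default is the value the post cites.

```python
"""Added example (not from the original post or ArcSight): three
account/activity monitoring rules over constructed records.

  * access attempt by a closed/deleted account   (closed accounts kept in an active list)
  * inactive user account detected               (no logon for 183 days, the post's default)
  * sensitive document printed after hours       (outside a configurable business window)
"""
from datetime import datetime, time, timedelta

INACTIVITY_DAYS = 183                                   # default cited in the post
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)  # assumed business window
CLOSED_ACCOUNTS = {"tmiller", "contractor07"}           # constructed active list
SENSITIVE_LABELS = {"confidential", "restricted"}       # assumed document labels


def closed_account_access(auth_events):
    """Return authentication events whose account is on the closed list.
    Account names are compared case-insensitively; the outcome (success or
    failure) is deliberately ignored, since any attempt by a closed account
    is the signal the use case is after."""
    return [e for e in auth_events if e["account"].lower() in CLOSED_ACCOUNTS]


def inactive_accounts(last_logon, now, days=INACTIVITY_DAYS):
    """Return accounts whose most recent logon is at least `days` before `now`.

    last_logon maps account -> datetime of last successful logon. An account
    whose last logon falls exactly on the cutoff is reported as inactive."""
    cutoff = now - timedelta(days=days)
    return sorted(acct for acct, ts in last_logon.items() if ts <= cutoff)


def after_hours_sensitive_prints(print_events, start=BUSINESS_START, end=BUSINESS_END):
    """Return print jobs for labelled-sensitive documents that happened on a
    weekend or outside the [start, end) business window."""
    flagged = []
    for e in print_events:
        ts = datetime.fromisoformat(e["time"])
        is_weekend = ts.weekday() >= 5          # 5 = Saturday, 6 = Sunday
        outside_hours = not (start <= ts.time() < end)
        if (is_weekend or outside_hours) and e.get("label", "").lower() in SENSITIVE_LABELS:
            flagged.append(e)
    return flagged


# ---- constructed sample data (all values are assumptions) -------------------
NOW = datetime(2025, 4, 8, 9, 0)

SAMPLE_AUTH_EVENTS = [
    {"time": "2025-04-08T08:01:00", "account": "jdoe", "host": "SOX-ERP01", "result": "success"},
    {"time": "2025-04-08T08:05:12", "account": "TMiller", "host": "SOX-ERP01", "result": "failure"},
    {"time": "2025-04-08T08:06:40", "account": "contractor07", "host": "FIN-DC01", "result": "success"},
]

SAMPLE_LAST_LOGON = {
    "jdoe": datetime(2025, 4, 7, 17, 30),       # active
    "rlee": datetime(2024, 9, 1, 10, 0),        # 219 days ago -> inactive
    "svc_backup": datetime(2024, 10, 10, 2, 0), # 180 days ago -> still active
    "old_admin": datetime(2024, 10, 7, 9, 0),   # exactly 183 days ago -> inactive
}

SAMPLE_PRINT_EVENTS = [
    {"time": "2025-04-07T19:30:00", "user": "jdoe", "doc": "q1-ledger.pdf", "label": "confidential"},  # Monday evening
    {"time": "2025-04-07T10:15:00", "user": "jdoe", "doc": "q1-ledger.pdf", "label": "confidential"},  # business hours
    {"time": "2025-04-07T20:00:00", "user": "asmith", "doc": "menu.pdf", "label": "public"},           # not sensitive
    {"time": "2025-04-05T14:00:00", "user": "rlee", "doc": "payroll.xlsx", "label": "restricted"},     # Saturday
    {"time": "2025-04-07T08:00:00", "user": "bwong", "doc": "audit.docx", "label": "confidential"},    # window start
]

if __name__ == "__main__":
    print("closed-account access:", [e["account"] for e in closed_account_access(SAMPLE_AUTH_EVENTS)])
    print("inactive accounts:", inactive_accounts(SAMPLE_LAST_LOGON, NOW))
    print("after-hours sensitive prints:", [e["doc"] for e in after_hours_sensitive_prints(SAMPLE_PRINT_EVENTS)])
```

The inactivity check includes the boundary case on purpose: an account last seen exactly 183 days ago is reported, so the rule fires on the day the threshold is reached rather than the day after. Whatever convention is chosen, state it in the rule description so the report and the policy agree.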
This document outlines various use cases designed to address internal network issues related to unauthorized communications and improve overall user experience and performance. The main focus is on eliminating unnecessary network traffic by ensuring that only authorized systems communicate externally for specific services such as SMTP (Simple Mail Transfer Protocol), DNS (Domain Name System), NTP (Network Time Protocol), etc. Additionally, the use cases monitor peer-to-peer software usage, outbound clear-text protocol usage, and provide detailed reports on IDS (Intrusion Detection Systems) metrics, including top targeted systems, attacking systems, alerts, and worm outbreaks. The AV Metrics use case covers Anti-Virus related data to assist in identifying the most common viruses circulating within the network and their prevalence among users.
