SOX Compliance Use Cases
- Pavan Raja
- Apr 9
- 6 min read
Summary:
The document outlines several use cases for using the ArcSight solution to monitor controls related to SOX compliance, including tracking closed account activity, insecure services, default password changes, system availability, and attacks on systems. These include:
1. **Closed Account Activity**: Monitors disabled or deleted accounts for access attempts; an account that is reactivated is removed from the active list.
2. **Insecure Services (Network service Monitoring)**: Identifies use of insecure services like FTP, POP3, etc., and generates reports on systems with insecure configurations.
3. **Default Password not changed**: Monitors new accounts whose default passwords have not been updated within 2 days, tracking these until the password is changed.
4. **Monitoring System Use**: Tracks access to SOX assets including successful and unsuccessful logins/logouts and brute force activity through reports showing different data aspects.
5. **Availability of critical systems**: Monitors and ensures uptime compliance with regulations for SOX systems.
6. **Attacks and Recon targeting SOX systems**: Provides trending reports on attack and reconnaissance attempts, aiding in threat analysis and mitigation planning.
7. **Internet Usage Reporting and Monitoring**: Focuses on traffic through ports 80 (HTTP), 443 (HTTPS), 20 (FTP data transfer), and 21 (FTP control) to ensure compliance with security policies.
8. **Vulnerability Trending**: Provides reports showing trends in vulnerabilities identified on SOX assets, giving management a current status update on their vulnerability management efforts within the context of their SOX environment.
9. **User Monitoring** (ArcSight solution): Includes four specific use cases:
   - Reconnaissance from Internal Systems
   - Audit Clearing on High Value Targets (HVT)
   - Data Transfers to Competitor/Known Sharing Sites
   - Downloads from Hacker Sites
10. **Prohibited website access**: Monitors real-time internet traffic from internal users attempting to access prohibited websites using proxies.
11. **Printing sensitive documents after hours**: Identifies instances where employees print out sensitive documents outside of regular working hours, ensuring monitoring and reporting on such activities.
12. **Inactive User Account Detected**: Identifies user accounts that have been inactive for a specified period (default 183 days), including notifications for any activity from an inactive account and reports on the total number of identified inactive accounts.
13. **Privilege Account Usage**: Monitors and reports on privileged accounts, focusing specifically on those added to an active list.
14. **Account Lockouts**: Tracks failed login attempts that result in lockouts, helping identify brute-force attacks or other unauthorized access attempts targeting specific systems.
These use cases collectively aim to provide a holistic view of network activity and user behavior within the context of SOX compliance, with actionable insights for risk management and regulatory adherence.
Details:
This document outlines various use cases for customers using the ArcSight solution for monitoring controls related to SOX compliance. These include:
1. **Closed Account Activity**: Used to detect access attempts by closed or deleted accounts. Disabled or deleted accounts are tracked, and any reactivation triggers a removal from the active list. Reports list disabled accounts and login attempts.
2. **Insecure Services (Network service Monitoring)**: Identifies use of insecure services like FTP, POP3, etc., on SOX regulated systems, populating a list of systems with insecure configurations. Dashboards and reports are available for consumption.
3. **Default Password not changed**: Monitors new accounts that haven't changed their default passwords within 2 days, tracking these in an active list until the password is updated. Expiration triggers report generation based on rule events.
4. **Monitoring System Use**: Tracks access to SOX assets including successful and unsuccessful logins/logouts and brute force activity through reports showing different data aspects.
5. **Availability of critical systems**: Monitors and reports on the availability of critical SOX systems, ensuring uptime compliance with regulations.
6. **Attacks and Recon targeting SOX systems**: Provides trending reports on attack and reconnaissance attempts targeting SOX assets, aiding in threat analysis and mitigation planning.
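As an added illustration (not code from the original document or from ArcSight), the following Python replays constructed sample audit events through the two active-list patterns described in use cases 1 and 3: closed accounts stay on a list until reactivated and any login by a listed account raises an alert, while new accounts stay on a second list until the default password changes or the 2-day window lapses. Event types, field names and user names are assumed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not ArcSight output); ISO-8601 timestamps, replayed in order.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "type": "account_disabled", "user": "jdoe"},
    {"ts": "2024-03-01T09:05:00", "type": "account_created", "user": "newhire"},
    {"ts": "2024-03-01T09:10:00", "type": "account_created", "user": "contractor"},
    {"ts": "2024-03-02T08:30:00", "type": "login_failure", "user": "jdoe", "host": "fin-db01"},
    {"ts": "2024-03-02T10:00:00", "type": "account_enabled", "user": "jdoe"},
    {"ts": "2024-03-02T12:00:00", "type": "password_changed", "user": "contractor"},
    {"ts": "2024-03-03T11:00:00", "type": "login_success", "user": "jdoe", "host": "fin-db01"},
    {"ts": "2024-03-04T09:00:00", "type": "login_success", "user": "newhire", "host": "fin-app01"},
]

DEFAULT_PW_WINDOW = timedelta(days=2)   # the 2-day grace period from the use case
CLOSE_EVENTS = {"account_disabled", "account_deleted"}
LOGIN_EVENTS = {"login_success", "login_failure"}


def correlate(events):
    """Replay events in time order; return (alerts, closed_list, pending_pw_list)."""
    closed = set()        # active list 1: closed (disabled/deleted) accounts
    pending_pw = {}       # active list 2: new account -> creation time, TTL 2 days
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        now = datetime.fromisoformat(ev["ts"])
        # TTL expiry: entries older than the window fire the "not changed" rule.
        # (Event-driven, so expiry is only noticed when the next event arrives.)
        for user, created in list(pending_pw.items()):
            if now - created > DEFAULT_PW_WINDOW:
                alerts.append(("DEFAULT_PASSWORD_NOT_CHANGED", user, ev["ts"]))
                del pending_pw[user]
        kind, user = ev["type"], ev["user"]
        if kind in CLOSE_EVENTS:
            closed.add(user)
        elif kind == "account_enabled":
            closed.discard(user)            # reactivation removes it from the list
        elif kind == "account_created":
            pending_pw[user] = now
        elif kind == "password_changed":
            pending_pw.pop(user, None)      # default password updated: stop tracking
        elif kind in LOGIN_EVENTS and user in closed:
            alerts.append(("CLOSED_ACCOUNT_ACTIVITY", user, ev["host"], ev["ts"]))
    return alerts, closed, pending_pw


if __name__ == "__main__":
    for alert in correlate(EVENTS)[0]:
        print(alert)
```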
The document also outlines several use cases that deliver reports and metrics aimed at management, focused on the "threat-scape" and on improvements in security measures against attacks affecting SOX systems. Here's a summary of each use case:
1. **Internet Usage Reporting and Monitoring**: This use case involves monitoring and reporting on internet usage by employees and SOX assets, focusing particularly on traffic through ports 80 (HTTP), 443 (HTTPS), 20 (FTP data transfer), and 21 (FTP control). The goal is to ensure that such activities comply with security policies.
2. **Vulnerability Trending**: This use case provides overview reports showing the trends in vulnerabilities identified on SOX assets. It aims to give management a current status update on their vulnerability management efforts within the context of their SOX environment, allowing for informed decision-making and addressing any issues promptly.
3. **User Monitoring** (ArcSight solution): This section is dedicated to customers using the ArcSight solution for internal user monitoring. There are four specific use cases detailed here:
- **Reconnaissance from Internal Systems**: Monitors real-time reconnaissance activity within the organization, from internal sources to internal targets. It uses a combination of rules for immediate monitoring and a dashboard for viewing these activities.
- **Audit Clearing on High Value Targets (HVT)**: Monitors, notifies, and reports on clearing activity in audit logs specifically on Windows systems designated as High Value Targets (HVT). This includes both real-time monitoring and historical reporting of such actions.
- **Data Transfers to Competitor/Known Sharing Sites**: Monitors and reports on users who attempt to transfer confidential data or engage in other communication with competitors, focusing on known sharing sites. It uses rules for immediate monitoring and reports for ongoing tracking of these activities.
- **Downloads from Hacker Sites**: Monitors and reports on users accessing websites that host hacking tools, alerting to potential security threats posed by such actions. This use case also involves real-time monitoring and reporting mechanisms.
These use cases collectively aim to provide actionable insights into the organization's cybersecurity posture, identifying areas of vulnerability, tracking threat actors, and ensuring compliance with regulatory standards like SOX requirements.
The document outlines several use cases designed to enhance security measures within an organization, focusing on the detection of malicious activities and inappropriate usage of resources through detailed analysis of internet access and user behavior.
1. **Prohibited website access**: This use case involves monitoring real-time internet traffic from internal users to detect attempts at accessing prohibited websites using proxies. It provides detailed dashboards and metric reports for comprehensive analysis.
2. **Printing sensitive documents after hours**: This use case is aimed at identifying instances where employees print out sensitive documents outside of regular working hours, ensuring that such activities are monitored and reported on.
3. **Inactive User Account Detected**: This use case identifies user accounts that have been inactive for a specified period (default 183 days). It includes notifications for any activity from an inactive account and reports on the total number of identified inactive accounts.
4. **Privilege Account Usage**: This use case monitors and reports on privileged accounts, focusing specifically on those added to an active list. By tracking these accounts, it helps in maintaining a secure environment where only authorized personnel have elevated access rights.
5. **Email activity/file size**: By monitoring email activities based on file size, this use case aims to detect any unusual or excessive data being sent through emails, which could be indicative of potential security breaches or non-compliant behavior.
6. **Perimeter Monitoring** includes:
   - High Value User VPN monitoring: This involves tracking anomalous activity from high-value users accessing restricted areas via virtual private networks (VPNs), including failed access attempts and targeted attacks on these specific individuals.
   - Top dropped internal addresses (Firewall): This use case focuses on monitoring the top IP addresses that are being dropped by the firewall, which could be a sign of suspicious activity or unauthorized access attempts within the network.
Overall, these use cases provide a comprehensive approach to ensuring compliance and security across an organization's digital environment, with proactive measures in place to detect and respond to potential threats or inappropriate user behavior.
The provided text outlines various use cases focused on identifying internal network "noise" and improving overall user experience and performance through the elimination of unnecessary network traffic. These use cases include:
1. Unauthorized direct external communications for standard services: This ensures that only authorized systems communicate externally for specific services like SMTP, DNS, NTP, etc., preventing unauthorized data leakage or misuse.
2. Peer to Peer Activity: It monitors and reports on the usage of peer-to-peer software and activity to detect potential abuse or excessive traffic.
3. Outbound use of clear-text protocols: This use case identifies the internal systems using clear-text protocols for communication with external destinations, which could lead to data leakage issues.
4. Top Talkers Firewall: It provides regularly scheduled reports on the top talkers through customer firewalls, enabling identification of Internet abuse and unauthorized applications communicating externally.
5. IDS Metrics: This use case offers comprehensive reporting on Intrusion Detection System (IDS) metrics such as targeted systems, attacking systems, alerts, etc., to monitor potential security threats.
6. Worm Outbreak: It helps identify zero-day worm outbreaks through statistical and behavioral analysis of event data.
7. AV Metrics: This use case provides a reporting package centered around Anti-Virus (AV) metrics such as the top viruses found, unsuccessful definition updates, etc., to maintain antivirus software effectiveness.