Presentation to Nov 2015 "Chicago Security Intelligence with SIEM" meetup. Overview of SIEM as part of Continuous Monitoring in the NIST CyberSecurity framework.

1. © 2014 Cognizant1
FISMA – How does SIEM fit in?
Bernie Leung, CISSP,
SOC Lead, Architect
takming.leung@cognizant.com
leung.bernie@gmail.com

2. © 2014 Cognizant2
Definitions
EGov Act 2002 –Title III is the law that enacted FISMA
FISMA is part of this law to ensure security for computer systems (H/W, S/W and
operations). NIST is called upon to created the standards.
NIST SP800-xxx are the standards. In particular SP800-53 specifies the various
security controls.
NIST Risk Management Framework addresses the security controls according to:
• Identify
• Protect
• Detect
• Respond
• Recover
FIPS addresses the requirement and process that a federal computer system can be
operated.
FIPS 199 - Classification of system impact
FIPS 200 – Application of NIST to system according to FIP 199 classification
Circular A130 re-affirms the NIST Risk Management Framework – an operations
view of the NIST SP800-53.
.

3. © 2014 Cognizant3
Federal and Regulatory Requirement Flow Down
Requirement
How it applies to Cognizant US
SOC
Considerations Outcome
FISMA –
Federal
Information
Security
Management Act
- Applies to US government
agencies and contractors
- Relies on NIST
- Is client a Federal agency or
contractor?
- SOC must comply with NIST
Cognizant Confidential and Internal Use only
FedRAMP -
Federal Risk
Operation and
Mangement
Program
- Applies to Cloud Service
Providers to US Government
Agencies
- Based on certified 3rd part
accreditation
- Even though contractor is not a
Federal agency, it provides servive
to Federal agencies
- SOC should comply with
FedRAMP requirements.
Data Governance
- Applies to data storage, retention
periods, eDiscovery and legal
hold.
- SOC is the guardian of
configuration data.
- International law complicates data
stored outside of US.
- Data will reside within US
border.

4. © 2014 Cognizant4
SIEM Can Not operate as an Island!

5. © 2014 Cognizant5
People, Process, Technology

6. © 2014 Cognizant6
SIEM  Technology

7. © 2014 Cognizant7
Process

8. © 2014 Cognizant8
NIST Risk Management Framework

9. © 2014 Cognizant9
Step 1 Categorization
FIPS 199
NIST SP800-60

10. © 2014 Cognizant10
Step 2 & 3 - Security Controls

11. © 2014 Cognizant11
Step 6 Monitoring

12. © 2014 Cognizant12
Information Security Continuous Monitoring

13. © 2014 Cognizant13
ISCM and Security Automation

14. © 2014 Cognizant14
CAESARS block architecture

15. © 2014 Cognizant15

16. © 2014 Cognizant16
References
NIST Special Publication 800-xxx
http://csrc.nist.gov/publications/PubsSPs.html
NIST FIPS-199
http://csrc.nist.gov/publications/PubsSPs.html
CAESARS reference architecture
http://scap.nist.gov/events/2012/itsac/presentations/day3
/5Oct_330pm_Sell.pdf
NIST CyberSecurity Framework Reference Tool
http://www.nist.gov/cyberframework/csf_reference_tool.c
fm.