SIEM Requirements

From Glitchdata


Here is a common list of SIEM Collection requirements:

  • The SIEM solution must be able to discover assets, assist with assigning unique names or references to assets, and support establishing an accurate asset inventory.
  • The SIEM solution must enable the organisation to effectively treat any detected vulnerabilities.
  • The SIEM solution needs to be able to provide accurate, timely and meaningful information to enable informed and fact-based decision-making.
  • The SIEM solution needs to adhere to or support standards and policies.


SIEM requirements:

  • SIEM tool needs to be accessible to both service providers and business users
  • SIEM tool needs to provide security analytics information
  • SIEM tool needs to be able to perform correlation of events / logs
  • SIEM tool needs to be configurable and customisable to both service providers and business users
  • SIEM tool needs to allow creation of customisable alerts
  • SIEM tool needs to interface with other products including Collection solution and cloud service providers (e.g. AWS, Azure)
  • SIEM tool needs to have a minimum uptime availability per month of 99.99%
  • SIEM tool needs to integrate with identity management solutions (e.g. Azure AD)
  • SIEM needs to allow creation of customisable reports
  • SIEM tool needs the ability to ingest and process from multiple data sources
  • The solution must be able to accurately identify anomalies, vulnerabilities, non-malicious activities, threats and exposures that pose a risk to Icon Water.
  • The solution should rate risks in line with one or more risk matrices (aligning to Organisation's Risk Management Framework and Procedure)
  • The SIEM solution should be able to generate alerts in a timely manner for detected vulnerabilities, changes, anomalous access, suspicious devices and abnormal software and/or user behaviours.
  • The aggregate solution must cater for ICT environments (active scanning) and OT environments including SCADA (passive scanning).
  • The solution must have the ability to work across a range of hosted environment types (physical, virtual, cloud).
  • The solution supports a combined dashboarding and reporting capability across the wider environment.

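The correlation and customisable-alert requirements above are easiest to judge against a concrete rule. The following is an added example (not code from the Glitchdata page or from any SIEM product): a small correlation rule over constructed authentication log lines that raises an alert when a source/user pair records a configurable number of failed logins inside a time window and then succeeds. The log format, field names and thresholds are assumptions made for the example.

```python
"""Event correlation example: N failed logins followed by a success from the
same (user, source) pair within a window.  Sample log lines are constructed
for this example; the "ts user src outcome" line format is an assumption."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events (not real data).
SAMPLE_LOG = """\
2024-05-01T10:00:01 alice 10.0.0.5 FAIL
2024-05-01T10:00:05 alice 10.0.0.5 FAIL
2024-05-01T10:00:09 alice 10.0.0.5 FAIL
2024-05-01T10:00:12 alice 10.0.0.5 SUCCESS
2024-05-01T10:30:00 bob 10.0.0.9 FAIL
2024-05-01T11:30:00 bob 10.0.0.9 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|SUCCESS)$")


def parse_events(text):
    """Parse the assumed log format into dicts; malformed lines are skipped
    so one bad line does not stall ingestion."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, outcome = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "src": src, "outcome": outcome})
    return events


def correlate_bruteforce_success(events, threshold=3, window=timedelta(minutes=5)):
    """Customisable rule: at least `threshold` FAIL events for a (user, src)
    pair inside `window`, followed by a SUCCESS from the same pair, produce
    one alert.  Both knobs are what an analyst would tune per environment."""
    recent_fails = defaultdict(deque)   # (user, src) -> timestamps of failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        fails = recent_fails[key]
        # Expire failures that fell out of the sliding window.
        while fails and ev["ts"] - fails[0] > window:
            fails.popleft()
        if ev["outcome"] == "FAIL":
            fails.append(ev["ts"])
        elif len(fails) >= threshold:
            alerts.append({"rule": "bruteforce-then-success", "user": ev["user"],
                           "src": ev["src"], "failures": len(fails),
                           "at": ev["ts"].isoformat()})
            fails.clear()   # one alert per burst, not one per later success
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce_success(parse_events(SAMPLE_LOG)):
        print(alert)
```

With the defaults only alice's burst fires; widening the window to two hours and lowering the threshold to one also flags bob's single failure-then-success, which is the kind of per-site tuning the "customisable alerts" requirement is asking for.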

Detailed Requirements

  • The solution can discover assets across geographically dispersed regions, sites, and locations.
  • The solution can discover assets across networks including segmented networks.
  • The solution can discover Control Systems assets from a wide range of manufacturers, including but not limited to Siemens, Schneider Electric, Allen-Bradley / Rockwell Automation, Honeywell, Mitsubishi, Omron, Moxa, Red Lion, Kingfisher and Mox.
  • The solution can discover a wide range of devices connected to Control Systems assets, such as programmable logic controllers (PLCs) and remote terminal units (RTUs).
  • The solution supports a variety of networking protocols including but not limited to Control Systems protocol inspections such as
    • Ethernet IP (PLC, Field RIO, Electrical)
    • Modbus TCP/IP (PLC, Field RIO, Electrical)
    • OPC (SCADA WAN, SCADA LAN)
    • DNP3 (SCADA WAN, SCADA LAN)
    • Profinet (PLC, Field RIO, Electrical)
  • The solution can discover a wide range of Corporate ICT assets including but not limited to servers, desktops, networking devices and communication devices (incl. VoIP phones and multi-media devices).
  • The solution can discover assets including but not limited to servers, desktops, networking devices and communication devices in Public Cloud (including AWS, Azure).
  • The solution must discover both “real” and virtualized devices.
  • The solution allows for manually adding context information about discovered assets, such as a configurable name or ID, location details, one or more pictures.
  • The solution should detect firmware, installed software and configuration settings, such as the services and applications installed and running, version and status of patches, and open ports that are installed or available on discovered assets.
  • The solution must support both passive as well as active network scanning and asset discovery, in a manner that does not impact the proper and intended functioning of Control Systems assets and their operational processes and activities.
  • The solution can automatically discover Control Systems communication protocols and patterns, all the way down to the I/O level that runs industrial control processes.
  • The solution supports selective network scanning, that is, the solution can scan preselected IP addresses and address ranges.
  • The solution must use authentication (“administrative credentials”) to gather additional information that otherwise would be inaccessible with a standard user account.
  • The solution can establish an asset configuration inventory that contains hardware and software configuration information and keeps track of all changes to the assets in terms of Moves, Adds, and Changes.
  • The solution should provide a detailed view of logical connections of the asset environment/s.
  • There should be a single data egress point to the SIEM for data collected from all in-scope OT environment sites.
  • There should be a single data egress point to the SIEM for data collected from all in-scope ICT environment sites.
  • The solution can suggest treatment methods or corrective actions, based on the identified vulnerabilities and risk level.
  • The solution supports the automated, autonomous application of treatments and controls based on the severity and potential impact of the identified vulnerability and threat.
  • The solution utilises a workflow-based approach in applying controls and treating vulnerabilities.
  • The solution can readily integrate with other network management and security solutions such as SIEM, Microsoft Windows AD (Azure).
  • The solution supports workflows and processes across connected security applications.
  • The solution integrates with an IT Service Management system for cross-relationship of assets with a CMDB.
  • The solution can limit access time on a per connection basis.
  • The solution can produce a variety of asset reports with details such as manufacturer, firmware, installed software, patch information, protocol information, connected devices/sensors, and any interconnections between assets.
  • The solution can produce an interactive network map (such as showing the network and detected assets) that allows users to drill down into assets, device configurations and detected vulnerabilities.
  • The solution can generate a data flow map that shows in real-time the network traffic together with selectable filters/layers, such as protocols and endpoints for authorized vs. unauthorized traffic, and alerts on unauthorized data flow.
  • The solution can produce a wide range of reports, such as:
    • a baseline vulnerability report that documents the identified vulnerabilities associated with respective asset, risk rating and relevant treatment actions
    • a network map that shows the detected assets together with any identified vulnerabilities
    • abnormal user behaviour within monitored environments
    • user activity reports (such as for user access)
    • reports to measure compliance against a control framework
  • The solution can readily integrate with a capable SIEM or should be able to export collected data in a format so it can be used by SIEM.
  • The solution can support ISO 27001.
  • The solution can support IEC 62443.
  • The solution can support ISO 10007 (ISO standard that gives guidance on the use of configuration management within an organization).
  • The solution should align with Icon Water Information Security Policy.
  • The solution can support Territory Records Act 2002.
  • The solution can support Territory Records Standards for Records Management.
  • The solution can support Security of Critical Infrastructure Act (2018).
  • The solution must identify vulnerabilities and exposures against known Common Vulnerabilities and Exposures (CVEs), such as those published in the NIST National Vulnerability Database (NIST NVD) or other vulnerability repositories.
  • The solution can use authentication (“administrative credentials”) to perform a deep scan of assets to identify additional vulnerabilities that would otherwise go undetected.
  • The solution supports the prioritisation of assets so that priority assets (“critical systems”) are scanned more deeply or more often.
  • The solution must identify and report when administrative privileges are being used to access assets.
  • The solution can identify anomalies in user behaviour.
  • The solution can undertake real time access monitoring.
  • The solution must detect when internal devices are communicating to one or more systems outside of the network, such as to support an attack.
  • The solution can identify vulnerabilities and threats that are not signature-based, such as command-and-control traffic, lateral movement, and data exfiltration, and can provide contextual information as threats move across the attack chain.
  • The solution must detect abnormal and anomalous behaviours and communication patterns to determine the existence of hidden vulnerabilities.
  • The solution can track vulnerabilities over time, such as when vulnerabilities dynamically change their threat signature.
  • The solution must detect non-malicious activities such as policy violations, equipment malfunctions and misconfigurations.
  • The solution can detect unmonitored connections to external environments and the use of insecure, outdated or unauthorised protocols.
  • The solution should notify when new or updated vulnerability information (such as CVE signatures) is available, with additional information such as the sources of the updates and/or signatures, and the business relevance and need for updating.
  • The solution allows for the creation of one or more configurable risk ratings matrices for risk rating purposes, such as based on the Organisation's risk assessment and ratings matrix.
  • The solution can automatically suggest a risk rating based on the asset, the identified vulnerabilities, and potential impact of the identified vulnerabilities.
  • The solution allows for the manual override of a suggested risk rating.
  • The solution can suggest one or more control methods for identified vulnerabilities, such as based on CIS Critical Security Controls.
  • The solution supports the nomination of staff to receive alerts such as based on the type of asset, the geographical location of the asset, the detected change, severity.
  • The solution can alert nominated staff of new and existing anomalies, together with information such as name, location, type, risk level and others.
  • The solution can alert to irregular or suspicious behaviours, user access, events and other occurrences.
  • The solution enables users to access and track alerts and notifications via an easy to use, intuitive dashboard.
  • The solution can send out alerts and notifications such as through email and/or SMS.
  • The solution can provide automated voice alerts to designated phone numbers based on risk criticality of threat.
  • The SIEM should not impose a significant impact on system overhead for servers and networks.
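The risk-rating and alerting requirements above (configurable risk matrix, a suggested rating derived from the asset and its vulnerabilities, manual override of that suggestion, and nominated staff who receive alerts by asset type, location and severity) fit together as one small piece of logic. The following is an added example written for this page, not code from Glitchdata or from any SIEM vendor: the 4x4 matrix, the CVSS-to-likelihood bands, the criticality-to-impact mapping and the staff nominations are all constructed placeholders and would be replaced by the Organisation's own Risk Management Framework values.

```python
"""Configurable risk matrix with suggested rating, manual override and
alert routing to nominated staff.  Every table below is a constructed
example, not an organisation's real matrix or contact list."""
from dataclasses import dataclass
from typing import Optional

RATING_ORDER = ("Low", "Medium", "High", "Extreme")

# Example matrix: likelihood (rows) x impact (columns) -> rating.
# Replace with the Organisation's own matrix; the structure is what matters.
DEFAULT_MATRIX = {
    "rare":           {"minor": "Low",    "moderate": "Low",    "major": "Medium",  "severe": "High"},
    "possible":       {"minor": "Low",    "moderate": "Medium", "major": "High",    "severe": "High"},
    "likely":         {"minor": "Medium", "moderate": "High",   "major": "High",    "severe": "Extreme"},
    "almost_certain": {"minor": "Medium", "moderate": "High",   "major": "Extreme", "severe": "Extreme"},
}


def likelihood_from_cvss(score: float) -> str:
    """Assumed banding of a CVSS base score into the matrix's likelihood levels."""
    if score >= 9.0:
        return "almost_certain"
    if score >= 7.0:
        return "likely"
    if score >= 4.0:
        return "possible"
    return "rare"


def impact_from_criticality(criticality: int) -> str:
    """Assumed mapping of asset criticality 1 (low) .. 4 (critical system) to impact."""
    return {1: "minor", 2: "moderate", 3: "major", 4: "severe"}[criticality]


@dataclass
class Finding:
    asset: str
    asset_type: str          # e.g. "PLC", "Desktop"
    location: str            # site / region of the asset
    cvss: float              # highest CVSS score among the asset's identified CVEs
    criticality: int         # 1 .. 4, set from the asset inventory
    override: Optional[str] = None   # manually assigned rating, if an analyst set one


def suggest_rating(f: Finding, matrix=DEFAULT_MATRIX) -> str:
    """Automatic suggestion from the asset's criticality and its vulnerabilities."""
    return matrix[likelihood_from_cvss(f.cvss)][impact_from_criticality(f.criticality)]


def effective_rating(f: Finding, matrix=DEFAULT_MATRIX) -> str:
    """Manual override wins over the suggestion, but must be a known rating."""
    if f.override is not None:
        if f.override not in RATING_ORDER:
            raise ValueError(f"unknown rating {f.override!r}")
        return f.override
    return suggest_rating(f, matrix)


# Constructed nominations: who gets alerts, filtered by asset type, location and severity.
NOMINATIONS = [
    {"staff": "ot-oncall@example.invalid", "asset_type": "PLC", "min_rating": "High"},
    {"staff": "soc@example.invalid", "min_rating": "Medium"},
    {"staff": "siteb-lead@example.invalid", "location": "SiteB", "min_rating": "Low"},
]


def route_alert(f: Finding, nominations=NOMINATIONS, matrix=DEFAULT_MATRIX) -> dict:
    """Build the alert and the recipient list that the nomination rules select."""
    rating = effective_rating(f, matrix)
    recipients = []
    for n in nominations:
        if n.get("asset_type") not in (None, f.asset_type):
            continue
        if n.get("location") not in (None, f.location):
            continue
        if RATING_ORDER.index(rating) < RATING_ORDER.index(n["min_rating"]):
            continue
        recipients.append(n["staff"])
    return {"asset": f.asset, "location": f.location, "rating": rating,
            "suggested": suggest_rating(f, matrix), "recipients": recipients}


if __name__ == "__main__":
    print(route_alert(Finding("plc-01", "PLC", "SiteA", 9.8, 4)))
    print(route_alert(Finding("plc-02", "PLC", "SiteB", 9.8, 4, override="Medium")))
```

Keeping both `suggested` and `rating` in the alert record preserves the audit trail the "manual override" requirement implies: a reviewer can see that an Extreme suggestion was downgraded and by how much, rather than only the final value.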