SANS Critical Controls 14 and 15: Audit Logs and Controlled Access

This week we come back with our blog series on SANS 20 Critical Controls and focus on Audit Logs and Controlled Access.

Audit Logs for firewall, network devices, servers and hosts are most of the time the only way to determine whether or not the host has been compromised and the only way to control the activity of the system administrator. The logs need to be aggregated, safeguarded and correlated with other relevant security events.

Unified VRM is not a log aggregation solution. However it allows you to pour relevant and verified vulnerability information into log aggregation systems and SIEM systems to enable the correlation with intrusion detection and other log data.

Another important security control is #15 that deals with controlling access to data from people with the appropriate need to know. Information needs to be classified in terms of sensitivity and importance for the business. Sensitive information needs to be segregated in separate VLANs with appropriate firewall controls. File servers need to be appropriately protected and configured. Access permissions needs to be configured to allow people with “need to know” access to specific information. Logging of those file servers operations should be maintained and information that needs to be transmitted off to public networks needs to be encrypted. Data Leak Preventions and ACLs need to maintained to prevent sensitive information from being transmitted outside the organization.

Unified VRM can be used to verify that File Servers are appropriately patched and configured according to best practice industry standards. Furthermore, Unified VRM can help verify that firewall rules are appropriately implemented and networks are appropriately segregated via VLAN. Active Directory group policies application can be verified via Unified VRM Security Configuration Module or by performing authenticated vulnerability scans. File auditing enablement can be verified by scanning file servers and active directory servers with the configuration module.

To learn more about the Unified VRM Security Configuration Module and other modules, please visit