Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

ISO/IEC27000: Change Control Management

by Megan Daudelin
June 20, 2016

ISO/IEC27000 Change Control Management Dashboard Screenshot

As changes to devices, policies, files, and folders occur on a daily basis, many organizations often lose track of changes that can leave a network vulnerable to attack. The smallest change can lead to system outages, data loss, and can add unwanted security risks and increased costs for an organization. The ISO/IEC27000 Change Control Management dashboard can assist the organization in monitoring device, software, and network change control events.

The ISO/IEC 27002:2013 framework is a global security standard that provides best practice solutions in support of the controls found in Annex A of ISO/IEC 27001:2013. The framework establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management systems (ISMS). Each of the security controls and objectives provided within the standard can be tailored to specific business and regulatory objectives and assist with maintaining overall compliance. This dashboard focuses on the ISO/IEC 27002 12.1.2 and 12.5.1 controls that will identify any change control or configuration events on a network.

Proper change control management allows organizations to be aware of changes in their environment, understand potential impacts, and achieve business goals without unnecessary delay. Both authorized and unauthorized changes to a network device, software, file, or folder can impact user access to systems and result in loss of integrity. Without change control procedures in place, changes can be made without management’s knowledge, formal risk assessment, or approval.

The components in this dashboard provide a comprehensive view of change events using the Log Correlation Engine (LCE). LCE provides information on normalized events for device changes, software modifications, file and directory changes, and statistical indicators. Statistical event indicators use keywords to identify normalized event logs that the analyst should review further, including service changes, user activity, and suspicious activity. Changes on network devices will provide the analyst with targeted information, which can be used to strengthen change control management procedures.

The dashboard and its components are available in the Tenable.sc Feed, a comprehensive collection of dashboards, reports, Assurance Report Cards, and assets. The dashboard can be easily located in the Tenable.sc Feed under the category Compliance & Configuration Assessment. The dashboard requirements are:

  • Tenable.sc 5.3.1
  • LCE 6.0.0

Tenable provides continuous network monitoring to identify vulnerabilities, reduce risk and ensure compliance. Our family of products includes Tenable.sc Continuous View (CV), Nessus, NNM and LCE. Tenable.sc CV performs log normalization from hundreds of unique data sources. LCE performs automatic discovery of users, infrastructure, and vulnerabilities across more technologies than any other vendor including operating systems, network devices, hypervisors, databases, tablets, phones, web servers and critical infrastructure.

This dashboard contains the following components:

  • Daily Usage Summary - Configuration Changes: This component collects the top 10 configuration changes. Adding a new user account into Windows, changing a firewall rule, or installing new software may generate these events. Networks are always evolving and constantly require changes. Tenable.sc Continuous View (Tenable.sc CV) customers can detect these changes by monitoring LCE and syslog events. NNM can alert in real-time when new hosts are discovered. This component refreshes hourly and should be monitored throughout the workday.
  • ASD Top 4 Mitigation Strategies - Software Modification Events: This component provides an indicator for file changes or modification events collected from systems with LCE Clients installed, or from systems where syslogs are collected. For each indicator, when a pattern match is found, the indicator will turn purple. Some of the event indicators in the matrix are application changes, a Windows executable file has changed, and UNIX library file changes. The indicators of this component provide system administrators with a central location to monitor for authorized or unauthorized software execution, installation, or changes. Regardless of if the software is downloaded from the internet or a USB drive, LCE Client software can log the application events. When configured appropriately, whitelisting can help prevent unauthorized intruders from modifying or adding software to secure servers or workstations.
  • File Integrity Monitoring - File and Directory Change Event Details - Past 7 Days: The File and Directory Change Event Details – Past 7 Days table lists the events related to file changes detected in the past 7 days by count. This table uses the Normalized Event Summary tool and filters based on the keyword “File” and the “detected-change” type. The data in this table can be useful in determining the most common file change events and where they originate.
  • Stats Summary - Stats Indicators: This dashboard component shows the 40 different types of anomalies that the statistics daemon monitors. If there is one or more events for each of the anomalies monitored, it will be indicated in this component.
  • CSF - Network Changes: This component displays a list of network changes over the last 72 hours. There are several normalized event types presented that detect changes from servers, database, and infrastructure devices. Many of these detected changes are additions to the network, such as new hosts, new software, policy and security settings changes, and new open ports. Any new additions or changes should be investigated to determine if they are authorized. To obtain additional information, the analyst can click on any of the normalized events.
  • CSF - Top Detected Changes (Last 72 Hours): This table displays the top change events detected on the network in the last 72 hours. The table is sorted so that the changes detected most often are at the top. This table can be used by an analyst to investigate recent network changes and determine if they are appropriate and authorized. Clicking on the Browse Component Data icon will bring up the event analysis screen to display all of the detected change events and allow further investigation. In the analysis screen, clicking on a particular event will display all occurrences of that event. Setting the tool to IP Summary will display the systems on which the events occurred. Setting the tool to Raw Syslog will display the raw syslog of the events, which can give more details.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Formerly Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Formerly Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training