Posts
ISO 27001 Certification
Prophecy International is continuously investing time and resources to meet customers’ strict requirements for internal controls over financial reporting and data protection across a variety of high regulated industries. We are pleased to announce that Prophecy International has successfully completed ISO 27001 certification for its applicationsc Snare and eMite, covering the development delivery of the environments within the organisational units of Intersect Alliance International Pty Ltd (Snare) and eMite Pty Ltd (eMite).
The certification was completed by SAI Global in Australia, covering ISO/IEC 27001:2013 for the scope of “Development and delivery of the eMite and Snare solutions as defined in the Statement of Applicability version 2.0”. Certified 22nd September 2022. Certificate number ITGOV40332.
The issuance of this certificate reaffirms our commitment to internal control and data protection. Customers may use this third party audit to assess how Prophecy International software and services can meet their compliance and data-processing needs.
Information is the lifeblood of most contemporary organisations. It provides intelligence, commercial advantage, and future plans that drive success. Most organisations store these highly prized information assets electronically. Therefore, protection of these assets from either deliberate or accidental loss, compromise or destruction is increasingly important.
ISO 27001 is a risk-based compliance framework designed to help organisations effectively manage information security.
Having an international standard for information security allows a common framework for managing security across business and across borders. With an evermore connected world, the security of information is increasing in importance.
Data and information needs to be safe, secure, and accessible. The security of information is important for personal privacy, confidentiality of financial and health information and the smooth functioning of systems and supply chains that we rely on in today’s interconnected world.
ISO 27001 provides the framework for organisatons and security teams to effectively manage risk, select security controls, and most importantly, a process to achieve, maintain and prove compliance with the standard. Adoption of ISO 27001 provides real credibility that we understand security and take security seriously.
ISO 27001 is made up of a number of short clauses, and a much longer Annex listing 14 security domains and 114 controls. The most important of the short clauses relate to:
- The organisational context and stakeholders
- Information security leadership and high-level support
- Planning of an Information Security Management System (ISMS), including risk assessment; risk treatment
- Supporting an ISMS
- Making an ISMS operational
- Reviewing the system’s performance
- Adopting an approach for corrective actions
Based on the risk profile of the organisation, controls may be selected to manage identified risks. Within the Annex, the 114 listed controls are broken down into 14 key domains which are listed below:
- Information security policies
- Organisation of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
How Snare & eMite Can Help
There is an increasing global need to enhance security, no matter the size of an organisation or the industry. One step towards securing your organisation is choosing suppliers who have not only demonstrated a commitment to security, but have the certifications to back it up. Our priority is your security – let us know how we can help!
Log collection and storage integrity is critical for both accurate real time threat detection and meeting compliance mandates (like PCI DSS, HIPAA, SOX, ISO27001, NIST, FISMA, NERC, etc), as well as current and evolving cyber industry standards for log storage and retention. Accurate forensic investigation cannot be done if critical event log data is missing or corrupt.
That is why Snare Central has introduced our new High Availability mode in Snare Central 8.4, enabling certainty of log collection even of your primary log collection and reporting server becomes unavailable. The Snare Collector/Reflector will automatically fail-over in this new HA mode, which means we are always collecting logs that are being forwarded for storage, analysis, and forensics.
Ensuring the integrity of log data is also critical if log data is needed as evidence in court – most likely in the event of a large scale breach. Being able to demonstrate integrity of collection means that if your log data is presented as evidence and is shown to have tamper protections, your organization will be less open to legal challenge.
The NIST Standard for log collection (NIST 800-92) states that:
“because logs contain records of system and network security, they need to be protected from breaches of their confidentiality and integrity”.
“Logs that are secured improperly in storage or in transit might also be susceptible to intentional and unintentional alteration and destruction. This could cause a variety of impacts, including allowing malicious activities to go unnoticed and manipulating evidence to conceal the identity of a malicious party. For example, many rootkits are specifically designed to alter logs to remove any evidence of the rootkits’ installation or execution.”
This is one of many reasons are why it is good security practice to store your logs on a system away from the system that generated the log data.
Snare has multiple layers of functionality to ensure log collection & storage integrity:
- High Availability mode – the Snare Central Collector/Reflector can operate in a fail-over mode to ensure logs continue to be collected even if the primary reflector/collector service is interrupted from a hardware, network or system failure.
- Mutual Authentication between Snare Agents and Snare Central/Reflector – using TLS Auth Agents and Snare Central are two communicating sides that exchange messages to acknowledge each other, verify each other, establish the encryption algorithms they will use and agree on session keys.
This ensures that logs are only collected from an authenticated and validated end point and are only sent to an authenticated and validated storage location.
- Snare Agent Heartbeat – The agent can send out regular heartbeats, letting the collecting device know that the agent is working without having to make contact. Agent logs are available, which allows the agent to send status messages to the collection device, such as memory usage, service start and stop messages, and any errors or warnings triggered during operations. Snare Central has a health checker that can report on when agents are not sending logs or not. Often clients will use the Agent Heartbeat feature to ensure that logs are sent to the system to ensure you know it is online and logging.
This is of higher importance for end points that do not generate high numbers of logs and may only generate events sporadically.
- Data Encryption – Snare is using the strongest publicly available encryption and hashing methods. It is using FIPS compliant cryptographic functions and TLS1.3 encryption. Certificate pinning and signing validation also helps to provide assurance that logs are encrypted in-transit to be kept private, to prevent tampering, and to ensure the encrypted session is a trusted path with no tampering or session highjacking.
- Event Log Caching – When the Snare Windows Agent is unable to connect to the storage and collection server, it maintains a bookmark of the last sent Windows log event and waits. The events aren’t cached separately by the Agent, but rather it waits until the server is ready before continuing to read the log and send more events through.
This means no extra space is taken up by Snare specifically for log events, rather that the space is used by the Windows event log with the cache size increased as required for long periods where the Agent cannot talk to the server.
Other Snare Agents for other Operating Systems (Linux/Unix etc) create a separate cache as needed.
Snare Central reflector has both memory and disk caches for helping to manage the log data collection. If a system is a priority destination and there is a network or server disruption on the destination it will cache logs locally and use a disk cache during a prolonged outage and the memory cache is insufficient. Once the system comes back online, the Snare Reflector will send the events to the destination and drain the local cache. The disk cache usage is fully configurable by the customer, so they can create a cache as large as they need based on their available disk to cover expected outage scenarios.
This helps to provide assurance that the log data will be collected and forwarded as soon as possible from as many systems as possible with minimal chance of log data being lost.
Separation of Duties
- Separation of Duties – configuration, security and log monitoring policy is controlled by the Agent and the Security Administrator and cannot be interfered with by the server admin. The Snare Agent logs can be stored on a Snare Central Server that has restricted access, and keeps the logs away from the system that generated them. Users don’t have access to these logs. Access is restricted to the defined admins who have console access. Access via the Agent UI does not allow any change access to the data on the server and can be restricted to privileged users. Once the logs are written to disk they never change and kept in a read only repository. The logs are hashed to monitor for changes to the storage locations or operating system components. The logs from the agents also have sequence numbers to make it easier to see if a log was missing and can also have additional hash details of each event embedded in the event to cover any potential of tampering with the content of the log before storage. All of these options help to provide assurance that the logs cannot be tampered with without some part of the integrity chain alerting to the fact.
“…having someone other than a system administrator review the logs for a particular system helps to provide accountability for the system administrator’s actions, including confirming that logging is enabled. NIST 800-92)”
The Snare Central server file and system checksum store capability can be downloaded to keep offline and burnt to DVD. This process helps to provide assurance that the logs have not been tampered with by an admin. These are automatically generated by the system health checker which can send email alerts for integrity failures. By keeping a copy of the hash details offline away from the system it can also help provide assurance and forensic details that the logs have not been tampered with and can be independently validated for forensic purposes if needed.
When the integrity of your security data is important (and its always important), Snare has you covered.
We’re Here to Help
We understand that security teams are under increasing pressure to enhance their organisation’s cyber security posture in the wake of many global cyber incidents. Contact your regional Snare office to ask how we can help or request a free trial to test Snare for yourself.
Creating a Secure Cyber Security Supply Chain
We all know the importance of maintaining a solid cyber security capability and maintaining a secure cyber posture. We all know the stats about malware, ransomware, cyber IP Theft, data breach fines, and compliance mandates. I don’t think there’s anyone left that does not understand that they need to be cyber secure.
One of the big questions that remains is simply this: “Who do I trust?” And this extends into the supply chain for your service providers and vendors of both software and hardware.
“All organisations should consider cyber supply chain risk management”. – The Australian Cyber Security Centre (ACSC)
The National Cyber Security Centre in the UK (NCSC) documents the type of attacks that could occur through a third party software provider, including compromise of industrial control systems on critical infrastructure.
In the US, the Federal Government has introduced the Cyber Security Maturity Model (CMMC) to mandate minimum security posture for all suppliers to government to “assess and enhance the cybersecurity posture of the Defense Industrial base. The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to ensure basic cyber hygiene as well as protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.”
Outside of government, there are still very few companies that set business standards for their suppliers or truly understand the security implications of the vendors that they might choose – especially if they are choosing based on price. Choosing an open source product written by unknown contractors in Eastern Europe or Asia may not be the best answer.
It’s a topic to take seriously and to consider in great detail when choosing who to trust to assist your organisation maintain a secure environment.
So how do I choose?
Obviously, a reasonable start is some form of certification. This could mean an ISO27001 certification, certification of compliance with the CMMC (when that becomes more available) as well as certification of the actual product.
The team at Prophecy are deep into an ISO27001 project that will see us certified to this international standard as well as preparing for CMMC certification to enable us to continue to supply the Defense sector in the United States. We have also had our software verified by a third party company that specialises in vulnerability assessment. We have used Veracode and have had both Snare Enterprise Agent and our Agent Manager attain “Verified“ level. (Read here for more information on Prophecy’s Verified status)
Linked to this is risk from open source software – particularly in relation to the tracking use of open source components as new versions become available and older components might have vulnerabilities that remain unpatched. You only need to look to the Equifax breach to see how this can be a significant challenge to manage and one that can have massive consequences. Other issues include projects that might have value now but decrease as active involvement decreases and/or a lack of visibility into who is contributing to open source projects and where they might be coming from.
Why is sovereign capability important?
In a global market with players from almost every country, it is critically important to look at capability from home as well as from those countries that have a level of integration and acceptance when it comes to cyber maturity, cooperation around defense and intelligence, as well as protections for IP and trademarks. Obviously, local companies usually have created the IP that you will be deploying in your environment and have local support in your time zone and in your language an understand the local regulatory and legal environment in which you operate. They will be there is you need them and in your legal jurisdiction if something really goes wrong.
In addition to this, sovereign capability will drive the growth of jobs and the economy – which is very important after the disruptions to the global economy due to COVID) – and potentially also drive exports. Snare software, for instance, is developed in Australia with Australian resources and we generate nearly 80% of our revenue outside Australia.
To expand this our slightly further you could then also look to those geographies that have formal alliances. Like the Five Eyes countries as an example.
The Five Eyes
The Five Eyes is an intelligence sharing alliance comprising Australia, Canada, New Zealand, The UK and the US. This is a formal agreement on intelligence sharing at an intergovernmental level and is a factor that could be considered in choosing a vendor if they are based in one of these geographies and are used by government or defense agencies in those countries.
This also shows the importance of secure supply chains as any supplier to these agencies could potentially introduce vulnerabilities that could possibly allow access into other agencies in other geographies.
If you are a trusted supplier to any of these agencies then that’s a good recommendation for the commercial world too.
Snare was developed by defense personnel for defense purposes and we have many military and defense agencies and defense suppliers using our software around the globe as Snare has been trusted for Centralised Log Management for decades.
So what do you do if you aren’t sure where your providers are headquartered or need to take steps to ensure your supply chain is trustworthy?
There’s a lot to take in here but in essence its all about trust.
Start by asking if your suppliers have the following:
- Speak my language, reside in my time zone, have developers I know and a legal framework I can work with and use?
- Are they trusted by government in my country or in countries that have a level of engagement and cooperation with my own?
- If they are an international company do they have a team in my country that is bound by our laws?
- Is the IP protected by law and do I have protections in the license to use the software?
- Can I be comfortable that I am not introducing risk by choosing a vendor when I am trying to reduce risk?
If you have questions about your supply chain or want to speak with our expert team about implementing Snare’s suite of services as a part of your trusted supply chain, reach out. We are trusted by over 4,000 companies across the globe for log management and can help you create a stronger cyber security infrastructure during a time when it is more important than ever to trust your vendors and your partners.
