The NIST CSF Solution Mapping

Columns: Functional area | Category | Subcategory | Product mapping (feature/capability) | Description

Each entry below gives the NIST CSF 2.0 function (functional area), category, and subcategory, followed by the Log360 feature or capability it maps to and a description of how it applies.

Govern
  Category: Organizational Context (GV.OC): The circumstances—mission, stakeholder expectations, dependencies, and legal, regulatory, and contractual requirements—surrounding the organization's cybersecurity risk management decisions are understood.
  Subcategory: GV.OC-03: Legal, regulatory, and contractual requirements regarding cybersecurity—including privacy and civil liberties obligations—are understood and managed.
  Mapped feature: Integrated compliance management
  Description: Simplify compliance management with audit-ready report templates for PCI DSS, HIPAA, FISMA, CCPA, GDPR, and more.

  Category: Oversight (GV.OV): Results of organization-wide cybersecurity risk management activities and performance are used to inform, improve, and adjust the risk management strategy.
  Subcategory: GV.OV-03: Organizational cybersecurity risk management performance is evaluated and reviewed for adjustments as needed.
  Mapped feature: Real-time AD auditing
  Description: View the risk posture of Active Directory and SQL Server, and use the assessed degree of risk to adjust the strategy.

Identify
  Category: Risk assessment (ID.RA): The cybersecurity risk to the organization, assets, and individuals is understood by the organization.
  Subcategory: ID.RA-02: Cyber threat intelligence is received from information-sharing forums and sources.
  Mapped feature: Threat intelligence
  Description: Leverage STIX/TAXII and AlienVault Open Threat Exchange (OTX) threat feeds to identify malicious IPs, domains, and URLs.

  Subcategory: ID.RA-03: Internal and external threats to the organization are identified and recorded.
  Mapped feature: UEBA, threat detection, incident response
  Description: Detect malicious software, services, and processes on endpoints and servers. Mitigate insider threats and account compromise with UEBA. Maintain a tamper-proof log archive so that log data from Windows, syslog sources, and other applications is preserved for future forensic analysis and audits. Log360's advanced threat detection and incident response (TDIR) engine, Vigil IQ, helps organizations identify, navigate, and investigate threats.

Protect
  Category: Identity management, authentication, and access control (PR.AA): Access to physical and logical assets is limited to authorized users, services, and hardware and managed commensurate with the assessed risk of unauthorized access.
  Subcategory: PR.AA-05: Access permissions, entitlements, and authorizations are defined in a policy, managed, enforced, and reviewed, and incorporate the principles of least privilege and separation of duties.
  Mapped feature: Log management, workflow execution, SOAR
  Description: Detect threats to users and devices. Monitor all successful and failed access attempts. Trigger response workflows that log off the associated user or entity.

  Category: Data security (PR.DS): Data is managed consistent with the organization's risk strategy to protect the confidentiality, integrity, and availability of information.
  Subcategory: PR.DS-01: The confidentiality, integrity, and availability of data at rest are protected.
  Mapped feature: Integrated DLP, file integrity monitoring
  Description: Avoid data exposure by blocking high-risk file copy activities to USB devices and across local and network shares. Log360 also monitors file servers by tracking and recording every copied file, auditing the clipboard for Ctrl+C and right-click copy actions.

  Subcategory: PR.DS-02: The confidentiality, integrity, and availability of data in transit are protected.
  Mapped feature: Integrated DLP, file integrity monitoring
  Description: Prevent files containing highly sensitive data from being shared as email attachments. Log360 also tracks data-sharing patterns through web apps such as SharePoint, Exchange, OneDrive, Dropbox, Box, and more, with details on who made the request, when, and from where. Use Log360 to secure data in transit by monitoring workstations, file servers, cloud applications, and more.

  Subcategory: PR.DS-10: The confidentiality, integrity, and availability of data in use are protected.
  Mapped feature: Integrated DLP, file integrity monitoring
  Description: Monitor and report on a wide range of file activities (create, delete, modify, overwrite, rename, move, read, and so on) in real time. Gather details on browser-based file activity, such as upload and download actions by employees. Log360 also classifies files by sensitivity (public, private, confidential, or restricted) to help secure at-risk confidential files.

  Category: Platform security (PR.PS): The hardware, software (e.g., firmware, operating systems, applications), and services of physical and virtual platforms are managed consistent with the organization's risk strategy to protect their confidentiality, integrity, and availability.
  Subcategory: PR.PS-04: Log records are generated and made available for continuous monitoring.
  Mapped feature: Log management
  Description: Collect logs from servers, network devices, firewalls, and other devices, and encrypt the log data for future forensic analysis, compliance, and internal audits. Log360 automatically discovers the Windows and syslog devices on your network and ingests their log data. Custom log parsing, real-time analytics, secure log archival, and automated workflows round out the log management capability.

  Subcategory: PR.PS-05: Installation and execution of unauthorized software are prevented.
  Mapped feature: SOAR, CASB
  Description: Log360 combines agent-based and agentless log collection so that no entity or abnormal behavior goes unnoticed. UEBA provides insight into unauthorized or abnormal software installations and executions within your network.

  Category: Technology infrastructure resilience (PR.IR): Security architectures are managed with the organization's risk strategy to protect asset confidentiality, integrity, and availability, and organizational resilience.
  Subcategory: PR.IR-01: Networks and environments are protected from unauthorized logical access and usage.
  Mapped feature: UEBA, SOAR, CASB
  Description: Log360 tracks malicious IP addresses attempting to reach your organization's vital resources and helps analyze users who access unsafe or banned websites, supporting both detection and mitigation of cyberattacks. It also provides insight into attack techniques, IP reputation scores, and the geolocations of hostile actors trying to infiltrate your network.

Detect
  Category: Continuous monitoring (DE.CM): Assets are monitored to find anomalies, indicators of compromise, and other potentially adverse events.
  Subcategory: DE.CM-01: Networks and network services are monitored to find potentially adverse events.
  Mapped feature: Log and data management
  Description: Gain insight into security incidents by collecting and monitoring extensive audit data from servers, firewalls, applications, and endpoints.

  Subcategory: DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events.
  Mapped feature: Log and data management, UEBA
  Description: Group users based on their behavior and establish a baseline for each group. Use the baseline as a reference to flag deviations as anomalies and raise alerts. Monitor privileged user activity, data access, and network access, and receive real-time alerts for incidents.

  Subcategory: DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
  Mapped feature: Log and data management
  Description: Gain insight into security incidents by collecting and monitoring extensive audit data from servers, firewalls, applications, and endpoints.

  Category: Adverse event analysis (DE.AE): Anomalies, indicators of compromise, and other potentially adverse events are analyzed to characterize the events and detect cybersecurity incidents.
  Subcategory: DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.
  Mapped feature: Rule-based real-time correlation
  Description: Collect and analyze event logs from the endpoints, servers, network devices, and firewalls in your environment to spot security threats. Analyze and correlate logs with visual dashboards to discover security incidents, attacks, and suspicious or malicious user behavior.

  Subcategory: DE.AE-04: The estimated impact and scope of adverse events are understood.
  Mapped feature: Forensic analysis
  Description: Understand the impact of incidents by conducting post-attack analysis, and identify patterns to stop attacks through log forensics.

  Subcategory: DE.AE-06: Information on adverse events is provided to authorized staff and tools.
  Mapped feature: SOAR
  Description: Gain meaningful security context from collected log data to identify security events quickly, and streamline incident management by integrating with external ticketing tools.

  Subcategory: DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis.
  Mapped feature: Threat intelligence
  Description: Leverage STIX/TAXII and AlienVault OTX threat feeds to identify malicious IPs, domains, and URLs.

  Subcategory: DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria.
  Mapped feature: Smart threshold, rule-based real-time correlation
  Description: Configure alert thresholds by choosing the number of anomalies, the interval, and the time range that together trigger an alert.

Respond
  Category: Incident management (RS.MA): Responses to detected cybersecurity incidents are managed.
  Subcategory: RS.MA-01: The incident response plan is executed in coordination with relevant third parties once an incident is declared.
  Mapped feature: SOAR
  Description: Automate and accelerate threat response through standard workflows, and streamline incident management by integrating with ticketing tools.

  Subcategory: RS.MA-02: Incident reports are triaged and validated.
  Mapped feature: Forensic analysis
  Description: Mitigate internal and external threats by collecting and analyzing real-time data from all critical resources. Conduct forensic analysis by identifying network and system anomalies.

  Subcategory: RS.MA-03: Incidents are categorized and prioritized.
  Mapped feature: Signature-based: MITRE ATT&CK
  Description: Prioritize threats that occur earlier in the attack chain by using the MITRE ATT&CK framework in Log360.

  Subcategory: RS.MA-04: Incidents are escalated or elevated as needed.
  Mapped feature: SOAR, orchestration
  Description: Automate and accelerate threat response through standard workflows, and streamline incident management by integrating with ticketing tools.

  Category: Incident analysis (RS.AN): Investigations are conducted to ensure effective response and support forensics and recovery activities.
  Subcategory: RS.AN-03: Analysis is performed to establish what has taken place during an incident and the root cause of the incident.
  Mapped feature: Forensic analysis
  Description: Understand the impact of incidents by conducting post-attack analysis, and identify patterns to stop attacks through log forensics.

  Subcategory: RS.AN-06: Actions performed during an investigation are recorded, and the records' integrity and provenance are preserved.
  Mapped feature: Secure log archival
  Description: Tamper-proof log archive files ensure that log data is secured for future forensic analysis, compliance, and internal audits.

  Subcategory: RS.AN-07: Incident data and metadata are collected, and their integrity and provenance are preserved.
  Mapped feature: Log and data management
  Description: Mitigate internal and external threats by collecting and analyzing real-time data from all critical resources.

  Category: Incident response reporting and communication (RS.CO): Response activities are coordinated with internal and external stakeholders as required by laws, regulations, or policies.
  Subcategory: RS.CO-02: Internal and external stakeholders are notified of incidents.
  Mapped feature: Rule-based real-time correlation, SOAR
  Description: Correlate log data to detect attack patterns, conduct root cause analysis, and send immediate notifications automatically via email and SMS.

  Category: Incident mitigation (RS.MI): Activities are performed to prevent expansion of an event and mitigate its effects.
  Subcategory: RS.MI-01: Incidents are contained.
  Mapped feature: SOAR
  Description: Automate incident response and create incident workflows triggered by alerts. Reduce the mean time to detect (MTTD) and the mean time to resolve (MTTR) by detecting, categorizing, analyzing, and resolving incidents accurately from a centralized console.

Recover
  Category: Incident recovery plan execution (RC.RP): Restoration activities are performed to ensure operational availability of systems and services affected by cybersecurity incidents.
  Subcategory: RC.RP-01: The recovery portion of the incident response plan is executed once initiated from the incident response process.
  Mapped feature: SOAR
  Description: Terminate or start processes, change firewall rules, and make AD changes automatically after an incident to enable recovery.
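The DE.CM-03 and DE.AE-08 entries above describe a two-step technique: baseline users against their peer group and flag deviations, then declare an incident only when a configured number of anomalies falls inside a time window. The following is an added worked example of that technique in Python; it is generic illustration code, not Log360's UEBA or Smart Threshold implementation, and the audit events, user names, group names, and thresholds are all constructed for the demonstration.

```python
"""Peer-group baselining with threshold-based alerting over audit events.

Added illustration of the approach described for DE.CM-03 and DE.AE-08:
group users, baseline each group's behaviour, flag deviations as anomalies,
and raise an alert only once a configured number of anomalies occurs inside
a time window.  Generic example code, not Log360's implementation; the audit
events below are constructed for the demonstration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Event:
    day: int      # day index inside the observation window
    user: str
    group: str    # peer group the user is baselined against
    action: str   # audited action, e.g. "file_read"


def daily_counts(events, action):
    """Number of `action` events per (user, day)."""
    counts = defaultdict(int)
    for e in events:
        if e.action == action:
            counts[(e.user, e.day)] += 1
    return counts


def group_baselines(events, action, training_days):
    """Mean and population stddev of per-user daily counts for each group,
    computed only from the training window so scored days cannot skew it."""
    counts = daily_counts([e for e in events if e.day in training_days], action)
    users_by_group = defaultdict(set)
    for e in events:
        users_by_group[e.group].add(e.user)
    baselines = {}
    for group, users in users_by_group.items():
        samples = [counts.get((u, d), 0) for u in users for d in training_days]
        baselines[group] = (mean(samples), pstdev(samples))
    return baselines


def find_anomalies(events, action, baselines, scoring_days, sigma=3.0, floor=1.0):
    """(user, day, count) triples whose count exceeds the peer group's mean by
    more than `sigma` standard deviations.  `floor` stops a near-zero stddev
    from turning ordinary fluctuation into anomalies."""
    counts = daily_counts([e for e in events if e.day in scoring_days], action)
    group_of = {e.user: e.group for e in events}
    found = []
    for (user, day), n in sorted(counts.items()):
        mu, sd = baselines[group_of[user]]
        if n > mu + sigma * max(sd, floor):
            found.append((user, day, n))
    return found


def raise_alerts(anomaly_list, min_anomalies, window_days):
    """One alert per user with at least `min_anomalies` anomalous days inside
    a sliding window of `window_days` days (the threshold step)."""
    days_by_user = defaultdict(list)
    for user, day, _ in anomaly_list:
        days_by_user[user].append(day)
    alerts = {}
    for user, days in days_by_user.items():
        days.sort()
        for i, start in enumerate(days):
            window = [d for d in days[i:] if d - start < window_days]
            if len(window) >= min_anomalies:
                alerts[user] = window
                break
    return alerts


def build_sample_events():
    """Constructed audit trail: finance users read 4-6 files/day, engineering
    users 18-22/day.  alice (finance) jumps to 40/day on days 11-13; carol
    has a single spike of 30 on day 10."""
    events = []
    for day in range(15):
        for i, user in enumerate(("alice", "bob", "carol")):
            n = 4 + (day + i) % 3
            if user == "alice" and day in (11, 12, 13):
                n = 40
            if user == "carol" and day == 10:
                n = 30
            events += [Event(day, user, "finance", "file_read")] * n
        for i, user in enumerate(("dave", "erin")):
            n = 18 + (day + i) % 5
            events += [Event(day, user, "engineering", "file_read")] * n
    return events


def run_example():
    """Days 0-9 train the baselines; days 10-14 are scored."""
    events = build_sample_events()
    training, scoring = range(0, 10), range(10, 15)
    baselines = group_baselines(events, "file_read", training)
    found = find_anomalies(events, "file_read", baselines, scoring)
    alerts = raise_alerts(found, min_anomalies=3, window_days=5)
    return baselines, found, alerts


if __name__ == "__main__":
    baselines, found, alerts = run_example()
    for group, (mu, sd) in baselines.items():
        print(f"{group}: mean={mu:.1f} stddev={sd:.2f}")
    print("anomalies:", found)
    print("alerts:", alerts)
```

The grouping is what keeps the engineering users, whose 20 reads a day would be three standard deviations above the finance baseline, from being flagged, and the threshold step is what separates carol's one-day spike (an anomaly, but no alert) from alice's sustained pattern (three anomalous days in a five-day window, one alert).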
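Several entries (ID.RA-03, PR.PS-04, RS.AN-06) rely on a "tamper-proof" log archive. The page does not say how Log360 protects its archive files, so the following added example shows the standard way to get that property in a form a practitioner can verify: each archived line is bound to the previous line's tag with HMAC-SHA256 under a key held outside the archive. It is generic illustration code, not Log360's archive format; the key, the syslog-style lines, and the manipulations are constructed for the demonstration. An archive built this way is strictly tamper-evident: edits and deletions are detected, but silently dropping the newest records is only detected if the head tag is stored out of band, which the example demonstrates.

```python
"""Tamper-evident log archive as an HMAC chain.

Added illustration of what a tamper-proof (more precisely, tamper-evident)
archive of the kind referenced under ID.RA-03 and RS.AN-06 has to provide.
Generic example, not Log360's archive format: each archived line is bound to
the previous line's tag with HMAC-SHA256 under a key kept outside the
archive, so an attacker who can rewrite the archive file but lacks the key
cannot re-seal it.  The key and log lines are constructed for the example.
"""
import hashlib
import hmac

GENESIS = b"\x00" * 32                                   # tag the first record chains to
ARCHIVE_KEY = b"example-key-held-outside-the-archive"    # assumption for the demo

SAMPLE_LINES = [                                         # constructed syslog-style records
    "Mar  3 10:12:01 fs01 sshd[4123]: Accepted publickey for alice from 10.0.4.17",
    "Mar  3 10:14:37 fs01 sudo: alice : COMMAND=/usr/bin/systemctl stop auditd",
    "Mar  3 10:15:02 fs01 sshd[4123]: Disconnected from user alice 10.0.4.17",
]


def _tag(key, prev_tag, line):
    return hmac.new(key, prev_tag + line.encode("utf-8"), hashlib.sha256).digest()


def seal_archive(lines, key):
    """Return ([(line, tag), ...], head_tag).  The head tag should be stored
    out of band (another system, a WORM store, a printed audit log) so that
    truncation of the archive can be detected later."""
    chain, prev = [], GENESIS
    for line in lines:
        prev = _tag(key, prev, line)
        chain.append((line, prev))
    return chain, prev


def verify_archive(chain, key, expected_head=None):
    """'ok' if every tag recomputes and (when given) the head matches;
    otherwise a string naming the first problem found."""
    prev = GENESIS
    for i, (line, tag) in enumerate(chain):
        if not hmac.compare_digest(_tag(key, prev, line), tag):
            return f"record {i} altered or missing predecessor"
        prev = tag
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return "head mismatch: archive truncated or records appended"
    return "ok"


def demo():
    """Seal the constructed lines, then try three manipulations."""
    chain, head = seal_archive(SAMPLE_LINES, ARCHIVE_KEY)
    results = {"intact": verify_archive(chain, ARCHIVE_KEY, head)}

    # 1. Edit record 1 in place (attacker hides the auditd stop).
    edited = list(chain)
    edited[1] = (edited[1][0].replace("stop auditd", "status auditd"), edited[1][1])
    results["edited"] = verify_archive(edited, ARCHIVE_KEY, head)

    # 2. Delete record 1: record 2's tag no longer chains to record 0.
    results["deleted"] = verify_archive(chain[:1] + chain[2:], ARCHIVE_KEY, head)

    # 3. Drop the newest record: undetectable without the out-of-band head.
    results["truncated_no_head"] = verify_archive(chain[:-1], ARCHIVE_KEY)
    results["truncated_with_head"] = verify_archive(chain[:-1], ARCHIVE_KEY, head)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:>20}: {verdict}")
```

When evaluating any archive that is described as tamper-proof, the questions this example makes concrete are where the key (or signing material) lives relative to the archive, and where the head of the chain is recorded, since an attacker with both can re-seal whatever they like.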
 