
The application must support the option of adding two-factor authentication with the system (Active Directory) using the LDAP protocol


Submitted by   •  27 September 2015  •  Practice exercises or problems  •  1,256 words (6 pages)  •  132 views


Application Features

Authentication

Two-factor authentication

The application must support the option of adding two-factor authentication with the system (Active Directory) using the LDAP protocol.

The application must support the option of adding two-factor authentication with the system (RSA SecurID tokens) using the RADIUS protocol.

User groups / profiles

The application must manage user groups / profiles; the group / profile grants access rights to specific application options and handles the division of tasks (segregation of duties).

WEB Services

Application web services must run over a secure protocol (HTTPS).

System Performance

Dashboard review: device activity

Data Server

NIC Server Activity

Event Storage Disk Usage

App Server

Web Server Activity

Analysis Disk Storage

 

Device Discovery

Automatic device discovery and rediscovery

Force an UNKNOWN device to be recognized and store its logs to tables

Manage Monitored Devices

Manage Unmonitored Devices

Group Creation

Creation of groups of devices with a common OS and DB, and creation of mixed groups

Manage Device Group Filters

Manage Output Actions

Tests of the different types of actions taken when a finding is detected

Text File

SNMP

SMTP

AIM

Syslog

Run Command

SNPP

Event Viewer

Queries on different event types and graphs over a period of time

Events - Message View (event search)

Graph View (event graphs)

Events by Event Type

Event Types by Time

Alarm Generation

Creation of alarms on specific events and sending of alerts via SMTP

Manage Views

Import/Export Views

Report Generation

Creation of reports using unified tables and variable fields

Creation of queries using several SQL statements on specific attributes; tests on different tables

Report Scheduling

Report scheduling: sending a notification, and a notification with the report attached

Manage Scheduled Reports

Schedule Reports

Collection Types

Tests of the different collection types

ODBC

Syslog

File Reader

Windows

Report Management

Copying and modifying reports

Managing and modifying folders

Manage Folders

Features

Feature

Description

Functional Requirements

 

Capability to integrate into the existing IT architecture

A SIEM solution usually contains several components (log collectors, log storage, log correlation etc.) which can be centralised or geographically dispersed. We recommend analysing if the architecture of the potential SIEM solutions aligns with Millicom’s existing and future infrastructure architecture and the impact of this on the TCO. E.g. with several distributed data centres it might not be cost efficient to send all event data across (expensive) WAN links.

Total collection of all raw logs for use in real-time monitoring, proving compliance, & forensic analysis.

All computers used by staff working for Tigo are required to authenticate to the domain.

Significant log data compression (up to 75%), minimizing storage costs & maximizing access & analysis.

Prevent switches, hubs or access points from being connected to a network point to create LAN extensions.

Have a high availability scheme

 

Easy deployment & management.

Determine, at the switch-port level, any attempt to access the network.

Broader event source support for better visibility into the IT infrastructure, as well as the ability to "do it yourself."

It is very important that the solution is able to collect, process, correlate & report on events from key/critical security solutions within Millicom’s ICT infrastructure. Critical solutions are usually firewalls, anti-malware, IDS/IPS, WAFs, database monitoring, identity management & access control. We recommend making a product list of such solutions (currently used and future) and evaluating the degree of out-of-the-box integration. E.g. it is key that your SIEM has extensive reporting on your firewall product events.
This will ensure:
- Faster acceptance by your technical teams
- Fewer additional “satellite” systems are installed

Able to add new event sources without having to go back to the vendor or to write custom APIs.

Several vendors also offer wizards to create custom APIs for event sources yourself. The availability and ease of use of such wizards should also be evaluated.

Establishes Baselines, a standard by which user activity is tracked & anomalous behavior is detected.

It must extend network control to tablets and smartphones.

Correlated Alerts. Packaged alerts provide better security via correlation of log events & other information such as assets. Automated kick-off of remediation workflow alerts based on user role.

Defining event correlation in a SIEM can be very time consuming. Therefore we also recommend analysing:
- The number of out-of-the-box event correlations the solution offers
- The ease of creating custom correlations
- To what extent custom correlations stay intact when product upgrades are installed
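As an added illustration of what a packaged correlation rule actually does (this is example code written for this page, not code from the page or from any SIEM product), the block below runs a constructed "several failed logons followed by a success from the same source on the same host within a time window" rule over constructed sample events and ranks each hit by the asset's criticality from a constructed inventory. The host names, IP addresses, log format, threshold and window are all assumptions.

```python
"""Minimal event-correlation example (added illustration, not from the page
or any SIEM product): alert when one source IP produces at least THRESHOLD
failed logons followed by a successful logon on a host within WINDOW, and
rank the alert by the asset's criticality.

All log lines and the asset inventory below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical hostnames and criticality levels).
ASSETS = {
    "db01": "critical",
    "web01": "medium",
    "wks17": "low",
}

THRESHOLD = 3                 # failed logons needed before a success is suspicious
WINDOW = timedelta(minutes=5) # failures older than this are ignored


def parse_event(line):
    """Parse one constructed log line: '<ISO ts> <host> <src_ip> <LOGON_OK|LOGON_FAIL> <user>'."""
    ts, host, src, outcome, user = line.split()
    return {"ts": datetime.fromisoformat(ts), "host": host, "src": src,
            "outcome": outcome, "user": user}


def correlate(lines):
    """Return a list of alerts: {'host', 'src', 'user', 'failures', 'severity'}."""
    alerts = []
    failures = defaultdict(list)  # (host, src) -> timestamps of failed logons
    for ev in (parse_event(line) for line in lines):
        key = (ev["host"], ev["src"])
        if ev["outcome"] == "LOGON_FAIL":
            failures[key].append(ev["ts"])
            continue
        if ev["outcome"] != "LOGON_OK":
            continue
        # Only failures inside the window before this success count.
        recent = [t for t in failures[key] if ev["ts"] - t <= WINDOW]
        if len(recent) >= THRESHOLD:
            alerts.append({
                "host": ev["host"], "src": ev["src"], "user": ev["user"],
                "failures": len(recent),
                # Enrichment with asset data: the same rule hit is ranked
                # higher on a critical asset than on a workstation.
                "severity": ASSETS.get(ev["host"], "unknown"),
            })
        failures[key] = []  # a success resets the counter for this pair
    return alerts


# Constructed sample events: brute force then success on db01 (should alert);
# a benign single failure then success on wks17 (no alert); three failures on
# web01 that fall outside the window before the success (no alert).
SAMPLE_LOG = [
    "2015-09-27T10:00:01 db01 10.0.0.5 LOGON_FAIL admin",
    "2015-09-27T10:00:05 db01 10.0.0.5 LOGON_FAIL admin",
    "2015-09-27T10:00:09 db01 10.0.0.5 LOGON_FAIL admin",
    "2015-09-27T10:00:12 db01 10.0.0.5 LOGON_OK admin",
    "2015-09-27T10:01:00 wks17 10.0.0.7 LOGON_FAIL alice",
    "2015-09-27T10:01:03 wks17 10.0.0.7 LOGON_OK alice",
    "2015-09-27T09:50:00 web01 10.0.0.9 LOGON_FAIL bob",
    "2015-09-27T09:50:30 web01 10.0.0.9 LOGON_FAIL bob",
    "2015-09-27T09:51:00 web01 10.0.0.9 LOGON_FAIL bob",
    "2015-09-27T10:02:00 web01 10.0.0.9 LOGON_OK bob",
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_LOG):
        # In a deployment this line would be handed to the SMTP/syslog output action.
        print(f"[{a['severity'].upper()}] {a['failures']} failed logons then success "
              f"for {a['user']} on {a['host']} from {a['src']}")
```

Even this small rule shows the three evaluation points listed above: the window and threshold are the parts a vendor ships "out of the box", the asset lookup is the part you would customize, and a product upgrade that changes the event field names would silently break the `parse_event` step, which is why custom correlations need to be re-tested after upgrades.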

Profiling of assets & matching against the National Vulnerability Database to help mitigate risk, minimize false positives, & prioritize high-risk assets.

A SIEM can usually obtain such information by integrating it with a vulnerability management solution like Nessus, Qualys, etc.

Customized Reports. Comprehensive reports for Sarbanes-Oxley, PCI, HIPAA, & other government & industry regulations as well as frameworks including ISO 27002.

Easy identification of incidents and, where possible, notification by generating an e-mail.

Forensics & Security. Maintains chain of custody for all log data, allowing for complete & proper investigation procedures to be met.

Not all network nodes can have switches that operate under 802.1X, but they should still be monitored.

Incident Management. Assessment of productivity metrics such as departmental workload, open incidents, time to closure, etc.

The embedded incident management function of a SIEM is usually rather limited, and additional SIEM user licenses might be required for each ‘incident handler’. We recommend analysing the integration capabilities of the SIEM with other IT Service Management products (e.g. via web services, email, APIs).

Real-time Analysis & Event Explorer. Timely alerts, direct monitoring capabilities & beginning-to-end incident management & remediation.

It must not require major changes to the existing infrastructure.

Correlated Alerts. Automated kick-off of remediation workflow alerts based on user role, allowing for faster resolution to alerted incidents.

 

Faster resolution for incidents, as well as direct access to real-time events.

 

Log collection scalability:

It is recommended to implement a SIEM in a phased approach, gradually adding more event source types and correlations. As such it is key that the selected solution is scalable to accommodate future capacity requirements without major hardware and/or software changes.

The solution must support the incorporation of the entire universe of operating systems, network devices, databases and applications deployed in the organization.

 

Role based access capabilities

Is it possible to set up granular access on the SIEM solution based on a user’s role and/or business unit?
Several technical teams usually require access to a SIEM solution for reporting and investigation purposes. Therefore the solution must be capable of providing and restricting access by type (read/write/modify), event source type (OS, database, network devices, security devices), event source owner (by business unit, country, etc.) and user role (security, administrator, internal audit, external audit, management, etc.).

Security of the solution itself

Security logs can be sensitive and should be collected and stored tamper-proof. Therefore the solution itself should be properly secured. There are two main aspects to assess:
1) The security of log collection
A log management and SIEM solution is usually centrally positioned in a data centre with various communication flows across security zones and firewalls. As such the solution must be capable of protecting these communication flows and their related interfaces (e.g. the use of SFTP to collect logs instead of FTP).
2) The security of the solution platform(s)
What OS does the solution run on? Is the OS hardened? How often does the vendor supply patches for the OS and for third-party software (e.g. Java)? Can an anti-virus be installed? Are the logs encrypted? Have any security incidents or exploits been reported in the past for this solution? Etc.
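One concrete way to obtain the "stored tamper-proof" property asked for here (and the chain of custody mentioned under Forensics & Security above), as an added example that is not the page's own code nor any vendor's implementation: each stored record carries an HMAC computed over its own content and the previous record's tag, so editing, deleting or reordering an earlier record invalidates every tag after it and verification reports the first bad entry. The key, the record layout and the sample events are constructed for the example.

```python
"""Tamper-evident log storage as a hash chain of HMAC tags (added example,
not from the page or from any SIEM product). The collector key, record
layout and events below are constructed sample values."""
import hashlib
import hmac
import json

# Hypothetical collector key. In a real deployment it is held by the
# verifier (HSM, KMS or a separate host), never on the host writing the log,
# otherwise an attacker who alters records can also recompute the tags.
LOG_KEY = b"constructed-demo-key-not-for-production"

# Fixed anchor for the first record so an empty chain has a defined "previous tag".
GENESIS = hashlib.sha256(b"log-chain-genesis").hexdigest()


def _tag(key, prev_tag, record):
    """HMAC-SHA256 over the previous tag followed by the canonical JSON of this record."""
    payload = prev_tag.encode() + json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def append(chain, record, key=LOG_KEY):
    """Append `record` (a dict) to `chain` (a list of {'record', 'tag'}) and return the chain."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "tag": _tag(key, prev_tag, record)})
    return chain


def verify(chain, key=LOG_KEY):
    """Return (True, None) if every tag checks out, else (False, index of the first bad entry)."""
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        expected = _tag(key, prev_tag, entry["record"])
        if not hmac.compare_digest(expected, entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    return True, None


def build_sample_chain():
    """Constructed sample events, stored as a collector would store them."""
    chain = []
    for rec in [
        {"ts": "2015-09-27T10:00:01", "host": "fw01", "msg": "deny tcp 10.0.0.5 -> 10.0.1.2:22"},
        {"ts": "2015-09-27T10:00:04", "host": "db01", "msg": "logon failure user=admin"},
        {"ts": "2015-09-27T10:00:09", "host": "db01", "msg": "logon success user=admin"},
    ]:
        append(chain, rec)
    return chain


def tampered_chain():
    """The same chain after the second record has been rewritten in storage."""
    chain = build_sample_chain()
    chain[1]["record"]["msg"] = "logon success user=admin"  # history rewritten after the fact
    return chain


if __name__ == "__main__":
    print("intact   :", verify(build_sample_chain()))   # (True, None)
    print("modified :", verify(tampered_chain()))       # (False, 1)
    shortened = build_sample_chain()
    del shortened[1]                                    # record removed from the middle
    print("deleted  :", verify(shortened))              # (False, 1)
```

Two caveats a reviewer would raise: removing records from the tail is not detected by the chain alone, so the verifier should periodically record the current length and last tag somewhere the log host cannot reach; and the HMAC gives integrity, not confidentiality, so the "Are the logs encrypted?" question above still has to be answered separately.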

Information Lifecycle Management. Manages security information through the stages of creation, use, archival & deletion over time to meet logging compliance retention requirements.

It should not interrupt network service during corrective or preventive maintenance or upgrades.

...
