Laura

25/05/2023

How SenseOn supports compliance

This blog was authored by SenseOn’s Director of Technology, Brad Freeman.

SenseOn helps organisations improve their security posture and provides the technical capability to meet many of the requirements of common cybersecurity standards. Globally, we have customers who have achieved compliance with ISO 27001, PCI DSS, SOC 2, CIS Top 18, HIPAA, GDPR, and more. This article addresses the most common standards and highlights how SenseOn can help.

Common compliance standards

ISO27001

ISO27001 is an international standard focused on effective governance and a living set of policies, standards and processes known as an Information Security Management System (ISMS). The controls within ISO27001 are intended to be proportionate to the risk they manage.

The standard focuses on 114 individual security controls but is not prescriptive about which technical controls should be implemented. For example, some controls can be implemented through policy, training, or technical controls. SenseOn enables customers to achieve ISO27001 compliance by providing a basis for logging and monitoring, malware defence and asset management, and by providing an interface that can audit other controls, which supports risk assessment.

Payment Card Industry – Data Security Standard (PCI-DSS)

The Payment Card Industry – Data Security Standard (PCI-DSS) is a set of security standards to protect payment (e.g. credit and debit) card information. It is an international standard controlled by the major payment card brands, and the controls are normally limited to a specific zone in the network which holds payment card data. SenseOn helps customers meet requirements across network, application, and data security.

PCI-DSS requires that logs be available for immediate analysis for a 90-day period and archived for a year. SenseOn creates and stores audit logs of activity, which covers the logging requirements for most organisations. SenseOn’s raw telemetry is currently available by default for 30 days, but this can be extended on request. Data can also be retained in cold storage for extended periods to exceed the logging retention requirements.

Service Organisation Control 2 (SOC 2)

SOC 2, also known as Service Organization Control 2, is a set of internationally recognised audit standards that are designed to assess an organisation’s internal controls over security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports are used to demonstrate to customers, partners, and other stakeholders that effective controls are in place to protect their data.

Whilst SOC 2 reports review the organisation much more broadly than just cybersecurity, there are security controls around incident response, monitoring and auditing. SenseOn supports all of these controls, which can help organisations achieve compliance.

Center for Internet Security (CIS) Top 18

Previously known as the CIS Top 20 or the SANS Top 20, this is a prescriptive set of controls which covers a broad range of control areas and is very specific about how they should be implemented. The controls change depending upon the size and risk profile of the organisation. CIS Top 18 gets regular updates and covers a broad range of areas. The graphic below is based on the CIS Top 20 and provides details of the control areas which SenseOn supports.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is a United States federal law that sets national standards for the protection of patient health information. HIPAA applies to health care providers, health plans, and health clearinghouses.

HIPAA is primarily concerned with the protection and management of patient data. Many of the technical requirements focus on areas such as access permissions, encryption at rest, and encryption in transit. SenseOn supports compliance with HIPAA through the following safeguarding controls: security management, security incident procedures and ongoing evaluation.

Cyber Essentials and Cyber Essentials Plus (CE & CE+)

Cyber Essentials and Cyber Essentials Plus are UK security certification schemes backed by the National Cyber Security Centre (NCSC). Cyber Essentials is a requirement to supply services to UK Government departments.

The assessment for Cyber Essentials is an online question and answer process validated by a third-party auditor. The security standard is very prescriptive and leaves little room for managing the risk outside of specific technical controls. However, the controls are not validated directly by the auditor.

Cyber Essentials Plus is an expansion upon Cyber Essentials and includes a technical assessment of your organisation’s IT systems. This assessment is carried out by a qualified assessor and checks that you have implemented the controls effectively. The focus is on vulnerability management, together with tests of malware prevention controls and configuration on every build of end user device.

Both Cyber Essentials and Cyber Essentials Plus are valuable tools for organisations of all sizes. Cyber Essentials is a good starting point for any organisation, while Cyber Essentials Plus provides a more comprehensive level of protection.

General Data Protection Regulation (GDPR) Compliance

GDPR is a regulation in EU law on data protection and privacy. The SenseOn platform is fully compliant with GDPR and collects the minimum personal data required to perform threat detection and response. As of May 2023 the Personally Identifiable Information (PII) collected from endpoints where our software is installed is:

Additional data is collected from users who have a login to the SenseOn security console in order to verify their identity and detect threats or the misuse of our platform. SenseOn’s data collection and processing is in full adherence to GDPR.

Data residency 

Data residency is the physical location where data is stored. This is important for our customers because of:

Customers can define which region their data is held to meet data residency requirements.

Common technologies explicitly requested by standards

Intrusion Detection & Prevention Systems (IDS & IPS)

Many security standards were developed over a decade ago when we secured networks in a different way than we do today. As a result, many compliance standards require the use of technologies which we would not deploy into modern networks if we were to recreate them today. One of these technologies is Intrusion Detection and Intrusion Prevention Systems (IDS & IPS). These technologies are less applicable now because they don’t work effectively in cloud environments or with remote workers. Additionally, the majority of network traffic is encrypted, making detection using network data alone difficult.

Intrusion Detection & Prevention Systems (IDS & IPS) work by analysing network traffic and producing security alerts if malicious traffic is detected. This is a basic component of what SenseOn offers, as it analyses traffic from the perspective of every endpoint and optionally network probes to detect and remediate threats.

Therefore, SenseOn meets and exceeds the requirements of deploying an IDS/IPS for compliance purposes. It also avoids their shortcomings by deploying easily to cloud environments, protecting remote workers, and addressing the encryption problem by monitoring traffic from the source and destination process.

Security Information and Event Management (SIEM)

A Security Information and Event Management (SIEM) system is a software product that collects and analyses security logs and events. A security log is a record of an event that occurred and could include logins, logouts, file access, and system changes. Collecting logs and events centrally is a requirement of many security compliance standards such as PCI-DSS, ISO 27001, and Cyber Essentials.

SenseOn believes that ingesting security logs is a difficult approach to get right. This is because logs need to be normalised, correlated, and alerts created and tuned manually, which requires skilled and expensive resources. SenseOn instead generates its own record of events, which records events such as network traffic, processes running, and authentication information. This displaces the vast majority of logs, allowing them to be structured in a way where SenseOn’s automation and built-in analytics can make effective use of them out of the box. It’s important to note that SenseOn will not log data from custom applications where the data is not available in standard network protocols or within higher-level process information.

For the majority of organisations, SenseOn likely meets and exceeds the requirements for Security Information and Event Management (SIEM), as it has a highly effective out-of-the-box record of security information and events.

Antivirus

Cyber Essentials Plus has a requirement for antivirus which is tested through the detection of sample malicious files in various forms. As of May 2023 the sample files are EICAR test strings in various forms, such as inside a zip, .iso, .exe etc. The test verifies that the accessed file cannot be opened or executed by the end user. SenseOn’s antivirus component is off by default so that it can run alongside other antivirus products such as Microsoft Defender; when it is enabled, SenseOn meets the antivirus requirements of Cyber Essentials Plus.
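A small readiness check in the spirit of the CE+ antivirus test described above, added here as an illustration and not part of the original post or SenseOn's tooling. It writes the standard, harmless EICAR test string to disk in plain and zip-wrapped forms (the .iso and .exe forms are not covered) and reports whether the endpoint's antivirus prevented the file from being read back; the file names and the "blocked"/"accessible" labels are this example's own conventions.

```python
import io
import os
import tempfile
import zipfile

# Industry-standard harmless antivirus test string published by EICAR (68 bytes).
EICAR = r"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_samples() -> dict:
    """Return {form: bytes} for the plain string and the same string inside a zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("eicar.com", EICAR)  # inner file name is this example's choice
    return {"plain": EICAR.encode("ascii"), "zip": buf.getvalue()}


def probe_access(samples: dict, workdir: str) -> dict:
    """Write each sample into workdir and try to read it back.

    'blocked'    : the AV quarantined, deleted or rewrote the file (the control works).
    'accessible' : the file was written and read back unchanged (the control failed).
    """
    results = {}
    for form, payload in samples.items():
        ext = "com" if form == "plain" else form
        path = os.path.join(workdir, f"eicar_sample.{ext}")
        try:
            with open(path, "wb") as fh:
                fh.write(payload)
            with open(path, "rb") as fh:
                data = fh.read()
            results[form] = "accessible" if data == payload else "blocked"
        except OSError:
            # Access denied or file already removed: an on-access scanner intervened.
            results[form] = "blocked"
        finally:
            try:
                os.remove(path)
            except OSError:
                pass
    return results


def run_probe() -> dict:
    """Run the check in a fresh temporary directory and return the per-form verdicts."""
    with tempfile.TemporaryDirectory() as workdir:
        return probe_access(build_samples(), workdir)


if __name__ == "__main__":
    for form, verdict in run_probe().items():
        print(f"{form:6s} {verdict}")
```

On a host with no on-access scanning every form reports "accessible", which is exactly the result the CE+ assessor's test would fail.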

Vulnerability Scanning

Most security compliance standards require the use of a vulnerability scanner. Many of our customers use products from vendors such as Tenable or Qualys as active vulnerability scanners. Whilst SenseOn can support a vulnerability management programme by determining what software is in use, who uses it and its exposure, it isn’t a replacement for a vulnerability scanner.

Summary

Certification isn’t just a box-ticking exercise; it requires careful consideration of how each control is implemented and reviewed on an ongoing basis. By working with SenseOn, you can be confident that you are taking the right steps to achieve compliance with common cyber security standards. Our capabilities support various technical, audit and process controls across IT and Security Operations.

To learn more about how SenseOn can help you achieve compliance with modern security standards, please contact us today.