Data Collection and Retention in CSfC Solutions
Questions and Answers

What is the primary consideration when collecting monitoring data within a CSfC solution?

  • Maximizing data redundancy
  • Collecting as much data as possible
  • Limiting data collection to internal sources
  • Balancing expected monitoring data with network bandwidth and storage (correct)

Which logging levels are typically configurable on network devices?

  • Error, Info, and Alert
  • 'Debug,' 'Informational,' and 'Warning' (correct)
  • Trace, Debug, and Log
  • Critical, Warning, and Verbose

What must be defined in the data lifecycle plan for log retention?

  • Retention policies approved by the Authorizing Official (AO) (correct)
  • The logging interface for user access
  • The maximum size of each log file
  • The encryption methods for logs

What is the recommended minimum duration for storing logs based on retention policies?

Answer: One year

What should be done with old data that is no longer needed for immediate queries?

Answer: Consider it for longer-term storage

What is one of the risks of excessively verbose logging?

Answer: Filling up data storage and triggering reallocation

What is crucial for maintaining effective data hygiene?

Answer: Erasing old data and regularly backing it up

How is data classified within the CM solution architecture?

Answer: Separating Black, Gray, and Red monitoring data within each security domain

What is required for customers to send EUD log data to a Red Data Network collection server?

Answer: Configuring MP8 capabilities

Which network is mentioned as a location for managing MP8?

Answer: Red Management Network

What is the purpose of notification and reporting mechanisms in network monitoring?

Answer: To enforce network segregation according to site requirements

How can consolidated monitoring be accomplished?

Answer: By implementing one-way data transfers with CDS

What defines the functional requirements of each CSfC solution?

Answer: CP specifications and annexes

What may using a CDS to aggregate data eliminate?

Answer: The need for a Gray SIEM

What must be considered when deploying multiple CPs within the same network architecture?

Answer: Reuse of CM capabilities to meet requirements

What is a benefit of having all data accessible from a single SIEM?

Answer: Elimination of the need for multiple data sources

What is the primary purpose of vulnerability scanning tools in MP7?

Answer: To assess and report on security posture and configuration compliance.

What type of notifications should monitoring solutions generate within the Red Management Network?

Answer: Notifications for unexpected traffic and blocked traffic.

Which component must maintain separation when collecting EUD logs within the Red Management Network?

Answer: Data Network.

Which sources are monitored by MP8 for collecting system and application event log data?

Answer: Operating system event logs and enterprise Data-at-Rest agents.

What is a key influence on the implementation of MP8 capabilities?

Answer: The EUD's form factor and architecture design.

What type of data is logged by the Inner Virtual Private Network (VPN) Tunnel?

Answer: VPN status, firmware updates, and misconfigurations.

Which of the following statements about data networks is true regarding the Red Management Network?

Answer: Data transmissions must use authorized mechanisms for transfer.

What may notifications generated in the Red Management Network indicate?

Answer: Failure of filtering functions or potential compromises.

What can be transferred to higher protection levels using a one-way cyber tap or an NSA evaluated diode?

Answer: Raw network traffic only

What direction must data be transferred within a CSfC solutions network?

Answer: Low to high

Which network is not allowed to receive data from a higher classification network?

Answer: Black Network

What must customers adhere to when implementing data transfer capabilities within a CSfC solution architecture?

Answer: Applicable data transfer policies for their organization

Which type of data cannot pass to a lower classification level?

Answer: Data from higher classification levels

What is required when data is collected from the Black Network to the Gray Network?

Answer: An approved CDS

What must be used between the Black Network and the CDS?

Answer: One-way cyber tap or an NSA evaluated diode

Which document must DoD customers follow when deploying a CDS within a CSfC solution?

Answer: DoDI 8540

What is one of the main advantages of a centralized watch floor in monitoring CSfC solutions?

Answer: It helps to oversee the health and operation of remote sites.

What is a potential disadvantage of Centrally Managed CM solutions?

Answer: They may face issues due to communication outages.

What could be a recommended practice for networks with limited bandwidth?

Answer: Storing logs locally for later review.

How can IPS capabilities benefit remote sites lacking onsite administrative personnel?

Answer: By automatically detecting and responding to network anomalies.

What can reduce the ability to effectively monitor and respond to attacks at geographically remote sites?

Answer: Low bandwidth and intermittent connectivity.

What is essential when scaling CSfC solutions for high availability requirements?

Answer: Extending the monitoring architecture appropriately.

What should customers focus on in a centralized monitoring setup?

Answer: Standardizing solutions across multiple remote sites.

What is a common issue faced by remote sites that affects monitoring capabilities?

Answer: Communication outages affecting consistency.

Study Notes

Data Collection

• Data collection within a CSfC solution can occur in various ways, including network device logs, EUD logs, and other sources.
• To avoid overwhelming network bandwidth and storage, careful consideration must be given to striking a balance between the expected volume of monitoring data collected and the available resources.
• The appropriate logging levels for network devices, EUDs, and other log-generating elements must be determined based on customer requirements, potentially exceeding the mandated logging events defined in the CM Requirements.
• Network devices typically allow privileged users to configure logging facilities at various levels, such as ‘debug,’ ‘informational,’ and ‘warning.’ Some logging levels may repeat data or be overly verbose, which can fill data storage and necessitate frequent data reallocation.
• Maintaining data hygiene is essential for maximizing storage availability.

Data Retention

• Data retained from collection activities should be backed up regularly.
• Data can be aggregated on higher classification networks using an approved CDS.
• Data retention policies should be defined in the data lifecycle plan, approved by the AO, with a minimum recommended storage duration of one year.
• Data retention should be analyzed both for data sent to CM collection points and for data held in local device storage.
• Security administrators should be able to rely on local logging facilities to view event data in case of network-based solution failures.

Data Reallocation

• A data reallocation strategy is necessary because data storage is limited.
• Processes should be restarted regularly to flush memory, stop memory leaks, and clear temporary files.
• Older data that is no longer relevant for on-demand queries can be considered for longer-term storage.
• To prevent storage devices from filling completely, old data should be erased at regular intervals and backed up according to local data storage policies.

Consolidated Monitoring

• The CM solution architecture is designed to maintain the separation of Black, Gray, and Red monitoring data within each security domain.
• Monitoring capabilities within MP7 include Vulnerability Scanning Tools, Network Scanning Capabilities, and similar tools to ensure security posture and configuration compliance.
• Reports generated from these tools should be sent to SIEM solutions and reviewed according to the AO-defined interval.
• Existing enterprise capabilities for performing these scans, if deployed within customer sites, can be leveraged where available.
• Monitoring solutions should be configured to generate notifications for unexpected traffic on the Red Management Network, identify traffic that should have been blocked by the Inner Firewall, and enable security administrators to query system event log data for components connected to the Red Management Network.
• Notifications generated within the Red Management Network may indicate a failure of the Inner Firewall’s filtering functions, improper configuration, or potential compromise of the Outer Encryption Component, Inner Firewall, or Red Management Network components.
• Data Network traffic is prohibited on the Red Management Network.
• The collection of EUD logs within the Red Network must be kept separate unless transmitted using authorized data transfer mechanisms between the Data and Management networks (as outlined in Section 6).
• MP7 management is performed from within the Red Management Services.

Monitoring Point 8 (MP8): End User Device (EUD)

• MP8 is located on the EUD and collects system and application event log data.
• Sources of EUD monitoring data include operating system event log data, Host Intrusion Detection System, remote attestation solutions, Mobile Device Manager, and enterprise Data-at-Rest agents.
• The form factor and architectural design of the EUD, chosen to implement two layers of encryption, directly influence how MP8 capabilities are implemented.
• Logging from the Inner Virtual Private Network (VPN) Tunnel provides information regarding VPN tunnel status, software/firmware updates, hardware status, misconfigurations, and intrusion-related events.
• Data transmitted from an EUD resides in the Data Network.
• Customers employing remote log collection should consider this when designing monitoring architectures.
• Consolidating EUD log data with infrastructure log data requires data transfer between the Data and Management networks (see Section 6).
• Customers must configure MP8 capabilities to send EUD log data to a Red Data Network collection server.
• The logs and notifications generated may indicate either an improper configuration or a potential compromise on the EUD.
• Managing MP8 can occur from within the Red Management Network, the Red Data Network, via boundary Inner Encryption Components, or locally on EUD platforms when protected by Administrator access.

Deployment of Monitoring Points Supporting Multiple CPs

• For deployments involving multiple CPs within the same network architecture, customers can reuse CM capabilities.
• Each CSfC solution must meet the functional requirements specified in each respective CP, as well as all applicable CM requirements outlined in each CP annex.
• Customers should consider tailoring SIEM solutions with individual and combined common operating pictures of their network operations to monitor and observe network activity and systems operations for each implemented CP.
• Notification and reporting mechanisms should be built in to verify enforcement of network segregation based on the customer’s site requirements.

Consolidated Monitoring

• The CM Annex allows for the implementation of CDS capabilities to transfer data from the Black and Gray Networks to either the Gray and/or Red Management Networks for co-locating monitoring event data in a single SIEM.
• Consolidated monitoring can be achieved through the implementation of “low-to-high,” one-way data transfers from the Black and Gray Networks into the Gray or Red Network using an approved CDS.
• A CDS for data aggregation might eliminate the need for a Gray SIEM, depending on customer monitoring requirements.
• With all data accessible from a single SIEM, security administrators can avoid working across multiple networks for event detection and correlation.
• A one-way cyber tap or NSA evaluated diode (as described in Section 4.2) can be used to transfer raw network traffic to higher protection levels without using a CDS, for ingestion into an IDS, SIEM, or other CM capability.
• This use of a one-way cyber tap or an NSA evaluated diode is limited to raw network capture only and cannot be used for transferring logs or any other processed data to a higher level of protection.
• The approach to implementing CDS capabilities for moving data between security domains within a CSfC solutions network is described in Figure 15.
• Data transfer capabilities are not mandatory for customers.
• Customers deploying consolidated monitoring functionality must meet the requirements outlined in Table 18, Multi-Site Requirements.
• Implementers must consider two caveats:
  • Data can only be transferred in the “low to high” direction within a CSfC solutions network.
  • Data from higher classification levels cannot be passed to a lower classification level.
  • Data and Management plane traffic are considered to be on separate security/administrative domains within each respective network.
• Customers and integrators must comply with all applicable data transfer policies for their organization when designing and implementing these capabilities within their CSfC solution architecture.
• For example, DoD customers must adhere to DoDI 8540 when deploying a CDS within a CSfC solution.
• Any discrepancies found between the guidance in this document and DoDI 8540 should be reported according to the instructions in Section 2.

Black Network

• The Black Network is prohibited from receiving data from higher classification networks such as the Gray or Red Networks.
• Data received from devices and stored on the Black collection server can be forwarded to the Gray collection server in the Gray Management Network, or to the Red collection server in the Red Management Network, through an approved CDS.
• A one-way cyber tap or an NSA evaluated diode must be used between the Black Network and the CDS.

Gray Network

• The Gray Collection Server can collect data from the Black Network through an approved CDS.
• This monitoring enables customers to detect, respond to, and report any attacks against their CSfC solutions, and to detect any configuration errors within infrastructure components, from their centralized watch floor or operations centers.
• Advantages:
  • Valuable local resources can focus on mission requirements while a centralized watch floor oversees the health and operation of remote sites. Local personnel are only used when required.
  • Centrally managed CM solutions are typically standardized across multiple remote sites.
  • A central location or watch floor provides a broader view of the health of remote sites.
• Disadvantage:
  • Centrally managed CM solutions are likely to be affected by communication outages to other sites for shared resources such as DNS, Certificate Distribution Point (CDP), or Authentication, Authorization, and Accounting services.
• Geographically remote sites may experience low bandwidth, intermittent connectivity, or other issues that limit data transfer to a Main Site, resulting in a degraded ability to detect, report, and respond to attacks on the remote site.
• In these situations, users may store logs and CM data locally for remote security administrators to review alarms from incidents when network connectivity is restored or authorized personnel are available to audit CM data and/or conduct incident response.
• For networks with limited bandwidth, customers should consider forwarding data during non-peak hours.
• Customers should consider deploying a centrally managed configuration to integrate IPS capabilities at remote sites.
• Without onsite administrative personnel or reliable remote management access capabilities, an IPS enables a remote site to protect itself by automatically detecting and reacting to anomalous network behavior while connectivity to a Main Site is degraded.

Monitoring in a High Availability Environment

• Customers scaling their CSfC solutions architecture to implement high availability requirements, such as hot or cold failover, redundancy, or load balancing, must extend the monitoring architecture to account for the increased network footprint.
