The Pearl Software NIST Guide

The National Institute of Standards and Technology has published a self-assessment tool designed to help organizations gauge the impact and effectiveness of their cybersecurity risk management initiatives. The NIST Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”) enables organizations to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework is not intended to be a one-size-fits-all solution to cybersecuirity.  Rather, the Framework will help an organization align its cybersecurity activities with its business requirements, risk tolerances, and resources.

Pearl Echo helps organizations satisfy portions of the Protect, Detect and Respond “Functions” of the Framework by focusing on the following Framework “Categories”:

PR.AT-1: All users are informed and trained. (Protect)
Pearl Echo’s integrated notification feature allows organizations to inform users when data in motion may violate the organization’s Internet Acceptable Use Policy (AUP).  At the time of violation, the user may be redirected to a web page hosting the organization’s AUP.  In addition, the user may be trained about proper and intended Internet use at timed intervals.

PR.DS-2: Data-in-transit is protected. (Protect)
Pearl Echo provides the ability to define Profiles – a group of settings defined to govern the Internet access permissions of users.  Specific access privileges can be applied to individual users, groups of users or computers. Pearl Echo will identify when specific content is transmitted in supported segments of the Internet and will highlight and/or block transactions containing addresses, words, phrases or text patterns defined in the selected Profile’s Control list. Pearl Echo will also decode attachments in real-time and search the attachment for textual data that matches words, phrases or text patterns defined in the Profile’s Control list. Pearl Echo provides full visibility into encrypted data while it resides on the managed workstation, prior to it truly becoming data-in-transit.

PR.DS-5: Protections against data leaks are implemented. (Protect)
Pearl Echo retraces nearly every step an Internet user makes by creating a complete audit trail of Internet activity, including site visits, file transfers, news group activity, chat, instant messaging, and email. Pearl Echo’s Quick Link™ feature enables visualization of the actual web and FTP sites a user visited, or to restore the content of incoming and outgoing postings, email, chat and instant messaging items.  Data is reviewed in real-time to detect insider threats and is stored centrally for reporting and analytics.

PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. (Protect)
Data verification is performed by the Pearl Echo Agent on all data sent to the Pearl Echo Administration Machine.  Individual check-sums are performed on the logged record data as well as associated file attachments. These unique identifiers improve the evidentiary integrity of each record and produce forensic quality data that can be used to support compliance auditing and investigative activities on users.

PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy. (Protect)
At the heart of Pearl Echo is its Internet Activity Log.  A unique time-stamped event record is generated for every Internet transaction that is attempted by a user.  This identifying record includes the Internet address or site, subject or title of the site, date and time of the transaction, the reason if a restriction occurred, the user name, machine name, physical machine address and a signature (or fingerprint) on the logged event record.

PR.PT-4: Communications and control networks are protected. (Protect)
Pearl Echo’s filtering module helps stop malware at its source by keeping users from visiting sites that contain harmful content. When Pearl Software scans a site we also download and check for viruses in setup files, zip files and executable files. If viruses are found, the site is added to our Malware filter category to prevent a seemingly harmless site from launching a drive-by install of malicious code or drivers.

In addition, communications between Pearl Echo agents and the Pearl Echo server are protected.

DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed. (Detect)
Pearl Echo categorizes user habits and provides insight into the amount of time, cost and bandwidth users spend on the Internet. Trend analysis provides visualization into baseline usage and highlights variations in expected activity.

DE.AE-2: Detected events are analyzed to understand attack targets and methods. (Detect)
Pearl Echo maintains accountability by sensing violations and reporting the source of the event as well as the content associated with the event.

DE.CM-1: The network is monitored to detect potential cybersecurity events. (Detect)
Network monitoring occurs down-low to analyze network protocols and the content associated with those protocols (users are not constrained to specific application choices or plug-ins).  Violations are highlighted in real-time in the patented Pearl Echo Activity Log as well as in Violation/Audit reports.

DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events. (Detect)
Network monitoring is segregated by user.  Pearl Echo provides detailed analysis of user e-communications in order to identify the insider threat. Its patented Mobility Monitor technology automatically follows users so all of their activity is monitored, and access privileges remain governed by the same rules that apply when users are on the private network. Users cannot circumvent policies prohibiting illegal transactions over email or IM by leaving the corporate network and joining a private network or readily available hot-spot.

DE.CM-8: Vulnerability scans are performed. (Detect)
Pearl Echo detects the health of its own components for attempted circumvention.  It also continuously monitors e-communications for actual or attempted violation of cyber policy.

DE.DP-4: Event detection information is communicated to appropriate parties. (Detect)
Trend analytics and violation reports run interactively or in “hands-off” mode where they may be scheduled to be automatically generated and distributed to key parties.

RS.AN-3: Forensics are performed. (Respond)
Pearl Echo collects, analyzes and authenticates e-communications. All data is accessible in the Pearl Echo Activity Log where forensic analysis is performed.

Posted in Cyber Security.