I'm not sure where you got this nice summary, but I went looking here: CIP Standards
And I started looking at the "Subject to Future Enforcement" sections.
In short, I don't think LEM is the tool for this particular part of CIP compliance. Patch Manager could certainly help you inventory installed software; manage security and critical updates for Microsoft and third-party products; and produce reports to present to auditors showing what devices are(n't) up to date with all current vulnerabilities addressed. Patch Manager could at least assist with 1.1.1, 1.1.2, 1.1.3 and 1.1.5. Patch is not a system imaging tool, though.
LEM and NPM could probably help with 1.1.4 in as much as LEM can collect data from network devices connected to those logical ports and alert off of traffic it sees, and NPM could track the performance of those network devices.
However, looking at other sections, there's plenty of work for the LEM to do: things like information protection, change management (and to a more limited degree the vulnerability assessments), incident reporting and response.
- FIM and USB Defender (parts of the LEM Agent) can both help with information protection, as well as auditing who is touching what.
- Change management is a big reason to have an auditing platform like LEM, since it can track all changes and produce reports and alerts.
- Vulnerability Assessments: no Solarwinds product will do the same job that something like a Nessus scanner will do. However, if your LEM is working correctly, you should be able to watch Nessus or a pen-test proceed through the network, and get reporting and information on where you're vulnerable and what sort of things to look for.
- Incident Alerting is all part of rules and correlations in LEM: if you see X happen, respond with Y and make sure it ends up in mailbox Z and report A. LEM has that covered.
I hope that helps.
There was rumor that TriGeo/LEM was going to have either port scanning capability and/or vulnerability scanning capability. Is that really/still on the roadmap? Not really looking for anything as strong as Nessus within LEM, but anything to help us better address the 1.1.4 requirement would be helpful. Say something along the lines of scan for "listening" ports and check against a known set of "authorized/white listed" ports...
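The check described in the post above, listening ports compared against an authorized baseline, as an added example that is not part of the thread and is not LEM or any SolarWinds feature. It parses a constructed `ss -tlnp`-style listing (the sample text, the port baseline and the process names are all made up here) and reports listeners that are not in the baseline or are served by an unexpected process. Loopback-only listeners are skipped by default, since the 1.1.4 requirement concerns ports that are reachable over the network; `include_loopback=True` reports them too.

```python
"""Added example (not from the thread or from SolarWinds): compare the ports a host
is listening on against an authorized-port baseline and report the deviations."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample in the shape of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     127.0.0.1:5432       0.0.0.0:*          users:(("postgres",pid=1201,fd=6))
LISTEN  0       50      0.0.0.0:3389         0.0.0.0:*          users:(("xrdp",pid=1409,fd=12))
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*          users:(("nginx",pid=990,fd=7))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
"""

# Hypothetical baseline for this asset: port -> process expected to own it (constructed).
AUTHORIZED_PORTS: Dict[int, str] = {22: "sshd", 443: "nginx"}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: str


# One LISTEN row: address:port, then the peer column, then an optional process field.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_listeners(ss_output: str) -> List[Listener]:
    """Extract (address, port, process) from each LISTEN row; header rows are skipped."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        listeners.append(Listener(m["addr"], int(m["port"]), m["proc"] or "unknown"))
    return listeners


def is_loopback(address: str) -> bool:
    """Loopback binds are not reachable over the network, so they are not 1.1.4 ports."""
    return address.startswith("127.") or address in ("[::1]", "::1")


def find_unauthorized(
    listeners: List[Listener],
    authorized: Dict[int, str],
    include_loopback: bool = False,
) -> List[Tuple[Listener, str]]:
    """Return (listener, reason) for every listener that deviates from the baseline."""
    findings = []
    for lst in listeners:
        if is_loopback(lst.address) and not include_loopback:
            continue
        expected = authorized.get(lst.port)
        if expected is None:
            findings.append((lst, "port not in authorized baseline"))
        elif expected != lst.process:
            findings.append((lst, f"expected {expected} on port {lst.port}, found {lst.process}"))
    return findings


if __name__ == "__main__":
    for listener, reason in find_unauthorized(parse_listeners(SAMPLE_SS_OUTPUT), AUTHORIZED_PORTS):
        print(f"{listener.address}:{listener.port} ({listener.process}): {reason}")
```

Run against the sample, only the 3389 listener is reported; the PostgreSQL socket on 127.0.0.1 only appears when loopback listeners are included. Re-running the same comparison on a schedule and feeding the findings into whatever alerting platform is in use gives a record of when an unauthorized port first appeared, which is the evidence an auditor asks for.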
I am working on tweaking rules for NERC-CIP before the compliance deadline - 1 July 2016. Has anyone created a rule for "Detected Failed Access Attempts"? My rule looks for all "Access Attempts", but doesn't single out "Failed". Any way to do that? Thanks.
Wouldn't that just be a failed log on? We have template rules for that.
It's nice to see this information--thank you for the thread.