The Bromium Enterprise Controller (BEC) must be configured to allow authorized administrators to create organization-defined custom rules to support mission and business requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-80481	BROM-00-001310	SV-95189r1_rule		Low

Description
Without the capability to create custom rules specific to the business and mission needs of the organization, detection of suspicious user activity would be hampered. Additional custom rules can be created within the "Policy" section of the BEC. The security administrator can determine if additional rules are needed based on organization requirements and mission. The Bromium monitoring module includes a base monitoring policy that detects malicious file, registry, process, and network activity. The monitoring module also features the ability to create custom rules to monitor such user activity as: 1. Read operations on files and registry settings; 2. Write operations on files and registry settings; 3. Read/write operations on files and registry settings; and 4. Processes being launched.

Description

Without the capability to create custom rules specific to the business and mission needs of the organization, detection of suspicious user activity would be hampered. Additional custom rules can be created within the "Policy" section of the BEC. The security administrator can determine if additional rules are needed based on organization requirements and mission. The Bromium monitoring module includes a base monitoring policy that detects malicious file, registry, process, and network activity. The monitoring module also features the ability to create custom rules to monitor such user activity as: 1. Read operations on files and registry settings; 2. Write operations on files and registry settings; 3. Read/write operations on files and registry settings; and 4. Processes being launched.

STIG	Date
Bromium Secure Platform 4.x Security Technical Implementation Guide	2018-05-11

Details

Check Text ( C-80157r1_chk )
Ask the site representative for the System Security Policy (SSP) document that includes the security policy settings required for endpoint security and monitoring. If custom monitoring rules are required, verify that monitoring rules are enabled and that custom rules are configured within the policy and applied to the appropriate devices. 1. From the management console, click on "Policies". 2. Select the base policy that covers all devices. 3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and verify that "Host Monitoring" is enabled. 4. Click the arrow next to "Policies" and select "Monitoring Rules". 5. Review custom rules and the device groups they are applied to. If the BEC is not configured for authorized users to capture and log content related to a user session, this is a finding. If the BEC is not configured to allow authorized administrators to create organization-defined custom rules to support mission and business requirements, this is a finding.

Check Text ( C-80157r1_chk )

Ask the site representative for the System Security Policy (SSP) document that includes the security policy settings required for endpoint security and monitoring. If custom monitoring rules are required, verify that monitoring rules are enabled and that custom rules are configured within the policy and applied to the appropriate devices.

1. From the management console, click on "Policies".
2. Select the base policy that covers all devices.
3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and verify that "Host Monitoring" is enabled.
4. Click the arrow next to "Policies" and select "Monitoring Rules".
5. Review custom rules and the device groups they are applied to.

If the BEC is not configured for authorized users to capture and log content related to a user session, this is a finding.

If the BEC is not configured to allow authorized administrators to create organization-defined custom rules to support mission and business requirements, this is a finding.

Fix Text (F-87291r1_fix)
Create an SSP document that contains requirements for implementing Bromium vSentry policy settings and workflows for the endpoint. Bromium vSentry policy settings are accessible in the "Policy" section of the BEC. Custom monitoring rules are available in the "Monitoring Rules" section under "Policy". 1. From the management console, click on "Policies". 2. Select the base policy that covers all devices. 3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and enable "Host Monitoring". 4. Click "Save and Deploy". 5. Click the arrow next to "Policies" and select "Monitoring Rules". 6. Click "Rule Options" and select "Create Custom Rule". 7. Create a name for the custom rule. 8. Apply the custom rule to a group. 9. Configure the applications, triggers, and any exclusions associated with the activity to be monitored. 10. Click "Save ".

Fix Text (F-87291r1_fix)

Create an SSP document that contains requirements for implementing Bromium vSentry policy settings and workflows for the endpoint. Bromium vSentry policy settings are accessible in the "Policy" section of the BEC. Custom monitoring rules are available in the "Monitoring Rules" section under "Policy".

1. From the management console, click on "Policies".
2. Select the base policy that covers all devices.
3. Within the base policy, select the "Features" tab, navigate to the "Monitoring" section, and enable "Host Monitoring".
4. Click "Save and Deploy".
5. Click the arrow next to "Policies" and select "Monitoring Rules".
6. Click "Rule Options" and select "Create Custom Rule".
7. Create a name for the custom rule.
8. Apply the custom rule to a group.
9. Configure the applications, triggers, and any exclusions associated with the activity to be monitored.
10. Click "Save ".