Correlation policies are crucial for efficient signal management within the system. They dictate how incoming signals are correlated with existing ones and determine the actions taken based on predefined rules. This manual outlines the process of selecting correlation policies based on hierarchical scopes and provides guidance on various use cases.
Hierarchy of Accounts
The system follows a hierarchical structure consisting of Domains, Organizations, and Tenants:
- Domain: Represents the highest level of the hierarchy, comprising multiple Organizations.
- Organization: Sits below the Domain level and may contain one or more Tenants.
- Tenant: Represents the lowest level and is where the correlation policies are applied.
Correlation Policy Scopes
Correlation policies can be defined at three different scopes:
- Tenant Level: Policies defined specifically for a Tenant.
- Organization Level: Policies defined for an entire Organization.
- Domain Level: Policies defined for the entire Domain.
Policy Selection Rules
The system follows specific rules to determine which correlation policy to apply when a signal is received:
- Tenant Level:
  - If there are policies defined at the Tenant level (> 0), the system will only consider Tenant level policies.
  - If the incoming signal matches any Tenant level policy and there is an open ticket, the signal will be attached to the open ticket. If no open ticket exists, a new ticket will be created.
  - Organization and Domain level policies will not be considered.
- Organization Level:
  - If there are no policies defined at the Tenant level, the system will check for policies at the Organization level.
  - If there are policies defined at the Organization level (> 0), the system will only consider Organization level policies.
  - If the incoming signal matches any Organization level policy and there is an open ticket, the signal will be attached to the open ticket. If no open ticket exists, a new ticket will be created.
  - Domain level policies will not be considered.
- Domain Level:
  - If there are no policies defined at either the Tenant or the Organization level, the system will check for policies at the Domain level.
  - If there are policies defined at the Domain level (> 0), the system will only consider Domain level policies.
  - If the incoming signal matches any Domain level policy and there is an open ticket, the signal will be attached to the open ticket. If no open ticket exists, a new ticket will be created.
- No Matching Policy:
  - If no policies are defined at any level, the system will create a new ticket for the incoming signal.
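The selection rules above, as an added worked example that is not the product's own code: the most specific scope with any policies is chosen first, and only that scope's policies are ever matched, so a signal that would match an Organization policy is still ticketed on its own when the Tenant defines even one policy. The policy model (a name plus attribute criteria) and the handling of a signal that matches nothing at the selected scope are assumptions.

```python
from dataclasses import dataclass, field

SCOPE_ORDER = ("tenant", "organization", "domain")  # most to least specific

@dataclass
class Ticket:
    id: int
    policy: str  # None when ticketed without a matching policy
    signals: list = field(default_factory=list)
    open: bool = True

def select_scope(policies_by_scope):
    """Most specific scope with > 0 policies; broader scopes are then ignored."""
    for scope in SCOPE_ORDER:
        if len(policies_by_scope.get(scope, [])) > 0:
            return scope
    return None

def match_policy(signal, policies):
    """Name of the first policy whose criteria all appear in the signal, else None."""
    for name, criteria in policies:  # constructed policy model: (name, {attr: value})
        if all(signal.get(k) == v for k, v in criteria.items()):
            return name
    return None

def correlate(signal, policies_by_scope, tickets):
    """Route one signal per the selection rules; returns (ticket, created)."""
    scope = select_scope(policies_by_scope)
    policy = match_policy(signal, policies_by_scope[scope]) if scope else None
    if policy is not None:
        for ticket in tickets:
            if ticket.open and ticket.policy == policy:
                ticket.signals.append(signal)  # attach to the existing open ticket
                return ticket, False
    # No open ticket for this policy, or no policy applied: new ticket (assumption: same for no-match)
    ticket = Ticket(len(tickets) + 1, policy, [signal])
    tickets.append(ticket)
    return ticket, True

def demo():
    """Constructed scenario: one Tenant policy exists, so the Organization policy is never consulted."""
    policies = {"tenant": [("tenant-unauth-db-access", {"type": "auth_failure", "asset": "cust-db"})],
                "organization": [("org-port-scan", {"type": "port_scan"})], "domain": []}
    tickets, results = [], []
    for signal in ({"type": "auth_failure", "asset": "cust-db", "host": "db01"},
                   {"type": "port_scan", "host": "web01"},
                   {"type": "auth_failure", "asset": "cust-db", "host": "db02"}):
        ticket, created = correlate(signal, policies, tickets)
        results.append((ticket.id, ticket.policy, created))
    return results
```

The second signal in the scenario would match the Organization policy, but because the Tenant scope was selected it gets a ticket with no policy; the third signal is attached to the first signal's still-open ticket.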
Use Cases
- Tenant Level Policies:
  - Use Case: A Tenant requires specific correlation rules tailored to its operations. Additionally, the Tenant may need to add new policies for unique criteria without losing access to existing policies inherited from the Organization or Domain.
  - Example: Consider a financial institution Tenant operating within an Organization that provides cloud services to multiple clients. The Organization has established standard correlation policies for monitoring network traffic and detecting potential security breaches. However, the financial Tenant, due to regulatory requirements, needs to implement additional policies specifically focusing on detecting unauthorized access to sensitive customer data.
  - How to Achieve:
    - Click the gear icon at the top, or hover over the icon in the top left corner.
    - At the bottom of the left menu, click Configurations.
    - In the left menu, under Signal Management, click Correlation Policies. You will be navigated to the Correlation Policies listing page.
    - Select the option to import policies from the parent Organization/Domain/Platform.
    - Review and confirm the import to ensure all existing policies are brought into the Tenant's scope.
    - Once imported, add new policies targeting the specific criteria outlined by the regulatory requirements.
    - Ensure that the newly added policies complement, and do not override or conflict with, the existing policies inherited from the parent scope.
- Organization Level Policies:
  - Use Case: An Organization wants to enforce standard correlation policies across all its Tenants while allowing individual Tenants to introduce custom policies for their unique requirements without compromising the effectiveness of the overarching policies.
  - Example: Imagine an Organization providing cloud-based collaboration tools to various sectors, including healthcare and education. The Organization has established comprehensive correlation policies to monitor user activity, detect suspicious behavior, and protect sensitive data across all Tenants. However, a healthcare Tenant within the Organization needs to comply with stringent HIPAA regulations, requiring additional policies for monitoring access to patient records and ensuring data privacy.
  - How to Achieve:
    - Switch to your Organization-level account using the top menu bar, next to your profile.
    - Click the gear icon at the top, or hover over the icon in the top left corner.
    - At the bottom of the left menu, click Configurations.
    - In the left menu, under Signal Management, click Correlation Policies. You will be navigated to the Correlation Policies listing page.
    - Export all existing Organization-level policies to a file.
    - Share the exported file with Tenants, allowing them to import the policies into their respective scopes.
    - Tenants review the imported policies and augment them with custom rules addressing their specific compliance needs.
    - Ensure effective communication and collaboration between the Organization and its Tenants to maintain alignment with overarching security objectives while accommodating unique requirements.
- Domain Level Policies:
  - Use Case: A Domain sets global correlation policies applicable to all Organizations and Tenants within its scope while facilitating customization at lower levels to address unique operational requirements.
  - Example: Consider a multinational corporation operating across various industries with diverse regulatory environments. The Domain establishes core correlation policies aimed at detecting and responding to common threats across all its subsidiaries and business units. However, each subsidiary may have specific compliance obligations and operational challenges necessitating additional policies.
  - How to Achieve:
    - Switch to your Domain-level account using the top menu bar, next to your profile.
    - Click the gear icon at the top, or hover over the icon in the top left corner.
    - At the bottom of the left menu, click Configurations.
    - In the left menu, under Signal Management, click Correlation Policies. You will be navigated to the Correlation Policies listing page.
    - Export all existing Domain-level policies to a structured format.
    - Share the exported policies with subsidiary Domains and Organizations, allowing them to import the policies into their respective scopes.
    - Subsidiaries review the imported policies and supplement them with additional rules tailored to their industry-specific requirements.
    - Ensure ongoing coordination and collaboration between the Domain and its subsidiaries to maintain a cohesive security strategy while accommodating diverse operational needs.