Welcome to the ViewPoint Security Blog

Informal ramblings and updates from the team at ViewPoint

Wednesday, February 10, 2010

201 CMR 17 and Intrusion Detection

Designed to protect MA consumers from identity theft, 201 CMR 17 is scheduled to take effect on 3/31/2010. One of the provisions of this law states that a reasonable attempt must be made to detect unauthorized access - such as failed logins to a Windows server or domain. If you've ever looked at Windows event logs, you know that reviewing them on a frequent basis isn't practical. One of our recommended solutions is OSSEC, an excellent open source intrusion detection system developed by Daniel Cid and now owned by Trend Micro. It's quick and easy to set up and simple to maintain, and it contains extensive functionality well beyond the scope of this quick article.

Regarding the requirements of the law, what OSSEC can do is alert (via email) on multiple failed Windows logins, account lockouts, and many other security-related events. As of today, the server must be installed on Linux (or similar, but not Windows), while the agent goes on AD controllers and any other important systems. A little tuning, and voila! Compliance with the requirement. There's lots of documentation at the OSSEC site, as well as many examples all over the web - thousands of companies are using it. Of course, we'd welcome the opportunity to help - just drop us an email or give us a call (contact info).
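
To show what alerting on "multiple failed logins" and account lockouts involves, here is an added Python sketch (not OSSEC's code and not from the original post) that turns individual Windows logon-failure events into one alert per burst. The one-line log format, account and host names, and the threshold and window values are assumptions made for the example; the event IDs are the standard Windows Security log IDs for failed logons and lockouts.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Windows Security event IDs: Server 2003-era and Vista/2008-and-later
FAILED_LOGON = {529, 4625}
ACCOUNT_LOCKOUT = {644, 4740}

# Constructed sample input. Assumed format: "timestamp event_id account host"
SAMPLE_EVENTS = """\
2010-02-10T09:00:01 4625 jsmith WKS-12
2010-02-10T09:00:05 4625 jsmith WKS-12
2010-02-10T09:00:09 4625 jsmith WKS-12
2010-02-10T09:00:14 4625 jsmith WKS-12
2010-02-10T09:00:15 4740 jsmith DC-01
2010-02-10T09:30:00 4625 mjones WKS-07
2010-02-10T11:45:00 4625 mjones WKS-07
"""

def detect(lines, threshold=4, window=timedelta(minutes=2)):
    """Return (timestamp, kind, account) alerts for lockouts and failed-logon bursts."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for line in lines:
        parts = line.split()
        try:
            ts = datetime.fromisoformat(parts[0])
            event_id, account = int(parts[1]), parts[2].lower()
        except (IndexError, ValueError):
            continue              # skip blank or malformed lines
        if event_id in ACCOUNT_LOCKOUT:
            alerts.append((ts, "account_lockout", account))
        elif event_id in FAILED_LOGON:
            failures = recent[account]
            failures.append(ts)
            # Drop failures that have aged out of the sliding window
            while ts - failures[0] > window:
                failures.popleft()
            if len(failures) >= threshold:
                alerts.append((ts, "multiple_failed_logins", account))
                failures.clear()  # one alert per burst, not one per event
    return alerts

if __name__ == "__main__":
    for ts, kind, account in detect(SAMPLE_EVENTS.splitlines()):
        print(ts.isoformat(), kind, account)
```

The two isolated failures for the second account stay below the threshold and raise nothing, which is the sort of tuning that keeps alert email readable.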