What statements does the DefenseStorm GRID help you comply with?


DefenseStorm knows banks want to be safe, but must also be compliant. We have expanded the Policy and Active Compliance aspect of our product by integrating the FFIEC CAT into our web console. You can now complete the entire evaluation, add evidence, view results, and generate reports directly through our console. For more information on completing the FFIEC CAT with DefenseStorm, see our Policy Knowledge Center article.

The Federal Financial Institutions Examination Council (FFIEC) is a formal U.S. government interagency body that includes five banking regulators—the Federal Reserve Board of Governors (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). It is "empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions". It also oversees real estate appraisal in the United States. Its regulations are contained in title 12 of the Code of Federal Regulations.

This playbook provides detailed information on the FFIEC government requirement criteria. Some of these statements are met by having DefenseStorm on your network, and some require additional action on your part. This playbook tells you exactly what DefenseStorm does for you, and how you can help DefenseStorm improve your FFIEC compliance.

D1.G.Ov.B.3 - Annual report of overall security status

Statement: Management provides a written report on the overall status of the information security and business continuity programs to the board or an appropriate board committee at least annually. (FFIEC Information Security Booklet, page 5)

DefenseStorm: Yes. The Cybersecurity Report.

Customer: Annually provide the Cybersecurity Report to board-level executives.


D1.G.Ov.Int.1 - Cybersecurity expertise

Statement: The board or an appropriate board committee has cybersecurity expertise or engages experts to assist with oversight responsibilities.

DefenseStorm: Yes, if...

Customer:  Utilize TRAC Team.


D1.G.Ov.Int.2 - Standard review of threat intelligence trends and security posture

Statement: The standard board meeting package includes reports and metrics that go beyond events and incidents to address threat intelligence trends and the institution's security posture.

DefenseStorm: Yes. The Cybersecurity Report.

Customer: Include the Cybersecurity Report in board meetings.


D1.G.SP.B.3 - Threat information sharing

Statement: The institution has policies commensurate with its risk and complexity that address the concepts of threat information sharing. (FFIEC EBanking Booklet, page 28).

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: To further your compliance, take part in the peer-to-peer forum offered in Connect to share further information with DefenseStorm peers.


D1.G.SP.B.6 - Incident response and resilience

Statement: The institution has policies commensurate with its risk and complexity that address the concepts of incident response and resilience. (FFIEC Information Security Booklet, page 83).

DefenseStorm: Yes. Leveraging DefenseStorm.  

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D1.G.IT.B.1 - Asset Inventory

Statement: An inventory of organizational assets (e.g., hardware, software, data, and systems hosted externally) is maintained. (FFIEC Information Security Booklet, page 9).

DefenseStorm: Yes, partially. The asset information that DefenseStorm collects is an incomplete view on its own. DefenseStorm builds partial views from the following sources: Pwnie, Nessus, Agents, and Logs. It alerts on discovery of untracked assets, and on discovery of new or changed software, hostnames, etc.

Customer: Utilize Pwnie, Nessus, Agents, and Logs to help give DefenseStorm the most complete view.


D1.G.IT.B.2 - Asset protection prioritization

Statement: Organizational assets (e.g., hardware, systems, data, and applications) are prioritized for protection based on the data classification and business value. (FFIEC Information Security Booklet, page 12)

DefenseStorm: Yes, partially.

Customer: You must populate the "owner" and "importance" fields on the Assets page.


D1.G.IT.E.1 - Annual update of assets

Statement: The asset inventory, including identification of critical assets, is updated at least annually to address new, relocated, re-purposed, and sunset assets.

DefenseStorm: Yes, partially. DefenseStorm alerts on new or untracked assets, and similarly on assets that have stopped reporting to us.

Customer: Create a CSV export of your assets at least annually and review it for new, relocated, re-purposed, and sunset assets.
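The annual reconciliation that D1.G.IT.B.1 and D1.G.IT.E.1 ask for, shown as an added example that is not DefenseStorm's code: it diffs two CSV exports of the asset inventory (last year's against this year's), flags new and sunset hosts, hosts whose IP, owner or importance changed (relocated or re-purposed), hosts that have gone quiet (the "asset not talking to us" case), and hosts with no owner or importance set, which cannot be prioritized under D1.G.IT.B.2. The column names (hostname, ip, owner, importance, last_seen) and the sample rows are assumptions constructed for the demo, not the console's real export format.

```python
"""Annual asset-inventory reconciliation (added example, not DefenseStorm code).

Diffs two inventory exports, e.g. last year's and this year's CSV from the
Assets page, and buckets what the annual review has to act on. The column
names and the sample rows below are assumptions/constructed for the demo.
"""
import csv
import io
from datetime import date, datetime

KEY = "hostname"                          # assumed join key between the two exports
TRACKED = ("ip", "owner", "importance")   # a change here = relocated or re-purposed

# Constructed sample exports (not real console output).
PREVIOUS_EXPORT = """hostname,ip,owner,importance,last_seen
core-db01,10.0.1.10,dba-team,critical,2023-03-01
web01,10.0.2.20,web-team,high,2023-03-01
legacy-fs,10.0.3.30,it-ops,medium,2023-02-15
"""
CURRENT_EXPORT = """hostname,ip,owner,importance,last_seen
core-db01,10.0.1.10,dba-team,critical,2024-02-28
web01,10.0.5.20,web-team,high,2024-03-01
jump01,10.0.9.9,,,2024-02-20
vpn-gw,10.0.0.1,net-team,critical,2024-01-10
"""


def parse_inventory(csv_text: str) -> dict:
    """Return {hostname: row} from an export; hostnames are normalised to lower case."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[KEY].strip().lower(): row for row in reader}


def reconcile(previous: dict, current: dict, as_of: date, stale_days: int = 30) -> dict:
    """Bucket every difference between two inventories.

    new/sunset   - hosts only in the current/previous export
    changed      - hosts whose ip, owner or importance differ (relocated/re-purposed)
    stale        - hosts still listed but silent longer than stale_days (an asset
                   that has stopped reporting may be an undocumented sunset)
    unclassified - hosts with no owner or importance, so they cannot be prioritised
    """
    prev_keys, cur_keys = set(previous), set(current)
    report = {
        "new": sorted(cur_keys - prev_keys),
        "sunset": sorted(prev_keys - cur_keys),
        "changed": {},
        "stale": [],
        "unclassified": [],
    }
    for host in sorted(cur_keys & prev_keys):
        diffs = {f: (previous[host][f], current[host][f])
                 for f in TRACKED if previous[host][f] != current[host][f]}
        if diffs:
            report["changed"][host] = diffs
    for host, row in sorted(current.items()):
        last_seen = datetime.strptime(row["last_seen"], "%Y-%m-%d").date()
        if (as_of - last_seen).days > stale_days:
            report["stale"].append(host)
        if not row["owner"].strip() or not row["importance"].strip():
            report["unclassified"].append(host)
    return report


def annual_review(as_of: date = date(2024, 3, 1)) -> dict:
    """Run the reconciliation over the constructed sample exports."""
    return reconcile(parse_inventory(PREVIOUS_EXPORT),
                     parse_inventory(CURRENT_EXPORT), as_of)


if __name__ == "__main__":
    for bucket, hosts in annual_review().items():
        print(f"{bucket:13}: {hosts}")
```

Each bucket maps to a review action: "sunset" and "stale" entries need a decommission record or an explanation for the silence, "changed" entries need their owner to confirm the move, and "unclassified" entries need owner and importance filled in before the inventory can drive protection priorities.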


D1.G.IT.E.3 - EOL management

Statement: The institution proactively manages system EOL (e.g., replacement) to limit security risks.

DefenseStorm: Yes, partially.

Customer: For complete compliance, leverage Pwnie/Nessus with DefenseStorm.


D2.TI.Ti.B.1 - Threat information sources

Statement: The institution belongs or subscribes to a threat and vulnerability information sharing source(s) that provides information on threats (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC], U.S. Computer Emergency Readiness Team [US-CERT]). (FFIEC EBanking Work Program, page 28)

DefenseStorm: Yes. Over a dozen sources. See the Threat Sharing Sources FAQ.

Customer: Ensure that ThreatMatch is enabled.


D2.TI.Ti.B.2 - Threat monitoring

Statement: Threat information is used to monitor threats and vulnerabilities. (FFIEC Information Security Booklet, page 83)

DefenseStorm: Yes. The DefenseStorm Console covers threat monitoring; adding Pwnie and Nessus covers both threats and vulnerabilities.

Customer: Make sure ThreatMatch is enabled. For more complete compliance, utilize Pwnie and Nessus for threat and vulnerability monitoring through TRAC.


D2.TI.Ti.B.3 - Enhance risk management

Statement: Threat information is used to enhance internal risk management and controls. (FFIEC Information Security Booklet, page 4)

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: For increased compliance, leverage TRAC recommendations. You can also leverage the daily TRAC Intel Report to enhance risk management and controls by following the TRAC Security Bulletins Forum.



D2.TI.Ti.E.1 - Information, analysis, and mitigation recommendations

Statement: Threat information received by the institution includes analysis of tactics, patterns, and risk mitigation recommendations.

DefenseStorm: Yes, if...

Customer:  To further your compliance, utilize TRAC.


D2.TI.Ti.Int.1 - Formal implementation of a threat intelligence program

Statement: A formal threat intelligence program is implemented and includes subscription to threat feeds from external providers and internal sources.

DefenseStorm: Yes. DefenseStorm supplies the external providers, and the Console supports internal sources by downloading internal threat feeds.

Customer: Make sure ThreatMatch is enabled.


D2.TI.Ti.Int.2 - Collection protocols

Statement: Protocols are implemented for collecting information from industry peers and government.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: Utilize the TRAC team; they have defined protocols for accomplishing this.


D2.TI.Ti.Int.3 - Central cyber threat repository

Statement: A read-only, central repository of cyber threat intelligence is maintained.

DefenseStorm: Yes, via Connect. 

Customer:  To further your compliance, utilize TRAC Team.


D2.TI.Ti.A.1 - Use of a cyber intelligence model

Statement: A cyber intelligence model is used for gathering threat information.

DefenseStorm: Yes, via DefenseStorm's methodology for collecting intelligence and distributing it through our daily news.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D2.TI.Ti.A.2 - Receive threats automatically

Statement: Threat intelligence is automatically received from multiple sources in real time.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: Make sure ThreatMatch is enabled.


D2.TI.Ti.A.3 - Geopolitical threat intelligence

Statement: The institution's threat intelligence includes information related to geopolitical events that could increase cybersecurity threat levels.

DefenseStorm:  Yes. Leveraging DefenseStorm.

Customer: Make sure ThreatMatch is enabled.


D2.TI.Ti.Inn.2 - Investment in threat intelligence and collaboration

Statement: The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared.

DefenseStorm: Yes, DefenseStorm does this on your behalf.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D2.TI.Ma.B.1 - Secure review and retention of logs

Statement: Audit log records and other security event logs are reviewed and retained in a secure manner. (FFIEC Information Security Booklet, page 79).

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Simply having DefenseStorm meets this criterion.


D2.TI.Ma.B.2 - Investigation of events

Statement: Computer event logs are used for investigations once an event has occurred. (FFIEC Information Security Booklet, page 83).

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: To further your compliance, utilize onTRAC services.


D2.TI.Ma.E.1 - Discovery of emerging threats

Statement: A process is implemented to monitor threat information to discover emerging threats.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: To further your compliance, utilize the TRAC Team. They analyze the threat feeds and leverage that data to better monitor your network.


D2.TI.Ma.E.2 - Threat analysis team

Statement: The threat information and analysis process is assigned to a specific group or individual.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: To further your compliance, utilize TRAC Team.


D2.TI.Ma.E.3 - Security Operations Center (SOC)

Statement: Security processes and technology are centralized and coordinated in a Security Operations Center (SOC) or equivalent.

DefenseStorm: Yes, partially.

Customer: To further your compliance, utilize onTRAC services. Security processes are centralized and coordinated through the TRAC team according to the Rules of Engagement established with DefenseStorm. They provide the 24/7 Monitoring Center and response via Active Response.


D2.TI.Ma.E.4 - Continuous system monitoring

Statement: Monitoring systems operate continuously with adequate support for efficient incident handling.

DefenseStorm: Yes, if...

Customer: To further your compliance, utilize onTRAC services.


D2.TI.Ma.Int.1 - Multiple source threat evaluation

Statement: A threat intelligence team is in place that evaluates threat intelligence from multiple sources for credibility, relevance, and exposure.

DefenseStorm: Yes, if...

Customer: To further your compliance, utilize onTRAC services.


D2.TI.Is.B.1 - Internal sharing of threats

Statement: Information security threats are gathered and shared with applicable internal employees. (FFIEC Information Security Booklet, page 83).

DefenseStorm: Yes, via TRAC Team and Connect.

Customer: To further your compliance, utilize TRAC Team and Connect.


D2.TI.Is.B.3 - Law enforcement

Statement: Information about threats is shared with law enforcement and regulators when required or prompted. (FFIEC Information Security Booklet, page 84).

DefenseStorm: Yes. Within your IR policy/plan, you should have points of contact with law enforcement. If DefenseStorm takes on the role of your trusted advisor, we should be added into the plan.

Customer: Add DefenseStorm to your Incident Response (IR) plan.


D2.TI.Is.E.2 - Information-sharing meetings

Statement: A representative from the institution participates in law enforcement or information-sharing organization meetings.

DefenseStorm: Yes. DefenseStorm participates in FS-ISAC and InfraGard meetings, gatherings, etc.

Customer: To further your compliance, utilize onTRAC services.


D2.TI.Is.Int.1 - Internal, formal, sharing protocol

Statement: A formal protocol is in place for sharing threat, vulnerability, and incident information to employees based on their specific job function.

DefenseStorm: Yes, partially. DefenseStorm provides all the necessary data via Connect, Pwnie/Nessus reports, and incident information.

Customer: Define and implement the formal protocol using the data provided by DefenseStorm.


D2.TI.Is.A.2 - Peer institution sharing

Statement: Relationships exist with employees of peer institutions for sharing cyber threat intelligence.

DefenseStorm: Yes, via Connect.

Customer: To further your compliance, utilize Connect forums.


D3.PC.Im.B.1 - Perimeter defense tools

Statement: Network perimeter defense tools (e.g., border router and firewall) are used. (FFIEC Information Security Booklet, page 33).

DefenseStorm: Yes. DefenseStorm can monitor via alerts to ensure this control is in place and event data is being received.

Customer: To further your compliance, create a policy based on assessments.  


D3.PC.Im.B.3 - Port monitoring

Statement: All ports are monitored. (FFIEC Information Security Booklet, page 50).

DefenseStorm: Yes. DefenseStorm is monitoring via Firewall, Network Switch, and other logs.

Customer: For further compliance, utilize Security Onion and Pwnie/Nessus.


D3.PC.Im.B.5 - System configurations

Statement: System configurations (for servers, desktops, routers, etc.) follow industry standards and are enforced. (FFIEC Information Security Booklet, page 56).

DefenseStorm: Yes, partially...

Customer: For further compliance, utilize Pwnie and Nessus with DefenseStorm.


D3.PC.Im.B.7 - Selective access for system configurations

Statement: Access to make changes to systems configurations (including virtual machines and hypervisors) is controlled and monitored. (FFIEC Information Security Booklet, page 56).

DefenseStorm: Yes, partially. DefenseStorm provides the monitoring to enable you to be alerted and audit these types of access and changes.

Customer: Make sure your policy is set up for the monitoring aspect.


D3.PC.Im.B.10 - Encryption for authentication and transmission

Statement: Wireless network environments require security settings with strong encryption for authentication and transmission. (*N/A if there are no wireless networks.) (FFIEC Information Security Booklet, page 40).

DefenseStorm: Yes, partially.

Customer: For further compliance, utilize Pwnie and Nessus.


D3.DC.Th.B.2 - Attack detection tools

Statement: Antivirus and anti-malware tools are used to detect attacks. (FFIEC Information Security Booklet, page 55).

DefenseStorm: Yes, partially. DefenseStorm is part of the overall malware detection toolset.

Customer: Ensure that ThreatMatch and PatternScout are enabled and utilized.


D3.DC.An.B.1 - Anomaly detection

Statement: The institution is able to detect anomalous activities through monitoring across the environment. (FFIEC Information Security Booklet, page 32).

DefenseStorm: Yes. PatternScout.

Customer: Leverage PatternScout.  


D3.DC.An.B.3 - Log review

Statement: Logs of physical and/or logical access are reviewed following events. (FFIEC Information Security Booklet, page 73).

DefenseStorm: Yes.

Customer: For further compliance, utilize TRAC Team. They perform the initial triage of incidents and work with you for comprehensive analysis and remediation.


D3.DC.An.B.4 - Critical system access

Statement: Access to critical systems by third parties is monitored for unauthorized or unusual activity. (FFIEC Outsourcing Booklet, page 26).

DefenseStorm: Yes. Onboarding policies.

Customer: For further compliance, utilize the TRAC Team. They work with you to identify critical systems and third-party access information in order to provide appropriate alerting and monitoring of third-party access: which third-party vendors have access, how they access, what systems they access, and when they access them.


D3.DC.An.B.5 - Elevated privileges

Statement: Elevated privileges are monitored. (FFIEC Information Security Booklet, page 19).

DefenseStorm: Yes.

Customer: For further compliance, utilize the TRAC team. They monitor privileged accounts based on information collected during onboarding.


D3.DC.An.E.2 - Regular log review

Statement: Security logs are reviewed regularly.

DefenseStorm: Yes, if...

Customer: For compliance, utilize onTRAC services.

D3.DC.An.E.3 - System access traceability

Statement: Logs provide traceability for all system access by individual users.

DefenseStorm: Yes, if...

Customer: Ensure your systems are fully implemented and instrumented to provide us with the data.


D3.DC.An.E.4 - Established thresholds

Statement: Thresholds have been established to determine activity within logs that would warrant management response.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: Make sure that PatternScout and Alert Thresholds are configured via TRAC for monitoring.


D3.DC.An.Int.3 - Monitor and alert on log anomalies

Statement: Tools actively monitor security logs for anomalous behavior and alert within established parameters.

DefenseStorm: Yes. PatternScout automatically, TRAC Team manually.

Customer: For further compliance, utilize onTRAC services.


D3.DC.An.Int.4 - Restricted, centralized log server

Statement: Audit logs are backed up to a centralized log server or media that is difficult to alter.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D3.DC.An.Int.5 - Periodic threshold evaluation

Statement: Thresholds for security logging are evaluated periodically.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: For compliance, utilize onTRAC services. They do this dynamically based on your instrumentation, quality, and changes.


D3.DC.An.Int.6 - Alerts correlated across all business units

Statement: Anomalous activity and other network and system alerts are correlated across business units to detect and prevent multifaceted attacks (e.g., simultaneous account takeover and DDoS attack).

DefenseStorm: Yes, if...

Customer: Ensure your systems are fully implemented and instrumented to provide us with the data.


D3.DC.An.A.3 - Employee behavior

Statement: A system is in place to monitor and analyze employee behavior (network use patterns, work hours, and known devices) to alert on anomalous activities.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: For compliance, utilize role-based PatternScout.


D3.DC.Ev.B.1 - Established activity baseline

Statement: A normal network activity baseline is established. (FFIEC Information Security Booklet, page 77).

DefenseStorm: Yes. DefenseStorm is providing this capability via PatternScout and Event Thresholds set by TRAC.

Customer: For further compliance, utilize onTRAC services.


D3.DC.Ev.B.2 - Potential attack notification

Statement: Mechanisms (e.g., antivirus alerts, log event alerts) are in place to alert management to potential attacks. (FFIEC Information Security Booklet, page 78).

DefenseStorm: Yes. DefenseStorm monitors and escalates back to you.

Customer: For further compliance, utilize TRAC Team for escalation and resolution help.


D3.DC.Ev.B.3 - Monitor for unauthorized access

Statement: Processes are in place to monitor for the presence of unauthorized users, devices, connections, and software. (FFIEC Information Security Work Program, Objective II: M-9).

DefenseStorm: Yes. DefenseStorm monitors via Assets.

Customer: For further compliance, utilize Pwnie and Nessus.


D3.DC.Ev.B.4 - Assigned monitor

Statement: Responsibilities for monitoring and reporting suspicious systems activity have been assigned. (FFIEC Information Security Booklet, page 83).

DefenseStorm: Yes. DefenseStorm monitors and escalates to you based on our Rules of Engagement with you.

Customer: Ensure the Rules of Engagement allow for compliance.


D3.DC.Ev.B.5 - Physical environment unauthorized access

Statement: The physical environment is monitored to detect potential unauthorized access. (FFIEC Information Security Booklet, page 47).

DefenseStorm: Yes, if...

Customer: Provide DefenseStorm with access log information from physical controls.


D3.DC.Ev.E.1 - Event correlation tool

Statement: A process is in place to correlate event information from multiple sources (e.g., network, application, or firewall).

DefenseStorm: Yes. DefenseStorm is the correlation tool, TRAC Team provides the correlation experts.

Customer: For further compliance, utilize onTRAC services.


D3.DC.Ev.Int.1 - Reliable event detection

Statement: Event detection processes are proven reliable.

DefenseStorm: Yes. Leveraging TRAC.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D3.DC.Ev.Int.2 - Critical Asset monitoring

Statement: Specialized security monitoring is used for critical assets throughout the infrastructure.

DefenseStorm: Yes, if... DefenseStorm is specialized monitoring that can be refined for critical assets, provided that you:

Customer:  Properly identify critical assets to us via the importance column of the assets page on the Console.


D3.DC.Ev.A.1 - Detect unauthorized changes

Statement: Automated tools detect unauthorized changes to critical system files, firewalls, IPS, IDS, or other security devices.

DefenseStorm: Yes, via monitoring triggers for system changes.

Customer: Ensure that triggers for system changes are active.


D3.DC.Ev.A.3 - Automatic network change alerts

Statement: Real-time alerts are automatically sent when unauthorized software, hardware, or changes occur.

DefenseStorm: Yes, partially (for software), through monitoring triggers for system changes and asset alerts on software changes on Windows assets.

Customer: Ensure that your triggers are activated to alert on changes to software on Windows assets.


D3.DC.Ev.A.4 - Tools can correlate events

Statement: Tools are in place to actively correlate event information from multiple sources and send alerts based on established parameters.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D3.DC.Ev.Inn.1 - Predictive event correlation

Statement: The institution is leading efforts to develop event detection systems that will correlate in real time when events are about to occur.

DefenseStorm: Yes. As your representative, DefenseStorm is continuing to develop tools that provide predictive correlation based on event data received.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D3.DC.Ev.Inn.2 - Investing in intelligence and collaboration

Statement: The institution is investing in the development of new threat intelligence and collaboration mechanisms (e.g., technologies, business processes) that will transform how information is gathered and shared.

DefenseStorm: Yes. As your vendor providing the cybersecurity stack, DefenseStorm does this for you.

Customer: Ensure ThreatMatch is enabled.


D5.IR.Pl.B.4 - Team diversity

Statement: The response team includes individuals with a wide range of backgrounds and expertise, from many different areas within the institution (e.g., management, legal, public relations, as well as information technology). (FFIEC Information Security Booklet, page 84).

DefenseStorm: Yes, if...

Customer: Utilize TRAC Team. They provide Cybersecurity expertise in the Response Team.


D5.IR.Te.B.1 - Improvement scenarios

Statement: Scenarios are used to improve incident detection and response. (FFIEC Information Security Booklet, page 71).

DefenseStorm: Red Team.

Customer: No further action required.


D5.IR.Te.B.2 - Third party collaboration

Statement: Business continuity testing involves collaboration with critical third parties. (FFIEC Business Continuity Planning Booklet, page J-6).

DefenseStorm: Yes, if...

Customer: Incorporate DefenseStorm into your business continuity testing.


D5.IR.Te.E.2 - Response improvement

Statement: Widely reported events are used to evaluate and improve the institution's response.

DefenseStorm: Yes, partially. DefenseStorm, via TRAC, provides the information.

Customer: For complete compliance, leverage the data from DefenseStorm to improve your responses.


D5.IR.Te.Int.1 - Analysis of attack scenarios

Statement: Cyber-attack scenarios are analyzed to determine potential impact to critical business processes.

DefenseStorm: Red Team.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.IR.Te.Int.2 - Participation in cyber exercises

Statement: The institution participates in sector-specific cyber exercises or scenarios (e.g., FS-ISAC Cyber Attack (against) Payment Processors (CAPP)).

DefenseStorm: Red Team.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.IR.Te.Int.3 - Analysis of resilience testing

Statement: Resilience testing is based on analysis and identification of realistic and highly likely threats as well as new and emerging threats facing the institution.

DefenseStorm: Red Team.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.

D5.IR.Te.Int.4 - Critical system stress testing

Statement: The critical online systems and processes are tested to withstand stresses for extended periods (e.g., DDoS).

DefenseStorm: Red Team.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.IR.Te.Int.5 - Utilization of cyber event exercises

Statement: The results of cyber event exercises are used to improve the incident response plan and automated triggers.

DefenseStorm: Yes. DefenseStorm provides the data.

Customer: For compliance, leverage the DefenseStorm output of these types of activities.


D5.IR.Te.A.1 - Comprehensive resilience testing

Statement: Resilience testing is comprehensive and coordinated across all critical business functions.

DefenseStorm: Red Team.

Customer: No further action necessary. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.IR.Te.A.2 - Utilization of known attacks

Statement: The institution validates that it is able to recover from cyber events similar to known sophisticated attacks at other organizations.

DefenseStorm: Red Team - leveraging data/experience across customers.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.IR.Te.A.3 - Internal hacking team (Red Team)

Statement: Incident response testing evaluates the institution from an attacker's perspective to determine how the institution or its assets at critical third parties may be targeted.

DefenseStorm: Red Team.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.IR.Te.A.4 - Root cause correction

Statement: The institution corrects root causes for problems discovered during cybersecurity resilience testing.

DefenseStorm: Yes. DefenseStorm provides the data and recommendations.

Customer: For compliance, utilize the data provided by DefenseStorm.


D5.DR.De.B.1 - Alert parameters

Statement: Alert parameters are set for detecting information security incidents that prompt mitigating actions. (FFIEC Information Security Booklet, page 43).

DefenseStorm: Yes. DefenseStorm Triggers.

Customer: Ensure triggers are activated. 


D5.DR.De.B.2 - Risk indicator information

Statement: System performance reports contain information that can be used as a risk indicator to detect information security incidents. (FFIEC Information Security Booklet, page 86).

DefenseStorm: Yes, partially, through temporal anomalies.

Customer: Ensure that ThreatMatch and PatternScout are enabled for the best compliance.


D5.DR.De.B.3 - Initiation of the incident response program

Statement: Tools and processes are in place to detect, alert, and trigger the incident response program. (FFIEC Information Security Booklet, page 84).

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.DR.De.E.1 - Potential threatening internal activity

Statement: The institution has processes to detect and alert the incident response team when potential insider activity manifests that could lead to data theft or destruction.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.DR.De.Int.1 - Anomaly detection

Statement: The incident response program is triggered when anomalous behaviors and attack patterns or signatures are detected.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.DR.De.Int.2 - Discover infiltration pre-damage

Statement: The institution has the ability to discover infiltration, before the attacker traverses across systems, establishes a foothold, steals information, or causes damage to data and systems.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.DR.De.Int.3 - Appropriate personnel alert

Statement: Incidents are detected in real time through automated processes that include instant alerts to appropriate personnel who can respond.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.DR.De.Int.4 - Correlation of network and system alerts

Statement: Network and system alerts are correlated across business units to better detect and prevent multifaceted attacks (e.g., simultaneous DDoS attack and account takeover).

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.DR.De.Int.5 - Enterprise level event correlation

Statement: Incident detection processes are capable of correlating events across the enterprise.

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.DR.De.A.1 - External and internal threat detection

Statement: Sophisticated and adaptive technologies are deployed that can detect and alert the incident response team of specific tasks when threat indicators across the enterprise indicate potential external and internal threats.

DefenseStorm: Yes. ThreatMatch, PatternScout, Triggers.

Customer: Ensure that ThreatMatch, PatternScout, and Triggers are enabled.


D5.DR.De.A.2 - Specialized security monitoring

Statement: Automated tools are implemented to provide specialized security monitoring based on the risk of the assets to detect and alert incident response teams in real time.

DefenseStorm: Yes. DefenseStorm is the specialized tool and can be tuned for more specialized monitoring of identified high-risk systems.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.DR.Re.B.1 - Incident containment

Statement: Appropriate steps are taken to contain and control an incident to prevent further unauthorized access to or use of customer information. (FFIEC Information Security Booklet, page 84).

DefenseStorm: Yes, through TRAC Team.

Customer:  Utilize onTRAC services. They provide alerting, recommendations, and expertise on mitigation.


D5.DR.Re.E.6 - Incident records

Statement: Records are generated to support incident investigation and mitigation.

DefenseStorm: Yes. Incident Ticketing system.

Customer: Utilize the incident ticketing system on your DefenseStorm console.

D5.DR.Re.E.7 - Mitigation by third parties

Statement: The institution calls upon third parties, as needed, to provide mitigation services.

DefenseStorm: Red Team.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.

D5.DR.Re.E.8 - Security improvement from event analysis

Statement: Analysis of events is used to improve the institution's security measures and policies.

DefenseStorm: Yes, partially.

Customer: For further compliance, utilize TRAC Team. They perform continuous improvement based on lessons learned dealing with incidents.


D5.DR.Re.A.1 - Management and intelligence collaboration

Statement: The incident management function collaborates effectively with the cyber threat intelligence function during an incident.

DefenseStorm: Yes, if...

Customer: TRAC Team is appropriately integrated into your IR Plan.


D5.DR.Re.A.2 - Proactive response to threats

Statement: Links between threat intelligence, network operations, and incident response allow for proactive response to potential incidents.

DefenseStorm: Yes, if...

Customer: TRAC Team is appropriately integrated into your IT team. This is a force multiplier if you are leveraging DefenseStorm effectively.


D5.DR.Re.A.3 - Timely response to attacks

Statement: Technical measures apply defense-in-depth techniques such as deep packet inspection and black holing for detection and timely response to network-based attacks associated with anomalous ingress or egress traffic patterns and/or DDoS attacks.

DefenseStorm: Yes, partially. Anomaly detection.

Customer: Requires appropriate instrumentation and configuration of PatternScout as well as ThreatMatch.


D5.ER.Es.B.3 - Annual reporting

Statement: The institution prepares an annual report of security incidents or violations for the board or an appropriate board committee. (FFIEC Information Security Booklet, page 5).

DefenseStorm: Yes. The Cybersecurity Report.

Customer: Present the Cybersecurity Report to the board.

D5.ER.Es.B.4 - Incident management

Statement: Incidents are classified, logged, and tracked. (FFIEC Operations Booklet, page 28).

DefenseStorm: Yes. Leveraging DefenseStorm.

Customer: No further action required. Having DefenseStorm as your cybersecurity company meets the criteria.


D5.ER.Es.E.3 - Incident tracking

Statement: Tracked cyber incidents are correlated for trend analysis and reporting.

DefenseStorm: Yes. Data included in the Cybersecurity Report.

Customer: For further compliance, utilize onTRAC services such as trend analysis.


D5.ER.Es.A.2 - Management level metric review

Statement: Detailed metrics, dashboards, and/or scorecards outlining cyber incidents and events are provided to management and are part of the board meeting package.

DefenseStorm: Yes. Cybersecurity Report.

Customer: Utilize the Cybersecurity Report as part of board meetings.