Security & Risks
Platform-specific security controls, threat model for the audit infrastructure itself, risk register, and mitigation strategies to protect the integrity of the evidence collection and storage system.
6.1 Threat Model for the Audit Platform
The audit and forensics platform is itself a high-value target. Attackers who can compromise the platform can delete evidence, alter logs, or gain intelligence about what the security team knows. A dedicated threat model for the platform infrastructure — separate from the threats it monitors — is therefore essential. This section applies the STRIDE methodology to identify the most critical threats to platform integrity.
| STRIDE Category | Threat | Target Component | Impact | Likelihood | Priority |
|---|---|---|---|---|---|
| Tampering | Attacker modifies SIEM rules to suppress alerts for their TTPs | SIEM rule engine | Critical — detection blind spot | Medium | P1 |
| Tampering | Admin deletes or modifies evidence vault objects | Evidence Vault / WORM storage | Critical — evidence destruction | Low (if WORM enforced) | P1 |
| Repudiation | Admin denies performing privileged actions | Bastion/PAM session records | High — non-repudiation failure | Medium | P1 |
| Information Disclosure | Unauthorized access to evidence vault exposes investigation data | Evidence Vault | High — investigation compromise | Medium | P1 |
| Denial of Service | Log flood attack overwhelms collector and drops evidence | Log Collector | High — evidence gap | High | P1 |
| Elevation of Privilege | Compromise of SIEM admin account grants full platform access | SIEM admin interface | Critical — full platform compromise | Medium | P1 |
| Spoofing | Attacker injects forged log events to mislead investigation | Log Collector ingest interface | High — false evidence | Medium | P2 |
| Tampering | NTP manipulation causes time skew, invalidating evidence timeline | NTP infrastructure | High — timeline integrity failure | Low | P2 |
6.2 Platform Security Controls
The following security controls are mandatory for all deployments of the audit and forensics platform. These controls directly address the threats identified in the threat model and must be verified during acceptance testing (see Chapter 10). Controls are organized by the platform component they protect.
| Component | Security Control | Implementation | Verification Method |
|---|---|---|---|
| All Components | MFA for all administrative access | TOTP/hardware token; SSO with MFA enforcement | Attempt admin login without MFA — must fail |
| All Components | TLS 1.3 for all inter-component communication | mTLS with certificate pinning for internal APIs | TLS scan; reject TLS 1.2 and below |
| SIEM Platform | Rule change audit trail | All rule modifications logged to immutable meta-audit index | Modify rule; verify log entry in meta-audit; attempt deletion |
| SIEM Platform | RBAC with least privilege | Analyst role: read-only; Admin role: config only; Evidence role: separate | Attempt cross-role actions; verify denial |
| Evidence Vault | WORM object lock (compliance mode) | S3 Object Lock compliance mode; retention period enforced by storage layer | Attempt object deletion/modification during retention period — must fail |
| Evidence Vault | Encryption at rest (AES-256) | KMS-managed keys; HSM-backed key storage | Verify encryption headers; test key rotation procedure |
| Log Collector | Rate limiting and flood protection | Per-source EPS rate limits; circuit breaker for flood events | Flood test at 10× normal rate; verify spool and rate limiting |
| Log Collector | Source authentication | mTLS client certificates for all log sources; IP allowlist as secondary control | Attempt log injection without valid cert — must fail |
| Bastion/PAM | Session recording tamper protection | Recordings stored in WORM vault; admin cannot access recording storage | Attempt recording deletion as bastion admin — must fail |
| NTP Infrastructure | Authenticated NTP (NTS) | Network Time Security (NTS) for NTP authentication; GPS-disciplined Stratum 1 | Verify NTS authentication; test with unauthenticated NTP source |
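The Log Collector rows above call for per-source EPS limits, a circuit breaker for flood events and a spool so that over-limit events are held rather than dropped. The Python below is an added example, not code from this design or from any platform component: it implements that control as a per-source token bucket with an in-memory spool and breaker, and `flood_test` replays the 10× flood acceptance check on a fake clock. Source names, the limits and the 1 s flood-detection window are assumed values.

```python
import time
from collections import deque

class CollectorRateLimiter:
    """Per-source token bucket; over-limit events are spooled, never dropped, so one
    flooding source cannot open an evidence gap for others. Over-limit arrivals above
    flood_factor x eps_limit within 1 s trip that source's breaker for `cooldown` s."""

    def __init__(self, eps_limit, burst, flood_factor=10, cooldown=60.0, clock=time.monotonic):
        self.eps_limit, self.burst = eps_limit, burst
        self.flood_threshold = flood_factor * eps_limit
        self.cooldown, self.clock = cooldown, clock
        self.sources = {}        # source_id -> bucket and breaker state
        self.ingested = []       # in-memory stand-in for the SIEM hot path
        self.spool = deque()     # in-memory stand-in for the durable 72h spool

    def ingest(self, source_id, event):
        now = self.clock()
        st = self.sources.setdefault(source_id, {
            "tokens": float(self.burst), "refill_at": now,
            "breaker_until": 0.0, "over_count": 0, "over_window": now})
        if now < st["breaker_until"]:            # breaker open: source isolated
            self.spool.append((source_id, event))
            return "breaker_open"
        st["tokens"] = min(self.burst, st["tokens"] + (now - st["refill_at"]) * self.eps_limit)
        st["refill_at"] = now
        if st["tokens"] >= 1.0:
            st["tokens"] -= 1.0
            self.ingested.append((source_id, event))
            return "ingested"
        self.spool.append((source_id, event))    # over limit: spool and count it
        if now - st["over_window"] >= 1.0:       # 1 s flood window (assumed value)
            st["over_window"], st["over_count"] = now, 0
        st["over_count"] += 1
        if st["over_count"] >= self.flood_threshold:
            st["breaker_until"] = now + self.cooldown
            return "breaker_tripped"
        return "spooled"

def flood_test(eps_limit=10, burst=10, flood_events=200):
    """Flood one source far past its limit while a second keeps logging (fake clock)."""
    t = [0.0]
    rl = CollectorRateLimiter(eps_limit, burst, clock=lambda: t[0])
    outcomes = [rl.ingest("fw-01", f"flood {i}") for i in range(flood_events)]
    second = [rl.ingest("dns-01", f"query {i}") for i in range(5)]
    t[0] = 61.0                                  # past cooldown: breaker resets
    recovered = rl.ingest("fw-01", "post-flood event")
    return {"ingested": len(rl.ingested), "spooled": len(rl.spool), "total": flood_events + 6,
            "tripped_at": outcomes.index("breaker_tripped"), "recovered": recovered,
            "second_source_ok": all(o == "ingested" for o in second)}
```

The check that matters for acceptance is that ingested plus spooled equals every event offered, with the second source unaffected while the first is isolated.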
6.3 Risk Register
The risk register documents the residual risks that remain after all mandatory security controls are implemented. Each risk is assessed for likelihood and impact, with the resulting risk score used to prioritize additional mitigations. Risk owners are responsible for monitoring and reporting on their assigned risks during the operational phase.
| Risk ID | Risk Description | Likelihood (1–5) | Impact (1–5) | Risk Score | Mitigation | Residual Risk |
|---|---|---|---|---|---|---|
| R-01 | Evidence vault storage failure causes evidence loss | 2 | 5 | 10 | Erasure coding + geo-redundant replication; quarterly DR test | Low |
| R-02 | Log collector capacity exceeded during major incident, causing evidence gaps | 3 | 4 | 12 | N+1 collector deployment; 72h spool; capacity monitoring with 80% alert threshold | Medium |
| R-03 | SIEM admin account compromise allows rule manipulation | 2 | 5 | 10 | MFA; break-glass procedure; rule change alerts to separate monitoring channel | Low |
| R-04 | Cloud API log retention gap (default 90 days) misses evidence for long-running investigations | 4 | 4 | 16 | Extend cloud audit log retention to 1 year; export to evidence vault within 24h | Medium |
| R-05 | NTP failure causes time skew across evidence sources | 2 | 4 | 8 | Redundant NTP servers; NTS authentication; skew monitoring with 1s alert threshold | Low |
| R-06 | KMS/HSM failure prevents evidence signing and access | 1 | 5 | 5 | HA HSM pair; documented key recovery procedure; quarterly recovery test | Low |
| R-07 | Insider threat by SOC analyst accesses sensitive investigation data | 2 | 4 | 8 | RBAC; case-based access control; access logging; dual-control for sensitive cases | Low |
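R-03 rests on the rule change audit trail from 6.2 (the immutable meta-audit index) together with alerting over a separate channel. The Python below is an added illustration, not the platform's own code: a hash-chained meta-audit index whose head hash is anchored outside the SIEM (for instance in the evidence vault or the separate monitoring channel), so that an edited, deleted, reordered or truncated rule-change record is detectable. Rule ids, actor names and the record layout are assumed.

```python
import hashlib
import json

GENESIS = "0" * 64   # prev-hash of the first record

def record_hash(prev_hash, entry):
    """SHA-256 over the previous record's hash and the canonical JSON of this entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

class MetaAuditIndex:
    """Append-only log of SIEM rule changes. Every record commits to its predecessor,
    so an edit, deletion or reordering anywhere in the chain changes every later hash."""

    def __init__(self):
        self.records = []

    def append(self, actor, rule_id, action, before, after):
        entry = {"seq": len(self.records), "actor": actor, "rule_id": rule_id,
                 "action": action, "before": before, "after": after}
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"entry": entry, "prev": prev, "hash": record_hash(prev, entry)}
        self.records.append(rec)
        return rec["hash"]          # head hash: publish it to the out-of-band channel

def verify_chain(records, anchored_head):
    """Return (True, None) if the chain is intact and ends at the anchored head,
    else (False, seq) for the first failing record; seq == len(records) means the
    tail was truncated, which only the externally anchored head can reveal."""
    prev = GENESIS
    for i, rec in enumerate(records):
        if (rec["entry"]["seq"] != i or rec["prev"] != prev
                or rec["hash"] != record_hash(prev, rec["entry"])):
            return False, i
        prev = rec["hash"]
    return (True, None) if prev == anchored_head else (False, len(records))

def build_sample_index():
    """Constructed sample: three rule changes; the second is the kind of threshold
    change (5 -> 500) that would blind a detection and must never vanish from the trail."""
    idx = MetaAuditIndex()
    idx.append("admin-a", "RULE-0101", "disable", {"enabled": True}, {"enabled": False})
    idx.append("admin-b", "RULE-0340", "modify", {"threshold": 5}, {"threshold": 500})
    head = idx.append("admin-a", "RULE-0101", "enable", {"enabled": False}, {"enabled": True})
    return idx.records, head
```

A verifier that runs from the separate monitoring channel, not from the SIEM admin context, is what turns a chain break into the R-03 alert.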
6.4 Compliance Framework Mapping
The platform design is aligned with multiple compliance frameworks. The table below maps the key platform controls to their corresponding requirements in major frameworks, enabling compliance teams to use the platform's built-in capabilities to satisfy audit requirements without additional controls.
| Platform Control | ISO 27001 | NIST CSF | PCI DSS v4 | SOC 2 Type II | GDPR |
|---|---|---|---|---|---|
| Centralized log collection | A.12.4.1 | DE.CM-1 | Req 10.2 | CC7.2 | Art. 32 |
| WORM evidence vault | A.12.4.2 | PR.DS-6 | Req 10.5 | CC6.1 | Art. 5(1)(e) |
| Privileged access management | A.9.4.4 | PR.AC-4 | Req 7.2, 8.2 | CC6.3 | Art. 25 |
| Cryptographic integrity (SHA-256) | A.10.1.1 | PR.DS-6 | Req 10.5.5 | CC6.1 | Art. 32 |
| Retention policy enforcement | A.18.1.3 | PR.IP-6 | Req 10.7 | A1.2 | Art. 5(1)(e) |
| Chain-of-custody workflow | A.16.1.7 | RS.AN-3 | Req 12.10 | CC7.4 | Art. 33 |