Compliance - NIST 800-171 - Audit and Accountability

Audit and Accountability

Threat vectors will always innovate new ideas to circumvent security measures in an organization. This indicates that audit of security measure is needed in an institution to test their effectiveness. Auditing ensures that both users and administrators are in compliance with security policies. Auditing builds accountability and prevents concerned security incidents.

NIST 800-171

A guideline from NIST provides following security requirements for awareness and training (including basic and derived requirements) for protecting the confidentiality of CUI (Controlled Unclassified Information) in nonfederal information systems and organizations. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

Basic Security Requirements:
3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Derived Security Requirements:
3.3.3 Review and update audited events.
3.3.4 Alert in the event of an audit process failure.
3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
3.3.7 Provide an information system capability that compares and synchronizes internal system clocks
with an authoritative source to generate time stamps for audit records.
3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
3.3.9 Limit management of audit functionality to a subset of privileged users.

SIEM and Compliance
Keeping up with compliance and reporting is a daunting tasks. SIEM solutions can help us here by providing holistic visibility into the network and improving detection and response capabilities. However, not everything mentioned by NIST is realizable through SIEM. Here's what you can implement with your SIEM to create a compliance reporting.

Basic Security Requirements:
3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
  • Summary of what types of audit records are being analyzed, where it is stored, earliest event timestamp, latest event timestamp, size of storage, retention policy etc.
3.3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. (Audit users action)
  • Top Users making any changes
  • Top actions by users
  • Summary of the change
Derived Security Requirements:
3.3.4 Alert in the event of an audit process failure.
  • Any audit failure events (like Missing data streams, truncated datas, missing timestamp, data received with future timestamp etc.)
3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
  • Define and track anomalous behavior
    • user logging from multiple sources
    • multiple users logging from same source
    • access attempt to blocked ports/services
    • IDS/IPS detected sources and destinations
    • Antivirus signature update fail or same host affected with more than 20 known malwares
3.3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
  • check if system time is changed
  • time synchronization failure
Log Source Requirements for SIEM
  • Host logs (Windows, Unix etc)
  • IDS/IPS logs
  • Firewall logs

Comments

Popular posts from this blog

Windows - Event ID 4625 - An Account Failed to Logon

Windows - Event ID 4771 - Kerberos pre-authentication failed

Windows - Event ID 4624 - An Account was Successfully Logged on