HOWTO - NIST 800-171 Auditing and Accountability Software Solution
NIST 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" is a recommendation from the National Institute of Standards and Technology for
securing data. It is available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf.
PA File Sight offers powerful access and auditing capabilities for accessing files stored on Microsoft Windows file servers. See below
how PA File Sight can help fulfill the requirements of NIST 800-171.
Executive Summary: PA File Sight can assist with requirements in NIST 800-171 section 3.1 (3.1.1, 3.1.3, 3.1.11, 3.1.21) and section 3.3 (3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9)
3.1 ACCESS CONTROLS
Section 3.1 of the document discusses access controls. See below for how PA File Sight can help with specific requirements.
- 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
3.1.3 Control the flow of CUI in accordance with approved authorizations
- The Trusted Applications monitor can prevent access to files based on rules you create. The rules can inspect the application being used to access the
files, the user account and group membership, etc.
- 3.1.11 Terminate (automatically) a user session after a defined condition
- The Block User List action can be triggered by any monitor, and when a user is on that list, they are prevented from accessing any files on the Windows servers
where PA File Sight is protecting file structures.
- 3.1.21 Limit use of portable storage devices on external systems
- The Drive Sight monitor can prevent USB drives from attaching to the system, thus preventing data getting copied to them. The Trusted Applications monitor
can also prevent files from being written to USB drive as well as common cloud drives (OneDrive, Google Drive, DropBox, etc).
3.3 AUDIT AND ACCOUNTABILITY
- 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity
- The File Sight monitor can record who accesses files (user account, from which computer/IP) on the server, and with the optional Endpoint you
can also see which process was used on the user's computer, as well as if the file was then written out (a copy operation). Operations that can be recorded include file reads, writes, moves and deletes.
In addition, the Trusted Applications rules can be triggered not only on failed access (when access is prevented) but can also be used to record access to the
database for later reporting.
When using the Ultra version of PA File Sight, the collected data is kept in a database which can be used for running reports later during audit investigations.
- 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions
- When PA File Sight records a file I/O operation, it records the user account used and also includes the user's IP address from which they requested file data.
- 3.3.3 Review and update logged events
- As mentioned, PA File Sight's Ultra Edition records monitoring data to a database. Ad hoc reports can be run to view the data. It is also often helpful
to schedule daily or weekly reports to be reviewed by personnel. These reports can be viewed via web browser or emailed in PDF form.
- 3.3.4 Alert in the event of an audit logging process failure
- PA File Sight has many built in measure to ensure auditing is proceeding correctly, including automatic perodic internal test procedures, various internal checking mechanisms,
and configurable alerting for the occasion that a problem might be found. In addition, the monitoring is done by a Windows service which can be locked to prevent it from being stopped,
even by administrator users.
- 3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity
- Reports in PA File Sight make it simple to see who interacted with specific files, or to see all file activity performed my a specific user during a specific time period. This
aids in analysis and correlation of unauthorized activity.
In addition, alert thresholds can be created to monitor for unusual activity levels, such as a high level of data file read activity, or a high number of file deletes.
- 3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting
- Besides scheduled reports which can be scheduled for any timeframe, ad-hoc or one-off reports can be quickly run to support on-demand analysis.
- 3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records
- PA File Sight relies on the Windows system clock for timestamps. Windows computers can be configured to use an NTP time source to provide accurate
time. In addition, PA File Sight has a built in periodic check to detect if the system time is ever tampered with (moved forward or backwards).
- 3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion
- Access to the PA File Sight software can be configured to require a login, even on the local host where it is installed. The monitoring service can
be locked such that it cannot be stopped.
Audit data is stored by default in local database files, and it can also be configured to be stored in a Microsoft SQL Server database with all of the
security protection that product provides. In addition, when remote "Satellite" servers are monitored, their auditing data is forwarded to the "Central" server
for data storage, so the auditing data is not even necessarily on the target server.
- 3.3.9 Limit management of audit logging functionality to a subset of privileged users
- PA File Sight supports multiple logins for multiple users, and each user can have different rights in the system (just view reports, run reports, and administrative access). In addition,
if many servers are monitored, access to specific servers can be locked down to specific personnel.