HOWTO - NIST 800-53 Compliance Solution

NIST 800-53, "Security and Privacy Controls for Information Systems and Organizations" is a recommendation from the National Institute of Standards and Technology for securing data. It is available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.

PA File Sight offers powerful access and auditing capabilities for accessing files stored on Microsoft Windows file servers. See below how PA File Sight can help fulfill the requirements of NIST 800-53.

Executive Summary: PA File Sight can assist with requirements in NIST 800-53 section 3.1 (AC-2, AC-3), section 3.3 (AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, AU-11, AU-12), section 3.5 (CM-6, CM-14), section 3.10 (MP-7), section 3.18 (SC-17, SC-43) and section 3.19 (SI-3, SI-4, SI-5).

3.1 ACCESS CONTROLS

AC-2 AWARENESS AND TRAINING, (g) Monitor the use of accounts
The Trusted Applications monitor can prevent access to files based on rules you create. The rules can inspect the application being used to access the files, the user account and group membership, etc.
AC-2 AWARENESS AND TRAINING, (l.12.a) Monitor system accounts for atypical usage
The File Sight monitor can alert if more than X files are accessed in Y amount of time. For example, a typical office worker might reasonably open 3-5 documents in 1 minute. If 20 documents are read from the server within 1 minute, this would signify an action that should be investigated (it could be exporting data or malware encrypting files).
AC-3 ACCESS ENFORCEMENT
AC-3 INFORMATION FLOW ENFORCEMENT
The Trusted Applications monitor can allow or prevent access to files based on rules you create. The rules are configurable and can inspect the application being used to access the files, the file itself, the location of the file, the user account and group membership, etc.

The Drive Sight monitor can block external USB drives, and the Blocked User List action can cut off access to server files completely for a specific user account when a monitor triggers a configured threshold for a user.

3.3 AUDIT AND ACCOUNTABILITY

AU-2 EVENT LOGGING
AU-3 CONTENT OF AUDIT RECORDS
AU-12 AUDIT RECORD GENERATION
When users access (read, write, move, delete) files on a server their file action is recorded in a database via the File Sight monitor. In addition, if they are denied access by Trusted Application rules, that is also recorded. The record will contain the user account, the computer/IP address where they made the request from, the target server and target file, time, full path to the file being accessed, and optionally (if the Endpoint is on the user computer) the process they used on their computer to do the file activity.
AU-4 AUDIT LOG STORAGE CAPACITY
AU-11 AUDIT RECORD RETENTION
File access records are stored in a database with a configurable time limit to control how long the records are kept. In addition, data from remote servers ("Satellites") is typically forwarded to the Central Server for storage. The optional Endpoints also forward their data to the Central Server to help protect it and keep it centralized for reporting purposes.
AU-5 RESPONSE TO AUDIT LOGGING PROCESS FAILURES
PA File Sight has many built-in measures to ensure auditing is proceeding correctly, including automatic periodic internal test procedures, various internal checking mechanisms, and configurable alerting in case a problem is found. In addition, the monitoring is done by a Windows service which can be locked to prevent it from being stopped, even by administrator users.
AU-6 AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING
AU-7 AUDIT RECORD REDUCTION AND REPORT GENERATION
With the PA File Sight Ultra edition, all audit data is kept in a database. That database backs various configurable reports that can be run on demand, or which can be scheduled and automatically delivered at a specified time.
AU-8 TIME STAMPS
All timestamps are recorded in UTC (Coordinated Universal Time) and are converted to local time when displayed in reports.
AU-9 PROTECTION OF AUDIT INFORMATION
As mentioned above, audit information is forwarded to the Central Server for storage in the database. One database that can be used is MS SQL Server, which has additional security and protection mechanisms. Audit records are never changed by the system, and are only deleted based on a maximum record-age setting.

3.5 CONFIGURATION MANAGEMENT

CM-6 CONFIGURATION SETTINGS
For configuration files that are stored on a Windows server, PA File Sight can monitor and alert when a configuration file is changed, and record who made the change, when, and from where.
CM-14 SIGNED COMPONENTS
The Trusted Applications monitor can optionally use rules to prevent non-signed binaries from being installed/saved to disk, thus preventing unvetted software from being installed.

3.10 MEDIA PROTECTION

MP-7 MEDIA USE
The Drive Sight monitor can "prohibit the use of portable storage devices" by preventing USB drives from attaching to a server.

3.18 SYSTEM AND COMMUNICATIONS PROTECTION

SC-17 BOUNDARY PROTECTION, (10, a) Prevent the exfiltration of information
The File Sight monitor's copy detection settings, the Drive Sight monitor's ability to block USB drives, and the Trusted Applications monitor's ability to control which processes can read files and to prevent writes to places such as cloud storage folders (OneDrive, Google Drive, DropBox, etc.) or external drives are powerful ways to prevent information exfiltration.
SC-17 BOUNDARY PROTECTION, (24, b) PERSONALLY IDENTIFIABLE INFORMATION
The Trusted Applications feature can be configured to allow only specific executable programs to access protected files, which allows for monitoring and enforcing information protection.
SC-43 USAGE RESTRICTIONS
The Trusted Applications feature can be configured to only allow specific executable programs to run in an environment, also sometimes known as "application whitelisting".

3.19 SYSTEM AND INFORMATION INTEGRITY

SI-3 MALICIOUS CODE PROTECTION
The Trusted Applications feature allows for rules that define what a 'good' program is (signed by a well-known software company, for example), and can prevent any programs that do not meet the rules from being able to start.
SI-4 SYSTEM MONITORING
The File Sight monitor has the ability to watch for a specified number of reads AND writes happening from any user account within a short amount of time. This activity is usually done by ransomware, as it has to read a file into memory, encrypt it, and then write it back to disk. By detecting this behavior, the user account can be immediately blocked from the server and alerts sent to the IT team to investigate.
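
The two threshold rules described on this page (the AC-2 "X files in Y time" alert and the SI-4 reads-and-writes alert) can be sketched as a per-user sliding window over audit records. This is an added example, not PA File Sight code or its rule format; the record layout, the alert names and the `max_rewrites` value of 10 are assumptions, while the 20-reads-in-1-minute threshold is the page's own example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit records (UTC time, user, action, path); not product output.
def _rec(sec, user, action, path):
    return (datetime(2024, 1, 1, 9, 0, 0) + timedelta(seconds=sec), user, action, path)

SAMPLE = (
    # alice: 4 documents in 45 seconds, ordinary office use
    [_rec(i * 15, "alice", "read", f"\\\\fs1\\docs\\a{i}.docx") for i in range(4)]
    # bob: 25 documents read in under a minute
    + [_rec(i * 2, "bob", "read", f"\\\\fs1\\hr\\b{i}.xlsx") for i in range(25)]
    # carol: 12 files each read and then written back one second later
    + [_rec(100 + i * 2 + k, "carol", act, f"\\\\fs1\\eng\\c{i}.dwg")
       for i in range(12) for k, act in enumerate(("read", "write"))]
)

def detect(records, window=timedelta(minutes=1), max_reads=20, max_rewrites=10):
    """Return {user: set of alert names} using a per-user sliding time window."""
    recent = defaultdict(deque)  # user -> (time, action, path) entries still in window
    alerts = defaultdict(set)
    for ts, user, action, path in sorted(records):
        q = recent[user]
        q.append((ts, action, path))
        while q and ts - q[0][0] > window:  # expire entries older than the window
            q.popleft()
        reads = {p for _, a, p in q if a == "read"}
        writes = {p for _, a, p in q if a == "write"}
        if len(reads) >= max_reads:              # many distinct files read
            alerts[user].add("bulk-read")
        if len(reads & writes) >= max_rewrites:  # same files read and written
            alerts[user].add("read-and-write")
    return dict(alerts)

if __name__ == "__main__":
    for user, names in sorted(detect(SAMPLE).items()):
        print(user, sorted(names))
```

Counting distinct paths rather than raw events keeps one application re-reading the same document from tripping the bulk-read rule.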
SI-5 SECURITY ALERTS, ADVISORIES AND DIRECTIVES
All of the monitors within the PA File Sight product have the ability to send alerts, including via email, SMS, web hook, scripts and pop-up messages.
