HOWTO - NIST 800-171 Auditing and Accountability Software Solution
NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations", is a National Institute of Standards and Technology publication that
specifies the security requirements a nonfederal organization must meet when it stores or processes Controlled Unclassified Information (CUI). Revision 2 is available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf.
PA File Sight provides access control and auditing for files stored on Microsoft Windows file servers. The sections below describe
how PA File Sight can help satisfy specific NIST 800-171 requirements.
Executive Summary: PA File Sight can assist with requirements in NIST 800-171 section 3.1 (3.1.1, 3.1.3, 3.1.11, 3.1.21) and section 3.3 (3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9)
3.1 ACCESS CONTROLS
Section 3.1 of the document discusses access controls. See below for how PA File Sight can help with specific requirements.
- 3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)
...and...
3.1.3 Control the flow of CUI in accordance with approved authorizations
- The Trusted Applications monitor can block access to files based on rules you create. A rule can match on the application used to access the
file, the user account and its group membership, and other attributes of the request.
- 3.1.11 Terminate (automatically) a user session after a defined condition
- The Block User List action can be triggered by any monitor. While a user is on that list, the account is prevented from accessing any files on the Windows servers
where PA File Sight is protecting file structures. Note that this blocks further file access rather than terminating the user's Windows logon session itself.
- 3.1.21 Limit use of portable storage devices on external systems
- The Drive Sight monitor can prevent USB drives from attaching to the system, so data cannot be copied to them. The Trusted Applications monitor
can also prevent files from being written to USB drives and to common cloud sync folders (OneDrive, Google Drive, Dropbox, etc.).
3.3 AUDIT AND ACCOUNTABILITY
- 3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity
- The File Sight monitor records who accesses files on the server (the user account and the computer/IP address the request came from). With the optional Endpoint component you
can also see which process on the user's computer performed the access and whether the file was then written out elsewhere (a copy operation). Operations that can be recorded include file reads, writes, moves and deletes.
In addition, Trusted Applications rules can fire not only on blocked access attempts but can also record permitted accesses to the
database for later reporting.
When using the Ultra version of PA File Sight, the collected data is kept in a database which can be used for running reports later during audit investigations.
- 3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions
- When PA File Sight records a file I/O operation, it records the user account that performed it and the IP address of the computer the request came from. Traceability to an individual still depends on each person using their own account: PA File Sight records whichever account made the request, so shared or generic accounts should not be used to reach the monitored servers.
- 3.3.3 Review and update logged events
- As mentioned, PA File Sight's Ultra Edition records monitoring data to a database, and ad hoc reports can be run against it. It is also often helpful
to schedule daily or weekly reports for review by the responsible personnel. These reports can be viewed in a web browser or emailed as PDFs.
- 3.3.4 Alert in the event of an audit logging process failure
- PA File Sight has several built-in measures to ensure auditing is proceeding correctly, including periodic internal self-tests, various internal consistency checks,
and configurable alerting for when a problem is found. In addition, the monitoring is done by a Windows service which can be locked so that it cannot be stopped,
even by administrator users.
- 3.3.5 Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity
- Reports in PA File Sight make it simple to see who interacted with specific files, or to see all file activity performed by a specific user during a specific time period. This
aids in the analysis and correlation of unauthorized activity.
In addition, alert thresholds can be created to monitor for unusual activity levels, such as a high level of data file read activity, or a high number of file deletes.
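The following PowerShell script is an added example, not PA File Sight code or a description of how the product implements its thresholds: it shows the kind of activity-level check the text describes, run over a constructed CSV export of file events. The column layout (Timestamp, User, SourceIP, Operation, Path), the sample rows and the thresholds are all assumptions made for this example and are not PA File Sight's report format; map your own report's columns onto them before using it.

```powershell
# Added example, not PA File Sight code: a burst-detection check of the kind the text
# describes, run over a constructed CSV export. The column layout below is an assumption
# for this example and is not PA File Sight's report format; map your report's columns
# onto Timestamp, User, SourceIP, Operation and Path before using it.

$csv = @'
Timestamp,User,SourceIP,Operation,Path
2024-03-04T09:00:05,CORP\alice,10.1.2.30,Read,\\fs1\cui\plan.docx
2024-03-04T09:00:07,CORP\alice,10.1.2.30,Write,\\fs1\cui\plan.docx
2024-03-04T09:05:00,CORP\carol,10.1.2.52,Delete,\\fs1\cui\scratch1.tmp
2024-03-04T09:10:15,CORP\bob,10.1.2.41,Delete,\\fs1\cui\q1.xlsx
2024-03-04T09:10:16,CORP\bob,10.1.2.41,Delete,\\fs1\cui\q2.xlsx
2024-03-04T09:10:18,CORP\bob,10.1.2.41,Delete,\\fs1\cui\q3.xlsx
2024-03-04T09:11:02,CORP\bob,10.1.2.41,Delete,\\fs1\cui\q4.xlsx
2024-03-04T09:11:40,CORP\bob,10.1.2.41,Delete,\\fs1\cui\q5.xlsx
2024-03-04T09:12:59,CORP\bob,10.1.2.41,Delete,\\fs1\cui\q6.xlsx
2024-03-04T09:40:00,CORP\carol,10.1.2.52,Delete,\\fs1\cui\scratch2.tmp
2024-03-04T10:15:00,CORP\carol,10.1.2.52,Delete,\\fs1\cui\scratch3.tmp
'@
$events = $csv | ConvertFrom-Csv

function Find-Bursts {
    # Flags any user who performs $Threshold or more $Operation events inside a sliding
    # window of $WindowMinutes. A sliding window catches bursts that straddle a fixed
    # bucket boundary (e.g. 09:04:50 to 09:05:10), which fixed buckets would split in two.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [Parameter(Mandatory)][string]$Operation,
        [Parameter(Mandatory)][int]$Threshold,
        [Parameter(Mandatory)][int]$WindowMinutes
    )
    $hits = @()
    foreach ($group in ($Events | Where-Object Operation -eq $Operation | Group-Object User)) {
        # Force an array so a user with a single event still indexes correctly
        $times = @($group.Group | ForEach-Object { [datetime]$_.Timestamp } | Sort-Object)
        $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            # Slide the window start forward until the window fits inside WindowMinutes
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $end - $start + 1
            if ($count -ge $Threshold) {
                $hits += [pscustomobject]@{
                    User        = $group.Name
                    Operation   = $Operation
                    Count       = $count
                    WindowStart = $times[$start]
                    WindowEnd   = $times[$end]
                }
                break   # one alert per user per run; remove to report every qualifying window
            }
        }
    }
    $hits
}

# Thresholds are assumptions for the sample data; tune them against a baseline of normal
# activity on your own servers so that routine work does not generate alerts.
$alerts = @(
    Find-Bursts -Events $events -Operation Delete -Threshold 5  -WindowMinutes 5
    Find-Bursts -Events $events -Operation Read   -Threshold 50 -WindowMinutes 5
)

if ($alerts.Count -eq 0) { 'No activity thresholds exceeded' }
else { $alerts | Format-Table -AutoSize }
```

With the constructed rows, only CORP\bob is flagged (five deletes between 09:10:15 and 09:11:40); CORP\carol's three deletes are spread over more than an hour and stay under the threshold. The same pattern applies to a mass-read check, which is why the read threshold is expressed as a second call rather than separate logic.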
- 3.3.6 Provide audit record reduction and report generation to support on-demand analysis and reporting
- Besides scheduled reports, which can cover any time frame, ad hoc or one-off reports can be run quickly to support on-demand analysis.
- 3.3.7 Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records
- PA File Sight relies on the Windows system clock for timestamps. Windows servers can be configured to synchronize with an NTP time source; domain-joined servers normally
follow the domain time hierarchy, with the forest-root PDC emulator pointed at an external authoritative source. In addition, PA File Sight has a built-in periodic check that detects if the system time is moved forward or backward.
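The following PowerShell is an added example, not PA File Sight code or documentation: it shows how a practitioner would configure a standalone Windows server to take time from an NTP source, confirm that the Windows Time service really is synchronized, measure the current offset, and pull the Security-log events that record clock changes, which corroborate the product's own tamper check. The peer names and the one-second tolerance are assumptions; substitute your organization's authoritative source.

```powershell
# Added example, not PA File Sight code: configure a standalone Windows server to take
# time from an authoritative NTP source, confirm that it really is synchronized, measure
# the current offset, and pull the Security-log events that record clock changes.
# Run in an elevated PowerShell session. On a domain-joined member server leave the default
# domain hierarchy (NT5DS) alone and apply a manual peer list only to the forest-root PDC emulator.
# The peer names and the tolerance are assumptions; substitute your organization's source.

$Peers        = 'time.nist.gov,0x8 pool.ntp.org,0x8'   # 0x8 = client mode; space-separated list
$ProbePeer    = 'time.nist.gov'                         # peer used for the offset measurement
$MaxOffsetSec = 1.0                                     # audit timestamps skewed beyond this are suspect

# 1. Configure the peers and ask w32time to resynchronize now
w32tm.exe /config /manualpeerlist:"$Peers" /syncfromflags:manual /update | Out-Null
w32tm.exe /resync /nowait | Out-Null
Start-Sleep -Seconds 10

# 2. Check what the service is actually synchronized to. A source of 'Local CMOS Clock' or
#    'Free-running System Clock' means no external sync, regardless of what was configured.
$status = w32tm.exe /query /status
$source = 'unknown'
foreach ($line in $status) {
    if ($line -match '^Source:\s*(.+)$') { $source = $Matches[1].Trim() }
}
if ($source -match 'Local CMOS Clock|Free-running') {
    Write-Warning "Clock is not synchronized to an external source (Source: $source)"
} else {
    "Synchronized from: $source"
}

# 3. Measure the offset against the probe peer. /stripchart /dataonly prints lines such as
#    '09:00:01, +00.0123456s'; keep the signed offset and take the largest magnitude.
$offsets = foreach ($line in (w32tm.exe /stripchart /computer:$ProbePeer /samples:3 /dataonly)) {
    if ($line -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
}
if (-not $offsets) {
    Write-Warning "No NTP samples from $ProbePeer; check UDP/123 egress and name resolution"
} else {
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    if ($worst -gt $MaxOffsetSec) { Write-Warning ("Clock offset {0:N3}s exceeds {1}s tolerance" -f $worst, $MaxOffsetSec) }
    else { "Worst offset over 3 samples: {0:N3}s" -f $worst }
}

# 4. Independent evidence of clock changes: Security event 4616 ("The system time was changed")
#    is written when the clock is stepped, whether by w32time or by anyone else. The audit
#    subcategory 'Security State Change' must be enabled (it is by default). Steps made by a
#    process other than the Windows Time service, or large jumps, are what to investigate.
$changes = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4616; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue)
"$($changes.Count) system time change event(s) in the last 7 days"
$changes |
    Select-Object TimeCreated, @{ Name = 'Process'; Expression = {
        ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Process Name' } | Select-Object -First 1).Trim()
    } } |
    Format-Table -AutoSize
```

Step 2 matters more than step 1: a server can have peers configured and still be free-running if UDP/123 is blocked, and its audit timestamps would then drift silently. Step 4 gives you a record of clock changes that is independent of any monitoring product, which is useful when reconciling PA File Sight's timestamps against other logs during an investigation.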
- 3.3.8 Protect audit information and audit logging tools from unauthorized access, modification, and deletion
- Access to the PA File Sight console can be configured to require a login, even on the host where it is installed, and the monitoring service can
be locked so that it cannot be stopped.
Audit data is stored by default in local database files, and it can instead be stored in a Microsoft SQL Server database, with the access controls and other
protections that product provides. In addition, when remote "Satellite" servers are monitored, their audit data is forwarded to the "Central" server
for storage, so the audit trail does not have to reside on the server whose activity it records.
- 3.3.9 Limit management of audit logging functionality to a subset of privileged users
- PA File Sight supports multiple logins, and each user can be given different rights in the system (view reports only, run reports, or administrative access). In addition,
when many servers are monitored, access to specific servers can be restricted to specific personnel.