HOWTO - NIST 800-53 Compliance Solution
NIST 800-53, "Security and Privacy Controls for Information Systems and Organizations" is a recommendation from the National Institute of Standards and Technology for
securing data. It is available at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf.
PA File Sight offers powerful access control and auditing capabilities for files stored on Microsoft Windows file servers. The sections below
describe how PA File Sight can help fulfill the requirements of NIST 800-53.
Executive Summary: PA File Sight can assist with requirements in NIST 800-53 section 3.1 (AC-2, AC-3),
section 3.3 (AU-2, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, AU-11, AU-12),
section 3.5 (CM-6, CM-14),
section 3.10 (MP-7),
section 3.18 (SC-17, SC-43) and
section 3.19 (SI-3, SI-4, SI-5).
3.1 ACCESS CONTROLS
- AC-2 AWARENESS AND TRAINING, (g) Monitor the use of accounts
- The Trusted Applications monitor can prevent access to files based on rules you create. The rules can inspect the application being used to access the
files, the user account and group membership, etc.
- AC-2 AWARENESS AND TRAINING, (l.12.a) Monitor system accounts for atypical usage
- The File Sight monitor can alert if more than X files are accessed in Y amount of time. For example, a typical office worker might reasonably open 3-5 documents in 1 minute. If 20 documents are read from the server within 1 minute, this
signifies an action that should be investigated (it could be a user exporting data or malware encrypting files).
- AC-3 ACCESS ENFORCEMENT
AC-3 INFORMATION FLOW ENFORCEMENT
- The Trusted Applications monitor can allow or prevent access to files based on rules you create. The rules are configurable and can inspect the application being used to access the
files, the file itself, the location of the file, the user account and group membership, etc.
The Drive Sight monitor can block external USB drives, and the Blocked User List action can cut off a specific user account's access to server files completely when a monitor
reaches a configured threshold for that user.
3.3 AUDIT AND ACCOUNTABILITY
- AU-2 EVENT LOGGING
AU-3 CONTENT OF AUDIT RECORDS
AU-12 AUDIT RECORD GENERATION
- When users access (read, write, move, delete) files on a server, their file action is recorded in a database via the File Sight monitor. In addition,
if they are denied access by Trusted Applications rules, that is also recorded. The record contains the user account, the computer/IP address from which they
made the request, the target server and target file, the time, the full path to the file being accessed, and optionally (if the Endpoint is installed on the user's computer) the process
they used on their computer to perform the file activity.
- AU-4 AUDIT LOG STORAGE CAPACITY
AU-11 AUDIT RECORD RETENTION
- File access records are stored in a database with a configurable time limit to control how long the records are kept. In addition, data from remote servers ("Satellites") is typically
forwarded to the Central Server for storage. The optional Endpoints also forward their data to the Central Server to help protect it and keep it centralized for reporting purposes.
- AU-5 RESPONSE TO AUDIT LOGGING PROCESS FAILURES
- PA File Sight has many built-in measures to ensure auditing is proceeding correctly, including automatic periodic internal test procedures, various internal checking mechanisms,
and configurable alerting for the case that a problem is found. In addition, the monitoring is done by a Windows service which can be locked to prevent it from being stopped,
even by administrator users.
- AU-6 AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING
AU-7 AUDIT RECORD REDUCTION AND REPORT GENERATION
- With the PA File Sight Ultra edition, all audit data is kept in a database. That database backs various configurable reports that can be run on demand, or which
can be scheduled and automatically delivered at a specified time.
- AU-8 TIME STAMPS
- All timestamps are recorded in UTC (Coordinated Universal Time) and are converted to local time when displayed in reports.
- AU-9 PROTECTION OF AUDIT INFORMATION
- As mentioned above, audit information is forwarded to the Central Server for storage in the database. One database that can be used is MS SQL Server, which has additional
security and protection mechanisms. Audit records are never changed by the system, and are only deleted based on a maximum record-age setting.
3.5 CONFIGURATION MANAGEMENT
- CM-6 CONFIGURATION SETTINGS
- For configuration files that are stored on a Windows server, PA File Sight can monitor and alert when a configuration file is changed, and record who made the change, when, and from where.
- CM-14 SIGNED COMPONENTS
- The Trusted Applications monitor can optionally use rules to prevent unsigned binaries from being installed/saved to disk, thus preventing unvetted software
from being installed.
3.10 MEDIA PROTECTION
- MP-7 MEDIA USE
- The Drive Sight monitor can "prohibit the use of portable storage devices" by preventing USB drives from attaching to a server.
3.18 SYSTEM AND COMMUNICATIONS PROTECTION
- SC-17 BOUNDARY PROTECTION, (10, a) Prevent the exfiltration of information
- The File Sight monitor's copy detection settings, the Drive Sight monitor's ability to block USB drives, and the Trusted Applications monitor's ability
to control which processes can read files and to prevent writes to places such as cloud storage folders (OneDrive, Google Drive, Dropbox, etc.) or external drives are powerful ways
to prevent information exfiltration.
- SC-17 BOUNDARY PROTECTION, (24, b) PERSONALLY IDENTIFIABLE INFORMATION
- The Trusted Applications feature can be configured to allow only specific executable programs to access protected files, which allows for monitoring
and enforcing information protection.
- SC-43 USAGE RESTRICTIONS
- The Trusted Applications feature can be configured to only allow specific executable programs to run in an environment, also sometimes known as "application whitelisting".
3.19 SYSTEM AND INFORMATION INTEGRITY
- SI-3 MALICIOUS CODE PROTECTION
- The Trusted Applications feature allows for rules that define what a 'good' program is (signed by a well-known software company, for example), and can
prevent any program that does not meet the rules from being able to start.
- SI-4 SYSTEM MONITORING
- The File Sight monitor has the ability to watch for a specified number of reads AND writes happening from any user account within a short amount of time. This activity is
usually done by ransomware, as it has to read a file into memory, encrypt it, and then write it back to disk. By detecting this behavior, the user account can be immediately
blocked from the server and alerts sent to the IT team to investigate.
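As an added illustration (not PA File Sight code or configuration), the following Python sketches the kind of detection logic described under AC-2 and SI-4 above: a per-account sliding window that flags more than X distinct files read within Y seconds, and read-then-write pairs on the same files, evaluated over constructed sample audit records. The record shape, account names, paths and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real PA File Sight output), in the shape the
# text describes: UTC timestamp, user account, action, full path of the file.
SAMPLE_RECORDS = [
    ("2024-05-01T09:00:00", "CORP\\alice", "read", r"\\fs1\share\budget.xlsx"),
    ("2024-05-01T09:00:20", "CORP\\alice", "write", r"\\fs1\share\budget.xlsx"),
    ("2024-05-01T09:00:40", "CORP\\alice", "read", r"\\fs1\share\memo.docx"),
    ("2024-05-01T09:10:00", "CORP\\bob", "read", r"\\fs1\share\hr\staff.csv"),
]
# Twenty read-then-write pairs on distinct files within one minute: the ransomware pattern.
for i in range(20):
    for offset, action in ((0, "read"), (1, "write")):
        SAMPLE_RECORDS.append((f"2024-05-01T09:30:{3 * i + offset:02d}",
                               "CORP\\mallory", action, rf"\\fs1\share\docs\{i}.pdf"))

def peak_in_window(timed_paths, window):
    """Largest number of distinct files touched inside any span of length `window`."""
    peak, j = 0, 0
    for i, (start, _) in enumerate(timed_paths):
        while j < len(timed_paths) and timed_paths[j][0] - start <= window:
            j += 1
        peak = max(peak, len({path for _, path in timed_paths[i:j]}))
    return peak

def detect_suspicious_accounts(records, max_reads=10, max_rewrites=5, window_seconds=60):
    """Return {user: [reasons]} for accounts whose file activity exceeds the thresholds."""
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for ts, user, action, path in records:
        per_user[user].append((datetime.fromisoformat(ts), action, path))
    flagged = defaultdict(list)
    for user, events in per_user.items():
        events.sort()  # chronological; "read" sorts before "write" on equal timestamps
        reads, rewrites, last_read = [], [], {}
        for t, action, path in events:
            if action == "read":
                reads.append((t, path))
                last_read[path] = t
            # A write shortly after a read of the same file is one read-then-write pair.
            elif action == "write" and path in last_read and t - last_read[path] <= window:
                rewrites.append((t, path))
        n_reads, n_rewrites = peak_in_window(reads, window), peak_in_window(rewrites, window)
        if n_reads > max_reads:
            flagged[user].append(f"{n_reads} distinct files read within {window_seconds}s")
        if n_rewrites > max_rewrites:
            flagged[user].append(f"{n_rewrites} files read then rewritten within {window_seconds}s")
    return dict(flagged)
```

In a deployment the flagged accounts would feed the blocking and alerting actions the text describes; here the function simply returns them so the thresholds can be tuned against real traffic.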
- SI-5 SECURITY ALERTS, ADVISORIES and DIRECTIVES
- All of the monitors within the PA File Sight product have the ability to send alerts, including via email, SMS, webhook, scripts and pop-up messages.