CMMC Compliance: Automated Threat Detection
NOTE: There are many changes coming for CMMC v2. In short, CMMC v2 is aligning to the NIST 800-171 standards. All of the controls below have mappings listed for CMMC v2 and NIST 800-171. The CMMC control numbers now are aligned to 800-171; for example, AC.L1-3.1.1 maps to NIST 800-171 control 3.1.1. Also see how Blumira helps customers meet NIST 800-171.
CMMC (Cybersecurity Maturity Model Certification) is a framework to ensure that controlled unclassified information (CUI) is protected by appropriate levels of cybersecurity practices and processes when it’s residing on federal contractors’ networks. CMMC applies to any federal contractor, including over 300,000 companies in the supply chain – such as small businesses, commercial item contractors and foreign suppliers.
The Department of Defense intends to incorporate CMMC into their Defense Federal Acquisition Regulation Supplement (DFARS) and use it as a requirement for contracts, according to the Office of the Under Secretary of Defense for Acquisition & Sustainment CMMC. While CMMC does encompass NIST SP 800-171 requirements, it also extends beyond it to include three different levels of compliance, Foundational (Level 1), Advanced (Level 2), and Expert (Level 3).
How Blumira Can Help
Blumira’s modern security platform helps your organization easily meet and exceed CMMC framework requirements for logging, monitoring, threat detection and response. At a high level, we either support or complement a variety of CMMC controls from Level 1-3, covering many domains.
Below is a full detailed list of the different capabilities (C) and controls that align with them, and how Blumira meets the control or can help you meet them.
Blumira’s free SIEM gives you the choice of three cloud integrations (Microsoft 365, Duo, SentinelOne, Umbrella, Webroot, Mimecast). Setup takes a matter of minutes to start streaming logs and analyzing them for threats. For more coverage and support, you can easily upgrade to a paid version.
For questions or to learn more on how we can help with compliance, contact us.
Access Control (AC)
Level 1
AC.L1-3.1.1 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
AC.L1-3.1.2 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
How Blumira Helps:
Blumira allows you to enable role-based administration to limit access to its platform. Blumira can also detect, alert and provide remediation steps if it identifies any unauthorized, suspicious or anomalous login activity to your systems.
AC.L1-3.1.20 – Verify and control/limit connections to and use of external information systems.
How Blumira Helps:
Blumira provides role-based administration to limit access to its platform.
Level 2
AC.L2-3.1.5 – Employ the principle of least privilege, including for specific security functions and privileged accounts.
AC.L2-3.1.6 – Use non-privileged accounts or roles when accessing non-security functions.
AC.L2-3.1.8 – Limit unsuccessful log-on attempts.
AC.L2-3.1.12 – Monitor and control remote access sessions.
AC.L2-3.1.4 – Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
AC.L2-3.1.7 – Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
How Blumira Helps:
Blumira provides role-based administration to limit access for your users to its platform. Blumira’s platform also allows you to monitor/alert you on privileged access use; monitor/alert you based on the number of login attempts to detect attacks such as password spraying; and monitor/alert you to remote access risks, including detection for risky public connections such as Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB).
Blumira’s role-based administration and separation of log data within the cloud-delivered service helps reduce the risk of malevolent activity without collusion. Blumira’s service allows you to monitor, alert and respond to non-privileged users executing privileged functions.
AC.L2-3.1.13 – Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
AC.L2-3.1.15 – Authorize remote execution of privileged commands and remote access to security- relevant information.
How Blumira Helps:
Blumira can help by monitoring and alerting organizations of remote access, including detections of any risky connections such as Windows Remote Desktop Protocol (RDP) and Server Message Block (SMB). Blumira’s service also helps monitor remote execution of privileged commands within your environment. With dynamic blocklists, organizations can prevent known detected threats from gaining access by blocking them. They can also monitor for geo-impossible alerts during two-factor authentication.
Audit and Accountability (AU)
Level 2
AU.L2-3.3.2 – Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
AU.L2-3.3.1 – Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
AU.L2-3.3.3 – Review and update logged events.
AU.L2-3.3.4 – Alert in the event of an audit logging process failure.
How Blumira Helps:
Blumira’s centralized logging gives you the ability to track user activity, allowing you to trace their actions uniquely back to certain users to hold them accountable for their actions. Blumira’s cloud SIEM retains logs for at least a year for auditing purposes.
Blumira’s search and reporting functionality gives you deeper visibility into audit logs for review. Blumira’s platform also reports on operational changes or disruptions, including the status of Blumira’s logging sensor and diagnostics for logflow to alert you in the event of an audit logging process failure.
Level 2
AU.L2-3.3.7 – Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
AU.L2-3.3.8 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
AU.L2-3.3.9– Limit management of audit logging functionality to a subset of privileged users.
How Blumira Helps:
Blumira’s cloud SIEM service separates logging and audit tools from customers’ production environments to prevent unauthorized access, modification and deletion. Blumira’s platform limits the management of audit logging functionality to only a subset of privileged users with role-based administration
Level 2
AU.L2-3.3.5 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
AU.L2-3.3.6. – Provide audit record reduction and report generation to support on-demand analysis and reporting.
How Blumira Helps:
Blumira’s search and reporting functionality provides deeper visibility into audit logs. Blumira’s platform correlates audit records to indications of suspicious activity and unauthorized access, then provides data and prioritized alerts to the organization. Blumira’s pre-built reports provide the ability to support on-demand analysis and reporting.
Blumira’s threat detection library allows for the automation of audit log analysis to help identify and act on indicators of threats and suspicious activity. Blumira’s reporting provides visibility to enable organizations to perform audits on broad activity, in addition to pre-machine activity.
Configuration Management (CM)
Level 2
CM.L2-3.4.1 – Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
CM.L2-3.4.6 – Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
How Blumira Helps:
With Blumira’s logging capabilities and wide coverage of integrations, organizations can inventory their security systems. Blumira provides role-based administration for its own platform, and monitors other systems for the creation of new privileged accounts, or changes and escalations in existing account privileges to alert organizations to potentially malicious internal activity.
CM.L2-3.4.2 – Establish and enforce security configuration settings for information technology products employed in organizational systems.
CM.L2-3.4.3 – Track, review, approve, or disapprove, and log changes to organizational systems.
CM.L2-3.4.7 – Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
How Blumira Helps:
Blumira’s platform monitors and identifies any risky access to an organization’s networks, such as through public Remote Desktop Protocol (RDP) and Server Message Block (SMB) access. Blumira tracks and logs any changes to organizational systems, while monitoring and alerting organizations to the use of insecure ports.
Identification and Authentication (IA)
Level 1
IA.L1-3.5.1 – Identify information system users, processes acting on behalf of users, or devices.
How Blumira Helps:
Blumira’s service collects audit logs that can be used to identify information system users or processes acting on behalf of users or devices.
Incident Response (IR)
Level 2
IR.L2-3.6.1 – Establish an operational incident-handling capability for organizational systems that includes preparation, detection, analysis, containment, recovery, and user response activities.
Level 2
IR.L2-3.6.2 – Track, document, and report incidents to designated officials and/or authorities both internal and external to the organization.
IR.L2-3.6.3 – Test the organizational incident response capability.
How Blumira Helps:
Blumira has created guides on how to easily test a SIEM’s detections for common incidents, like password spraying, lateral movement, malicious code execution, privilege escalation and more. Blumira has also tested customer deployments to ensure that organizations are able to detect and respond to incidents.
Maintenance (MA)
Level 2
MA.L2-3.7.1 – Perform maintenance on organizational systems.
MA.L2-3.7.2 – Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
MA.L2-3.7.5 – Require multi-factor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
How Blumira Helps:
Blumira’s cloud-delivered service is automatically and frequently updated for customers with maintenance for parsers, new detection rules and more. With role-based administration, Blumira can help limit permissions for users that access its platform. Blumira also requires multi-factor authentication (MFA) for access to its cloud application.
Risk Assessment (RA)
Level 2
RA.L2-3.11.1 – Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
RA.L2-3.11.2 – Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
How Blumira Helps:
Organizations can periodically assess risk to their operations and data with the help of Blumira’s search and reporting functionality that can generate reports on security and compliance, identifying potential gaps. Blumira is a software as a service (SaaS) service that monitors itself for vulnerabilities.
Blumira’s platform employs threat intelligence to provide guidance to organizations on their system and security architecture. It can also detect access using insecure ports via RDP, SMB and others.
For questions or to learn more on how we can help with compliance, contact us.
Level 2
RA.L2-3.11.3 – Remediate vulnerabilities in accordance with risk assessments.
How Blumira Helps:
As a SaaS product, Blumira can help organizations remediate vulnerabilities in near real-time when they are identified. To enable organizations to test the effectiveness of security solutions, Blumira has created guides on how to easily test a SIEM’s detections for common incidents, like password spraying, lateral movement, malicious code execution, privilege escalation and more.
Security Assessment (CA)
Level 2
CA.L2-3.12.1 – Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
CA.L2-3.12.3 – Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
How Blumira Helps:
Blumira can help organizations assess the effectiveness of controls by monitoring and alerting them to any misconfigurations of their existing security controls, as well as providing ongoing monitoring to help ensure continued effectiveness.
System and Communications Protection (SC)
Level 2
SC.L2-3.13.3– Separate user functionality from system management functionality.
SC.L2-3.13.4 – Prevent unauthorized and unintended information transfer via shared system resources.
System and Information Integrity (SI)
Level 1
SI.L1-4.13.1 – Identify, report, and correct information and information system flaws in a timely manner.
Level 2
S1.L2-3.14.3 – Monitor system security alerts and advisories and take action in response.
How Blumira Helps:
To help organizations identify, report and correct information system flaws in a timely manner, Blumira’s search and reporting functionality gives them the ability to investigate potential security issues in real time. Blumira’s platform monitors security systems, providing prioritized alerts with predefined security playbooks that help guide customers through response.
Blumira’s platform also subscribes to multiple threat feeds to inform and enrich domain data on an ongoing basis to help inform intrusion detection and threat hunting.
SI.L2-3.14.6 – Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
SI.L2-3.14.7- Identify unauthorized use of organizational systems.
How Blumira Helps:
With Blumira’s automated detection and response capabilities, organizations can monitor their systems, inbound and outbound traffic, and detect attacks and indicators of potential attacks. Blumira can also help detect and alert on unauthorized access and use of organizational systems.
Get Started With Blumira’s Free SIEM
Blumira’s free SIEM gives you the choice of three cloud integrations (Microsoft 365, Duo, SentinelOne, Umbrella, Webroot, Mimecast, JumpCloud, Sophos, OneLogin, and/or Google Workspace). Setup takes a matter of minutes to start streaming logs and analyzing them for threats. For more coverage and support, you can easily upgrade to a paid version.
For questions or to learn more on how we can help with compliance, contact us.
For more coverage and support, you can easily upgrade to a paid version that fits your needs.
For questions or to learn more on how we can help with compliance, contact us.