Achieving NIST 800-171 Compliance with Cloud SIEM
NIST Special Publication (SP) 800-171 defines the security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. It applies to government contractors and subcontractors that store, process or transmit CUI on behalf of a federal agency. The Blumira security platform helps your organization meet the 800-171 requirements for logging, monitoring, threat detection and response.
Audit and Accountability
Here’s how Blumira helps address NIST SP 800-171 Revision 2, requirements 3.3.1 through 3.3.9, the Audit and Accountability family.
Audit logs and records: 3.3.1
3.3.1 – Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
Blumira helps by integrating with your firewalls, servers, endpoint security and other technologies and ingesting system logs into its platform, centralizing your logging and monitoring. Blumira retains security event logs for up to one year, providing an audit trail that helps you with investigation and reporting.
Our platform also parses log data, provides contextual information about threats, uses rule-based detections and threat intelligence correlation to analyze logs, then sends meaningful security alerts to your team for triage and response.
Tracing individual users: 3.3.2
3.3.2 – Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.
Blumira retains security event logs for up to one year. That gives you an audit trail to trace malicious activity back to specific users, with IP addresses, usernames, timestamps and more, so your organization can investigate suspicious activity from both internal and external threats. The Blumira platform monitors remote access attempts (VPN logins, two-factor authentication events and similar) and anomalous user activity, such as data exfiltration or account lockouts, that may indicate compromised accounts or attacker lateral movement.
Logged events: 3.3.3
NIST 3.3.3 – Review and update logged events.
The Blumira platform ingests and monitors security log event data for any potentially risky, suspicious, or anomalous activity and alerts you to them. The Blumira security team can also provide guidance to help organizations periodically reevaluate which events generated by their systems should be logged.
Failure alerts: 3.3.4
NIST 3.3.4 – Alert in the event of an audit logging process failure.
Beyond suspicious or threat-like activity, Blumira alerts your organization to changes in the logging pipeline itself: a Blumira sensor going down, or a significant drop in log volume from a device. Either can indicate that an audit logging process has been disrupted or has failed, so such an alert deserves the same triage as a security finding.
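The two signals described above, a collector that stops checking in and a source whose volume collapses, can be checked from the SIEM’s own ingestion metadata. The following is an added illustration written for this page, not Blumira’s code: it counts events per device per clock hour, compares the last completed hour against the mean of the preceding hours, and separately flags sensors whose last heartbeat is stale. The device names, sensor names, thresholds and event volumes are all constructed for the example.

```python
"""Detect audit-logging failures from a SIEM's own ingestion metadata.

Added illustration for NIST 800-171 3.3.4; not Blumira code. Two checks:
  1. a log source whose event count in the last completed hour falls well
     below its recent baseline (forwarder stopped, disk full, logging
     disabled by an attacker), and
  2. a collector/sensor whose last heartbeat is older than a timeout.
All events, hosts and thresholds below are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)
DROP_RATIO = 0.25                         # alert when current < 25% of baseline
HEARTBEAT_TIMEOUT = timedelta(minutes=10)


def bucket_counts(events):
    """Count (timestamp, device) events per device per clock hour."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, device in events:
        counts[device][ts.replace(minute=0, second=0, microsecond=0)] += 1
    return counts


def volume_drop_alerts(events, now, baseline_windows=3, drop_ratio=DROP_RATIO):
    """Flag devices whose count in the last completed hour is below
    drop_ratio * mean(previous baseline_windows hours).

    A device with no baseline yet (newly onboarded) is not flagged; a device
    that had a baseline and went completely silent (current == 0) is.
    """
    counts = bucket_counts(events)
    current_window = now.replace(minute=0, second=0, microsecond=0) - WINDOW
    alerts = []
    for device, per_hour in counts.items():
        baseline = [per_hour.get(current_window - WINDOW * i, 0)
                    for i in range(1, baseline_windows + 1)]
        mean = sum(baseline) / baseline_windows
        current = per_hour.get(current_window, 0)
        if mean > 0 and current < mean * drop_ratio:
            alerts.append({"finding": "log volume drop", "device": device,
                           "window": current_window.isoformat(),
                           "baseline_per_hour": mean, "current": current})
    return alerts


def sensor_down_alerts(last_heartbeat, now, timeout=HEARTBEAT_TIMEOUT):
    """Flag sensors that have not checked in within `timeout`."""
    return [{"finding": "sensor down", "sensor": sensor,
             "last_seen": seen.isoformat(), "silent_for": str(now - seen)}
            for sensor, seen in last_heartbeat.items() if now - seen > timeout]


# --- constructed sample data (hypothetical hosts and volumes) ---------------
_DAY = datetime(2024, 3, 1, tzinfo=timezone.utc)


def _synthetic(device, per_hour):
    """Spread n events evenly across each listed clock hour for `device`."""
    out = []
    for hour, n in per_hour.items():
        start = _DAY.replace(hour=hour)
        out += [(start + timedelta(seconds=i * (3600 // max(n, 1))), device)
                for i in range(n)]
    return out


SAMPLE_EVENTS = (
    _synthetic("fw-01", {9: 120, 10: 120, 11: 120, 12: 12})   # 90% drop
    + _synthetic("dc-01", {9: 50, 10: 50, 11: 50, 12: 48})     # normal
    + _synthetic("vpn-01", {9: 40, 10: 40, 11: 40, 12: 0})     # went silent
    + _synthetic("new-host", {12: 5})                          # no baseline yet
)
NOW = datetime(2024, 3, 1, 13, 5, tzinfo=timezone.utc)        # last full hour: 12:00-13:00
HEARTBEATS = {"sensor-hq": NOW - timedelta(minutes=2),
              "sensor-branch": NOW - timedelta(minutes=47)}

if __name__ == "__main__":
    for alert in volume_drop_alerts(SAMPLE_EVENTS, NOW) + sensor_down_alerts(HEARTBEATS, NOW):
        print(alert)
```

With the sample data, `fw-01` (down 90%) and `vpn-01` (silent) are flagged, `dc-01` is within normal variation, `new-host` has no baseline and is ignored, and only `sensor-branch` is reported as down. A ratio against a short rolling mean is deliberately simple; a production check would also account for expected quiet periods (nights, weekends) before treating a drop as a failure.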
Audit and reporting: 3.3.5
NIST 3.3.5 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.
The Blumira platform correlates data across several different systems to help better inform threat analysis and provide a rich dataset for reporting purposes.
Analysis and response: 3.3.6
NIST 3.3.6 – Provide audit record reduction and report generation to support on-demand analysis and reporting.
To cut down on the noise of false-positive alerts, the Blumira platform only surfaces the most important findings and automatically prioritizes threats and suspicious activity by severity and response time. This enables limited teams to triage and respond to only the most critical security events. Blumira also analyzes and provides guided security workflows/playbooks to walk you through remediation.
Synchronized clocks and timestamps: 3.3.7
NIST 3.3.7 – Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
Blumira helps by attaching its own parse time, taken from clocks synchronized to Google Cloud Platform NTP (Network Time Protocol) servers, to every log entry as an authoritative UTC reference. Timestamps found in the logs are converted from local time to UTC and validated against the current UTC time at parse. Where a timestamp cannot be converted or does not match the expected time, the log is marked as an outlier, so analysts can query for records whose reported times are off. This covers the timestamps on audit records held in Blumira; 3.3.7 also expects the systems generating those records to synchronize their own clocks with an authoritative source (typically NTP), which remains a configuration you need to maintain on those systems.
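The normalization described above, with the collector’s receive time as the reference, is illustrated below. This is an added example for this page, not Blumira’s implementation: it parses a device’s own timestamp (epoch seconds, or ISO 8601 with or without an offset), applies an assumed per-source UTC offset when the device emits naive local time, compares the result with the collector’s NTP-synchronized receive time, and marks the record as an outlier when it cannot be parsed or disagrees by more than a tolerance. The source names, offsets, five-minute tolerance and sample records are constructed for the example.

```python
"""Normalize device-reported timestamps to UTC and flag outliers.

Added illustration for NIST 800-171 3.3.7; not Blumira's implementation.
The collector stamps every record with its own NTP-synchronized receive time
(received_utc). The device's own timestamp is parsed, converted to UTC using
an assumed per-source offset for naive local times, and compared against the
receive time; records that fail to parse or disagree by more than a tolerance
are marked as outliers so analysts can query for them. All records, source
names and offsets below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

SKEW_TOLERANCE = timedelta(minutes=5)

# Assumed configuration: the UTC offset each source uses when it emits
# timestamps without zone information (hypothetical, not a Blumira setting).
SOURCE_OFFSETS = {
    "fw-01": timezone(timedelta(hours=-5)),   # device set to UTC-5 local time
    "dc-01": timezone.utc,
}


@dataclass
class Normalized:
    source: str
    raw_time: str
    event_time_utc: Optional[datetime]  # device time converted to UTC (None if unparseable)
    received_utc: datetime              # collector clock; the authoritative timestamp
    skew: Optional[timedelta]
    outlier: bool
    reason: str


def parse_device_time(raw: str, source: str) -> Optional[datetime]:
    """Parse epoch seconds or ISO 8601 (with or without offset) to aware UTC."""
    raw = raw.strip()
    try:
        if raw.isdigit():
            return datetime.fromtimestamp(int(raw), tz=timezone.utc)
        dt = datetime.fromisoformat(raw.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:   # naive local time: apply the source's configured offset
        dt = dt.replace(tzinfo=SOURCE_OFFSETS.get(source, timezone.utc))
    return dt.astimezone(timezone.utc)


def normalize(source: str, raw_time: str, received_utc: datetime,
              tolerance: timedelta = SKEW_TOLERANCE) -> Normalized:
    """Convert one record's device time to UTC and compare it with receive time."""
    event = parse_device_time(raw_time, source)
    if event is None:
        return Normalized(source, raw_time, None, received_utc, None, True,
                          "unparseable device timestamp")
    skew = abs(received_utc - event)
    if skew > tolerance:
        return Normalized(source, raw_time, event, received_utc, skew, True,
                          f"device clock disagrees with collector by {skew}")
    return Normalized(source, raw_time, event, received_utc, skew, False, "ok")


def normalize_batch(records: List[Tuple[str, str, datetime]]) -> List[Normalized]:
    return [normalize(src, raw, received) for src, raw, received in records]


# --- constructed sample records: (source, device timestamp, collector receive time) ---
_RECV = datetime(2024, 3, 1, 17, 0, 10, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    ("fw-01", "2024-03-01T12:00:03", _RECV),        # naive local at UTC-5 -> 17:00:03Z, ok
    ("dc-01", "2024-03-01T17:00:05+00:00", _RECV),  # explicit offset, ok
    ("fw-01", "2024-03-01T17:00:03", _RECV),        # device actually emitting UTC: ~5 h skew
    ("dc-01", "1709312400", _RECV),                 # epoch seconds = 17:00:00Z, ok
    ("dc-01", "Mar  1 17:00:07", _RECV),            # BSD syslog format: unparseable here
    ("dc-01", "2024-03-01T16:20:00Z", _RECV),       # clock drifted 40 min
]

if __name__ == "__main__":
    for rec in normalize_batch(SAMPLE_RECORDS):
        flag = "OUTLIER" if rec.outlier else "ok"
        print(f"{rec.source:6} {rec.raw_time:28} -> {rec.event_time_utc} [{flag}] {rec.reason}")
```

Both timestamps are kept on the record: the device time for reconstructing the sequence of events on that host, the receive time as the value to trust when the two disagree. The third record is the case worth noticing in practice: it parses cleanly, but a device configured as local time that is really emitting UTC produces a five-hour skew, which is exactly the kind of silent error that an outlier flag surfaces for an analyst to query.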
Log data protection: 3.3.8
NIST 3.3.8 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion.
Blumira encrypts log data in transit and at rest, so an attacker who obtains a log archive cannot read it without the corresponding keys. The Blumira log database is accessible only to internal Blumira services and to the parties that require access. Blumira keeps the raw log data while tracking and identifying each log message, supporting data integrity and validation.
Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, and alerts customers when audit logs are cleared on a monitored system. Blumira can also alert on change events reported by file integrity monitoring (FIM) tools.
Privileged user access: 3.3.9
NIST 3.3.9 – Limit management of audit logging functionality to a subset of privileged users.
The Blumira log database is accessible only to internal Blumira services and to the parties that require it, applying least privilege: access is limited to those who need it to perform a job function. On your side, the same principle applies to who can change audit settings, stop log forwarding or reconfigure collectors on the systems being monitored.
Prove NIST Compliance With Blumira’s Global Reports
Any organization seeking to meet NIST compliance requirements needs to show evidence of that compliance. Blumira SIEM provides the reports you need for these NIST controls. Available to all paid Blumira customers, these pre-built reports can be searched, run and scheduled to be sent to your inbox regularly, so when an auditor asks for evidence you can hand over date- and time-stamped reports generated automatically on the Blumira platform.
Get Started for Free
Experience the Blumira Free SIEM, with automated detection and response and compliance reports for 3 cloud connectors, forever.