NIST 800-171

Automated Threat Detection and NIST 800-171 Compliance

The National Institute of Standards and Technology Special Publication (NIST SP) 800-171 is a set of compliance controls and security framework that applies to federal government contractors and subcontractors. It provides guidance on how to handle and secure Controlled Unclassified Information (CUI).

Blumira’s modern security platform helps your organization easily meet and exceed NIST 800-171 compliance requirements for logging, monitoring, threat detection and response.

Here’s how Blumira helps address the needs of NIST 800-171, version 2.0, for sections 3.3.1 through 3.3.9 on Audit and Accountability.

NIST 800-171: Section 3.3 – Audit and Accountability

Basic Security Requirements

3.3.1 – Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.

How Blumira helps:
By integrating with your firewalls, servers, endpoint security and other technologies, Blumira ingests system logs into its platform, centralizing your logging and monitoring. Blumira retains security event logs for up to one year, providing an audit trail that helps you with investigation and reporting.

Our platform also parses log data, provides contextual information about threats, uses rule-based detections and threat intelligence correlation to analyze logs, then sends meaningful security alerts to your team for triage and response.


3.3.2 – Ensure that the actions of individual system users can be uniquely traced to those users so they can be held accountable for their actions.

How Blumira helps:
Blumira retains security event logs for up to one year, providing an audit trail that helps you trace malicious activity back to specific users, with IP addresses, usernames, timestamps and more to help your organization investigate any suspicious activity related to both insider and external threats. Blumira’s platform monitors remote access attempts (through VPNs, two-factor authentication, etc.) and any anomalous user activity, such as data exfiltration or lockouts, that may be indicative of compromised accounts or attacker lateral movement.


Derived Security Requirements

NIST 3.3.3 – Review and update logged events.

How Blumira helps:
Blumira’s platform ingests and monitors security log event data for any potentially risky, suspicious or anomalous activity and alerts you to it. Organizations should also periodically reevaluate which events generated by their systems should be logged; Blumira’s security team can provide guidance on that review.


NIST 3.3.4 – Alert in the event of an audit logging process failure.

How Blumira helps:
In addition to suspicious or threat-like activity, Blumira alerts your organization about any system changes, including if the Blumira sensor is down or if there is a significant log decrease from a device, which can indicate disruptions or failure of an audit logging process.
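The "significant log decrease" check described above, written out as an added example (not Blumira's own code): each device's latest window is compared against the average of its previous windows, a fully silent device is flagged separately from a partial drop, and devices with too little history or traffic are skipped so quiet sources do not generate constant noise. The sample counts and the thresholds are constructed for illustration.

```python
from statistics import mean

# Constructed sample input: events received per device in five consecutive
# 10-minute windows, the last entry being the most recent window.
WINDOW_COUNTS = {
    "fw-01":  [410, 398, 425, 402, 12],   # volume collapsed in the latest window
    "dc-01":  [120, 118, 131, 125, 122],  # steady
    "vpn-01": [55, 60, 58, 61, 0],        # went completely silent
    "new-01": [0, 0, 0, 0, 3],            # just onboarded, no baseline yet
}

def detect_log_drop(history, drop_ratio=0.5, min_baseline=20):
    """Flag devices whose latest window is far below their recent average.

    history: {device: [count, count, ...]} with the newest window last.
    drop_ratio: alert when current < baseline * drop_ratio (assumed threshold).
    min_baseline: ignore devices averaging fewer events than this per window.
    Returns a list of (device, kind, ratio_of_baseline) tuples.
    """
    alerts = []
    for device, counts in history.items():
        *previous, current = counts
        if not previous:
            continue  # nothing to compare against
        baseline = mean(previous)
        if baseline < min_baseline:
            continue  # too little history or traffic to judge
        if current == 0:
            alerts.append((device, "silent", 0.0))  # possible sensor/forwarder failure
        elif current < baseline * drop_ratio:
            alerts.append((device, "drop", round(current / baseline, 2)))
    return alerts

if __name__ == "__main__":
    for device, kind, ratio in detect_log_drop(WINDOW_COUNTS):
        print(f"{device}: {kind} (latest window is {ratio:.0%} of baseline)")
```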


NIST 3.3.5 – Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

How Blumira helps:
Blumira’s platform correlates data across several different systems to help better inform threat analysis and provide a rich dataset for reporting purposes.


NIST 3.3.6 – Provide audit record reduction and report generation to support on-demand analysis and reporting.

How Blumira helps:
To cut down on the noise of false-positive alerts, Blumira’s platform only surfaces the most important findings and automatically prioritizes threats and suspicious activity by severity and response time. This enables limited teams to triage and respond to only the most critical security events. Blumira’s platform also analyzes findings and provides guided security workflows (playbooks) to walk you through remediation.


NIST 3.3.7 – Provide a system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.

How Blumira helps:
Blumira helps by attaching its own parse time, taken from an authoritative source, to every log entry: the platform’s clocks are synchronized to Google Cloud Platform NTP (Network Time Protocol) servers, so the correct current UTC time is always known. Blumira converts timestamps found in log entries from local time to UTC and validates them against the known current UTC time. Where a timestamp cannot be converted or validated, the entry is marked as an outlier, so analysts and organizations can query for any logs whose times don’t match expectations.
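The normalization step described above, as an added example rather than Blumira's own code: each record gets the parse time attached, its device-local timestamp is converted to UTC, and the gap between event time and parse time is compared against a tolerance so that stale clocks and future-dated entries are marked as outliers. The sample records, the per-device fixed offset and the five-minute tolerance are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample input: a firewall that stamps events in local time with
# no zone designator. The third record carries a stale clock.
SAMPLE_LOGS = [
    {"device": "fw-01", "time": "2024-03-20 10:15:00", "msg": "connection accepted"},
    {"device": "fw-01", "time": "2024-03-20 10:16:30", "msg": "connection denied"},
    {"device": "fw-01", "time": "2022-01-01 00:00:00", "msg": "connection accepted"},
]

# Assumed per-device configuration: fw-01 runs on UTC-5. A fixed offset keeps the
# sample self-contained; a real pipeline would consult a proper time-zone database.
DEVICE_TZ = {"fw-01": timezone(timedelta(hours=-5))}
MAX_SKEW = timedelta(minutes=5)  # assumed tolerance between event time and parse time

def normalize_record(rec, parsed_at):
    """Attach the parse time, convert the device-local time to UTC, flag outliers."""
    local_naive = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S")
    event_utc = local_naive.replace(tzinfo=DEVICE_TZ[rec["device"]]).astimezone(timezone.utc)
    skew = parsed_at - event_utc  # positive: event preceded parse (normal transit delay)
    outlier = skew > MAX_SKEW or skew < -MAX_SKEW  # far too old, or claims to be in the future
    return {
        **rec,
        "event_time_utc": event_utc.isoformat(),
        "parsed_at_utc": parsed_at.isoformat(),
        "skew_seconds": int(skew.total_seconds()),
        "time_outlier": outlier,
    }

def run_sample():
    """Normalize SAMPLE_LOGS against a fixed parse time so the result is reproducible."""
    parsed_at = datetime(2024, 3, 20, 15, 17, 0, tzinfo=timezone.utc)
    return [normalize_record(r, parsed_at) for r in SAMPLE_LOGS]

if __name__ == "__main__":
    for out in run_sample():
        status = "OUTLIER" if out["time_outlier"] else "ok"
        print(out["device"], out["event_time_utc"], f"skew={out['skew_seconds']}s", status)
```

Outliers are kept rather than dropped, which is what lets an analyst later query for every entry whose clock disagreed with the authoritative time.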


NIST 3.3.8 – Protect audit information and audit logging tools from unauthorized access, modification, and deletion.

How Blumira helps:
Blumira protects log data both in transit and at rest, so that an attacker who reaches a log archive cannot read it without the appropriate keys. The Blumira log database is accessible only to internal Blumira services and the parties that require access. Blumira retains the raw log data and tracks and identifies each log message to support integrity checking and validation.

Through periodic review and internal processes, Blumira validates that incoming logs have not been tampered with, and alerts customers if any audit logs are cleared. Blumira can also alert on changes reported by file integrity monitoring (FIM) tools.


NIST 3.3.9 – Limit management of audit logging functionality to a subset of privileged users.

How Blumira helps:
As noted under 3.3.8, Blumira’s log database is accessible only to internal Blumira services and the parties that require access, applying the principle of least privilege: access is limited to those who need it to perform a job function.