NIST 800-171 Compliance
Overview
Logcollect for NIST 800-171 Compliance
Logcollect combines log management with a regulatory compliance framework to help meet the requirements of NIST SP 800-171. With comprehensive monitoring, analysis, and reporting capabilities, organizations can identify and manage their assets, establish access controls, protect resources, and respond promptly to incidents.
By leveraging Logcollect, organizations can establish a cybersecurity program aligned with the NIST 800-171 guidelines, manage risk, detect and respond to threats promptly, and improve their overall security posture.
Using Logcollect to meet NIST 800-171 Requirements
Control 3.1: Access Control
Logcollect provides role-based access control (RBAC) over audit logging, alerts, reports, and account management or changes, as well as mechanisms to centrally review access activity.
3.1.2 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Logcollect provides role-based access control (RBAC) over audit logging, alerts, reports, and account management or changes, so that each user can reach only the functions their role permits.
3.1.3 – Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations.
Logcollect monitors file and application access, USB device activity, and email metadata.
3.1.4 – Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Logcollect provides reporting and alerting on attempts to cross role boundaries, and on changes to configuration that affect separation of duties.
3.1.5 – Employ the principle of least privilege, including for specific security functions and privileged accounts.
Logcollect monitors network connections and application execution, and records and monitors system logon activity.
3.1.6 – Use non-privileged accounts or roles when accessing non-security functions.
Logcollect reports process execution, application installs, and command execution, subject to the auditing enabled on the OS or application.
3.1.7 – Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
Logcollect can capture the Windows event logs generated when privileged or administrative functions are carried out, such as DNS changes and changes to system files.
3.1.8 – Limit unsuccessful logon attempts.
Logcollect can alert and report on logon failures. Console access is linked to Active Directory (AD); the lockout threshold and password controls themselves are generally a function of AD.
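The alerting described for 3.1.8 is, in practice, a rule evaluated over logon-failure events. The following is an added example (not Logcollect code) of two such rules run over constructed Windows Security events flattened to one line each: a per-account threshold (the classic lockout-style check) and a per-source "many accounts, few attempts each" check, which a per-account threshold alone misses. The field layout, thresholds and sample lines are assumptions made for the example.

```python
"""Failed-logon detection over constructed Windows Security events (example only)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: Event ID 4625 (logon failure) and 4624 (logon success),
# flattened to "timestamp|event_id|account|source_ip". Not real log data.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01|4625|alice|10.0.0.5
2024-05-01T08:00:09|4625|alice|10.0.0.5
2024-05-01T08:00:15|4625|alice|10.0.0.5
2024-05-01T08:00:20|4625|alice|10.0.0.5
2024-05-01T08:00:27|4625|alice|10.0.0.5
2024-05-01T08:01:00|4624|alice|10.0.0.5
2024-05-01T09:00:00|4625|bob|10.0.0.9
2024-05-01T09:00:03|4625|carol|10.0.0.9
2024-05-01T09:00:06|4625|dave|10.0.0.9
2024-05-01T09:00:09|4625|erin|10.0.0.9
2024-05-01T09:00:12|4625|frank|10.0.0.9
2024-05-01T09:00:15|4625|grace|10.0.0.9
2024-05-01T10:00:00|4625|bob|10.0.0.7
2024-05-01T10:30:00|4625|bob|10.0.0.7
"""


def parse_events(text):
    """Parse the flattened lines into dicts; account names are case-folded
    so ALICE and alice are counted together."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, src = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "account": account.lower(), "src": src})
    return events


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Alert once per account that reaches `threshold` failures inside `window`."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625:
            continue
        q = recent[ev["account"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ev["account"] not in fired:
            fired.add(ev["account"])
            alerts.append({"rule": "brute_force", "account": ev["account"],
                           "failures": len(q), "last_src": ev["src"], "ts": ev["ts"]})
    return alerts


def detect_password_spray(events, min_accounts=5, window=timedelta(minutes=10)):
    """Alert once per source IP that fails against `min_accounts` distinct
    accounts inside `window`; each account may see only one failure."""
    recent = defaultdict(deque)   # src -> (timestamp, account) of recent failures
    alerts, fired = [], set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4625:
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["account"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        accounts = {a for _, a in q}
        if len(accounts) >= min_accounts and ev["src"] not in fired:
            fired.add(ev["src"])
            alerts.append({"rule": "password_spray", "src": ev["src"],
                           "accounts": sorted(accounts), "ts": ev["ts"]})
    return alerts


def run(text=SAMPLE_EVENTS):
    """Run both rules and return the combined alert list."""
    events = parse_events(text)
    return detect_brute_force(events) + detect_password_spray(events)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the sample data the first rule fires for `alice` (five failures in 26 seconds, followed by a success, which is the pattern worth a human look) and the second fires for `10.0.0.9`, while the two widely spaced failures for `bob` from `10.0.0.7` trigger nothing. Whether the lockout itself happens is still up to the AD policy; the rule only surfaces the attempts.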
3.1.9 – Provide privacy and security notices consistent with applicable CUI rules.
A banner can be displayed at logon to the console. Baseline configuration checks can identify systems that do not display the required notice.
3.1.10 – Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
Logcollect console sessions time out after a period of inactivity; the lock timeout is generally a function of Active Directory Group Policy. A screensaver hides the display contents from being viewed.
3.1.11 – Terminate (automatically) a user session after a defined condition.
Logcollect sessions time out after a period of inactivity.
3.1.12 – Monitor and control remote access sessions.
This control is related to remote access. Logcollect captures and reports on remote desktop sessions and VPN logs. Automated behavioral analysis adds context based on time of day, multiple concurrent user connections, and after-hours usage.
3.1.14 – Route remote access via managed access control points.
Logcollect provides contextual data on activities from remote access control points for designated systems and produces alerts/reports.
3.1.15 – Authorize remote execution of privileged commands and remote access to security-relevant information.
Logcollect provides contextual data on activities and monitors where, when, who did what, and who tried to do what. Role-based access control restricts access to privileged functions.
3.1.16 – Authorize wireless access prior to allowing such connections.
All network devices, including wireless access points, can be monitored for administrative and other activity. The authorization process itself is a function of the wireless controller, certificates, and captive portal.
3.1.17 – Protect wireless access using authentication and encryption.
Logcollect detects the wireless configuration used by a workstation and will report on the settings of that access point.
3.1.20 – Verify and control/limit connections to and use of external information systems.
Logcollect can monitor based on network connections and firewall rules and provides contextual data on the use of external systems.
3.1.21 – Limit use of organizational portable storage devices on external information systems.
Logcollect provides visibility on endpoints for all user activity pertaining to USB devices, such as connect/eject and files copied, and provides the ability to block portable storage devices.
Control 3.3: Audit and Accountability
Logcollect fully supports tracking, reporting, and alerting on all audit events generated by host systems. Audit events are those that are significant and relevant to the security of information systems. Logcollect provides a complete package of predefined reports and alerts based on systems/applications in use. This information is useful for incident response (IR) and demonstrating compliance activities.
3.3.2 – Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Host system audit records generally contain the information needed for this, including timestamp, login ID, and status, so Logcollect's tracking, reporting, and alerting on those events ties each recorded action to a user account. Logcollect provides a complete package of predefined reports and alerts based on the systems and applications in use. This information is useful in incident response and for demonstrating compliance, e.g. privileged commands and session information.
3.3.4 – Alert in the event of an audit process failure.
Logcollect alerts and reports on the receipt of audit logs, with urgent notification for the highest-priority and most suspicious events.
3.3.6 – Provide audit reduction and report generation to support on-demand analysis and reporting
Logcollect provides many standard reports and can create custom reports on an ad-hoc basis.
3.3.7 – Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate timestamps for audit records.
This is a function of Active Directory: Windows domain members synchronize their clocks with the domain controllers. Validation is required on all devices to ensure they are synchronized correctly.
3.3.8 – Protect audit information and audit tools from unauthorized access, modification, and deletion.
Audit logs are cryptographically hashed upon archiving, and Logcollect agent-based logs are encrypted by default in transit and at rest.
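For 3.3.8 the useful question is what "cryptographically hashed upon archiving" buys you: a hash over each archived record only proves tampering if the hashes themselves cannot be rewritten along with the records. The following is an added example (not Logcollect code) of one way to get that property, a keyed hash chain in which each tag covers the record and the previous tag, with the final tag stored as an anchor outside the archive. The key, anchor location and sample records are constructed for the example; in practice the key and anchor must live somewhere the people who can write to the archive cannot reach.

```python
"""Tamper-evident audit archive using a keyed hash chain (example only)."""
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32   # fixed chain start value; not secret


def _canonical(record):
    """Deterministic serialisation so an unchanged record always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_records(records, key):
    """Return [(record, tag), ...] where tag = HMAC(key, prev_tag || record).
    Editing, inserting or deleting any record changes every tag after it."""
    prev = GENESIS
    chained = []
    for rec in records:
        tag = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        chained.append((rec, tag))
        prev = tag
    return chained


def verify_chain(chained, key, anchor):
    """Return (ok, index_of_first_bad_record). `anchor` is the last tag as
    stored outside the archive; a mismatch there means records were removed
    from the end of the chain."""
    prev = GENESIS
    for i, (rec, tag) in enumerate(chained):
        expected = hmac.new(key, prev + _canonical(rec), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, i
        prev = tag
    if not hmac.compare_digest(prev, anchor):
        return False, len(chained)
    return True, None


# Constructed sample records (not real log data). Event IDs are the Windows
# ones for logon, special-privilege logon and "audit log was cleared".
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T08:00:01Z", "event_id": 4624, "user": "alice", "host": "ws01"},
    {"ts": "2024-05-01T08:05:12Z", "event_id": 4672, "user": "alice", "host": "ws01"},
    {"ts": "2024-05-01T08:06:40Z", "event_id": 1102, "user": "alice", "host": "ws01"},
]
ARCHIVE_KEY = b"example-archive-key-not-for-production"   # assumed for the demo


def demo(records=SAMPLE_RECORDS, key=ARCHIVE_KEY):
    """Build a chain, then show which manipulations the verifier catches."""
    chained = chain_records(records, key)
    anchor = chained[-1][1]                       # stored separately in practice
    results = {"intact": verify_chain(chained, key, anchor)}

    # 1. Edit a record in place: its own tag no longer matches.
    edited = [(dict(r), t) for r, t in chained]
    edited[1][0]["user"] = "mallory"
    results["edited"] = verify_chain(edited, key, anchor)

    # 2. Drop the last record (the log-clear event): only the anchor catches this.
    truncated = chained[:-1]
    results["truncated"] = verify_chain(truncated, key, anchor)

    # 3. Rebuild the whole chain without the key: fails at the first record.
    rechained = chain_records(records[:2], b"attacker-key")
    results["rechained"] = verify_chain(rechained, key, anchor)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10s} ok={outcome[0]} first_bad={outcome[1]}")
```

An unkeyed chain (plain SHA-256) would still catch the edit and the truncation, but not the third case, where someone with write access to the archive simply recomputes every hash; the key is what makes the archive tamper-evident against that operator, and the anchor is what makes silent truncation visible.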
3.3.9 – Limit management of audit functionality to a subset of privileged users.
Logcollect supports role-based access control (RBAC) that limits access to sensitive information and processes to privileged users with a need to know. Logcollect also provides User and Entity Behavior Analytics (UEBA) to monitor internal user actions and flag suspicious access.
Control 3.4: Configuration Management
3.4.1 – Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
Logcollect provides baseline configuration reports for Windows systems and detects and reports on changes. This covers only part of configuration management: a baseline must still be maintained for each system and deviations from it documented. Logcollect maintains a classification and categorization register of all assets configured in the IT environment.
3.4.2 – Establish and enforce security configuration settings for information technology products employed in organizational information systems.
This control concerns security settings and requires them to be documented and maintained, with changes or deviations recorded. Logcollect can report on changes to settings, depending on the type of logs received. Configuration assessments use Logcollect's internal vulnerability assessment and configuration management capabilities.
3.4.3 – Track, review, approve/disapprove, and audit changes to information systems.
Audit events and changes can be monitored by the Logcollect Security Operations Center (SOC) team, depending on the log data received. In addition, Logcollect provides a daily snapshot of changes to Windows systems through the Change Audit module.
3.4.8 – Apply deny-by-exception (unsafe list) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (safe listing) policy to allow the execution of authorized software.
Logcollect provides operational telemetry to categorize and inventory installed hardware and software, and alerts on applications that are not on the safe list, suspicious processes, unpatched devices, vulnerabilities, and more.
3.4.9 – Control and monitor user-installed software.
Logcollect provides operational telemetry to categorize and inventory installed hardware and software, and uses it to control and monitor endpoints for user-installed software, suspicious processes, unpatched devices, vulnerabilities, and more.
Control 3.5: Identification and Authentication
3.5.1 – Identify information system users, processes acting on behalf of users, or devices.
Logcollect monitors endpoints for active processes on workstations and servers. The Logcollect SOC team can set alerts based on a custom set of variables.
3.5.2 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Logcollect can ingest log data from multi-factor authentication (MFA) systems such as Okta or Cisco Duo.
3.5.3 – Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Logcollect logs privileged and non-privileged access for local and network accounts. Logcollect also provides two-factor authentication (2FA) as an added layer of security for all users, not just privileged users.
3.5.4 – Employ replay-resistant authentication mechanisms for network access to privileged and non- privileged accounts.
Active Directory uses Kerberos authentication, whose timestamped authenticators provide replay protection. Kerberos authentication events are logged in Windows and consumed by Logcollect.
Control 3.7: Maintenance
3.7.1 – Perform maintenance on organizational information systems.
Logcollect monitors systems for out-of-date software and configurations and provides reports and analysis with trends and graphs to track progress.
Control 3.8: Media Protection
3.8.7 – Control the use of removable media on information system components.
Logcollect provides visibility on endpoints for all user activity pertaining to USB devices, including connect/eject and files copied, and provides the ability to block external storage devices.
3.8.8 – Prohibit the use of portable storage devices when such devices have no identifiable owner.
Logcollect can safe list specific USB devices and alert on non-approved device serial numbers when they are connected to endpoints (workstations or servers).
Control 3.12: Security Assessment
3.12.3 – Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Logcollect provides for continuous monitoring of security controls on endpoints such as workstations and servers through security controls benchmarking.
Control 3.13: System and Communications Protection
3.13.14 – Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
VoIP traffic can be monitored by Logcollect using an internal tap or a SPAN/mirror port configuration. If the central server (Call Manager, etc.) provides logs via syslog, those can be used for additional context and alerting.
Control 3.14: System and Information Integrity
3.14.3 – Monitor information system security alerts and advisories and take appropriate actions in response.
Logcollect ingests alerts from other security tools, such as anti-virus and firewalls. Additional context, such as attacker tactics and techniques mapped to the MITRE ATT&CK framework, is layered onto each alert, helping you make informed decisions faster.
3.14.6 – Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
Logcollect monitors various audit logs to alert on unauthorized access and misuse, using the built-in behavioral analysis tool and log correlation capabilities. The agent logs inbound and outbound communication and analyzes it to identify threats.
3.14.7 – Identify unauthorized use of the information system.
Logcollect monitors various logs, and the agent performs reputation analysis on observed threats.
