3.3.5 Correlate Audit Processes

The 800-171 3.3.5 requirement is to correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

NIST SP 800-171 3.3.5: Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity.

This is the 8th most likely requirement to be “other than satisfied” by defense contractors, according to the DoD’s Cybersecurity Assessment Center.

The problem is that this requirement can be read in two (totally) different ways.

๐Ÿ‘ฎ๐Ÿป Option 1) When scary logs are generated, ๐˜ด๐˜ฐ๐˜ฎ๐˜ฆ๐˜ฐ๐˜ฏ๐˜ฆ ๐˜ฏ๐˜ฐ๐˜ต๐˜ช๐˜ค๐˜ฆ๐˜ด ๐˜ข๐˜ฏ๐˜ฅ ๐˜ด๐˜ต๐˜ข๐˜ณ๐˜ต๐˜ด ๐˜ฅ๐˜ฐ๐˜ช๐˜ฏ๐˜จ ๐˜ช๐˜ฏ๐˜ค๐˜ช๐˜ฅ๐˜ฆ๐˜ฏ๐˜ต ๐˜ณ๐˜ฆ๐˜ด๐˜ฑ๐˜ฐ๐˜ฏ๐˜ด๐˜ฆ! In other words “see something, do something”.

📊 Option 2) All logs from all systems need to go to a central place so that you can ‘correlate’ multiple sources of logs together using technical means.

Very different interpretations, right???

My personal take: I think that Option 1 👮🏻 is the best way to interpret this requirement. I’m looking at the word “processes” to mean manual activities performed by people.

Without Option 1 👮🏻, we have a problem where 800-171 requires lots of logs, and it requires lots of incident response, but there is no link between the two. I think we need this requirement to tell companies that they have to start incidents when they see indications of unlawful, unauthorized, suspicious, or unusual activity.

My personal pet peeve: I’ve talked to many companies that hired external SOC services or MSSPs, are paying them thousands of dollars per month, and have had “zero” incidents in the last year. Really? C’mon.

That is an example of not correlating audit record review to analysis and reporting processes.

Another argument for Option 1 👮🏻: an examinable object for this is “procedures addressing investigation of and response to suspicious activities”.

I also respect those who interpret 3.3.5 as Option 2 📊 – have a SIEM. A test object is “mechanisms supporting analysis and correlation of audit records”. This would normally be done by collecting logs in a central location so that you can correlate different alarms and activities as an intruder passes through your different systems.
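To make the two readings concrete, here is an added example (not from the original post, and not any vendor’s SIEM code) that does both things at once: it correlates audit records from several sources by account within a time window (Option 2), and every rule match becomes an incident record that a person must triage (Option 1), so “zero incidents” is never the silent default. The log lines, host names, account names and the single correlation rule are all constructed for illustration; the pipe-separated log format is an assumption chosen to keep the parser short.

```python
"""Minimal audit-record correlator that links log review to incident response.

Added example; constructed data, not from any real environment.
Log line format (assumed): source|ISO-timestamp|account|host|event
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AuditRecord:
    source: str       # system that produced the record (constructed names)
    ts: datetime
    account: str
    host: str
    event: str


@dataclass
class Rule:
    """Ordered steps (source, event, min_count) that must all occur for one
    account, with first-to-last evidence inside `window`."""
    name: str
    steps: list
    window: timedelta


def parse_records(lines):
    """Parse the constructed pipe-separated lines into AuditRecord objects."""
    out = []
    for line in lines:
        source, ts, account, host, event = line.strip().split("|")
        out.append(AuditRecord(source, datetime.fromisoformat(ts), account, host, event))
    return out


def correlate(records, rule):
    """Return (account, evidence) for each account whose records satisfy the
    rule's steps in order. Simplification: steps are matched from the first
    occurrence forward; a production engine would use a sliding window."""
    by_account = defaultdict(list)
    for r in records:
        by_account[r.account].append(r)

    matches = []
    for account, recs in by_account.items():
        recs.sort(key=lambda r: r.ts)
        evidence, idx = [], 0
        for source, event, min_count in rule.steps:
            seen = 0
            # Walk forward through this account's records until the step is met.
            while idx < len(recs) and seen < min_count:
                r = recs[idx]
                idx += 1
                if r.source == source and r.event == event:
                    seen += 1
                    evidence.append(r)
            if seen < min_count:      # step never satisfied: no match
                evidence = []
                break
        if evidence and evidence[-1].ts - evidence[0].ts <= rule.window:
            matches.append((account, evidence))
    return matches


def open_incident(rule, account, evidence):
    """The Option 1 link: a rule match is not just an alert, it opens an
    incident record that the response process owns until it is closed."""
    return {
        "rule": rule.name,
        "account": account,
        "first_seen": evidence[0].ts.isoformat(),
        "last_seen": evidence[-1].ts.isoformat(),
        "hosts": sorted({r.host for r in evidence}),
        "sources": sorted({r.source for r in evidence}),
        "status": "open",   # triage and reporting are human process steps
    }


def review_and_report(lines, rules):
    """Review (parse), analyze (correlate), report (open incidents)."""
    records = parse_records(lines)
    return [open_incident(rule, account, evidence)
            for rule in rules
            for account, evidence in correlate(records, rule)]


# Constructed sample audit records from three sources (VPN, workstation, file server).
SAMPLE_LOG = [
    "vpn|2024-03-01T02:10:00|jdoe|vpn-gw|auth_failure",
    "vpn|2024-03-01T02:10:20|jdoe|vpn-gw|auth_failure",
    "vpn|2024-03-01T02:11:05|jdoe|vpn-gw|auth_success",
    "win|2024-03-01T02:13:00|jdoe|ws-17|logon",
    "file|2024-03-01T02:15:30|jdoe|fs-cui-01|bulk_read",
    "win|2024-03-01T09:00:00|asmith|ws-22|logon",
    "file|2024-03-01T09:05:00|asmith|fs-cui-01|read",
    "vpn|2024-03-01T10:00:00|asmith|vpn-gw|auth_failure",
]

# Constructed rule: repeated VPN failures, then success, then a bulk read
# of the CUI file share, all within 30 minutes for the same account.
RULES = [
    Rule(
        name="VPN failures then success followed by bulk CUI read",
        steps=[("vpn", "auth_failure", 2), ("vpn", "auth_success", 1), ("file", "bulk_read", 1)],
        window=timedelta(minutes=30),
    ),
]

if __name__ == "__main__":
    for incident in review_and_report(SAMPLE_LOG, RULES):
        print(incident)
```

Running it against the constructed log opens exactly one incident, for `jdoe`, citing both the VPN gateway and the file server as evidence; `asmith` has a single failed VPN logon and no follow-on activity, so no incident is opened. The point for an assessor is the last function: review, analysis and reporting are one pipeline whose output is an incident record, which is the correlation 3.3.5 asks for under either reading.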

Maybe both???

In preparation for Kieri Solution’s CMMC assessment by DIBCAC, we took the “both” approach to be safe. We discussed how we have processes that ensure incidents are started when there is scary activity in the logs. We also mentioned how we use a SIEM. Our assessors were satisfied.
