This document summarizes a webinar presented by SolarWinds on supporting contractors with NIST SP 800-171 compliance. The webinar covered an overview of SolarWinds and its security and compliance products, a review of the NIST SP 800-171 security controls, and demonstrations of the Log & Event Manager and Network Configuration Manager products for compliance.
Trademark Notice
The SolarWinds, SolarWinds & Design, Orion, and THWACK trademarks are the exclusive property of SolarWinds Worldwide, LLC or its affiliates, are registered with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other SolarWinds trademarks, service marks, and logos may be common law marks or are registered or pending registration. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.
Editor's Notes
MacDill
Introduction (10)
Slides (20)
Demo (20)
Wrap-up and Q&A (10)
When presenting the Database pillar, please refer back to the “vision” slide and discuss deployment options:
We monitor and optimize these databases on physical servers, on VMware® virtual servers, and in the Cloud, including Amazon AWS® EC2®, RDS, and Azure™.
(optional) primarily for new channel partners
NIST SP 800-171 is based on FIPS 200 and NIST SP 800-53, with a narrowed scope and security requirements derived from those documents.
Note from Lisa: We just need to be sure that in the voice-over here we factor in that the audience is integrators. They signed up to hear about 800-171, but it’s good for them to know about all else that we do as they support government customers.
3.1.5 – Employ the principle of least privilege, including for specific security functions and privileged accounts.
SolarWinds Log & Event Manager (LEM) can audit deviations from least privilege, e.g., unauthorized file access and unexpected system access. Auditing can be done in real time or via reports. LEM can also monitor Microsoft® Active Directory® (AD) for unexpected escalated privileges being assigned to a user.
3.1.6 – Use non-privileged accounts when accessing non-security functions.
SolarWinds LEM can monitor privileged account usage and audit the use of privileged accounts for non-security functions.
3.1.7 – Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
Execution of privileged functions such as creating and modifying registry keys and editing system files can be audited in real-time or via reports in LEM. On the network device side, SolarWinds Network Configuration Manager (NCM) includes a change approval system which helps ensure that non-privileged users cannot execute privileged functions without approval from a privileged user.
3.1.8 – Limit unsuccessful logon attempts.
The number of logon attempts before lockout is generally set at the domain/system policy level, but LEM can confirm whether the lockout policy is actually being enforced via reports or nDepth searches. LEM can also be used to report on unsuccessful logon attempts, as well as automatically lock a user account via the Active Response feature.
3.1.12 – Monitor and control remote access sessions.
LEM can monitor and report on remote logons. Correlation rules can be configured to alert and respond to unexpected remote access (e.g., access outside normal business hours). SolarWinds NCM can audit how remote access is configured on your network device, identify any configuration violations, and remediate accordingly.
3.1.21 – Limit use of organizational portable storage devices on external information systems.
LEM can audit and restrict usage of portable storage devices with its USB Defender feature.
3.3.3 – Review and update audited events.
LEM helps with the review of audited events, provided the appropriate logs are sent to LEM.
3.3.4 – Alert in the event of an audit process failure.
LEM can generate alerts when agents go offline or the log storage database is running low on space. LEM can also alert on behalf of systems when audit logs are cleared—e.g., if a user clears the Windows® event log.
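The three LEM behaviours described under 3.1.8, 3.1.12 and 3.3.4 (confirming that a lockout threshold is actually enforced, flagging remote logons outside business hours, and alerting when the audit log is cleared) reduce to simple correlation rules over Windows Security events. The Python below is an added example and not SolarWinds code: it runs those rules over constructed sample events. The event IDs (4624, 4625, 1102) and logon types (3, 10) are the standard Windows Security values; the user names, addresses, timestamps, lockout threshold and the 08:00 to 18:00 business-hours window are assumptions made for the example.

```python
"""Correlation rules over Windows Security events (added example, not SolarWinds code).

Covers the LEM behaviours described for 3.1.8 (lockout enforcement and
unsuccessful logon reporting), 3.1.12 (remote access outside business
hours) and 3.3.4 (audit log cleared). All events below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Optional

# Standard Windows Security event IDs.
SUCCESSFUL_LOGON = 4624
FAILED_LOGON = 4625
AUDIT_LOG_CLEARED = 1102
# Logon types that indicate access from another host: 3 = network, 10 = RemoteInteractive (RDP).
REMOTE_LOGON_TYPES = {3, 10}


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    user: str
    logon_type: Optional[int] = None
    src_ip: Optional[str] = None


# Constructed sample events; user names, addresses and times are assumptions.
SAMPLE_EVENTS = [
    Event(datetime(2017, 6, 5, 9, 2), FAILED_LOGON, "jdoe", 2, "10.0.0.5"),
    Event(datetime(2017, 6, 5, 9, 3), FAILED_LOGON, "jdoe", 2, "10.0.0.5"),
    Event(datetime(2017, 6, 5, 9, 3), FAILED_LOGON, "jdoe", 2, "10.0.0.5"),
    Event(datetime(2017, 6, 5, 9, 4), FAILED_LOGON, "jdoe", 2, "10.0.0.5"),
    Event(datetime(2017, 6, 5, 9, 4), FAILED_LOGON, "jdoe", 2, "10.0.0.5"),
    # A five-attempt policy should have locked the account; this success says it did not.
    Event(datetime(2017, 6, 5, 9, 5), SUCCESSFUL_LOGON, "jdoe", 2, "10.0.0.5"),
    Event(datetime(2017, 6, 5, 14, 0), SUCCESSFUL_LOGON, "asmith", 10, "203.0.113.7"),
    Event(datetime(2017, 6, 6, 2, 30), SUCCESSFUL_LOGON, "asmith", 10, "203.0.113.7"),
    Event(datetime(2017, 6, 6, 2, 45), AUDIT_LOG_CLEARED, "asmith"),
]


def failed_logon_counts(events: List[Event]) -> Counter:
    """Report input for 3.1.8: unsuccessful logons per account."""
    return Counter(e.user for e in events if e.event_id == FAILED_LOGON)


def lockout_policy_violations(events: List[Event], threshold: int) -> List[str]:
    """Accounts that logged on successfully after reaching the lockout threshold
    of consecutive failures. An enforced lockout policy would have blocked that
    logon, so each hit suggests the policy is not applied to that account."""
    streak: Dict[str, int] = {}
    violators: List[str] = []
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.event_id == FAILED_LOGON:
            streak[e.user] = streak.get(e.user, 0) + 1
        elif e.event_id == SUCCESSFUL_LOGON:
            if streak.get(e.user, 0) >= threshold and e.user not in violators:
                violators.append(e.user)
            streak[e.user] = 0  # a success ends the streak either way
    return violators


def after_hours_remote_logons(events: List[Event],
                              start: time = time(8, 0), end: time = time(18, 0)) -> List[Event]:
    """3.1.12: successful remote logons outside the business-hours window."""
    return [e for e in events
            if e.event_id == SUCCESSFUL_LOGON
            and e.logon_type in REMOTE_LOGON_TYPES
            and not (start <= e.ts.time() < end)]


def audit_log_cleared(events: List[Event]) -> List[Event]:
    """3.3.4: the audit trail itself was cleared, which is an audit process failure."""
    return [e for e in events if e.event_id == AUDIT_LOG_CLEARED]


def run_rules(events: List[Event], lockout_threshold: int = 5) -> Dict[str, object]:
    """Evaluate every rule once and return the alerts keyed by rule name."""
    return {
        "failed_logons": dict(failed_logon_counts(events)),
        "lockout_not_enforced": lockout_policy_violations(events, lockout_threshold),
        "after_hours_remote": [(e.user, e.src_ip, e.ts.isoformat())
                               for e in after_hours_remote_logons(events)],
        "audit_log_cleared": [(e.user, e.ts.isoformat()) for e in audit_log_cleared(events)],
    }


if __name__ == "__main__":
    for name, hits in run_rules(SAMPLE_EVENTS).items():
        print(f"{name}: {hits}")
```

The lockout rule deliberately reports the successful logon rather than the failures: five failures are expected noise, while a success immediately after the threshold is the evidence that the domain policy is not taking effect on that system.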
3.3.5 – Correlate audit review, analysis and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
LEM’s correlation engine and reporting can assist with audit log reviews and help ensure that administrators are alerted to indications of inappropriate, suspicious, or unusual activity.
3.3.6 – Provide audit reduction and report generation to support on-demand analysis and reporting.
Audit logs can generate a huge amount of information. LEM can analyze event logs and generate scheduled or on-demand reports to assist with analysis. However, you will need to ensure that your audit policies and logging levels are appropriately configured.
3.3.7 – Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
LEM satisfies this requirement through Network Time Protocol server synchronization. LEM also includes a predefined correlation rule that monitors for time synchronization failures.
3.3.8 – Protect audit information and audit tools from unauthorized access, modification, and deletion.
LEM helps satisfy this requirement through the various mechanisms outlined in this post: Log & Event Manager Appliance Security and Data Protection.
3.3.9 – Limit management of audit functionality to a subset of privileged users.
As per the response to 3.3.8, LEM provides role-based access control, which limits access and functionality to a subset of privileged users.
3.4.3 – Track, review, approve/disapprove, and audit changes to information systems.
NCM’s real-time change detection, change approval management and tracking reports can be used to detect, validate, and document changes to network devices. LEM can monitor and audit changes to information systems, provided the appropriate logs are sent to LEM.
3.4.8 – Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
LEM can monitor for the use of unauthorized software. Thanks to Active Response, you can configure LEM to automatically kill nonessential programs and services.
3.4.9 – Control and monitor user-installed software.
LEM can audit software installations and alert accordingly. Patch Manager can inventory machines on your network and report on the software and patches installed.
3.6.3 – Test the organizational incident response capability.
LEM can play a role in the incident generation and the subsequent investigation. LEM can generate an incident based on a defined correlation trigger and respond to an incident via the Active Responses. Reports can be produced based on detected incidents.
3.7.6 – Supervise the maintenance activities of maintenance personnel without required access authorization.
Provided the appropriate logs are being generated and sent to LEM, reports can be used to audit the activity performed by maintenance personnel. NCM also comes into play, allowing you to compare configurations before and after maintenance windows.
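NCM's change detection (3.4.3) and the before/after comparison of device configurations around maintenance windows (3.7.6) both come down to diffing a baseline against the current configuration while ignoring lines that change on every save. The Python below is an added example, not NCM's implementation: it normalizes two constructed Cisco IOS-style configurations, drops volatile lines, attributes each change to its enclosing section and flags changes in security-relevant sections. The hostname, configuration contents, placeholder secrets and the list of security-relevant sections are assumptions made for the example.

```python
"""Baseline-vs-current device configuration comparison (added example, not NCM code).

Illustrates the change detection described for 3.4.3 and the before/after
maintenance-window comparison described for 3.7.6. Both configurations are
constructed Cisco IOS-style samples; hostname and secrets are placeholders.
"""
from typing import Dict, List, Set, Tuple

# Lines that change on every save and are not real configuration drift.
VOLATILE_PREFIXES = ("!", "ntp clock-period", "Building configuration", "Current configuration")
# Sections whose changes deserve review (assumed list for this example).
SECURITY_PREFIXES = ("aaa ", "username ", "enable secret", "ip access-list", "access-list",
                     "line vty", "snmp-server")

BASELINE_CONFIG = """\
! Last configuration change at 09:12:01 UTC Mon Jun 5 2017
hostname edge-rtr-01
aaa new-model
username netops privilege 15 secret <placeholder-hash>
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh
snmp-server community <placeholder-ro-string> RO
ntp clock-period 17179869
"""

# Constructed post-maintenance config: a new privileged user, a widened ACL
# and telnet re-enabled on the vty lines, plus the usual volatile churn.
AFTER_MAINTENANCE_CONFIG = """\
! Last configuration change at 02:41:55 UTC Tue Jun 6 2017
hostname edge-rtr-01
aaa new-model
username netops privilege 15 secret <placeholder-hash>
username temp-vendor privilege 15 secret <placeholder-hash-2>
ip access-list extended MGMT-IN
 permit tcp 10.0.0.0 0.255.255.255 any eq 22
 permit tcp any any eq 22
 deny ip any any log
line vty 0 4
 access-class MGMT-IN in
 transport input ssh telnet
snmp-server community <placeholder-ro-string> RO
ntp clock-period 17179870
"""

Entry = Tuple[str, str]  # (enclosing top-level section, normalized line)


def normalize(config: str) -> Set[Entry]:
    """Map each meaningful config line to (section, line).

    Indented lines belong to the most recent unindented line, so a change
    inside 'line vty 0 4' is reported against that section. Volatile lines
    are dropped so a resaved but unchanged config produces no diff.
    """
    entries: Set[Entry] = set()
    section = ""
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(VOLATILE_PREFIXES):
            continue
        if not line.startswith(" "):
            section = line
        entries.add((section, line.strip()))
    return entries


def is_security_relevant(entry: Entry) -> bool:
    section, line = entry
    return section.startswith(SECURITY_PREFIXES) or line.startswith(SECURITY_PREFIXES)


def compare_configs(baseline: str, current: str) -> Dict[str, List[Entry]]:
    """Report lines added and removed relative to the baseline, and which of
    those touch security-relevant sections."""
    before, after = normalize(baseline), normalize(current)
    added = sorted(after - before)
    removed = sorted(before - after)
    return {
        "added": added,
        "removed": removed,
        "security_relevant": sorted(e for e in added + removed if is_security_relevant(e)),
    }


if __name__ == "__main__":
    report = compare_configs(BASELINE_CONFIG, AFTER_MAINTENANCE_CONFIG)
    for kind in ("added", "removed"):
        for section, line in report[kind]:
            print(f"{kind:8s} [{section}] {line}")
    print(f"{len(report['security_relevant'])} security-relevant change(s) to review")
```

Comparing sets of (section, line) pairs rather than raw text keeps the report readable when a block is re-ordered on save, and the volatile-line filter is what makes a nightly comparison quiet enough that a real change, such as the re-enabled telnet transport above, is not lost among timestamp noise.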
3.8.7 – Control the use of removable media on information system components.
LEM’s USB Defender feature can monitor for usage of USB removable media and can automatically detach USB devices when unauthorized usage is detected.
3.9.2 – Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
LEM can assist with 3.9.2 by auditing usage of credentials of terminated personnel, validating that accounts are disabled in a timely manner, and validating group/permission changes after a personnel transfer.
3.11.2 – Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
Patch Manager cannot perform vulnerability scans, but it can be used to identify missing application patches on your Windows machines. NCM identifies risks to network security based on device configuration. NCM also accesses the NIST National Vulnerability Database to get updates on potential emerging vulnerabilities in Cisco® ASA and IOS®-based devices.
3.11.3 – Remediate vulnerabilities in accordance with assessments of risk.
Patch Manager can remediate software vulnerabilities on your Windows machines via Microsoft® and third-party updates. Patch Manager can be used to install updates on a scheduled basis or on demand. On the network device side, NCM performs Cisco IOS® firmware upgrades to potentially mitigate identified vulnerabilities.