This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization integrates analysis of audit records with analysis of [FedRAMP Selection (one or more): (H) vulnerability scanning information; performance data; information system monitoring information; penetration test data; [Organization-defined data/information collected from other sources]] to further enhance the ability to identify inappropriate or unusual activity.
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement does not require vulnerability scanning, the generation of performance data, or information system monitoring. Rather, the enhancement requires that the analysis of information being otherwise produced in these areas is integrated with the analysis of audit information. Security Event and Information Management System tools can facilitate audit record aggregation/consolidation from multiple information system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans and correlating attack detection events with scanning results. Correlation with performance data can help uncover denial of service attacks or cyber attacks resulting in unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations. Related controls: AU-12, IR-4, RA-5.
NIST 800-53 (r5) Discussion:
Integrated analysis of audit records does not require vulnerability scanning, the generation of performance data, or system monitoring. Rather, integrated analysis requires that the analysis of information generated by scanning, monitoring, or other data collection activities is integrated with the analysis of audit record information. Security Information and Event Management tools can facilitate audit record aggregation or consolidation from multiple system components as well as audit record correlation and analysis. The use of standardized audit record analysis scripts developed by organizations (with localized script adjustments, as necessary) provides more cost-effective approaches for analyzing audit record information collected. The correlation of audit record information with vulnerability scanning information is important in determining the veracity of vulnerability scans of the system and in correlating attack detection events with scanning results. Correlation with performance data can uncover denial-of-service attacks or other types of attacks that result in the unauthorized use of resources. Correlation with system monitoring information can assist in uncovering attacks and in better relating audit information to operational situations.
38North Guidance:
Meets Minimum Requirement:
As part of the Cloud Service Offering (CSO) audit review for inappropriate or unusual activity, the Cloud Service Provider (CSP) integrates analysis of the Security Information and Event Management (SIEM) audit logs with at least one other data source for the CSO: vulnerability scanning output, security alerts, or penetration testing data. Correlating these sources helps confirm which alerts target services the scanner reports as actually vulnerable, separates the CSP's own scanner traffic from attacker activity, and surfaces attacks against assets or weaknesses the scans did not report.
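As an added example (not 38North's or NIST's text, and not any SIEM product's own logic), the following Python shows the kind of integrated analysis described above and in the r5 Discussion: SIEM-normalised IDS audit records are joined against a vulnerability scan export to (a) escalate attacks against weaknesses the scanner confirms are present, (b) mark traffic from the CSP's own scanner as expected, and (c) flag attacks that reference hosts or weaknesses the scan did not report, which is where the veracity of the scan itself should be questioned. The record layouts, the scanner address and the CVE-style identifiers are constructed placeholders, not real advisories or a real export format.

```python
"""Integrated analysis of SIEM audit records and vulnerability scan output.

Added example for AU-6(5); the data below is constructed and the CVE-style
identifiers are placeholders, not real advisories.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed vulnerability scan export, one finding per line: host,port,cve,severity
SCAN_FINDINGS = """\
10.0.1.10,443,CVE-2099-0001,critical
10.0.1.10,22,CVE-2099-0002,high
10.0.1.20,3306,CVE-2099-0003,medium
"""

# Constructed SIEM-normalised IDS records: timestamp|src_ip|dst_ip|dst_port|signature|cve
# (cve is empty when the signature is not tied to a specific weakness)
SIEM_EVENTS = """\
2024-03-01T10:00:03Z|203.0.113.5|10.0.1.10|443|exploit attempt|CVE-2099-0001
2024-03-01T10:00:09Z|203.0.113.5|10.0.1.30|443|exploit attempt|CVE-2099-0001
2024-03-01T10:01:00Z|10.0.9.9|10.0.1.10|22|version probe|
2024-03-01T10:05:00Z|198.51.100.7|10.0.1.20|3306|exploit attempt|CVE-2099-0003
2024-03-01T10:07:00Z|198.51.100.7|10.0.1.20|8080|exploit attempt|CVE-2099-0004
"""

# Assumed address of the CSO's authorised vulnerability scanner (placeholder).
SCANNER_IPS: Set[str] = {"10.0.9.9"}


@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str
    port: int
    signature: str
    cve: str


@dataclass(frozen=True)
class Verdict:
    event: Event
    category: str  # scanner_noise | confirmed_exposure | not_reported_vulnerable | scan_gap | unmatched
    note: str


def parse_findings(text: str) -> Dict[Tuple[str, int], Dict[str, str]]:
    """Index scan findings as (host, port) -> {cve: severity}."""
    index: Dict[Tuple[str, int], Dict[str, str]] = {}
    for line in text.strip().splitlines():
        host, port, cve, severity = (f.strip() for f in line.split(","))
        index.setdefault((host, int(port)), {})[cve] = severity
    return index


def parse_events(text: str) -> List[Event]:
    """Parse the pipe-delimited SIEM export into Event records."""
    events: List[Event] = []
    for line in text.strip().splitlines():
        ts, src, dst, port, sig, cve = (f.strip() for f in line.split("|"))
        events.append(Event(ts, src, dst, int(port), sig, cve))
    return events


def correlate(findings: Dict[Tuple[str, int], Dict[str, str]],
              events: List[Event], scanner_ips: Set[str]) -> List[Verdict]:
    """Classify each audit event against the scan results."""
    scanned_hosts = {host for host, _ in findings}
    verdicts: List[Verdict] = []
    for ev in events:
        if ev.src in scanner_ips:
            # Expected during the scan window; confirms the scanner actually probed this host.
            verdicts.append(Verdict(ev, "scanner_noise", "source is the authorised scanner"))
        elif ev.cve and ev.cve in findings.get((ev.dst, ev.port), {}):
            sev = findings[(ev.dst, ev.port)][ev.cve]
            verdicts.append(Verdict(ev, "confirmed_exposure",
                                    f"attack on {ev.cve} ({sev}) that the scan reports present; escalate"))
        elif ev.cve and ev.dst in scanned_hosts:
            # Host was scanned but the scanner did not report this weakness: false negative or noise.
            verdicts.append(Verdict(ev, "not_reported_vulnerable",
                                    f"{ev.cve} not in scan results for {ev.dst}:{ev.port}; verify scan veracity"))
        elif ev.cve:
            # Host absent from scan output entirely: an asset outside scan coverage.
            verdicts.append(Verdict(ev, "scan_gap", f"{ev.dst} has no scan findings; check scan scope"))
        else:
            verdicts.append(Verdict(ev, "unmatched", "no weakness context; retain for baseline review"))
    return verdicts


def summarize(verdicts: List[Verdict]) -> Dict[str, int]:
    """Count verdicts per category for the review ticket."""
    counts: Dict[str, int] = {}
    for v in verdicts:
        counts[v.category] = counts.get(v.category, 0) + 1
    return counts


def run() -> List[Verdict]:
    return correlate(parse_findings(SCAN_FINDINGS), parse_events(SIEM_EVENTS), SCANNER_IPS)


if __name__ == "__main__":
    for v in run():
        print(f"{v.event.ts} {v.event.src}->{v.event.dst}:{v.event.port} [{v.category}] {v.note}")
    print(summarize(run()))
```

The per-category counts and the verdict list are what a reviewer would attach to the ticket described under Best Practice, since they record both the SIEM input and the scan export that was correlated against it. The `not_reported_vulnerable` and `scan_gap` outcomes are the ones worth a re-scan or a scope review rather than only an incident ticket.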
Best Practice:
Reviews for inappropriate or unusual activity should be tracked within the CSO ticketing system and include the sources of input used to perform the review.
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Review recent tickets showing that an audit review of the CSO covered not only the SIEM logs but also CSO vulnerability scanning output, security alerts, or penetration testing data, and that the ticket records which of these sources were used.
Review recent incident response after action reports to determine the types of data used in correlating potential attacks to the CSO.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD