This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The information system provides an audit reduction and report generation capability that:
a. Supports on-demand audit review, analysis, and reporting requirements and after-the-fact investigations of security incidents; and
b. Does not alter the original content or time ordering of audit records.
NIST 800-53 (r4) Supplemental Guidance:
Audit reduction is a process that manipulates collected audit information and organizes such information in a summary format that is more meaningful to analysts. Audit reduction and report generation capabilities do not always emanate from the same information system or from the same organizational entities conducting auditing activities. Audit reduction capability can include, for example, modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the information system can generate customizable reports. Time ordering of audit records can be a significant issue if the granularity of the timestamp in the record is insufficient. Related control: AU-6.
References: None.
NIST 800-53 (r5) Discussion:
Audit record reduction is a process that manipulates collected audit log information and organizes it into a summary format that is more meaningful to analysts. Audit record reduction and report generation capabilities do not always emanate from the same system or from the same organizational entities that conduct audit logging activities. The audit record reduction capability includes modern data mining techniques with advanced data filters to identify anomalous behavior in audit records. The report generation capability provided by the system can generate customizable reports. Time ordering of audit records can be an issue if the granularity of the timestamp in the record is insufficient.
38North Guidance:
Meets Minimum Requirement:
Part a.
The Cloud Service Offering (CSO) is required to provide an audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting requirements, and after-the-fact investigations of security incidents. This is typically accomplished by implementing a Security Information and Event Management (SIEM) tool that can organize the CSO component audit logs into a summary format for CSO personnel.
Part b.
The organization provides an audit reduction and report generation capability that does not alter the original content or time ordering of audit records. This is typically accomplished with the implementation of a SIEM tool.
Best Practice:
The SIEM tool should be able to generate on-demand reports as well as standard reports, so that snapshots of the audit data can be viewed for analysis.
The SIEM should be robust enough to support after-the-fact investigations for potential incident investigations.
The SIEM should offer enough timestamp granularity to view logs at second and millisecond resolution.
Audit logs should be encrypted at rest and protected so that no personnel can alter them.
Access should be restricted so that only a limited number of administrators can delete or move logs. No modification of logs should be permitted.
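The following is an added example, not 38North's, NIST's or any SIEM vendor's code, showing what the Part b requirement and the best practices above look like in a small audit reduction routine: it reads constructed JSON-lines audit records with millisecond timestamps, checks that they are in time order and flags adjacent records whose timestamps are identical (the granularity problem the supplemental guidance warns about), builds a criteria-based summary such as failed logins to one host, and proves afterwards that the parsed records were not altered by the reduction. The record format, field names and sample values are assumptions made for the example.

```python
"""Audit reduction that summarizes records without altering them or their time ordering."""
import hashlib
import json
from collections import Counter
from datetime import datetime

# Constructed sample audit records in JSON-lines form with millisecond timestamps.
# Two of bob's failures deliberately share one timestamp (see check_time_ordering).
RAW_AUDIT_LOG = b"""{"ts":"2024-03-01T10:00:00.120Z","user":"alice","event":"login","result":"success","host":"web-01"}
{"ts":"2024-03-01T10:00:00.121Z","user":"bob","event":"login","result":"failure","host":"web-01"}
{"ts":"2024-03-01T10:00:00.121Z","user":"bob","event":"login","result":"failure","host":"web-01"}
{"ts":"2024-03-01T10:00:01.005Z","user":"bob","event":"login","result":"failure","host":"web-02"}
{"ts":"2024-03-01T10:00:02.000Z","user":"carol","event":"login","result":"success","host":"web-02"}
"""


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; the trailing 'Z' is rewritten for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_records(raw):
    """Parse the raw log into dicts; the raw bytes are only read, never written back."""
    return [json.loads(line) for line in raw.decode().splitlines() if line.strip()]


def fingerprint(records):
    """Stable digest of the parsed records, used to prove the reduction changed nothing."""
    canonical = json.dumps(records, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def check_time_ordering(records):
    """Return (is_ordered, ambiguous_pairs).

    ambiguous_pairs counts adjacent records with identical timestamps: at this
    granularity their true order cannot be recovered from the timestamp alone.
    """
    stamps = [parse_ts(r["ts"]) for r in records]
    ordered = all(a <= b for a, b in zip(stamps, stamps[1:]))
    ambiguous = sum(1 for a, b in zip(stamps, stamps[1:]) if a == b)
    return ordered, ambiguous


def select(records, **criteria):
    """Criteria-based filter: records whose fields all match (e.g. logins to one host)."""
    return [r for r in records if all(r.get(k) == v for k, v in criteria.items())]


def failed_logins_by_user(records):
    """Audit reduction: count failed login events per user."""
    return Counter(r["user"] for r in records
                   if r["event"] == "login" and r["result"] == "failure")


def generate_report(raw, **criteria):
    """Produce a summary report while leaving the original records untouched."""
    records = load_records(raw)
    before = fingerprint(records)
    ordered, ambiguous = check_time_ordering(records)
    # Reductions operate on filtered copies; the parsed list is never sorted or mutated.
    subset = select(records, **criteria) if criteria else records
    summary = failed_logins_by_user(subset)
    return {
        "records": len(records),
        "matched": len(subset),
        "time_ordered": ordered,
        "ambiguous_pairs": ambiguous,
        "failed_logins": dict(summary),
        "source_unchanged": fingerprint(records) == before,
    }


if __name__ == "__main__":
    # Example on-demand report: failed logins to the web-01 component.
    print(json.dumps(generate_report(RAW_AUDIT_LOG, host="web-01", event="login"), indent=2))
```

The `ambiguous_pairs` count is the field an assessor would look at when judging whether the SIEM's timestamp granularity is sufficient: a non-zero value means some records cannot be ordered from their timestamps, and a sequence number or finer clock is needed. The `source_unchanged` flag is the check that the reduction honoured Part b; in a real deployment the same digest would be taken over the stored log, not over an in-memory copy.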
Unofficial FedRAMP Guidance: None
Assessment Evidence:
SIEM reports demonstrating that audit reports can be generated based on criteria such as logins to a particular system component.
Incident response investigations that show an audit trail that demonstrates the who, what, when, where, and how.
Active Directory account listing of user roles with capabilities to make audit capability changes to information system components.
SIEM tool user privileges demonstrating who has the ability to make changes to the audit tool.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD