Insider Threat Management

NIST 800-14 – Principles and Practices for Securing IT Systems

(Updated on 10/11/2020)

The National Institute of Standards and Technology (NIST) provides a baseline that organizations can use to structure and review their IT security strategies. NIST 800-14 gives specific security requirements that all companies should follow to properly secure their IT resources.

Key Compliance Requirements of NIST 800-14

Here are some of the compliance requirements of NIST 800-14:

1) Individual accountability by tracking user actions

NIST regulations understand the importance of individual accountability. While users can’t be prevented from using the resources they need to do their job, they can be held accountable for the actions they take with these resources.

2) Reconstruction of user actions by “after the fact” investigation of how, when, and why

While easily compiling records and logs for compliance purposes is helpful, it doesn’t do your company much good after a breach if those logs can’t be used to investigate the attack. NIST requires that audit trails include enough information to determine what events occurred and who or what caused them. When you face a data breach, your records should tell you the type of event that caused the breach, when the event occurred, the applications or commands used, and the user ID associated with it.

3) Intrusion detection as the events occur or “after the fact”

According to NIST, if your audit trails are recording the right information, they should also be useful for intrusion detection. Whether through your audit trails or other alerts, having processes that can detect intrusions is vital for preventing damage to your organization. Intruders usually won’t find exactly what they’re looking for the moment they enter your system. Detecting and removing them as soon as possible could prevent any data from being compromised; failing to do so could give intruders months to move around your network looking for valuable data.
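The two requirements above (an audit trail complete enough to reconstruct who did what, when, and with which command, and the same trail reused for detection) can be checked with a few lines of code. The following is an added example, not code from NIST, Proofpoint or the original post. It uses a constructed JSON-lines audit log, a field set that mirrors the four items the text names (event type, time, application/command, user ID, plus source and outcome as assumed extras), a completeness check, a per-user timeline for "after the fact" reconstruction, and one simple detection rule (several failed logins followed by a success) applied to the same records. Field names and thresholds are assumptions for the example.

```python
"""Audit-trail completeness, reconstruction and detection over one log.
Added example; the record layout and rule thresholds are assumptions."""
import json
from datetime import datetime, timedelta, timezone

# Fields an investigation needs: what happened, when, by whom, with what, and how it ended.
REQUIRED_FIELDS = ("event_type", "timestamp", "user_id", "source", "command", "outcome")

# Constructed sample audit log (one JSON object per line); not real data.
# The last record deliberately lacks a user_id so the completeness check has something to flag.
SAMPLE_LOG = """\
{"event_type":"login","timestamp":"2020-10-11T08:00:05Z","user_id":"alice","source":"10.0.0.5","command":"sshd","outcome":"success"}
{"event_type":"login","timestamp":"2020-10-11T08:01:10Z","user_id":"bob","source":"10.0.0.9","command":"sshd","outcome":"failure"}
{"event_type":"login","timestamp":"2020-10-11T08:01:15Z","user_id":"bob","source":"10.0.0.9","command":"sshd","outcome":"failure"}
{"event_type":"login","timestamp":"2020-10-11T08:01:20Z","user_id":"bob","source":"10.0.0.9","command":"sshd","outcome":"failure"}
{"event_type":"login","timestamp":"2020-10-11T08:01:25Z","user_id":"bob","source":"10.0.0.9","command":"sshd","outcome":"success"}
{"event_type":"command","timestamp":"2020-10-11T08:02:00Z","user_id":"bob","source":"10.0.0.9","command":"cp /srv/reports/q3.csv /tmp/q3.csv","outcome":"success"}
{"event_type":"command","timestamp":"2020-10-11T08:03:00Z","user_id":"alice","source":"10.0.0.5","command":"systemctl restart app","outcome":"success"}
{"event_type":"command","timestamp":"2020-10-11T08:04:00Z","source":"10.0.0.7","command":"rm /tmp/q3.csv","outcome":"success"}
"""


def parse_log(text):
    """Parse JSON-lines text into a list of record dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def missing_fields(record):
    """Names of required fields that are absent or empty in one record."""
    return [f for f in REQUIRED_FIELDS if f not in record or record[f] in (None, "")]


def incomplete_records(records):
    """(index, missing fields) for every record that could not support an investigation."""
    return [(i, missing_fields(r)) for i, r in enumerate(records) if missing_fields(r)]


def _ts(record):
    """Parse the record's UTC timestamp (format is an assumption of the sample)."""
    return datetime.strptime(record["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconstruct(records, user_id):
    """Chronological timeline for one user: when, what kind of event, which command, and the outcome."""
    mine = sorted((r for r in records if r.get("user_id") == user_id), key=_ts)
    return [f"{r['timestamp']} {r['event_type']} {r['command']} -> {r['outcome']}" for r in mine]


def detect_failed_then_success(records, threshold=3, window=timedelta(minutes=5)):
    """Flag a successful login preceded by `threshold` or more failed logins
    for the same user within `window`. Returns (user_id, timestamp, failure count)."""
    hits = []
    logins = sorted((r for r in records if r.get("event_type") == "login" and "user_id" in r), key=_ts)
    for i, r in enumerate(logins):
        if r["outcome"] != "success":
            continue
        t = _ts(r)
        fails = [p for p in logins[:i]
                 if p["user_id"] == r["user_id"] and p["outcome"] == "failure" and t - _ts(p) <= window]
        if len(fails) >= threshold:
            hits.append((r["user_id"], r["timestamp"], len(fails)))
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("incomplete records:", incomplete_records(recs))
    print("timeline for bob:", *reconstruct(recs, "bob"), sep="\n  ")
    print("suspicious logins:", detect_failed_then_success(recs))
```

The completeness check is the part worth running continuously: a record without a user ID (the last sample line) cannot be attributed to anyone, so it fails the accountability requirement before any investigation starts. The same records feed both the timeline and the detection rule, which is the point the text makes about reusing audit trails for intrusion detection.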

4) Problem identification through auditing and monitoring

Data breaches and cyber-attacks aren’t the only problems a business faces. Your security tools can also help identify problems like code changes, broken integrations, or other faults in your system. Being able to leverage your auditing and monitoring can help find the root cause of a problem and get it fixed much more quickly.

Proofpoint Insider Threat Management (ITM) is a user activity monitoring solution that can fulfill all of the above NIST 800-14 requirements. Below is a list of corresponding ITM support capabilities and how they are used to fulfill NIST 800-14.

1) ITM supports individual accountability by tracking user actions

ITM provides audit logs of every action taken by each of your users. When someone logs into a server using a shared account, ITM will require a secondary log-in screen to identify specifically who they are. This makes sure each individual is accountable, not an entire department.

2) ITM supports reconstruction of user actions by “after the fact” investigation of how, when, and why

ITM provides bulletproof forensic evidence to give you all the information you need to investigate and respond to breaches. With video recording and playback of every command and action of your users, you can see exactly what occurred to cause an issue inside your system.

3) ITM supports intrusion detection as the events occur or “after the fact”

ITM’s real-time alerts allow instant response to suspicious user actions. Being able to detect unusual user behavior, events, unauthorized code, connections, devices and software is not only required by NIST, it’s necessary to keep your business safe.

4) ITM supports problem identification through auditing and monitoring

With ITM, you can review every action to know who worked on which services and what actions they performed. When something breaks, you don’t have to point the finger anymore: you can immediately know what happened and how to fix it.

Final Thoughts

While providing audit logs for compliance can add work to your team, doing so with an effective solution can limit the time spent and greatly increase your preparedness for a data breach. As cyber-threats continue to evolve, look towards regulations like NIST 800-14 to make sure your network is properly secured and make sure the IT security solutions you choose are ready for the challenge.
