Threat-Based Methodology: Auditing

This is the third post in the Threat-Based Methodology blog series. In the first post, we introduced Threat Based Methodology and the analysis conducted by the FedRAMP PMO and NIST. In that post, we ended by listing the top seven controls based on their Protection Value. The second post explored configuration settings in greater depth and explained how Devo supports the ability to meet the CM-6 control.

In this post, we’ll explore the AU-6 family of controls more deeply and share how Devo supports meeting these controls.

The AU-6 controls that are at the top include:

• AU-6: AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING
• AU-6(1): AUTOMATED PROCESS INTEGRATION
• AU-6(3): CORRELATE AUDIT RECORD REPOSITORIES
• AU-6(4): CENTRAL REVIEW AND ANALYSIS
• AU-6(5): INTEGRATED ANALYSIS OF AUDIT RECORDS
• AU-6(6): CORRELATION WITH PHYSICAL MONITORING

All of these controls score a Protection Value of 206.65, which is not far from the top performer, CM-6, with a top score of 208.86.

The analysis performed highlights the importance of auditing with respect to protecting your environment. You can’t protect anything if you don’t have visibility into what you are protecting. While this sounds obvious, robust auditing is often not a high priority for many users.

Devo exceeds all of the requirements listed in the AU-6 control and sub-controls. Here are some highlights regarding the specific controls.

AU-6: AUDIT RECORD REVIEW, ANALYSIS, AND REPORTING

Devo enables users to review and analyze all of the system audit records forwarded to our platform. Devo has a comprehensive data search, filtering, reporting and analysis toolset. The audit records are enriched by multiple threat and intelligence feeds and can automatically detect and alert on inappropriate or unusual activity.

AU-6(1): AUTOMATED PROCESS INTEGRATION

Devo is an automated processing platform for audit records. It also is an enterprise-class data operations platform and has multiple applications to automate audit record processing.

AU-6(3): CORRELATE AUDIT RECORD REPOSITORIES

Devo is inherently multitenant, providing large organizations with the ability to limit access to specific audit records by department or location while maintaining the ability to correlate the entire organization’s audit records from a single pane of glass.

AU-6(4): CENTRAL REVIEW AND ANALYSIS

Devo allows for centralized review and analysis of an organization’s complete audit records, regardless of the source. This makes it easy for audit records from on-premises, cloud and all technologies to be processed together.

AU-6(5): INTEGRATED ANALYSIS OF AUDIT RECORDS

Devo is able to ingest data from multiple third-party providers such as vulnerability scanners and endpoint protection solutions. This information may be correlated with any of the other audit records as necessary to perform an integrated analysis.

AU-6(6): CORRELATION WITH PHYSICAL MONITORING

Devo is able to ingest audit records from physical monitoring systems that can be integrated with the Devo Platform. Additionally, Devo is able to enrich the data with physical location information such as IP address geolocation data. Through these processes, it is possible to leverage physical security aspects in the analysis of potentially suspicious activities.

Devo is able to exceed all of these requirements and bring the highest Protection Value to our customers.