
9 Replies

  • Active Directory already does most of this, or is capable of doing it when configured to do so, but you are not telling us the context/scope of these requirements: is it just within the Firewall? If so, then this is just about logging what websites staff access?

    If it's not limited to the firewall, then is it an app? Is it a file access?

    This isn't "bank" level of auditing requirements, but it's close to it. You might have to sit down with them, to get a clearer understanding of what they expect.

  • The first step is to understand the requirement. Similar to BenoitT's comment - what does it apply to. These lists are often very generic.

    Taking the first requirement 3.3.1 as an example - does this just apply to perimeter/boundary devices (firewall, router, vpn)? or all systems - every desktop?
    The second again needs to be scoped - is this required for all applications? Often apps do not provide this level of audit. There is a big difference between logging an authentication and logging an action (who accessed a record, updated it, deleted it). Using single sign-on to a single directory will help provide the tracing to an individual.

    Then once the requirement is known you will need a solution for logging and storing - I do not know of an MSP platform that provides this etc, but some hosted platforms are multi-tenant/MSP friendly. Option 1 on premises, option 2 hosted. Security Event and Incident Management (SEIM) is a useful term.

    Googling cloud SEIM comes up with some hosted options. It is likely that you will need local plugins, or local connectors to obtain the logs and send them to the cloud platform.

  • For which platforms do you want to monitor the audit logs, I mean logs of Active Directory changes, file servers, or any cloud platform? You can take a look at Lepide Auditor, which is capable of auditing on-premise and cloud platform changes.

  • BenoitT Thanks! I'll definitely play around with AD some more. I had another chat with them and they are concerned with both firewall/network and app/file access.

    This client in particular isn't a bank, but they are a small government contractor. They don't handle any real sensitive or classified material, but they do have stricter security requirements than most other companies I've dealt with.

    m@ttshaw They indicated that they consider both the perimeter devices as well as every desktop device to be included in the logging/auditing/monitoring.

    They have a handful of applications outside of the typical office products, but you're right; I do not see a way to audit or track those third party apps.

    Thanks! I'll definitely check into some SEIM options.

    Rupesh (Lepide) I think they are primarily concerned with monitoring AD, file servers and local desktops. I will check into that. Thanks!

  • Do you happen to have an RMM or something in place to manage your clients? If not, it might be worth a look into.

  • Looks like your client needs to be CMMC compliant. CMMC does apply to all devices on your network of course, no matter what the OS. It's generally a good idea anyways to monitor all end points, and not just a select few.

    Just running Windows with AD is obviously not enough to get your CMMC compliant, you will need to invest in some sort of log management software / SIEM. Unfortunately it's somewhat of a challenge to find something that works for the budget of small companies - most SIEMs are either expensive, overkill, difficult to set up or all of it :-).

    If they have to be CMMC compliant, then the requirements you posted are only a part of it of course, they may need other things like MFA etc. I do have some experience with CMMC so I can give you some hints. You can PM me.

    The first thing you'll want to do for them is make sure they have the correct audit policy on their network. So this is completely separate from the software you'll end up slapping on it - this ensures that the audit data is at least being captured. Take a look here: https://system32.eventsentry.com/compliance/CMMC. Again, do this regardless of what you'll end up deploying.

    I found EventSentry to cover the logging requirements for CMMC pretty well, they have more information here. Nice thing about their solution is that they have a bunch of reports, packages etc. built-in for CMMC. And it doesn't cost an arm and a leg.

    Hope that helps.

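As an added example (not code from any poster or vendor in this thread), the following PowerShell check covers the point above about confirming the audit policy before layering any SIEM on top, and the earlier point about logging authentication versus logging actions: it reads the effective advanced audit policy with auditpol and the Security log settings, and reports which subcategories are not being captured. The required subcategory list and the 1 GB log size are assumptions for illustration; align them with the client's actual requirement and run from an elevated session.

```powershell
# Added example: verify that the local advanced audit policy actually captures
# both authentication events and user actions before any SIEM is layered on top.
# The required subcategory list is an assumption; subcategory names assume an
# English locale. Run from an elevated PowerShell session.

# Subcategories covering "who logged on" vs "who did what" (assumed baseline).
$Required = @{
    'Logon'                     = 'Success and Failure'   # authentication events
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Success and Failure'
    'Credential Validation'     = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'   # account create/modify/delete
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'   # tampering with auditing itself
    'Process Creation'          = 'Success'               # actions on the endpoint
    'File System'               = 'Success and Failure'   # also needs SACLs on audited folders
}

# auditpol /r emits CSV; the 'Inclusion Setting' column holds the effective policy.
$Effective = auditpol /get /category:* /r | ConvertFrom-Csv

$Findings = foreach ($Name in $Required.Keys) {
    $Row  = $Effective | Where-Object { $_.Subcategory -eq $Name }
    $Have = if ($Row) { $Row.'Inclusion Setting' } else { 'Not found' }
    $Want = $Required[$Name]
    # 'Success and Failure' satisfies a requirement for either one alone.
    $Ok = ($Have -eq $Want) -or ($Have -eq 'Success and Failure')
    [pscustomobject]@{ Subcategory = $Name; Required = $Want; Effective = $Have; Ok = $Ok }
}
$Findings | Sort-Object Ok, Subcategory | Format-Table -AutoSize

# Capturing is useless if the log wraps before it is collected: check size and mode.
$Sec    = Get-WinEvent -ListLog Security
$SizeMB = [math]::Round($Sec.MaximumSizeInBytes / 1MB)
"Security log: $SizeMB MB, mode $($Sec.LogMode), IsEnabled=$($Sec.IsEnabled)"
if ($SizeMB -lt 1024) {
    Write-Warning "Security log is under 1 GB (assumed minimum); raise it so events survive until the agent forwards them."
}
if ($Findings | Where-Object { -not $_.Ok }) {
    Write-Warning "Some required subcategories are not audited; fix with auditpol /set /subcategory:`"<name>`" /success:enable /failure:enable or via GPO (Advanced Audit Policy Configuration)."
}
```

Run it on a domain controller, a file server and a sample workstation, since each role typically carries a different GPO and the gaps will differ.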
  • Brittany (NinjaOne) I have them on Avast Cloud Care which provides their endpoint firewall and AV service. It provides some additional info but nothing that in depth. Do you have any suggestions?

    petersaraby Yes, they do need to be CMMC compliant. The section I uploaded was the section they indicated to me that they needed help with. Thanks! I will definitely check into EventSentry as well as drop you a PM.

  • MCT901 wrote:

    Brittany (NinjaOne) I have them on Avast Cloud Care which provides their endpoint firewall and AV service. It provides some additional info but nothing that in depth. Do you have any suggestions?

    petersaraby Yes, they do need to be CMMC compliant. The section I uploaded was the section they indicated to me that they needed help with. Thanks! I will definitely check into EventSentry as well as drop you a PM.

    So, I might be biased but NinjaOne has a great unified IT operations solution :) this will include visibility over endpoints, event logs, patching, and a lot more. Here's a link to our site for more info: https://www.ninjaone.com/rmm/

    But, if you want additional opinions from other IT professionals, here are a few conversations that I've seen/been a part of lately around this topic. They might give you some insight into the community's thoughts about other options:

    Hope that helps, let me know if you have any questions about NinjaOne!

  • I would take a look at something like www.wazuh.com. Free, open-source software for centralized logging. We use this along with Sysmon integration for multiple clients to accomplish what is listed in the requirements. Very easy to use and customizable. You can create your own dashboards, specify app logs for consumption by the agent on the various devices, etc. You can create custom alerting (including real-time alerting) for certain types of events. It's a pretty amazing tool.
