In reviewing the DFS Cybersecurity regulation Section 500.02, I immediately began thinking of the NIST Framework. Section B has several subsections that map to NIST:
| Identify Risks | Identify |
| Defensive Infrastructure | Protect |
| Detect Cybersecurity Events | Detect |
| Respond to Events | Respond |
| Recover from Events | Recovery |
While Quest does not offer tools that are going to help across all of your systems, we do offer capabilities to assist in each of these categories around your Microsoft platforms. Here’s how we can help in each of these categories from a product perspective to help establish your cybersecurity Program:
Identify: Enterprise Reporter can identify who is a member of sensitive groups, who has access to unstructured data both on-premises and in Office 365, where delegated permissions may exist in Active Directory as well as many more built in reports. Identification of privileged users is a great start to know what should be cleaned in your environment. There are plenty of other risks where we can help you identify access and over privileged permissions.
Protect: Active Roles, GPOADmin and Change Auditor all have protection capabilities. Active Roles protects by helping you setup a least privilege access model for Active Directory. GPOADmin does the same thing for your Group Policies and Change Auditor can add an additional layer of protection to prevent even privileged accounts from making changes in your environment.
Detect: Change Auditor provides additional information than you can’t natively get in Active Directory, such as exactly what was changed – who, what, where, when, and workstation – as well as the before and after values. InTrust can also detect changes made to native operating system logs to notify you of any issues. Also, Quest is soon to have a new solution released which will detect unusual activity in your environment and generate alerts when suspicious activity occurs that could indicate a security breach or compromised account.
Respond: InTrust has response actions that can be configured to execute when a specific event has occurred. This can execute automatically to help minimize your pain in case an event does happen.
Recover: Recovery Manager for Active Directory Forest Edition can recover not only object and attribute level changes, but also forest level corruption.
DFS Cybersecurity Regulation
Section 500.03 covers creating Cybersecurity Policies. While our tools can’t create policies, some of the data from our tools can give you information about activity in your environment so that you can create policies without affecting the productivity of your admins. Here’s what you can do to help setup your least privilege access policy with Active Directory.
Section 500.06 establishes the need for an audit trail. Both InTrust and Change Auditor provide additional value. First, InTrust is amazing at log retention and event boasts the ability to have agent side caching (protects you in event logs roll over or someone clears logs maliciously. Now that you have to store all logs for five years, this can be of tremendous value. Change Auditor gives you additional information that you can’t get natively.
Section 500.07 covers who has access to what. Enterprise Reporter has ability to identify who has sensitive rights in your environment so that you can attest later on if those users need those rights.
While Quest can’t help you out with each section, there is plenty that we can do to make your life easier, whether you’re implementing the NIST framework for the first-time as a commercial organization or you’re a federal customer looking for solutions to meet your NIST needs. If we can provide more information please reach out!
