System And Information Integrity
Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.
Monitoring for anomalous or suspicious behavior can be done with signatures, statistical analysis, analytics, or machine learning applied to user activity events. The analysis seeks to find patterns in the data generated by user activity. This differs from traditional security applications, which analyze individual events. This class of analysis is typically called User and Entity Behavior Analytics (UEBA).

Example
You are working the night shift in the Security Operations Center (SOC). You notice alerts related to someone from accounting. That person doesn't use their computer at this time of night, so the monitoring system has identified anomalous activity. The algorithms identify activity outside business hours and an excessive data upload from a key server on the network using that account. You initiate an investigation to determine the source of, and the risk from, the data exfiltration.
DRAFT NIST SP 800-171B
Monitoring is used to identify unusual or unauthorized activities or conditions related to individual users and system components, for example: unusual internal systems communications traffic; unauthorized exporting of information; signaling to external systems; large file transfers; long-time persistent connections; attempts to access information from unexpected locations; unusual protocols and ports in use; and attempted communications with suspected malicious external addresses. The correlation of physical audit record information with the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, correlating an individual's identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred is indicative of anomalous behavior. Indications of increased risk from individuals can be obtained from many sources, including human resource records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of specific individuals is closely coordinated with management, legal, security, privacy, and human resource officials in organizations conducting such monitoring, and in certain circumstances requires the prior authorization of a specified senior organizational official.
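The SOC scenario above and the physical/logical correlation described in the 800-171B discussion can both be expressed as simple detection logic. The following is an added example, not part of this practice text or any vendor's UEBA product: it runs three checks (off-hours activity, a per-user statistical upload baseline, and logical access on a day with no badge-in record) over constructed sample events. The business-hours window, the z-score threshold, and the event and badge data are all assumptions made for the illustration.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample data for the scenario in the text (not real logs).
# Each event: (user, ISO timestamp, bytes uploaded from the key file server).
UPLOAD_EVENTS = [
    ("acct_user", "2024-03-04T10:05:00", 12_000_000),
    ("acct_user", "2024-03-05T11:20:00", 9_500_000),
    ("acct_user", "2024-03-06T14:40:00", 11_000_000),
    ("acct_user", "2024-03-07T09:30:00", 10_500_000),
    ("acct_user", "2024-03-08T02:13:00", 850_000_000),  # the night-shift alert
]
# Constructed physical access records: (user, date) on which the person badged in.
BADGE_DAYS = {("acct_user", "2024-03-04"), ("acct_user", "2024-03-05"),
              ("acct_user", "2024-03-06"), ("acct_user", "2024-03-07")}

BUSINESS_HOURS = range(7, 19)  # assumption: 07:00-18:59 is normal working time
Z_THRESHOLD = 3.0              # assumption: >3 std devs above the user's mean is excessive

def off_hours(ts):
    """True when the event falls outside the assumed business-hours window."""
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS

def upload_zscore(user, ts, amount, history):
    """Compare one upload against the same user's earlier uploads (per-user baseline)."""
    prior = [b for u, t, b in history if u == user and t < ts]
    if len(prior) < 3:         # too little history to judge; do not alert
        return 0.0
    sd = pstdev(prior)
    return 0.0 if sd == 0 else (amount - mean(prior)) / sd

def analyze(events=UPLOAD_EVENTS, badge_days=BADGE_DAYS):
    """Return findings as (user, timestamp, [reasons]) for events that look anomalous."""
    findings = []
    for user, ts, amount in events:
        reasons = []
        if off_hours(ts):
            reasons.append("off_hours")
        if upload_zscore(user, ts, amount, events) > Z_THRESHOLD:
            reasons.append("excessive_upload")
        if (user, ts[:10]) not in badge_days:
            reasons.append("no_physical_presence")  # logical access, no badge-in that day
        if reasons:
            findings.append((user, ts, reasons))
    return findings

if __name__ == "__main__":
    for finding in analyze():
        print(finding)
```

Only the 02:13 event is reported, with all three reasons attached; the four business-day uploads stay within the baseline and match a badge-in record.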
CIS Controls v7.1 13.3, 16.12, 16.13
NIST SP 800-53 Rev 4 SI-4
NIST CSF v1.1 DE.CM-1, DE.CM-3
CERT RMM v1.2 MON:SG1.SP3
Draft NIST SP 800-171B 3.14.2e