NIST CSF Series #14: Detect – Anomalies and Events

NIST CSF Detect - Anomalies and Events

Function:   Detect (DE)
Category:  Anomalies and Events (AE)

“Anomalous activity is detected in a timely manner and the potential impact of events is understood.”

DE.AE-1:  A baseline of network operations and expected data flows for users and systems is established and managed.

Information flow control regulates where information is allowed to travel within an information system and between information systems.  These flows may include, for example, blocking outside traffic that claims to be from within the organization (anti-spoofing), restricting web requests to the Internet that are not from an internal web proxy server, and limiting information transfers between segmented networks based on data content.  Many organizations provide this flow control through the deployment of network control mechanisms (routers, firewalls).  Some may control information directly on the system itself.

Remote access is an important consideration in flow control as well.  Users or processes acting on behalf of users communicating through external networks should be managed through VPN or other provision that adequately provides confidentiality and integrity protections.  Remote access controls apply to any system that is not a public web server or systems designed for public access.

Audit Considerations

Auditors may obtain a copy of the organization’s logical network diagram, data flow diagrams, and other network and communication diagrams.  They may review the diagrams for frequency of updating, accuracy and completeness, scope of the diagrams.  They may look to see if tools designed to establish a typical baseline of traffic to better detect abnormal traffic are in place.

Applicable CIS Critical Controls:

CIS Control 9 –  Limitation and Control of Network Ports, Protocols, and Services

Attackers search for remotely accessible network services that are exploitable.  Managing data flows to systems, especially those that do not need to be accessed publicly, reduces attack vectors for an organization.

DE.AE-2:  Detected events are analyzed to understand attack targets and methods.

Alerts and notifications from monitoring devices should be analyzed to detect abnormal events.   Due to the large volume of logs and events, an automated mechanisms to provide analysis and reporting is useful.  The information found in the analysis of detected events are often used to inform incident response teams or develop mitigating control strategies.

Audit Considerations

Auditors may obtain a copy of policies and procedures regarding system and network monitoring.  A copy of detected events (e.g. alerts from an IDS) and the organization’s response to them may also be reviewed to ensure thorough analysis of detected events is performed.

DE.AE-3:  Event data are aggregated and correlated from multiple sources and sensors.

Information security events are found on multiple data sources.   These sources and sensor should be aggregated and correlated in a centralized system.  Manual review of large data sources is not efficient, effective, or even practical.   A central location to manage the flow of security events is often required to successfully detect and respond to events.

Audit Considerations

Auditors may obtain a listing of event and monitoring systems in use in the organization (e.g. SIEM, event log correlation systems).  Additionally, data sources that feed these systems may need to be listed and reviewed to determine if there is adequate monitoring coverage.

DE.AE-4:  Impact of events is determined.

Identifying the potential impact of events is a necessary part of planning.  Whether this is through a risk assessment or part of contingency planning, understanding the potential impacts of events guides decisions related to deployment of security controls.

Audit Considerations

Auditors may obtain a copy of detected events and the organization’s responses to them.  Reviewing the events, tickets, and responses to ensure the organization is documenting the impact of anomalous activity using metrics that are applicable may be an audit task.

They may also look at planning documents to see if impacts are addressed.

DE.AE-5:  Incident alert thresholds are established.

As part of incident handling and incident response, setting thresholds determines when an event is identified as an incident.  Thresholds are defined that trigger incident response, legal response, communication requirements, data collection needs, or requirement to move to business continuity or disaster recovery plans.  Thresholds trigger escalation to higher level of response capabilities and senior management communications.

Audit Considerations

Auditors may obtain copies of alert messages, meeting minutes, reports, and other documentation where detected events were escalated.   They may review for timeliness of escalation and communication to appropriate authorities.