NIST CSF Series #15: Detect – Security Continuous Monitoring


Function:   Detect (DE)
Category:  Security Continuous Monitoring (CM)

“The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.” 


DE.CM-1: The network is monitored to detect potential cybersecurity events.

Network controls, such as firewalls and routers, are monitored and produce auditable logs that alert on and provide notification of potential cybersecurity events across the network. Often these events are fed into a central log management (CLM) system, a Security Information and Event Management (SIEM) platform, or another central location. Events may be identified from firewall logs or from NetFlow analysis.

Application and operating system logs also contribute to the monitoring of the overall network as these logs identify potential abuse against systems, ports, services, account privileges, etc.

Additionally, systems are in place to monitor potential Distributed Denial of Service attacks and provide notification of such attacks.

Audit Considerations

Auditors may obtain a list of monitoring controls implemented by the organization to detect events such as DDoS, unauthorized account access, unauthorized system access, privilege escalation attacks, and SQL injection, among others.

Applicable CIS Critical Controls:

CIS Control 6 –  Maintenance, Monitoring, and Analysis of Audit Logs

Without solid audit logs, an attack may go unnoticed indefinitely and the particular damage done may be irreversible. Poor or non-existent log analysis processes allow attackers to control systems for months or even years without anyone in the target organization knowing. A SIEM or log analytics tool for log aggregation and correlation is necessary given the massive volume of security log data being generated.

CIS Control 16 –  Account Monitoring and Control

Monitoring account usage to determine dormant (aka “stale”) accounts and then taking action to disable such accounts is a good security practice.   Monitoring and controlling privileged accounts is part of an overall security management program.


DE.CM-2:  The physical environment is monitored to detect potential cybersecurity events.

Monitoring physical access of employees and visitors provides control over theft or unauthorized access.   Knowledge of physical access devices such as keys, locks, combinations, card readers, and managing the location and disposition of these access controls is important.   Suspicious physical access attempts (e.g. access outside of normal business hours, repeated access to areas not normally accessed, out-of-sequence access) should be monitored and alerted on.   Visitor access is controlled and logged.

Audit Considerations

Auditors may obtain an inventory of critical facilities and determine if proper security monitoring controls are implemented and appropriate to detect potential events.


DE.CM-3:  Personnel activity is monitored to detect potential cybersecurity events.

Identifying and managing access for authorized users and detecting unauthorized access or abuse of privileges should be performed. This may include review of role and group membership, the access authorization process, alerting on privileged account activity, and logging of account creation, enabling, disabling, and removal.

Enabling auditing controls, and in some cases, where authorized, session auditing for sensitive transactions or information access, may also fall into this area.

Audit Considerations

Auditors may obtain a list of monitoring controls implemented by the organization that deal with account management, user access roles, user activity monitoring, and file/database access.  Are alerting mechanisms in place for events such as unauthorized account access, unauthorized file/system access, access out of hours, access to sensitive data, unusual access, or privilege escalation attacks?

Applicable CIS Critical Controls:

CIS Control 16 –  Account Monitoring and Control

Monitoring account usage to determine dormant (aka “stale”) accounts and then acting to disable such accounts is a good security practice.   Monitoring and controlling privileged accounts is part of an overall security management program.  Controls and alerting should be in place to detect and respond to unauthorized access events.
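The DE.CM-3 audit questions above (privileged account activity, access out of hours, unusual or unknown accounts) and the CIS Control 16 point about dormant accounts can be checked mechanically against an authentication log. The following is an added example, not code from the post or from NIST or CIS: it runs those four checks over a small constructed log. The log format, the account inventory, the 07:00-19:00 business-hours window and the 90-day dormancy threshold are all assumptions; in practice they come from the organization's own systems and policy.

```python
"""Account-activity monitoring over a constructed authentication log.

Added example for DE.CM-3 / CIS Control 16. Flags privileged-account
activity, successful logins outside business hours, accounts that are
not in the inventory, and dormant ("stale") accounts. All data, names
and thresholds below are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <user> <action> <source-ip> <result>"
SAMPLE_LOG = """\
2024-03-04T08:15:02 alice login 10.0.1.20 success
2024-03-04T09:02:44 bob login 10.0.1.31 success
2024-03-04T22:47:10 svc_backup login 10.0.9.5 success
2024-03-05T02:13:55 alice login 203.0.113.7 success
2024-03-05T10:30:00 admin-carol sudo 10.0.1.40 success
2024-03-05T10:31:12 admin-carol useradd 10.0.1.40 success
2024-03-05T11:00:00 bob login 10.0.1.31 success
2024-03-05T12:00:00 eve login 10.0.1.50 success
"""

# Assumed account inventory: account -> is_privileged ("eve" is deliberately absent)
ACCOUNTS = {"alice": False, "bob": False, "admin-carol": True,
            "svc_backup": False, "dave": False}
# Assumed last known successful activity before the sample window
LAST_LOGIN = {"dave": datetime(2023, 11, 1)}
BUSINESS_HOURS = (7, 19)   # assumed: 07:00 to 19:00 local time
DORMANT_DAYS = 90          # assumed policy threshold


def parse_events(text):
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, user, action, source, result = line.split()
        events.append({"ts": datetime.fromisoformat(stamp), "user": user,
                       "action": action, "source": source, "result": result})
    return events


def out_of_hours(events, hours=BUSINESS_HOURS):
    """Successful logins whose hour falls outside the business-hours window."""
    start, end = hours
    return [e for e in events
            if e["action"] == "login" and e["result"] == "success"
            and not (start <= e["ts"].hour < end)]


def privileged_activity(events, accounts=ACCOUNTS):
    """Every event performed by an account marked privileged in the inventory."""
    return [e for e in events if accounts.get(e["user"], False)]


def unknown_accounts(events, accounts=ACCOUNTS):
    """Accounts seen in the log that are not in the inventory at all."""
    return sorted({e["user"] for e in events if e["user"] not in accounts})


def dormant_accounts(events, accounts, last_login, as_of, dormant_days=DORMANT_DAYS):
    """Inventory accounts with no successful activity in the last dormant_days."""
    seen = dict(last_login)
    for e in events:
        if e["result"] == "success":          # any successful action counts as activity
            seen[e["user"]] = max(seen.get(e["user"], e["ts"]), e["ts"])
    cutoff = as_of - timedelta(days=dormant_days)
    return sorted(u for u in accounts if seen.get(u, datetime.min) < cutoff)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("out of hours:", [(e["ts"].isoformat(), e["user"]) for e in out_of_hours(evts)])
    print("privileged:  ", [(e["user"], e["action"]) for e in privileged_activity(evts)])
    print("unknown:     ", unknown_accounts(evts))
    print("dormant:     ", dormant_accounts(evts, ACCOUNTS, LAST_LOGIN, datetime(2024, 3, 6)))
```

Each function returns the matching events rather than printing them, so the same checks can feed a SIEM rule, a ticket, or the evidence an auditor asks for. The dormancy check treats any successful action (not only `login`) as activity, so a privileged account that only ever runs `sudo` is not wrongly flagged as stale.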


DE.CM-4:  Malicious code is detected.

There are multiple entry and exit points for malicious code to be introduced into the information system and data environment.   Viruses, worms, Trojan horses, spyware, among other malicious code types, can be encoded in various formats and use various techniques to avoid detection.   Beyond malicious code, attackers also use legitimate system utilities to bypass traditional anti-malware and anti-virus detection.  Centralized monitoring and control over malicious code protections provides additional capabilities to push updates and provide alerting mechanisms.

Audit Considerations

Auditors may look for processes and procedures used to detect malicious code on the network and servers/workstations.  They may examine if such controls are installed on all applicable systems and control points and that they are updated on a regular basis.   They may spot-check end-user devices to verify that malicious code controls are installed, updated, and capable of detecting malware (e.g. EICAR test virus).

Applicable CIS Critical Controls:

CIS Control 8 –  Malware Defenses

Malicious software can be designed to attack systems, devices, or data.  It can move rapidly throughout the organization and enter through several points such as end-user devices, email attachments, web pages, cloud services, user actions, and removable media.  Modern malware can be designed to avoid defenses or use legitimate system sources (e.g. PowerShell) to conduct actions.

Malware defenses must be able to operate in this dynamic environment that, today, goes beyond traditional file-based detection and mitigation capabilities.  Centralized infrastructure that provides real time alerting and ability to push updates is an essential component.



DE.CM-5:  Unauthorized mobile code is detected.

Mobile code technologies include, for example, Java, JavaScript, ActiveX, PostScript, PDF, Flash, and VBScript. An organization should weigh its use of such code against the potential damage it may cause. Policy and procedures should address the development, acquisition, or introduction of unacceptable mobile code within the information systems. A process for maintaining appropriate updates and versions of mobile code technologies should be maintained and enforced.

Some controls may include:  Detecting and blocking mobile code in email attachments (.exe, .js); detecting and blocking mobile code portions of websites; removing the ability to run mobile code on systems that do not require this functionality; blocking execution of mobile code that is not signed with an approved code signing certificate.

Audit Considerations

Auditors may look for processes and procedures used to detect unauthorized mobile code that is run on servers, workstations, and other devices.


DE.CM-6:  External service provider activity is monitored to detect potential cybersecurity events.

Procedures for external personnel who access systems should be defined separately from those for internal users. This includes controls surrounding consultants and contractors and the ability to monitor their access to information systems and data.

Additionally, as part of the acquisition process, third-party services should provide adequate assurances of their information security capabilities and of the ability to monitor access to the organization’s data. Security safeguards for data should be included in contract language and should cover, among other provisions, notification of cybersecurity events, termination of employees who held credentials to access systems, and security controls equivalent to the organization’s own controls.

Audit Considerations

Auditors may obtain and review contracts executed with external service providers to determine if the contract provides for appropriate security controls to protect the organization’s data and systems.


DE.CM-7:  Monitoring for unauthorized personnel, connections, devices, and software is performed.

Appropriate auditing of networks, servers, workstations, and physical access should be in place and provide adequate alerting capabilities for unauthorized activity.  Logs should be time-correlated so that individual audit records can be reliably related to other records.   A process and procedure should be in place to control physical access, especially to critical areas, of employees and visitors.

Audit Considerations

Auditors may obtain a copy of processes and procedures designed to detect unauthorized access to facilities and systems.  Among other items, they may look for sign-in/out logs and monitoring of excessive failed login attempts.  They may spot-check access controls by accessing facilities and systems with permission but not standard authorization to verify alert notification is generated.

Applicable CIS Critical Controls:

CIS Control 6 –  Maintenance, Monitoring, and Analysis of Audit Logs

Without solid audit logs, an attack may go unnoticed indefinitely and the damage done may be irreversible. Poor or non-existent log analysis processes allow attackers to control systems for months or even years without anyone in the target organization knowing. A SIEM or log analytics tool for log aggregation and correlation is necessary given the massive volume of security log data being generated.
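DE.CM-7 asks that logs be time-correlated so records from different sources can be reliably related, and its audit considerations single out monitoring of excessive failed login attempts. The example below is added here and is not from the post, NIST or CIS: it normalises a constructed syslog-style firewall log (UTC, no year) and a constructed application log (ISO timestamps with a +02:00 offset) onto one UTC timeline, raises an alert when one source address accumulates five or more failed logins inside ten minutes, and then pulls the firewall records from the same address around the first failure. Log formats, hostnames, addresses, the assumed year and the threshold/window values are all assumptions.

```python
"""Time-correlated log analysis: added example for DE.CM-7 / CIS Control 6.

Two constructed log sources with different timestamp conventions are
normalised to UTC, merged, scanned for bursts of failed logins, and
correlated against firewall records from the same source address.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed firewall log: syslog style, UTC clock, no year on the line
FIREWALL_LOG = """\
Mar  5 10:19:58 fw1 denied src=198.51.100.9 dst=10.0.1.10:23
Mar  5 10:20:40 fw1 allowed src=198.51.100.9 dst=10.0.1.10:22
"""
# Constructed application log: ISO 8601 timestamps in a +02:00 local zone
APP_LOG = """\
2024-03-05T12:20:05+02:00 app1 login failed user=alice src=198.51.100.9
2024-03-05T12:20:09+02:00 app1 login failed user=bob src=198.51.100.9
2024-03-05T12:20:14+02:00 app1 login failed user=carol src=198.51.100.9
2024-03-05T12:20:20+02:00 app1 login failed user=dave src=198.51.100.9
2024-03-05T12:20:27+02:00 app1 login failed user=eve src=198.51.100.9
2024-03-05T12:25:00+02:00 app1 login ok user=alice src=10.0.1.20
2024-03-05T13:05:00+02:00 app1 login failed user=alice src=10.0.1.20
"""
FW_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (denied|allowed) "
                   r"src=(\S+) dst=(\S+)$")
APP_RE = re.compile(r"^(\S+) (\S+) login (failed|ok) user=(\S+) src=(\S+)$")
ASSUMED_YEAR = 2024   # syslog lines carry no year; assumed for the sample


def parse_firewall(text):
    """Parse firewall lines; the clock is taken to be UTC (assumption)."""
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, verdict, src, dst = m.groups()
        ts = datetime.strptime(f"{ASSUMED_YEAR} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts.replace(tzinfo=timezone.utc), "source": "firewall",
                       "host": host, "event": verdict, "src": src, "detail": dst})
    return events


def parse_app(text):
    """Parse application lines and convert their zoned timestamps to UTC."""
    events = []
    for line in text.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        stamp, host, outcome, user, src = m.groups()
        ts = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        events.append({"ts": ts, "source": "app", "host": host,
                       "event": f"login_{outcome}", "src": src, "detail": user})
    return events


def timeline(firewall_text, app_text):
    """One UTC-ordered list of events from both sources."""
    return sorted(parse_firewall(firewall_text) + parse_app(app_text), key=lambda e: e["ts"])


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Source addresses with >= threshold failed logins inside a sliding window."""
    by_src = {}
    for e in events:
        if e["event"] == "login_failed":
            by_src.setdefault(e["src"], []).append(e["ts"])
    alerts = {}
    for src, stamps in by_src.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold and src not in alerts:
                alerts[src] = {"count": end - start + 1,
                               "first": stamps[start], "last": stamps[end]}
    return alerts


def related_firewall_events(events, src, around, window=timedelta(minutes=2)):
    """Firewall records for the same address within +/- window of a given time."""
    return [e for e in events if e["source"] == "firewall" and e["src"] == src
            and abs(e["ts"] - around) <= window]


if __name__ == "__main__":
    evts = timeline(FIREWALL_LOG, APP_LOG)
    for src, a in failed_login_bursts(evts).items():
        print(f"ALERT {src}: {a['count']} failed logins from {a['first']} to {a['last']}")
        for fw in related_firewall_events(evts, src, a["first"]):
            print("   firewall:", fw["ts"], fw["event"], fw["detail"])
```

The point of converting every record to an aware UTC `datetime` before merging is that the application log's `12:20:05+02:00` and the firewall's `10:19:58` are seven seconds apart, not two hours; without that normalisation the two records could never be related, which is exactly the failure DE.CM-7's time-correlation requirement guards against.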


DE.CM-8:  Vulnerability scans are performed.

Organizations should determine the required vulnerability scanning for all information system components.  Vulnerability analysis for custom applications may require static analysis, dynamic analysis or a hybrid approach to identify vulnerabilities.   Scanning for patch levels, unauthorized and non-secure open ports, and improper configuration should be included in scans and reports.   A process should be in place to mitigate found vulnerabilities or provide approved exceptions.

Using known naming conventions and tools to express vulnerabilities, such as the Common Vulnerabilities and Exposures (CVE) nomenclature, helps ensure consistent reporting and identification of known vulnerabilities.

Audit Considerations

Auditors may obtain a copy of the organization’s schedule for performing internal and external vulnerability scans and the results of the most recent scan.   They may review the schedule for frequency, successful completion, and documented resolution or mitigation of identified vulnerabilities.   They may verify that the scope of scans covers all critical systems.

Applicable CIS Critical Controls:

CIS Control 4 –  Continuous Vulnerability Assessment and Remediation

Software updates, patches, security advisories, and threat bulletins are part of the constant stream of new information that security personnel must manage. Attackers often have the same information and take advantage of gaps between the appearance of new vulnerabilities and the remediation deployed by an organization. Organizations that do not scan for vulnerabilities and proactively address discovered flaws face a significant likelihood of having their systems compromised.
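DE.CM-8 calls for consistent CVE-based naming of findings and for a process that either mitigates each finding or records an approved exception; its audit considerations look for documented resolution within the scan schedule. The example below is added here and is not from the post, NIST or CIS. It merges two constructed scanner reports that name the same weakness in different forms, validates identifiers against the CVE-YYYY-NNNN pattern, keeps the earliest first-seen date per host and CVE, and reports which findings are past an assumed severity-based remediation SLA while honouring approved exceptions. The CVE identifiers, hostnames, scanner names, SLA days and exception dates are all constructed placeholders.

```python
"""Vulnerability-scan normalisation and remediation tracking.

Added example for DE.CM-8 / CIS Control 4. Every identifier, host and
date below is a constructed placeholder, not a real finding.
"""
import re
from datetime import date, timedelta

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")   # published CVE identifier pattern

# Constructed reports from two scanners that format identifiers differently
SCANNER_A = [
    {"host": "web01", "id": "cve-2024-10001", "severity": "Critical", "first_seen": "2024-01-10"},
    {"host": "web01", "id": "CVE-2023-20002", "severity": "high", "first_seen": "2024-02-20"},
    {"host": "db01", "id": "VENDOR-0001", "severity": "medium", "first_seen": "2024-02-01"},
]
SCANNER_B = [
    {"host": "web01", "id": "CVE-2024-10001", "severity": "critical", "first_seen": "2024-01-12"},
    {"host": "db01", "id": "CVE-2023-20002", "severity": "High", "first_seen": "2024-01-15"},
]
# Assumed remediation SLA in days, by severity
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}
# Assumed approved exceptions: (host, cve) -> date the exception expires
EXCEPTIONS = {("db01", "CVE-2023-20002"): date(2024, 6, 30)}


def normalize_cve(raw):
    """Canonical CVE form (upper case, trimmed) or None if not a CVE identifier."""
    cand = raw.strip().upper()
    return cand if CVE_RE.match(cand) else None


def merge_findings(*reports):
    """Merge (name, report) pairs into {(host, cve): finding}; collect non-CVE ids."""
    merged, unmapped = {}, []
    for name, report in reports:
        for f in report:
            cve = normalize_cve(f["id"])
            if cve is None:
                unmapped.append((name, f["host"], f["id"]))   # needs manual mapping
                continue
            key = (f["host"], cve)
            first = date.fromisoformat(f["first_seen"])
            entry = merged.setdefault(key, {"severity": f["severity"].lower(),
                                            "first_seen": first, "sources": []})
            entry["first_seen"] = min(entry["first_seen"], first)   # earliest sighting wins
            entry["sources"].append(name)
    return merged, unmapped


def overdue_findings(merged, as_of, sla=SLA_DAYS, exceptions=EXCEPTIONS):
    """Split SLA-breaching findings into (overdue, covered-by-valid-exception)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    overdue, excepted = [], []
    for key, f in merged.items():
        due = f["first_seen"] + timedelta(days=sla[f["severity"]])
        if due >= as_of:
            continue                                   # still inside its SLA
        if exceptions.get(key, date.min) >= as_of:
            excepted.append(key)                       # approved exception still valid
        else:
            overdue.append(key)
    return sorted(overdue), sorted(excepted)


if __name__ == "__main__":
    merged, unmapped = merge_findings(("scanner_a", SCANNER_A), ("scanner_b", SCANNER_B))
    over, exc = overdue_findings(merged, "2024-03-15")
    print("overdue:   ", over)
    print("excepted:  ", exc)
    print("unmapped:  ", unmapped)
```

Findings that carry a vendor-specific identifier rather than a CVE are not silently dropped; they are returned separately so the owner can map them by hand, which is the practical consequence of the "consistent reporting and identification" point above. Expired exceptions fall back into the overdue list automatically, so an exception has to be renewed rather than forgotten.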