SI-4: System Monitoring

Control Statement

  1. Monitor the system to detect:
    1. Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and
    2. Unauthorized local, network, and remote connections;
  2. Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];
  3. Invoke internal monitoring capabilities or deploy monitoring devices:
    1. Strategically within the system to collect organization-determined essential information; and
    2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
  4. Analyze detected events and anomalies;
  5. Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
  6. Obtain legal opinion regarding system monitoring activities; and
  7. Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Assignment (one or more): as needed, [Assignment: organization-defined frequency]].

Supplemental Guidance

System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.

Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
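The guidance above places monitoring devices at managed interfaces and names, as a transaction of interest, HTTP traffic that bypasses the HTTP proxy, alongside the control's requirement to detect unauthorized remote connections. The following Python is an added example, not code from NIST or from this page, that runs that detection logic over constructed flow records of the kind a boundary sensor might export. The enclave range, proxy address, set of web ports and published-service list are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed network facts for this example (not taken from the control text):
INTERNAL_NET = ip_network("10.0.0.0/8")   # the monitored enclave
HTTP_PROXY = ip_address("10.0.0.5")       # the only sanctioned egress path for web traffic
WEB_PORTS = {80, 443, 8080}               # destination ports treated as HTTP/HTTPS
ALLOWED_INBOUND = {("10.0.0.10", 443)}    # published services external hosts may reach


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def parse_flows(text: str) -> list[Flow]:
    """Parse constructed flow records: 'src dst dport proto' per line, '#' comments allowed."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto.lower()))
    return flows


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


def find_proxy_bypass(flows: list[Flow]) -> list[Flow]:
    """Web-port TCP flows leaving the enclave from any host other than the proxy:
    the 'HTTP traffic that bypasses HTTP proxies' transaction of interest."""
    return [
        f for f in flows
        if f.proto == "tcp" and f.dport in WEB_PORTS
        and is_internal(f.src) and ip_address(f.src) != HTTP_PROXY
        and not is_internal(f.dst)
    ]


def find_unauthorized_inbound(flows: list[Flow]) -> list[Flow]:
    """Connections from outside the enclave to anything not on the published-service
    list (the 'unauthorized remote connections' part of SI-4a.2)."""
    return [
        f for f in flows
        if not is_internal(f.src) and is_internal(f.dst)
        and (f.dst, f.dport) not in ALLOWED_INBOUND
    ]


# Constructed flow records (sample data for this example only).
SAMPLE_FLOWS = """
10.0.1.20    10.0.0.5       8080  tcp   # workstation -> proxy: sanctioned
10.0.0.5     203.0.113.7    443   tcp   # proxy -> internet: sanctioned
10.0.1.21    198.51.100.9   443   tcp   # workstation -> internet directly: proxy bypass
10.0.1.22    198.51.100.9   80    tcp   # proxy bypass
10.0.1.22    203.0.113.53   53    udp   # DNS, not a web port
192.0.2.44   10.0.0.10      443   tcp   # inbound to the published web service: allowed
192.0.2.45   10.0.1.20      22    tcp   # inbound SSH to a workstation: unauthorized
"""


def monitor(text: str) -> dict[str, list[Flow]]:
    """Run both checks and return the detections by category."""
    flows = parse_flows(text)
    return {
        "proxy_bypass": find_proxy_bypass(flows),
        "unauthorized_inbound": find_unauthorized_inbound(flows),
    }


if __name__ == "__main__":
    for category, hits in monitor(SAMPLE_FLOWS).items():
        for f in hits:
            print(f"{category}: {f.src} -> {f.dst}:{f.dport}/{f.proto}")
```

The two checks are deliberately allow-list shaped: the proxy is the only internal host expected to originate web-port traffic outbound, and only published services are expected to receive inbound connections, so anything else is a detection to analyze under SI-4d rather than a verdict on its own.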

Control Enhancements

SI-4(4): Inbound and Outbound Communications Traffic

Baseline(s):

  • Moderate
  • High

Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].

SI-4(5): System-generated Alerts

Baseline(s):

  • Moderate
  • High

Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

SI-4(7): Automated Response to Suspicious Events

Baseline(s):

(Not part of any baseline)

Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and Take the following actions upon detection: [Assignment: organization-defined least-disruptive actions to terminate suspicious events].

SI-4(10): Visibility of Encrypted Communications

Baseline(s):

  • High

Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].

SI-4(11): Analyze Communications Traffic Anomalies

Baseline(s):

(Not part of any baseline)

Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies.

SI-4(12): Automated Organization-generated Alerts

Baseline(s):

  • High

Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].

SI-4(13): Analyze Traffic and Event Patterns

Baseline(s):

(Not part of any baseline)

Analyze communications traffic and event patterns for the system; Develop profiles representing common traffic and event patterns; and Use the traffic and event profiles in tuning system-monitoring devices.

SI-4(14): Wireless Intrusion Detection

Baseline(s):

  • High

Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.

SI-4(17): Integrated Situational Awareness

Baseline(s):

(Not part of any baseline)

Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

SI-4(18): Analyze Traffic and Covert Exfiltration

Baseline(s):

(Not part of any baseline)

Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system].
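SI-4(11), SI-4(13) and SI-4(18) together describe learning the common outbound traffic and event pattern and using that profile to discover anomalies, including covert exfiltration. The following Python is an added example, not code from NIST or from this page: it builds a per-host profile (mean and standard deviation of hourly outbound bytes, plus the set of destinations normally contacted) from a constructed learning period, then flags current observations that exceed the volume band, go to a destination never seen in the profile, or come from a host with no profile at all. The byte counts, addresses, the k=3 band width and the standard-deviation floor are assumptions; a small transfer to a new destination is a lead worth analyzing, not proof of exfiltration.

```python
from __future__ import annotations
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Profile:
    mean_bytes: float
    stdev_bytes: float
    known_dsts: frozenset[str]


@dataclass(frozen=True)
class Observation:
    host: str
    dst: str
    out_bytes: int


@dataclass(frozen=True)
class Finding:
    host: str
    dst: str
    reason: str


# Constructed learning period (sample data only): hourly outbound byte counts per host
# and the external destinations each host normally talks to (SI-4(13) "common pattern").
HISTORY = {
    "10.0.1.20": ([120_000, 95_000, 130_000, 110_000, 100_000, 125_000, 115_000],
                  {"203.0.113.7", "203.0.113.8"}),
    "10.0.1.21": ([40_000, 55_000, 45_000, 50_000, 42_000, 48_000, 52_000],
                  {"203.0.113.7"}),
}


def build_profiles(history: dict) -> dict[str, Profile]:
    """Turn the learning period into one Profile per host."""
    return {host: Profile(mean(vols), pstdev(vols), frozenset(dsts))
            for host, (vols, dsts) in history.items()}


def analyze_outbound(observations: list[Observation], profiles: dict[str, Profile],
                     k: float = 3.0, min_stdev: float = 1_000.0) -> list[Finding]:
    """Flag observations that deviate from the learned profile. min_stdev keeps a
    perfectly flat history from producing a zero-width band that fires on any change."""
    findings: list[Finding] = []
    for o in observations:
        p = profiles.get(o.host)
        if p is None:
            findings.append(Finding(o.host, o.dst, "unprofiled_host"))
            continue
        limit = p.mean_bytes + k * max(p.stdev_bytes, min_stdev)
        if o.out_bytes > limit:
            findings.append(Finding(o.host, o.dst, "volume_anomaly"))
        if o.dst not in p.known_dsts:
            findings.append(Finding(o.host, o.dst, "new_destination"))
    return findings


# Constructed current-hour observations (sample data only).
CURRENT = [
    Observation("10.0.1.20", "203.0.113.7", 118_000),     # within band, known destination
    Observation("10.0.1.20", "198.51.100.9", 900_000),    # large volume to an unseen host
    Observation("10.0.1.21", "203.0.113.7", 58_000),      # within band
    Observation("10.0.1.21", "198.51.100.44", 3_000),     # small, but to an unseen destination
    Observation("10.0.1.99", "203.0.113.7", 10_000),      # host with no profile
]


def run() -> list[Finding]:
    return analyze_outbound(CURRENT, build_profiles(HISTORY))


if __name__ == "__main__":
    for f in run():
        print(f"{f.reason}: {f.host} -> {f.dst}")
```

The profile is what SI-4(13) calls for tuning monitoring devices: the band width k and the floor decide how noisy the sensor is, and the known-destination set is the part that catches low-and-slow transfers that a pure volume threshold would miss.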

SI-4(19): Risk for Individuals

Baseline(s):

(Not part of any baseline)

Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.

SI-4(20): Privileged Users

Baseline(s):

  • High

Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].

SI-4(21): Probationary Periods

Baseline(s):

(Not part of any baseline)

Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring].

SI-4(22): Unauthorized Network Services

Baseline(s):

  • High

Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and [Assignment (one or more): Audit, Alert [Assignment: organization-defined personnel or roles] ] when detected.
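SI-4(22) asks for detection of network services that have not passed the organization's approval process, followed by an audit record and/or an alert to designated personnel. The following Python is an added example, not code from NIST or from this page, of that check run against a constructed listening-socket inventory such as a host agent might export; the approval registry, the inventory line format and the alert role are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    host: str
    proto: str
    port: int
    process: str


# Assumed approval registry: services that completed the organization's approval process.
APPROVED = {
    ("web01", "tcp", 443),
    ("web01", "tcp", 22),
    ("db01", "tcp", 5432),
    ("db01", "tcp", 22),
}

# Constructed inventory of listening sockets: 'host proto port process', one per line.
INVENTORY = """\
web01 tcp 443 nginx
web01 tcp 22 sshd
web01 tcp 8888 python3
db01 tcp 5432 postgres
db01 tcp 22 sshd
db01 udp 1900 minidlnad
"""


def parse_inventory(text: str) -> list[Listener]:
    listeners = []
    for line in text.splitlines():
        if not line.strip():
            continue
        host, proto, port, process = line.split()
        listeners.append(Listener(host, proto.lower(), int(port), process))
    return listeners


def find_unauthorized(listeners: list[Listener]) -> list[Listener]:
    """Anything listening that is not in the approval registry is a detection."""
    return [l for l in listeners if (l.host, l.proto, l.port) not in APPROVED]


def respond(unauthorized: list[Listener], alert_roles: tuple[str, ...] = ("soc-oncall",)) -> list[dict]:
    """Produce the SI-4(22) follow-up: one audit record per detection and one alert per role."""
    actions = []
    for l in unauthorized:
        service = f"{l.proto}/{l.port}"
        actions.append({"action": "audit", "host": l.host, "service": service, "process": l.process})
        for role in alert_roles:
            actions.append({"action": "alert", "to": role, "host": l.host, "service": service})
    return actions


def check(text: str) -> list[dict]:
    return respond(find_unauthorized(parse_inventory(text)))


if __name__ == "__main__":
    for a in check(INVENTORY):
        print(a)
```

Keying the registry on host, protocol and port rather than on process name means a renamed binary does not become approved by accident; the process name is carried along only as context for whoever handles the audit record or alert.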

SI-4(23): Host-based Devices

Baseline(s):

(Not part of any baseline)

Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].

SI-4(24): Indicators of Compromise

Baseline(s):

(Not part of any baseline)

Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources].

SI-4(25): Optimize Network Traffic Analysis

Baseline(s):

(Not part of any baseline)

Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.