SI-4: System Monitoring
Previous Version:
- NIST Special Publication 800-53 Revision 4, SI-4: Information System Monitoring
Control Statement
- Monitor the system to detect:
  - Attacks and indicators of potential attacks in accordance with the following monitoring objectives: [Assignment: organization-defined monitoring objectives]; and
  - Unauthorized local, network, and remote connections;
- Identify unauthorized use of the system through the following techniques and methods: [Assignment: organization-defined techniques and methods];
- Invoke internal monitoring capabilities or deploy monitoring devices:
  - Strategically within the system to collect organization-determined essential information; and
  - At ad hoc locations within the system to track specific types of transactions of interest to the organization;
- Analyze detected events and anomalies;
- Adjust the level of system monitoring activity when there is a change in risk to organizational operations and assets, individuals, other organizations, or the Nation;
- Obtain legal opinion regarding system monitoring activities; and
- Provide [Assignment: organization-defined system monitoring information] to [Assignment: organization-defined personnel or roles] [Assignment (one or more): as needed, [Assignment: organization-defined frequency]].
Supplemental Guidance
System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.
Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
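As an added illustration of the "HTTP traffic that bypasses HTTP proxies" transaction type named above (example code, not part of SP 800-53 or of any monitoring product): it reads constructed NetFlow-style records and flags web flows from internal hosts that reach external destinations without traversing the egress proxy. The internal address ranges, proxy address and web ports are assumed placeholders.

```python
"""Flag web flows that bypass the egress HTTP proxy (an SI-4 "transaction of interest").

Added example; the address ranges, proxy address and flow records are constructed.
"""
import ipaddress
from typing import Iterable

# Assumed environment (placeholders): internal address space, the approved
# egress proxy, and the destination ports a web proxy normally fronts.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
PROXY_ADDR = ipaddress.ip_address("10.0.0.5")
WEB_PORTS = {80, 443, 8080}

# Constructed NetFlow-style records: src,sport,dst,dport,proto,bytes
SAMPLE_FLOWS = [
    "10.1.2.3,51234,10.0.0.5,8080,tcp,4120",       # via the proxy: expected
    "10.1.2.3,51235,93.184.216.34,443,tcp,9830",   # direct to Internet on 443: bypass
    "10.0.0.5,40001,93.184.216.34,443,tcp,9830",   # the proxy's own upstream leg: expected
    "10.1.2.9,51236,10.1.2.10,443,tcp,512",        # internal to internal: not egress
    "192.168.4.7,53000,198.51.100.20,80,tcp,300",  # direct to Internet on 80: bypass
    "10.1.2.9,51237,198.51.100.20,22,tcp,1000",    # SSH, not a web port: out of scope here
]

def is_internal(addr) -> bool:
    """True when the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)

def parse_flow(line: str) -> dict:
    """Split one comma-separated flow record into typed fields."""
    src, sport, dst, dport, proto, nbytes = line.strip().split(",")
    return {"src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport),
            "proto": proto, "bytes": int(nbytes)}

def proxy_bypass_flows(lines: Iterable[str]) -> list:
    """Return web flows from internal hosts straight to external destinations.

    A flow is a bypass when the source is internal and is not the proxy itself,
    the destination is outside the internal ranges, and the destination port is
    a web port. Everything else (proxied, internal-only, non-web) is ignored.
    """
    hits = []
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "tcp" or f["dport"] not in WEB_PORTS:
            continue
        if not is_internal(f["src"]) or f["src"] == PROXY_ADDR:
            continue
        if is_internal(f["dst"]):
            continue
        hits.append(f)
    return hits

if __name__ == "__main__":
    for f in proxy_bypass_flows(SAMPLE_FLOWS):
        print(f"proxy bypass: {f['src']} -> {f['dst']}:{f['dport']} ({f['bytes']} bytes)")
```

In production the same rule would run over the flow source feeding the SC-7 boundary devices, with the proxy's own upstream leg excluded exactly as above so it is not reported as a bypass.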
Control Enhancements
SI-4(1): System-wide Intrusion Detection System
Baseline(s):
Connect and configure individual intrusion detection tools into a system-wide intrusion detection system.
SI-4(2): Automated Tools and Mechanisms for Real-time Analysis
Baseline(s):
- Moderate
- High
Employ automated tools and mechanisms to support near real-time analysis of events.
SI-4(3): Automated Tool and Mechanism Integration
Baseline(s):
Employ automated tools and mechanisms to integrate intrusion detection tools and mechanisms into access control and flow control mechanisms.
SI-4(4): Inbound and Outbound Communications Traffic
Baseline(s):
- Moderate
- High
- Determine criteria for unusual or unauthorized activities or conditions for inbound and outbound communications traffic; and
- Monitor inbound and outbound communications traffic [Assignment: organization-defined frequency] for [Assignment: organization-defined unusual or unauthorized activities or conditions].
SI-4(5): System-generated Alerts
Baseline(s):
- Moderate
- High
Alert [Assignment: organization-defined personnel or roles] when the following system-generated indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
SI-4(7): Automated Response to Suspicious Events
Baseline(s):
- Notify [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events; and
- Take the following actions upon detection: [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
SI-4(9): Testing of Monitoring Tools and Mechanisms
Baseline(s):
Test intrusion-monitoring tools and mechanisms [Assignment: organization-defined frequency].
SI-4(10): Visibility of Encrypted Communications
Baseline(s):
- High
Make provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined system monitoring tools and mechanisms].
SI-4(11): Analyze Communications Traffic Anomalies
Baseline(s):
Analyze outbound communications traffic at the external interfaces to the system and selected [Assignment: organization-defined interior points within the system] to discover anomalies.
SI-4(12): Automated Organization-generated Alerts
Baseline(s):
- High
Alert [Assignment: organization-defined personnel or roles] using [Assignment: organization-defined automated mechanisms] when the following indications of inappropriate or unusual activities with security or privacy implications occur: [Assignment: organization-defined activities that trigger alerts].
SI-4(13): Analyze Traffic and Event Patterns
Baseline(s):
- Analyze communications traffic and event patterns for the system;
- Develop profiles representing common traffic and event patterns; and
- Use the traffic and event profiles in tuning system-monitoring devices.
SI-4(14): Wireless Intrusion Detection
Baseline(s):
- High
Employ a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises or breaches to the system.
SI-4(15): Wireless to Wireline Communications
Baseline(s):
Employ an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
SI-4(16): Correlate Monitoring Information
Baseline(s):
Correlate information from monitoring tools and mechanisms employed throughout the system.
SI-4(17): Integrated Situational Awareness
Baseline(s):
Correlate information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
SI-4(18): Analyze Traffic and Covert Exfiltration
Baseline(s):
Analyze outbound communications traffic at external interfaces to the system and at the following interior points to detect covert exfiltration of information: [Assignment: organization-defined interior points within the system].
SI-4(19): Risk for Individuals
Baseline(s):
Implement [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.
SI-4(20): Privileged Users
Baseline(s):
- High
Implement the following additional monitoring of privileged users: [Assignment: organization-defined additional monitoring].
SI-4(21): Probationary Periods
Baseline(s):
Implement the following additional monitoring of individuals during [Assignment: organization-defined probationary period]: [Assignment: organization-defined additional monitoring].
SI-4(22): Unauthorized Network Services
Baseline(s):
- High
- Detect network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes]; and
- [Assignment (one or more): Audit, Alert [Assignment: organization-defined personnel or roles]] when detected.
SI-4(23): Host-based Devices
Baseline(s):
Implement the following host-based monitoring mechanisms at [Assignment: organization-defined system components]: [Assignment: organization-defined host-based monitoring mechanisms].
SI-4(24): Indicators of Compromise
Baseline(s):
Discover, collect, and distribute to [Assignment: organization-defined personnel or roles], indicators of compromise provided by [Assignment: organization-defined sources].
SI-4(25): Optimize Network Traffic Analysis
Baseline(s):
Provide visibility into network traffic at external and key internal system interfaces to optimize the effectiveness of monitoring devices.