Continuously Monitor Networks and Systems

(Back)

Objective

Establish a baseline for acceptable activity patterns within the organization to detect attacks and indicators of potential attacks.

Description

• Setup logging functionality for systems and networks, in accordance with GC Event Logging Guidance.
• Limit access to logs to those who need to review them.
• Implementing automatic alerting in order for anomalies in activity patterns to be flagged and reviewed, as well as potential vulnerabilities and events that need risk mitigation action to be taken.
• Continuously monitor directory services (and other primary user stores) for indicators of compromise or active attack.

References

TBS

1. DSM Appendix B (B.2.3.7, B.2.3.8, B2.3.8.2)
2. GC Event Logging Guidance
3. GC Enterprise Information Security Continuous Monitoring Framework (DRAFT), and
4. DSD Appendix G: Account Management Configuration Requirements (13)
5. DSD Appendix G: Web Sites and Services Management Configurations (15)
6. Appendix G: Endpoint Management Configuration Requirement (13)

CCCS

1. Ransomware playbook (ITSM.00.099) (2.2.2)

SSC

1. SSC Standard on the Management of Security Logs (4.3.1)

Related Security Controls (ITSG-33)

SI‑2, SI‑4, SI-4(23), AU‑2, AU‑3, AU‑6, AU‑8, AU‑9, AU‑9(4), AU‑12