|SI-4 (1) System-Wide Intrusion Detection System || |
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.
|SI-4 (2) Automated Tools For Real-Time Analysis ||MODERATE |
Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real-time analysis of alerts and/or notifications generated by organizational information systems.
The organization employs automated tools to support near real-time analysis of events.
|SI-4 (3) Automated Tool Integration || |
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
|SI-4 (4) Inbound And Outbound Communications Traffic ||MODERATE |
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
|SI-4 (5) System-Generated Alerts ||MODERATE |
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
|SI-4 (6) Restrict Non-Privileged Users || |
Withdrawn: Incorporated into AC-6 (10).
|SI-4 (7) Automated Response To Suspicious Events || |
Least-disruptive actions may include, for example, initiating requests for human responses.
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions] to terminate suspicious events.
|SI-4 (8) Protection Of Monitoring Information || |
Withdrawn: Incorporated into SI-4.
|SI-4 (9) Testing Of Monitoring Tools || |
Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment.
The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].
|SI-4 (10) Visibility Of Encrypted Communications || |
Organizations balance the potentially conflicting needs for encrypting communications traffic and for having insight into such traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of communications traffic is paramount; for others, mission-assurance is of greater concern. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.
The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools].
|SI-4 (11) Analyze Communications Traffic Anomalies || |
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
|SI-4 (12) Automated Alerts || |
This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats).
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].
|SI-4 (13) Analyze Traffic / Event Patterns || |
The organization:
SI-4 (13)(a) Analyzes communications traffic/event patterns for the information system;
SI-4 (13)(b) Develops profiles representing common traffic patterns and/or events; and
SI-4 (13)(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
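The anomaly classes named in SI-4 (11) (large transfers, long-lived connections, unusual ports, contact with suspected malicious addresses) and the profile-then-tune approach of SI-4 (13) can be combined in a small detector. This is an added example, not text or code from the control catalog; the flow records, the hosts, the 203.0.113.0/24 watchlist and the byte/duration thresholds are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data (not from the original text): NetFlow-style records
# as (flow_id, src, dst, dst_port, proto, bytes_out, duration_s).
BASELINE_FLOWS = [  # a known-good observation window used to build the profile
    ("b1", "10.0.1.5", "10.0.2.10", 443, "tcp", 12_000, 2.1),
    ("b2", "10.0.1.5", "10.0.2.53", 53, "udp", 120, 0.1),
    ("b3", "10.0.1.7", "10.0.2.10", 443, "tcp", 30_000, 3.0),
    ("b4", "10.0.1.7", "10.0.2.53", 53, "udp", 110, 0.1),
]
TODAYS_FLOWS = [  # flows under analysis; comments state what should be flagged
    ("f1", "10.0.1.5", "10.0.2.10", 443, "tcp", 11_000, 1.9),          # normal
    ("f2", "10.0.1.5", "198.51.100.9", 443, "tcp", 900_000_000, 40.0),  # large transfer
    ("f3", "10.0.1.7", "10.0.2.10", 4444, "tcp", 2_000, 7200.0),        # odd port, long-lived
    ("f4", "10.0.1.7", "203.0.113.44", 443, "tcp", 5_000, 3.0),         # watchlisted address
]
# Constructed watchlist of suspected malicious external ranges (TEST-NET-3 here).
SUSPECT_NETS = [ipaddress.ip_network("203.0.113.0/24")]

def build_profile(flows):
    """SI-4 (13)(b): per-source profile of the destinations and ports it normally uses."""
    profile = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for _, src, dst, port, proto, _, _ in flows:
        profile[src]["dsts"].add(dst)
        profile[src]["ports"].add((proto, port))
    return profile

def detect_anomalies(profile, flows, suspect_nets=SUSPECT_NETS,
                     large_bytes=100_000_000, long_seconds=3600.0):
    """SI-4 (11): return [(flow_id, [reasons])] for flows deviating from the profile."""
    empty = {"dsts": set(), "ports": set()}
    findings = []
    for fid, src, dst, port, proto, nbytes, dur in flows:
        known = profile.get(src, empty)   # unprofiled source: everything is new
        reasons = []
        if nbytes >= large_bytes:
            reasons.append("large transfer")
        if dur >= long_seconds:
            reasons.append("long-lived connection")
        if (proto, port) not in known["ports"]:
            reasons.append(f"unusual port {proto}/{port}")
        if dst not in known["dsts"]:
            reasons.append("new destination")
        if any(ipaddress.ip_address(dst) in net for net in suspect_nets):
            reasons.append("suspected malicious address")
        if reasons:
            findings.append((fid, reasons))
    return findings
```

The thresholds and the profile window are the tuning knobs SI-4 (13)(c) refers to: widening the baseline window lowers false positives, tightening the thresholds lowers false negatives.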
|SI-4 (14) Wireless Intrusion Detection || |
Wireless signals may radiate beyond the confines of organization-controlled facilities. Organizations proactively search for unauthorized wireless connections, including conducting thorough scans for unauthorized wireless access points. Scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems.
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
|SI-4 (15) Wireless To Wireline Communications || |
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
|SI-4 (16) Correlate Monitoring Information || |
Correlating information from different monitoring tools can provide a more comprehensive view of information system activity. The correlation of monitoring tools that usually work in isolation (e.g., host monitoring, network monitoring, anti-virus software) can provide an organization-wide view and in so doing, may reveal otherwise unseen attack patterns. Understanding the capabilities/limitations of diverse monitoring tools and how to maximize the utility of information generated by those tools can help organizations to build, operate, and maintain effective monitoring programs.
The organization correlates information from monitoring tools employed throughout the information system.
|SI-4 (17) Integrated Situational Awareness || |
This control enhancement correlates monitoring information from a more diverse set of information sources to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated cyber attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4 (16), which correlates the various cyber monitoring information, this control enhancement correlates monitoring beyond just the cyber domain. Such monitoring may help reveal attacks on organizations that are operating across multiple attack vectors.
The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
|SI-4 (18) Analyze Traffic / Covert Exfiltration || |
Covert means that can be used for the unauthorized exfiltration of organizational information include, for example, steganography.
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.
|SI-4 (19) Individuals Posing Greater Risk || |
Indications of increased risk from individuals can be obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards.
The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.
|SI-4 (20) Privileged User || |
The organization implements [Assignment: organization-defined additional monitoring] of privileged users.
|SI-4 (21) Probationary Periods || |
The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period].
|SI-4 (22) Unauthorized Network Services || |
Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.
The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].
|SI-4 (23) Host-Based Devices || |
Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers.
The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].
|SI-4 (24) Indicators Of Compromise || |
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include, for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.
The information system discovers, collects, distributes, and uses indicators of compromise.