
SI-4 INFORMATION SYSTEM MONITORING


Overview

Number: SI-4
Title: Information System Monitoring
Impact: LOW
Priority: P1
Subject Area: System And Information Integrity

Instructions
The organization:
SI-4a. Monitors the information system to detect:
       SI-4a.1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
       SI-4a.2. Unauthorized local, network, and remote connections;
SI-4b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
SI-4c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
SI-4d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
SI-4e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
SI-4f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
SI-4g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
Guidance
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.

Enhancements
SI-4 (1) System-Wide Intrusion Detection System

The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.

SI-4 (2) Automated Tools For Real-Time Analysis MODERATE
Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real-time analysis of alerts and/or notifications generated by organizational information systems.

The organization employs automated tools to support near real-time analysis of events.

SI-4 (3) Automated Tool Integration

The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.

SI-4 (4) Inbound And Outbound Communications Traffic MODERATE
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.

The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.

SI-4 (5) System-Generated Alerts MODERATE
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.

The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].

SI-4 (6) Restrict Non-Privileged Users

Withdrawn: Incorporated into AC-6 (10).

SI-4 (7) Automated Response To Suspicious Events
Least-disruptive actions may include, for example, initiating requests for human responses.

The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].

SI-4 (8) Protection Of Monitoring Information

Withdrawn: Incorporated into SI-4.

SI-4 (9) Testing Of Monitoring Tools
Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment.

The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].

SI-4 (10) Visibility Of Encrypted Communications
Organizations balance the potentially conflicting needs for encrypting communications traffic and for having insight into such traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of communications traffic is paramount; for others, mission-assurance is of greater concern. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.

The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools].

SI-4 (11) Analyze Communications Traffic Anomalies
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.

The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.

SI-4 (12) Automated Alerts
This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats).

The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].

SI-4 (13) Analyze Traffic / Event Patterns

The organization:
SI-4 (13)(a) Analyzes communications traffic/event patterns for the information system;
SI-4 (13)(b) Develops profiles representing common traffic patterns and/or events; and
SI-4 (13)(c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
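The following Python example is added here to make SI-4 (11) and SI-4 (13) concrete; it is not part of the control text and is not a tool the catalog references. It builds a per-service traffic profile from a constructed set of known-good outbound flows (SI-4 (13)(b)), then scores new flows for the anomaly classes SI-4 (11) lists: large file transfers, long-lived connections, unusual protocol/port pairs, and contact with a suspected malicious address. All addresses, byte counts and the watch list are constructed (RFC 5737 and private ranges); the `z` parameter is the tuning knob of SI-4 (13)(c), and the spread floor in `_upper_bound` is an assumption chosen so that a service with near-constant values still tolerates jitter.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One outbound connection summary (constructed; shape of a flow-collector record)."""
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    bytes_out: int   # bytes sent from inside the boundary
    duration_s: int


# Constructed baseline: "known good" outbound flows from one subnet over a week.
# Two services dominate: HTTPS to a web host and DNS to the internal resolver.
BASELINE = (
    [Flow("10.0.1.5", "198.51.100.10", "tcp", 443, b, d)
     for b, d in zip([20000, 30000, 40000, 50000, 60000, 45000, 35000, 40000],
                     [3, 4, 5, 6, 7, 8, 9, 6])]
    + [Flow("10.0.1.5", "10.0.0.2", "udp", 53, b, d)
       for b, d in zip([120, 150, 180, 200], [0, 1, 0, 1])]
)

# Constructed watch list of suspected malicious external addresses (RFC 5737 TEST-NET-3).
SUSPECT_ADDRS = {"203.0.113.7"}


def build_profile(flows):
    """SI-4 (13)(b): per (proto, dport) profile of typical volume and duration."""
    by_service = defaultdict(list)
    for f in flows:
        by_service[(f.proto, f.dport)].append(f)
    profile = {}
    for key, fs in by_service.items():
        b = [f.bytes_out for f in fs]
        d = [f.duration_s for f in fs]
        profile[key] = {
            "count": len(fs),
            "bytes_mean": mean(b), "bytes_sd": pstdev(b),
            "dur_mean": mean(d), "dur_sd": pstdev(d),
        }
    return profile


def _upper_bound(p_mean, p_sd, z, floor_frac=0.25):
    # Assumed floor on the spread so a near-constant service still tolerates jitter.
    return p_mean + z * max(p_sd, floor_frac * p_mean)


def score_flow(flow, profile, suspect_addrs, z=3.0):
    """SI-4 (11): return the anomaly reasons for one flow (empty list = normal).

    z is the SI-4 (13)(c) tuning knob: raise it to cut false positives,
    lower it to cut false negatives.
    """
    reasons = []
    if flow.dst in suspect_addrs:
        reasons.append("suspected malicious destination")
    svc = profile.get((flow.proto, flow.dport))
    if svc is None:
        reasons.append("unusual protocol/port")
        return reasons
    if flow.bytes_out > _upper_bound(svc["bytes_mean"], svc["bytes_sd"], z):
        reasons.append("large file transfer")
    if flow.duration_s > _upper_bound(svc["dur_mean"], svc["dur_sd"], z):
        reasons.append("long-lived connection")
    return reasons


def analyze(flows, baseline=BASELINE, suspect_addrs=SUSPECT_ADDRS, z=3.0):
    """Score each flow against the profile built from the baseline; keyed by index."""
    profile = build_profile(baseline)
    return {i: score_flow(f, profile, suspect_addrs, z) for i, f in enumerate(flows)}


# Constructed flows to score against the baseline.
CANDIDATES = [
    Flow("10.0.1.5", "198.51.100.10", "tcp", 443, 45000, 7),        # normal
    Flow("10.0.1.5", "198.51.100.10", "tcp", 443, 5_000_000, 40),   # bulk upload
    Flow("10.0.1.5", "198.51.100.44", "tcp", 6667, 900, 12),        # port not in profile
    Flow("10.0.1.5", "203.0.113.7", "tcp", 443, 30000, 3),          # watch-listed address
    Flow("10.0.1.5", "198.51.100.10", "tcp", 443, 50000, 3600),     # persistent session
]

if __name__ == "__main__":
    for i, reasons in analyze(CANDIDATES).items():
        print(i, reasons or "ok")
```

The profile is keyed on protocol and destination port because that is the granularity at which the enhancement's examples (unusual protocols and ports, large transfers, persistent connections) are expressed; a production deployment would key on richer attributes and recompute the baseline on a schedule so that drift in normal traffic does not become a standing false positive.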

SI-4 (14) Wireless Intrusion Detection
Wireless signals may radiate beyond the confines of organization-controlled facilities. Organizations proactively search for unauthorized wireless connections including the conduct of thorough scans for unauthorized wireless access points. Scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems.

The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.

SI-4 (15) Wireless To Wireline Communications

The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.

SI-4 (16) Correlate Monitoring Information
Correlating information from different monitoring tools can provide a more comprehensive view of information system activity. The correlation of monitoring tools that usually work in isolation (e.g., host monitoring, network monitoring, anti-virus software) can provide an organization-wide view and in so doing, may reveal otherwise unseen attack patterns. Understanding the capabilities/limitations of diverse monitoring tools and how to maximize the utility of information generated by those tools can help organizations to build, operate, and maintain effective monitoring programs.

The organization correlates information from monitoring tools employed throughout the information system.

SI-4 (17) Integrated Situational Awareness
This control enhancement correlates monitoring information from a more diverse set of information sources to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated cyber attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4 (16) which correlates the various cyber monitoring information, this control enhancement correlates monitoring beyond just the cyber domain. Such monitoring may help reveal attacks on organizations that are operating across multiple attack vectors.

The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.

SI-4 (18) Analyze Traffic / Covert Exfiltration
Covert means that can be used for the unauthorized exfiltration of organizational information include, for example, steganography.

The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.

SI-4 (19) Individuals Posing Greater Risk
Indications of increased risk from individuals can be obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards.

The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.

SI-4 (20) Privileged User

The organization implements [Assignment: organization-defined additional monitoring] of privileged users.

SI-4 (21) Probationary Periods

The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period].

SI-4 (22) Unauthorized Network Services
Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.

The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].

SI-4 (23) Host-Based Devices
Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers.

The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].

SI-4 (24) Indicators Of Compromise
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.

The information system discovers, collects, distributes, and uses indicators of compromise.
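The following Python example is added here to illustrate the "collects, distributes, and uses" cycle of SI-4 (24); it is not part of the control text and is not a specific product's IOC format. It takes a constructed indicator set of the two kinds the guidance names (a registry key value for compromised hosts, and URL/domain/address elements for command-and-control traffic), distributes it as JSON Lines, and sweeps constructed host and network telemetry for matches. Every indicator value is a placeholder (`.invalid` names, RFC 5737 addresses, an invented Run-key value name), the event shapes are assumptions, and the URL comparison deliberately ignores the query string on the assumption that beacon URLs vary it per host.

```python
import json
from dataclasses import dataclass, asdict
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Indicator:
    ioc_id: str
    kind: str   # "registry-key", "domain", "ipv4", "url"
    value: str


# Constructed indicator set; values are placeholders, not real threat intelligence.
INDICATORS = [
    Indicator("ioc-1", "registry-key",
              r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"),
    Indicator("ioc-2", "domain", "c2.example.invalid"),
    Indicator("ioc-3", "ipv4", "203.0.113.7"),
    Indicator("ioc-4", "url", "http://beacon.example.invalid/gate.php"),
]

# Constructed telemetry: host-level registry writes plus HTTP, DNS and flow records.
EVENTS = [
    {"id": "e1", "type": "registry_set", "host": "ws-17",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updchk"},
    {"id": "e2", "type": "http", "host": "ws-17",
     "url": "http://beacon.example.invalid/gate.php?id=17"},
    {"id": "e3", "type": "dns", "host": "ws-22", "qname": "mail.c2.example.invalid"},
    {"id": "e4", "type": "http", "host": "ws-03", "url": "https://www.example.org/index.html"},
    {"id": "e5", "type": "netflow", "host": "srv-01", "dst_ip": "203.0.113.7"},
]


def export_feed(indicators):
    """Distribute: serialise indicators as JSON Lines so other systems can adopt them."""
    return "\n".join(json.dumps(asdict(i)) for i in indicators)


def import_feed(text):
    """Adopt: parse a JSON Lines feed back into Indicator objects."""
    return [Indicator(**json.loads(line)) for line in text.splitlines() if line.strip()]


def _norm_url(url):
    p = urlsplit(url.strip())
    # Compare scheme, host and path only; the query string is assumed to vary per host.
    return (p.scheme.lower(), p.hostname or "", p.path or "/")


def build_index(indicators):
    """Use: one lookup table per indicator kind, normalised for case-insensitive matching."""
    idx = {"registry-key": {}, "domain": {}, "ipv4": {}, "url": {}}
    for i in indicators:
        key = _norm_url(i.value) if i.kind == "url" else i.value.lower()
        idx[i.kind][key] = i.ioc_id
    return idx


def _domain_hit(idx, name):
    # Walk up the labels so subdomains of an indicated domain also match.
    parts = name.lower().rstrip(".").split(".")
    for n in range(len(parts)):
        candidate = ".".join(parts[n:])
        if candidate in idx["domain"]:
            return idx["domain"][candidate]
    return None


def match_event(idx, ev):
    """Return the ioc_id this event matches, or None."""
    t = ev["type"]
    if t == "registry_set":
        return idx["registry-key"].get(ev["key"].lower())
    if t == "dns":
        return _domain_hit(idx, ev["qname"])
    if t == "http":
        hit = idx["url"].get(_norm_url(ev["url"]))
        return hit or _domain_hit(idx, urlsplit(ev["url"]).hostname or "")
    if t == "netflow":
        return idx["ipv4"].get(ev["dst_ip"])
    return None


def sweep(events, indicators):
    """Return (event_id, ioc_id) pairs for every event that matches an indicator."""
    idx = build_index(indicators)
    return [(ev["id"], hit) for ev in events if (hit := match_event(idx, ev))]


if __name__ == "__main__":
    feed = export_feed(INDICATORS)          # what a sharing partner would receive
    for event_id, ioc_id in sweep(EVENTS, import_feed(feed)):
        print(event_id, "matched", ioc_id)
```

Matching on a parent domain and on a query-stripped URL is what makes the sweep useful against infrastructure that rotates hostnames or per-victim parameters; the trade-off is that an overly broad domain indicator (a shared hosting or CDN domain) would match benign traffic, which is why indicator sets are curated before distribution.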