
ECAT-2 Audit Trail, Monitoring, Analysis and Reporting


Overview

An automated, continuous on-line monitoring and audit trail creation capability is deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability to automatically disable the system if serious IA violations are detected.

MAC / CONF: CLASSIFIED, MACI, MACII
Impact: Medium
Subject Area: Enclave Computing Environment

Details

Threat
A lack of automated, continuous on-line monitoring and audit capability would delay the detection of security violations, so that further damage to the system could not be prevented in a timely manner. This implementation guide is intended to help network administrators implement an automated auditing tool that provides continuous on-line monitoring and audit report generation, giving effective and efficient detection of minor and major security violations that affect critical system operations.

Guidance
1. The system engineering team (consisting of project manager, system engineer, network administrator, security engineer, IA personnel) shall identify a list of DOD approved automated, continuous on-line monitoring tools (e.g. intrusion detection system).
2. The system project management team shall perform an analysis of the advantages and disadvantages of the individual monitoring tools based on tool functions, system environment, and funding.
3. The system project management team shall select the automated, continuous on-line monitoring tool that is best suited to the system environment.
4. The network administrator shall install the selected automated, continuous on-line monitoring tool in a lab environment and configure the tool properly in accordance with vendor security checklists and/or industry best practices.
5. The network administrator shall test, at a minimum, the following capabilities of the tool:
  · Recording and monitoring security events in real time
  · Alerting personnel immediately of any unusual or inappropriate security activity
  · Disabling the system if serious IA violations are detected, based on detection signatures.
6. The network administrator shall determine the alerting options (pager, email, or cell phone) and configure the tool so that it alerts operators immediately when a security violation is detected.
7. If the tool works as planned, the network administrator shall deploy the tool on the system in the operational environment.
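The following is an added illustration of the three capabilities that step 5 tests (real-time recording, immediate alerting, and user-configurable automatic disabling on serious violations); it is not part of the ECAT-2 text or of any DoD-approved product. The signatures, the log lines, and the `notify`/`disable_system` hooks are constructed stand-ins for a real tool's signature set and pager/email dispatch.

```python
import re
from dataclasses import dataclass, field

# Constructed detection signatures: (pattern, severity, description).
# Severity decides whether the user-configurable auto-disable fires.
SIGNATURES = [
    (re.compile(r"sshd\[\d+\]: Failed password for"), "minor", "failed remote login"),
    (re.compile(r"sudo: .*COMMAND=\S*useradd .*-o"), "serious", "uid-0 account created via sudo"),
    (re.compile(r"auditd\[\d+\]: Audit daemon is stopping"), "serious", "audit trail stopped"),
]


@dataclass
class Monitor:
    auto_disable: bool = False  # the "user configurable" automatic-disable option
    alerts: list = field(default_factory=list)
    disabled: bool = False

    def notify(self, severity, desc, line):
        # Stand-in for pager/email/cell-phone dispatch: record the alert immediately.
        self.alerts.append((severity, desc))

    def disable_system(self):
        # Stand-in for isolating the host (e.g. downing its interface); only sets a flag here.
        self.disabled = True

    def process(self, line):
        """Match one audit line against the signatures; return the severity hit or None."""
        for pattern, severity, desc in SIGNATURES:
            if pattern.search(line):
                self.notify(severity, desc, line)
                if severity == "serious" and self.auto_disable and not self.disabled:
                    self.disable_system()
                return severity
        return None


def run_monitor(lines, auto_disable=False):
    """Feed audit lines through a Monitor in arrival order and return it for inspection."""
    mon = Monitor(auto_disable=auto_disable)
    for line in lines:
        mon.process(line)
    return mon


# Constructed sample audit trail (syslog-style), not captured from a real host.
SAMPLE_LOG = [
    "Jun  1 10:00:01 host sshd[1201]: Failed password for root from 10.0.0.5 port 5022 ssh2",
    "Jun  1 10:00:07 host sshd[1201]: Accepted password for alice from 10.0.0.9 port 5031 ssh2",
    "Jun  1 10:02:13 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd -o -u 0 bob",
    "Jun  1 10:03:40 host auditd[512]: Audit daemon is stopping.",
]
```

With `auto_disable=True` the monitor raises three alerts and disables the system at the first serious hit; with the default setting it still alerts on all three but leaves the system running, which is the configurable behaviour the control calls for.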
