SI — SYSTEM AND INFORMATION INTEGRITY
SI-4: INFORMATION SYSTEM MONITORING
NIST 800-53R4 Membership SI-4:
The organization:
- a. Monitors the information system to detect:
  - Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
  - Unauthorized local, network, and remote connections;
- Strategically within the information system to collect organization-determined essential information; and
- At ad hoc locations within the system to track specific types of transactions of interest to the organization;
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). 
A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless.
RELATED CONTROLS: SI-4
SI-4 (1) INFORMATION SYSTEM MONITORING | SYSTEM-WIDE INTRUSION DETECTION SYSTEM
The organization connects and configures individual intrusion detection tools into an information system-wide intrusion detection system.
Supplemental Guidance: NONE
SI-4 (2) INFORMATION SYSTEM MONITORING | AUTOMATED TOOLS FOR REAL-TIME ANALYSIS
NIST 800-53R4 Membership SI-4 (2):
The organization employs automated tools to support near real-time analysis of events.
Automated tools include, for example, host-based, network-based, transport-based, or storage-based event monitoring tools or Security Information and Event Management (SIEM) technologies that provide real time analysis of alerts and/or notifications generated by organizational information systems.
SI-4 (3) INFORMATION SYSTEM MONITORING | AUTOMATED TOOL INTEGRATION
The organization employs automated tools to integrate intrusion detection tools into access control and flow control mechanisms for rapid response to attacks by enabling reconfiguration of these mechanisms in support of attack isolation and elimination.
Supplemental Guidance: NONE
SI-4 (4) INFORMATION SYSTEM MONITORING | INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC
NIST 800-53R4 Membership SI-4 (4):
The information system monitors inbound and outbound communications traffic [Assignment: organization-defined frequency] for unusual or unauthorized activities or conditions.
Unusual/unauthorized activities or conditions related to information system inbound and outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Evidence of malicious code is used to identify potentially compromised information systems or information system components.
SI-4 (5) INFORMATION SYSTEM MONITORING | SYSTEM-GENERATED ALERTS
NIST 800-53R4 Membership SI-4 (5):
The information system alerts [Assignment: organization-defined personnel or roles] when the following indications of compromise or potential compromise occur: [Assignment: organization-defined compromise indicators].
Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers.
RELATED CONTROLS: SI-4 (5)
SI-4 (6) INFORMATION SYSTEM MONITORING | RESTRICT NON-PRIVILEGED USERS
[Withdrawn: Incorporated into AC-6 (10)].
SI-4 (7) INFORMATION SYSTEM MONITORING | AUTOMATED RESPONSE TO SUSPICIOUS EVENTS
The information system notifies [Assignment: organization-defined incident response personnel (identified by name and/or by role)] of detected suspicious events and takes [Assignment: organization-defined least-disruptive actions to terminate suspicious events].
Least-disruptive actions may include, for example, initiating requests for human responses.
SI-4 (8) INFORMATION SYSTEM MONITORING | PROTECTION OF MONITORING INFORMATION
[Withdrawn: Incorporated into SI-4].
SI-4 (9) INFORMATION SYSTEM MONITORING | TESTING OF MONITORING TOOLS
The organization tests intrusion-monitoring tools [Assignment: organization-defined frequency].
Testing intrusion-monitoring tools is necessary to ensure that the tools are operating correctly and continue to meet the monitoring objectives of organizations. The frequency of testing depends on the types of tools used by organizations and methods of deployment.
RELATED CONTROLS: SI-4 (9)
SI-4 (10) INFORMATION SYSTEM MONITORING | VISIBILITY OF ENCRYPTED COMMUNICATIONS
The organization makes provisions so that [Assignment: organization-defined encrypted communications traffic] is visible to [Assignment: organization-defined information system monitoring tools].
Organizations balance the potentially conflicting needs for encrypting communications traffic and for having insight into such traffic from a monitoring perspective. For some organizations, the need to ensure the confidentiality of communications traffic is paramount; for others, mission-assurance is of greater concern. Organizations determine whether the visibility requirement applies to internal encrypted traffic, encrypted traffic intended for external destinations, or a subset of the traffic types.
SI-4 (11) INFORMATION SYSTEM MONITORING | ANALYZE COMMUNICATIONS TRAFFIC ANOMALIES
The organization analyzes outbound communications traffic at the external boundary of the information system and selected [Assignment: organization-defined interior points within the system (e.g., subnetworks, subsystems)] to discover anomalies.
Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses.
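The four anomaly types named above, applied to outbound flow records. This is an added example, not part of the control text; the record fields, thresholds, egress allow-list and watchlist network are all assumed, organization-defined values.

```python
import ipaddress
from collections import namedtuple

# Assumed, organization-defined values (not taken from the control text).
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_EGRESS = {("tcp", 443), ("tcp", 80), ("udp", 53), ("udp", 123)}
SUSPECT_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder watchlist
MAX_BYTES_OUT = 500 * 1024 * 1024   # threshold for "large file transfer"
MAX_DURATION_S = 8 * 3600           # threshold for "long-time persistent connection"

Flow = namedtuple("Flow", "src dst proto dport bytes_out duration_s")

def in_any(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)

def anomalies(flow):
    """Return the SI-4 (11) anomaly labels that apply to one outbound flow."""
    # Only flows leaving the boundary are in scope for this enhancement.
    if not in_any(flow.src, INTERNAL) or in_any(flow.dst, INTERNAL):
        return []
    found = []
    if flow.bytes_out > MAX_BYTES_OUT:
        found.append("large_transfer")
    if flow.duration_s > MAX_DURATION_S:
        found.append("long_lived_connection")
    if (flow.proto, flow.dport) not in ALLOWED_EGRESS:
        found.append("unusual_protocol_or_port")
    if in_any(flow.dst, SUSPECT_NETS):
        found.append("suspect_destination")
    return found

# Constructed sample flow records; external addresses are documentation ranges.
SAMPLE_FLOWS = [
    Flow("10.1.2.10", "198.51.100.7", "tcp", 443, 40_000, 12),
    Flow("10.1.2.11", "198.51.100.9", "tcp", 443, 900 * 1024 * 1024, 600),
    Flow("10.1.2.12", "192.0.2.50", "tcp", 6667, 2_000, 36 * 3600),
    Flow("10.1.2.13", "203.0.113.5", "udp", 53, 300, 1),
    Flow("10.1.2.14", "10.9.9.9", "tcp", 445, 10**9, 60),  # internal-only, ignored
]

def report(flows=SAMPLE_FLOWS):
    """Map each source host to its anomaly labels, omitting clean flows."""
    return {f.src: labels for f in flows if (labels := anomalies(f))}

if __name__ == "__main__":
    for src, labels in report().items():
        print(src, ", ".join(labels))
```

A flow can carry more than one label, which is useful when ranking alerts for triage.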
SI-4 (12) INFORMATION SYSTEM MONITORING | AUTOMATED ALERTS
The organization employs automated mechanisms to alert security personnel of the following inappropriate or unusual activities with security implications: [Assignment: organization-defined activities that trigger alerts].
This control enhancement focuses on the security alerts generated by organizations and transmitted using automated means. In contrast to the alerts generated by information systems in SI-4 (5), which tend to focus on information sources internal to the systems (e.g., audit records), the sources of information for this enhancement can include other entities as well (e.g., suspicious activity reports, reports on potential insider threats).
RELATED CONTROLS: SI-4 (12)
SI-4 (13) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / EVENT PATTERNS
The organization:
- (a) Analyzes communications traffic/event patterns for the information system;
- (b) Develops profiles representing common traffic patterns and/or events; and
- (c) Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
Supplemental Guidance: NONE
SI-4 (14) INFORMATION SYSTEM MONITORING | WIRELESS INTRUSION DETECTION
The organization employs a wireless intrusion detection system to identify rogue wireless devices and to detect attack attempts and potential compromises/breaches to the information system.
Wireless signals may radiate beyond the confines of organization-controlled facilities. Organizations proactively search for unauthorized wireless connections including the conduct of thorough scans for unauthorized wireless access points. Scans are not limited to those areas within facilities containing information systems, but also include areas outside of facilities as needed, to verify that unauthorized wireless access points are not connected to the systems.
RELATED CONTROLS: SI-4 (14)
SI-4 (15) INFORMATION SYSTEM MONITORING | WIRELESS TO WIRELINE COMMUNICATIONS
The organization employs an intrusion detection system to monitor wireless communications traffic as the traffic passes from wireless to wireline networks.
Supplemental Guidance: NONE
RELATED CONTROLS: SI-4 (15)
SI-4 (16) INFORMATION SYSTEM MONITORING | CORRELATE MONITORING INFORMATION
The organization correlates information from monitoring tools employed throughout the information system.
Correlating information from different monitoring tools can provide a more comprehensive view of information system activity. The correlation of monitoring tools that usually work in isolation (e.g., host monitoring, network monitoring, anti-virus software) can provide an organization-wide view and in so doing, may reveal otherwise unseen attack patterns. Understanding the capabilities/limitations of diverse monitoring tools and how to maximize the utility of information generated by those tools can help organizations to build, operate, and maintain effective monitoring programs.
RELATED CONTROLS: SI-4 (16)
SI-4 (17) INFORMATION SYSTEM MONITORING | INTEGRATED SITUATIONAL AWARENESS
The organization correlates information from monitoring physical, cyber, and supply chain activities to achieve integrated, organization-wide situational awareness.
This control enhancement correlates monitoring information from a more diverse set of information sources to achieve integrated situational awareness. Integrated situational awareness from a combination of physical, cyber, and supply chain monitoring activities enhances the capability of organizations to more quickly detect sophisticated cyber attacks and investigate the methods and techniques employed to carry out such attacks. In contrast to SI-4 (16), which correlates the various cyber monitoring information, this control enhancement correlates monitoring beyond just the cyber domain. Such monitoring may help reveal attacks on organizations that are operating across multiple attack vectors.
RELATED CONTROLS: SI-4 (17)
SI-4 (18) INFORMATION SYSTEM MONITORING | ANALYZE TRAFFIC / COVERT EXFILTRATION
The organization analyzes outbound communications traffic at the external boundary of the information system (i.e., system perimeter) and at [Assignment: organization-defined interior points within the system (e.g., subsystems, subnetworks)] to detect covert exfiltration of information.
Covert means that can be used for the unauthorized exfiltration of organizational information include, for example, steganography.
SI-4 (19) INFORMATION SYSTEM MONITORING | INDIVIDUALS POSING GREATER RISK
The organization implements [Assignment: organization-defined additional monitoring] of individuals who have been identified by [Assignment: organization-defined sources] as posing an increased level of risk.
Indications of increased risk from individuals can be obtained from a variety of sources including, for example, human resource records, intelligence agencies, law enforcement organizations, and/or other credible sources. The monitoring of individuals is closely coordinated with management, legal, security, and human resources officials within organizations conducting such monitoring and complies with federal legislation, Executive Orders, policies, directives, regulations, and standards.
SI-4 (20) INFORMATION SYSTEM MONITORING | PRIVILEGED USERS
The organization implements [Assignment: organization-defined additional monitoring] of privileged users.
Supplemental Guidance: NONE
SI-4 (21) INFORMATION SYSTEM MONITORING | PROBATIONARY PERIODS
The organization implements [Assignment: organization-defined additional monitoring] of individuals during [Assignment: organization-defined probationary period].
Supplemental Guidance: NONE
SI-4 (22) INFORMATION SYSTEM MONITORING | UNAUTHORIZED NETWORK SERVICES
The information system detects network services that have not been authorized or approved by [Assignment: organization-defined authorization or approval processes] and [Selection (one or more): audits; alerts [Assignment: organization-defined personnel or roles]].
Unauthorized or unapproved network services include, for example, services in service-oriented architectures that lack organizational verification or validation and therefore may be unreliable or serve as malicious rogues for valid services.
RELATED CONTROLS: SI-4 (22)
SI-4 (23) INFORMATION SYSTEM MONITORING | HOST-BASED DEVICES
The organization implements [Assignment: organization-defined host-based monitoring mechanisms] at [Assignment: organization-defined information system components].
Information system components where host-based monitoring can be implemented include, for example, servers, workstations, and mobile devices. Organizations consider employing host-based monitoring mechanisms from multiple information technology product developers.
SI-4 (24) INFORMATION SYSTEM MONITORING | INDICATORS OF COMPROMISE
The information system discovers, collects, distributes, and uses indicators of compromise.
Indicators of compromise (IOC) are forensic artifacts from intrusions that are identified on organizational information systems (at the host or network level). IOCs provide organizations with valuable information on objects or information systems that have been compromised. IOCs for the discovery of compromised hosts can include, for example, the creation of registry key values. IOCs for network traffic include, for example, Universal Resource Locator (URL) or protocol elements that indicate malware command and control servers. The rapid distribution and adoption of IOCs can improve information security by reducing the time that information systems and organizations are vulnerable to the same exploit or attack.