This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Monitors the information system to detect:
1. Attacks and indicators of potential attacks in accordance with [Assignment: organization-defined monitoring objectives]; and
2. Unauthorized local, network, and remote connections;
b. Identifies unauthorized use of the information system through [Assignment: organization-defined techniques and methods];
c. Deploys monitoring devices: (i) strategically within the information system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protects information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heightens the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information;
f. Obtains legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides [Assignment: organization-defined information system monitoring information] to [Assignment: organization-defined personnel or roles] [Selection (one or more): as needed; [Assignment: organization-defined frequency]].
SI-4 Additional FedRAMP Requirements and Guidance: See US-CERT Incident Response Reporting Guidelines.
NIST 800-53 (r4) Supplemental Guidance:
Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7.
References: NIST Special Publications 800-61, 800-83, 800-92, 800-94, 800-137.
NIST 800-53 (r5) Discussion:
System monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at external interfaces to the system. Internal monitoring includes the observation of events occurring within the system. Organizations monitor systems by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives guide and inform the determination of the events. System monitoring capabilities are achieved through a variety of tools and techniques, including intrusion detection and prevention systems, malicious code protection software, scanning tools, audit record monitoring software, and network monitoring software.
Depending on the security architecture, the distribution and configuration of monitoring devices may impact throughput at key internal and external boundaries as well as at other locations across a network due to the introduction of network throughput latency. If throughput management is needed, such devices are strategically located and deployed as part of an established organization-wide security architecture. Strategic locations for monitoring devices include selected perimeter locations and near key servers and server farms that support critical applications. Monitoring devices are typically employed at the managed interfaces associated with controls SC-7 and AC-17. The information collected is a function of the organizational monitoring objectives and the capability of systems to support such objectives. Specific types of transactions of interest include Hypertext Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. System monitoring is an integral part of organizational continuous monitoring and incident response programs, and output from system monitoring serves as input to those programs. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other controls (e.g., AC-2g, AC-2(7), AC-2(12)(a), AC-17(1), AU-13, AU-13(1), AU-13(2), CM-3f, CM-6d, MA-3a, MA-4a, SC-5(3)(b), SC-7a, SC-7(24)(b), SC-18b, SC-43b). Adjustments to levels of system monitoring are based on law enforcement information, intelligence information, or other sources of information. The legality of system monitoring activities is based on applicable laws, executive orders, directives, regulations, policies, standards, and guidelines.
38North Guidance:
Meets Minimum Requirement:
Part a. Predominantly implemented by system boundary devices, although host-based solutions such as Endpoint Detection and Response (EDR) may supplement them. Many of our customers will claim host-based monitoring mechanisms, and that is acceptable as long as the usual suspects are also deployed at the perimeter (e.g., firewalls, proxies, etc.) and the logs of those devices are sent to the SIEM. The control implementation statement should describe how all traffic is monitored. In addition, the perimeter firewall monitoring capabilities should be leveraged from the IaaS information system. If the SIEM is ingesting logs from the IaaS firewalls, this should be described as well, so that it is clear the CSP can aggregate inbound/outbound traffic events and information in a centralized tool.
Part b. Identify unauthorized use of the information system through real-time monitoring from audit logging tool(s), intrusion detection systems and/or intrusion prevention systems, and/or other monitoring tool(s) including the security information and event monitoring (SIEM) tool.
Part c. Deploy monitoring devices: (i) strategically within the system to collect organization-determined essential information; and (ii) at ad hoc locations within the system to track specific types of transactions of interest to the CSP.
Part d. Protect information obtained from intrusion-monitoring and audit logging tools from unauthorized access, modification, and deletion. Access to intrusion-monitoring tools must be restricted to necessary users based on their role/function. Records of user activity from intrusion-monitoring tools must be logged, sent to a SIEM, and monitored for suspicious activity.
Part e. Heighten the level of information system monitoring activity whenever there is an indication of increased risk to CSP operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. Utilize threat intelligence sources (e.g., SIEM alerts, submitted incidents, industry alerts, news outlets, social media, etc.) to determine the appropriate level of monitoring activity.
Part f. Obtain legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations.
Part g. Provide all pertinent security logging and monitoring information to organization-defined personnel or roles at required intervals. Leverage US-CERT Incident Response Reporting Guidelines.
Best Practice: A common SIEM solution is Splunk.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Part a. Configuration settings of intrusion monitoring tools including audit logging tool(s), intrusion detection systems and/or intrusion prevention systems, and/or other monitoring tool(s) including the security information and event monitoring (SIEM) tool, showing the events that are monitored for system components. Evidence that all monitored devices on the system inventory are forwarding logs to the SIEM.
Part b. Example security alert notifications from the audit logging tool and/or other monitoring tools.
Part c. Same as Part a.
Part d. User groups and audit events logged for intrusion-monitoring and audit logging tools.
Part e. Sources that are monitored for an increased level of risk (e.g., SIEM alerts, submitted incidents, industry alerts, news outlets, social media, etc.).
Part f. System and user monitoring activities that are subject to legal ramifications, and who is consulted regarding those system monitoring activities (e.g., legal, customer, etc.).
Part g. SIEM reports generated for system monitoring aggregation and analysis of intrusion-monitoring and audit logs.
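The Part a evidence item above (every monitored device on the system inventory is forwarding logs to the SIEM) is a reconciliation that assessors usually want to see produced mechanically rather than asserted. The following is an added example, not 38North's tooling or any SIEM vendor's export format: it compares a constructed inventory against a constructed "last event received" table of SIEM sources and classifies each in-scope host as forwarding, stale (silent longer than an assumed 24-hour threshold), or missing, and also lists sources the SIEM sees that are not on the inventory. The column layout, the hostnames, the timestamps and the staleness threshold are all assumptions made for the example.

```python
"""
Added example: reconcile a system inventory against the hosts a SIEM has
recently received logs from, as supporting evidence for SI-4 Part a.
All data below is constructed; the CSV layouts are assumptions, not any
specific SIEM's export format.
"""
from datetime import datetime, timedelta, timezone

# Constructed inventory: "hostname,role,in_scope" (hypothetical hosts)
INVENTORY_CSV = """\
hostname,role,in_scope
fw-edge-01,perimeter_firewall,yes
proxy-01,http_proxy,yes
web-01,app_server,yes
db-01,database,yes
lab-box-07,test_host,no
"""

# Constructed SIEM source table: "hostname,last_event_utc" (ISO 8601, UTC)
SIEM_SOURCES_CSV = """\
hostname,last_event_utc
fw-edge-01,2024-05-01T11:58:00Z
proxy-01,2024-05-01T11:59:30Z
web-01,2024-04-28T09:00:00Z
build-runner-02,2024-05-01T11:50:00Z
"""

# Fixed "now" so the run is reproducible; replace with datetime.now(timezone.utc) in use
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
# Assumed threshold: a source silent longer than this is treated as a coverage gap
STALE_AFTER = timedelta(hours=24)


def parse_inventory(text):
    """Return the set of in-scope hostnames from the inventory CSV."""
    rows = [line.split(",") for line in text.strip().splitlines()[1:]]
    return {host for host, _role, in_scope in rows if in_scope == "yes"}


def parse_siem_sources(text):
    """Return {hostname: last_event datetime (UTC)} from the SIEM source export."""
    result = {}
    for line in text.strip().splitlines()[1:]:
        host, ts = line.split(",")
        result[host] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return result


def reconcile(inventory, sources, now=NOW, stale_after=STALE_AFTER):
    """Classify each in-scope host as forwarding, stale, or missing, and list
    SIEM sources that are not on the inventory (possible unmanaged devices)."""
    report = {"forwarding": [], "stale": [], "missing": [], "unknown_sources": []}
    for host in sorted(inventory):
        if host not in sources:
            report["missing"].append(host)          # never seen by the SIEM
        elif now - sources[host] > stale_after:
            report["stale"].append(host)            # onboarded once, silent since
        else:
            report["forwarding"].append(host)       # recent events received
    report["unknown_sources"] = sorted(set(sources) - inventory)
    return report


def coverage_gaps(report):
    """Hosts that fail the evidence check: missing or silent too long."""
    return sorted(report["missing"] + report["stale"])


if __name__ == "__main__":
    r = reconcile(parse_inventory(INVENTORY_CSV), parse_siem_sources(SIEM_SOURCES_CSV))
    for category, hosts in r.items():
        print(f"{category:16s} {', '.join(hosts) or '-'}")
    print("coverage gaps:", coverage_gaps(r))
```

The stale category is the one worth keeping separate from missing: a host that was onboarded and later stopped forwarding (agent removed, log pipeline broken, disk full) still appears in the SIEM's source list, so a simple "is it present" comparison would mark it as covered. Sources the SIEM sees but the inventory does not should be reconciled the other way, against the component inventory maintained under CM-8.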
CSP Implementation Tips:
Amazon Web Services (AWS): Amazon GuardDuty may be leveraged as the overarching IDS as it is included in the AWS GovCloud FedRAMP High JAB P-ATO dated 6/21/2016.