This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization correlates information from monitoring tools employed throughout the information system.
NIST 800-53 (r4) Supplemental Guidance:
Correlating information from different monitoring tools can provide a more comprehensive view of information system activity. The correlation of monitoring tools that usually work in isolation (e.g., host monitoring, network monitoring, anti-virus software) can provide an organization-wide view and in so doing, may reveal otherwise unseen attack patterns. Understanding the capabilities/limitations of diverse monitoring tools and how to maximize the utility of information generated by those tools can help organizations to build, operate, and maintain effective monitoring programs. Related control: AU-6.
NIST 800-53 (r5) Discussion:
Correlating information from different system monitoring tools and mechanisms can provide a more comprehensive view of system activity. Correlating system monitoring tools and mechanisms that typically work in isolation—including malicious code protection software, host monitoring, and network monitoring—can provide an organization-wide monitoring view and may reveal otherwise unseen attack patterns. Understanding the capabilities and limitations of diverse monitoring tools and mechanisms and how to maximize the use of information generated by those tools and mechanisms can help organizations develop, operate, and maintain effective monitoring programs. The correlation of monitoring information is especially important during the transition from older to newer technologies (e.g., transitioning from IPv4 to IPv6 network protocols).
38North Guidance:
Meets Minimum Requirement:
Collect logging and intrusion detection output from the monitoring tools deployed across the system (SIEM, HIDS/NIDS/WIDS, FIM, antivirus, EDR, firewalls and similar) and correlate it in one place, so that related events from tools that otherwise operate in isolation can be viewed together by host, account, address and time.
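The following is an added illustration of what the correlation step looks like in practice; it is not code from the page, from NIST or from 38North. It takes constructed sample output from four hypothetical tools (a firewall, a NIDS, a FIM agent and an EDR agent), normalizes each line to a common record, keys the records by host and looks for a time window in which several independent tools report on the same host. The log layouts, tool names, addresses and the three-source threshold are assumptions made for the example.

```python
"""Correlate events from monitoring tools that normally work in isolation.

Added example, not from the original page. Each tool's output is parsed to
one schema (timestamp, source tool, host, remaining fields), grouped by host
and scanned for a window in which at least `min_sources` distinct tools fire.
A single firewall ALLOW, NIDS signature, file change or process launch is
routine on its own; the same host appearing in all four inside a few minutes
is the kind of pattern no one tool would surface.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The "key=value" layout is an assumption for this
# example, not a particular vendor's format. Network tools name the target
# host as dst; host agents name it as host.
FIREWALL_LOG = [
    "2024-03-01T10:00:05Z action=ALLOW src=203.0.113.7 dst=10.0.0.12 dport=22",
    "2024-03-01T10:40:00Z action=ALLOW src=198.51.100.9 dst=10.0.0.30 dport=443",
]
NIDS_LOG = [
    "2024-03-01T10:00:12Z sig=ssh_bruteforce src=203.0.113.7 dst=10.0.0.12",
]
FIM_LOG = [
    "2024-03-01T10:03:40Z host=10.0.0.12 path=/etc/cron.d/update state=changed",
    "2024-03-01T15:10:00Z host=10.0.0.30 path=/etc/hosts state=changed",
]
EDR_LOG = [
    "2024-03-01T10:04:02Z host=10.0.0.12 proc=/bin/sh parent=cron user=root",
]

SOURCES = {
    "firewall": FIREWALL_LOG,
    "nids": NIDS_LOG,
    "fim": FIM_LOG,
    "edr": EDR_LOG,
}


def parse_line(line, source):
    """Normalize one 'TIMESTAMP k=v k=v ...' line into a common record."""
    ts_str, *fields = line.split()
    rec = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"), "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    # Unify the host key so records from network and host tools line up.
    rec["host"] = rec.get("host") or rec.get("dst")
    return rec


def collect_events():
    """Parse every tool's output into one time-ordered event list."""
    events = [parse_line(line, src) for src, lines in SOURCES.items() for line in lines]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(minutes=10), min_sources=3):
    """Return one finding per host that has >= min_sources tools reporting within `window`."""
    by_host = defaultdict(list)
    for event in events:
        if event["host"]:
            by_host[event["host"]].append(event)

    findings = []
    for host, host_events in sorted(by_host.items()):
        host_events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(host_events):
            # Every event on this host that falls inside the window opened by `start`.
            cluster = [e for e in host_events[i:] if e["ts"] - start["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                findings.append({
                    "host": host,
                    "start": start["ts"],
                    "sources": sorted(sources),
                    "events": cluster,
                })
                break  # first qualifying window per host is enough here
    return findings


if __name__ == "__main__":
    for finding in correlate(collect_events()):
        print(f"{finding['host']} from {finding['start']:%H:%M:%S}: {', '.join(finding['sources'])}")
        for e in finding["events"]:
            print(f"  {e['ts']:%H:%M:%S} [{e['source']}] "
                  + " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "source", "host")))
```

In a real deployment the SIEM performs this join, and the assessor's question is whether every tool listed in the control is actually feeding it and whether the host and address fields are normalized well enough for the join to work; the r5 note about IPv4/IPv6 transitions is exactly a case where the `host` key in this example stops matching unless both address families are mapped to the same asset.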
Best Practice: None
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Configuration settings of the monitoring tools (SIEM, HIDS/NIDS, FIM, antivirus, EDR, firewalls and similar) showing which events are monitored for system components, together with evidence that each tool's output is forwarded to the central correlation point (for example, the SIEM data-source inventory or correlation rules that reference those feeds).
CSP Implementation Tips: None