Guidance

10 Steps: Monitoring

Updated 16 January 2015

This guidance was withdrawn on

This content has been moved to the CESG website: https://www.cesg.gov.uk/10-steps-cyber-security

1. Summary

Monitoring Information and Communications Technologies (ICT) activity allows businesses to better detect attacks and react to them appropriately whilst providing a basis upon which lessons can be learned to improve the overall security of the business. In addition, monitoring the use of ICT systems allows the business to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with security, legal and regulatory requirements.

2. What is the risk?

Monitoring the organisation’s ICT systems provides the business with the means to assess how they are being used by authorised users and if they have been or are being attacked. Without the ability to monitor, an organisation will not be able to:

Detect attacks

Either originating from outside the organisation or attacks as a result of deliberate or accidental insider activity

React to attacks

So that an appropriate and proportionate response can be taken to prevent or minimise the resultant impact of an attack on the business

Account for activity

The business will not have a complete understanding of how its ICT systems or information assets are being used, and will be unable to enforce user accountability

Failure to monitor ICT systems and their use for specific business processes could lead to non-compliance with the corporate security policy and legal or regulatory requirements or result in attacks going unnoticed.

3. How can the risk be managed?

Businesses need to put strategies, policies, systems and processes in place to ensure that they are capable of monitoring their ICT systems and of responding appropriately to attacks. A consistent approach to monitoring needs to be adopted across the business, based on a clear understanding of the risks.

3.1 Establish a monitoring strategy and supporting policies

Develop and implement an organisational monitoring strategy and policy based on an assessment of the risks. The strategy should take into account any previous security incidents and attacks and align with the organisation’s incident management policies.

3.2 Monitor all ICT systems

Ensure that the solution monitors all networks and host systems (such as clients and servers), potentially through the use of Network and Host Intrusion Detection Systems (NIDS/HIDS) and Prevention Solutions (NIPS/HIPS), supplemented as required by Wireless Intrusion Detection Systems (WIDS). These solutions should provide both signature-based capabilities to detect known attacks and heuristic capabilities to detect potentially unknown attacks through new or unusual system behaviour.

3.3 Monitor network traffic

The inbound and outbound network traffic traversing network boundaries should be continuously monitored to identify unusual activity or trends that could indicate attacks and the compromise of data. The transfer of sensitive information, particularly large data transfers or unauthorised encrypted traffic, should automatically generate a security alert and prompt a follow-up investigation. The analysis of network traffic can be a key tool in preventing the loss of data.
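The two alerts this step calls for (large outbound transfers and encrypted traffic to destinations that have not been approved) can be produced from ordinary boundary flow records. The script below is an added example written for this page, not part of the original guidance or any CESG tooling. It reads a constructed flow export, aggregates outbound bytes per internal host in fixed windows, and flags sessions the exporter has tagged as encrypted whose destination is not on an approved list. The record format, the 100 MB per 15 minutes threshold, the approved-destination list and the sample data are all assumptions chosen for illustration.

```python
"""Added example (not from the original guidance): boundary-traffic alerting.

Assumptions: the boundary device exports one CSV line per flow as
time,src,dst,dport,tag,bytes_out, where tag is "tls" when the exporter saw a
TLS handshake; thresholds and the approved list are illustrative.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Flow:
    ts: datetime       # UTC, timezone-aware
    src: str           # internal host
    dst: str           # external destination
    dport: int
    encrypted: bool    # derived from the exporter's session tag
    bytes_out: int


# Constructed sample export (not real traffic).
SAMPLE_FLOWS = """\
2015-01-16T09:00:05Z,10.1.2.20,203.0.113.10,443,tls,120000
2015-01-16T09:03:12Z,10.1.2.20,203.0.113.10,443,tls,450000000
2015-01-16T09:05:40Z,10.1.2.31,198.51.100.7,8443,tls,2048
2015-01-16T09:07:01Z,10.1.2.45,203.0.113.10,80,plain,15000
2015-01-16T10:15:22Z,10.1.2.20,203.0.113.10,443,tls,30000
"""

# Destinations to which encrypted outbound sessions are authorised (assumed policy).
APPROVED_ENCRYPTED = {("203.0.113.10", 443)}


def parse_flows(text):
    """Turn the CSV export into Flow records; timestamps are read as UTC."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, tag, nbytes = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append(Flow(when, src, dst, int(dport), tag == "tls", int(nbytes)))
    return flows


def large_transfer_alerts(flows, threshold_bytes=100_000_000, window=timedelta(minutes=15)):
    """Alert when one internal host sends more than threshold_bytes within a window.

    Windows are fixed buckets aligned to the epoch, so a host that spreads a
    transfer across many short flows is still caught by the per-window sum.
    """
    secs = int(window.total_seconds())
    totals = defaultdict(int)
    for f in flows:
        bucket = int(f.ts.timestamp()) // secs
        totals[(f.src, bucket)] += f.bytes_out
    alerts = []
    for (src, bucket), total in sorted(totals.items()):
        if total > threshold_bytes:
            start = datetime.fromtimestamp(bucket * secs, tz=timezone.utc)
            alerts.append({"type": "large_transfer", "src": src,
                           "window_start": start, "bytes": total})
    return alerts


def unauthorised_encrypted_alerts(flows, approved=APPROVED_ENCRYPTED):
    """Alert on encrypted sessions to any (destination, port) not on the approved list."""
    return [{"type": "unauthorised_encrypted", "src": f.src, "dst": f.dst,
             "dport": f.dport, "ts": f.ts}
            for f in flows if f.encrypted and (f.dst, f.dport) not in approved]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in large_transfer_alerts(flows) + unauthorised_encrypted_alerts(flows):
        print(alert)
```

Each alert names the internal host, the window or session concerned and the volume or destination, which is the minimum an analyst needs to open the follow-up investigation the guidance asks for.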

3.4 Monitor all user activity

The monitoring capability should have the ability to generate audit logs that are capable of identifying unauthorised or accidental input, misuse of technology or data. Critically, it should be able to identify the user, the activity that prompted the alert and the information they were attempting to access.

Ensure that the monitoring processes comply with legal or regulatory constraints on the monitoring of user activity.

3.6 Fine-tune monitoring systems

Ensure that monitoring systems are fine-tuned so that they collect only the logs, events and alerts that are relevant to delivering the requirements of the monitoring policy. Inappropriate collection of monitoring information could breach data protection and privacy legislation. It could also be costly in terms of storing the audit information and could hinder the efficient detection of real attacks.

3.7 Establish a centralised collection and analysis capability

Develop and deploy a centralised capability that can collect and analyse accounting logs and security alerts from ICT systems across the organisation, including user systems, servers, network devices, security appliances and applications. Much of this should be automated, given the volume of data involved, enabling analysts to quickly identify and investigate anomalies. Ensure that the design and implementation of the centralised solution does not provide an opportunity for attackers to bypass normal network security and access controls.

3.8 Ensure there is sufficient storage

Security managers should determine the types of information needed to satisfy the organisation’s monitoring policy. Vast quantities of data can be generated and appropriate storage will need to be made available. The organisation will also need to consider the sensitivity of the processed audit logs and any requirement for archiving to satisfy any regulatory or legal requirements.

3.9 Provide resilient and synchronised timing

Ensure that the monitoring and analysis of audit logs is supported by a centralised and synchronised timing source that is used across the entire organisation to time-stamp audit logs, alerts and events to support incident response, security investigations and disciplinary or legal action.
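Steps 3.4, 3.7 and 3.9 together describe one pipeline: records from many sources are brought into a central store, each mapped to the user, the activity and the information accessed, and time-stamped against a common clock. The script below is an added example written for this page, not part of the original guidance. It takes three constructed raw records in different native formats, maps them onto one schema with timestamps normalised to UTC, stamps each with the collector's own receipt time so that a source whose clock has drifted can be flagged, and then answers the question "what did this user do, in order?". The formats, field names, 60-second skew tolerance and sample data are assumptions chosen for illustration.

```python
"""Added example (not from the original guidance): a minimal centralised log
normaliser with clock-skew detection.

Assumptions: three illustrative source formats (a key=value file-server log
written in local time, a classic syslog sshd line, and a JSON application log
with its own offset); each source declares its UTC offset; the collector stamps
every record with its own UTC clock on receipt.
"""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Event:
    """The common schema every source is mapped onto."""
    ts_utc: datetime       # time reported by the source, normalised to UTC
    received_at: datetime  # collector's own clock (UTC) when the record arrived
    source: str
    user: str              # who
    action: str            # what
    resource: str          # which information


def _utc(stamp):
    """Parse the collector's receipt stamps, always written as ...Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)


# Constructed raw records: (source, source UTC offset in hours, receipt time, raw line).
RAW_RECORDS = [
    ("fileserver-01", 1, "2015-01-16T09:12:03Z",
     "2015-01-16 10:12:01 user=jsmith action=READ path=/finance/payroll.xlsx"),
    ("vpn-gw", 0, "2015-01-16T09:10:30Z",
     "Jan 16 09:10:29 vpn-gw sshd[1212]: Accepted publickey for jsmith from 198.51.100.7"),
    ("hr-app", 0, "2015-01-16T09:14:00Z",
     '{"time": "2015-01-16T09:44:10+00:00", "user": "asmith", "op": "EXPORT", "record": "employee_list"}'),
]

_FS_RE = re.compile(r"^(\S+ \S+) user=(\S+) action=(\S+) path=(\S+)$")
_VPN_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+)")


def parse_fileserver(raw, offset_hours, received_at):
    m = _FS_RE.match(raw)
    local = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(UTC), m.group(2), m.group(3), m.group(4)


def parse_vpn(raw, offset_hours, received_at):
    m = _VPN_RE.match(raw)
    # Classic syslog omits the year; it is taken from the receipt stamp (assumption).
    local = datetime.strptime(f"{received_at.year} {m.group(1)}", "%Y %b %d %H:%M:%S").replace(
        tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(UTC), m.group(2), "LOGIN", f"vpn from {m.group(3)}"


def parse_hr_app(raw, offset_hours, received_at):
    d = json.loads(raw)
    # The JSON timestamp carries its own offset, so the declared source offset is unused.
    return datetime.fromisoformat(d["time"]).astimezone(UTC), d["user"], d["op"], d["record"]


PARSERS = {"fileserver-01": parse_fileserver, "vpn-gw": parse_vpn, "hr-app": parse_hr_app}


def collect(records=RAW_RECORDS):
    """Map every raw record onto the common schema."""
    events = []
    for source, offset_hours, received, raw in records:
        received_at = _utc(received)
        ts_utc, user, action, resource = PARSERS[source](raw, offset_hours, received_at)
        events.append(Event(ts_utc, received_at, source, user, action, resource))
    return events


def clock_skew(events, tolerance=timedelta(seconds=60)):
    """Sources whose reported time differs from the collector's clock by more than tolerance."""
    flagged = {}
    for e in events:
        skew = abs(e.ts_utc - e.received_at)
        if skew > tolerance:
            flagged[e.source] = max(flagged.get(e.source, timedelta()), skew)
    return sorted(flagged.items())


def timeline_for_user(events, user):
    """All activity by one user, ordered on the normalised clock."""
    return sorted((e for e in events if e.user == user), key=lambda e: e.ts_utc)


if __name__ == "__main__":
    evs = collect()
    for e in timeline_for_user(evs, "jsmith"):
        print(e.ts_utc.isoformat(), e.source, e.user, e.action, e.resource)
    print("clock skew:", clock_skew(evs))
```

In the sample data the file server logs in local time one hour ahead of UTC; without normalisation its read would sort after the application's export rather than two minutes after the VPN login. The application source reports a time thirty minutes ahead of the collector's clock and is flagged, which is the kind of drift that would otherwise undermine the timeline relied on in an investigation or disciplinary action.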

3.10 Train the security personnel

Ensure that security personnel receive appropriate training on the deployment of monitoring capability and the analysis of security alerts, events and accounting logs.

3.11 Align the incident management policies

Ensure that policies and processes are in place to appropriately manage and respond to incidents detected by monitoring solutions.

3.12 Conduct a lessons learned review

Ensure that processes are in place to test monitoring capabilities, learn from security incidents and improve the efficiency of the monitoring capability.