Level 1
Description:
System monitoring includes external and internal monitoring. System monitoring can detect unauthorized use of organizational systems. System monitoring is an integral part of continuous monitoring and incident response programs. Monitoring is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Output from system monitoring serves as input to continuous monitoring and incident response programs. Unusual/unauthorized activities or conditions related to inbound and outbound communications traffic include internal traffic that indicates the presence of malicious code in systems or propagating among system components, the unauthorized exporting of information, or signaling to external systems. Evidence of malicious code is used to identify potentially compromised systems or system components. System monitoring requirements, including the need for specific types of system monitoring, may be referenced in other requirements. [SP 800-94] provides guidance on intrusion detection and prevention systems.
Priority: High
Domain: SYSTEM AND INFORMATION INTEGRITY (SI)
Category: Vulnerability Management
Services Associated with AWS:
- AWS Systems Manager
- Amazon Inspector
- AWS Security Hub
- AWS Config
Services Associated with Azure:
- Azure Log Analytics
- Azure Policy
- Azure Network Watcher
- Azure Sentinel
- Azure Monitor
Objective Evidence:
- Administrative: documented policies, standards & procedures
- Administrative: supporting documentation to demonstrate the "secure practices" used to build technology platform-specific secure baseline configurations
- Administrative: supporting documentation of how anti-malware solutions are deployed and maintained
- Technical: screen shot of anti-malware configuration settings
Possible Technology Considerations:
- Secure Baseline Configurations (SBC)
- Antimalware Solution
What needs to be answered?
Does the company update information system protection mechanisms (e.g., anti-virus signatures) within 5 days of new releases? Are these updates completed in accordance with configuration management policy and procedures?
Checks for AWS:
- Malicious Code Protection Mechanism Update Check
  Description: This check verifies that malicious code protection mechanisms, such as anti-virus signature definitions and reputation-based technologies, are regularly updated with the latest releases. It ensures that organizations have processes in place to receive updates from vendors or trusted sources and apply them promptly to the relevant systems.
- Comprehensive Software Integrity Control Check
  Description: This check ensures that comprehensive software integrity controls, including pervasive configuration management, are implemented to prevent the execution of unauthorized code. It verifies that organizations have processes in place to update these controls when new releases or patches are available, thereby strengthening protection against malicious code.
Checks for Azure:
- Malicious Code Protection Mechanism Update Check
  Description: This check verifies that malicious code protection mechanisms, such as anti-virus signature definitions and reputation-based technologies, are regularly updated with the latest releases. It ensures that organizations have processes in place to receive updates from vendors or trusted sources and apply them promptly to the relevant systems.
- Comprehensive Software Integrity Control Check
  Description: This check ensures that comprehensive software integrity controls, including pervasive configuration management, are implemented to prevent the execution of unauthorized code. It verifies that organizations have processes in place to update these controls when new releases or patches are available, thereby strengthening protection against malicious code.
- Secure Baseline Configurations (SBC) Compliance Check
  Description: This check ensures that the Azure resources deployed within the organization adhere to the secure baseline configurations (SBC). Secure baseline configurations provide a set of recommended security settings that help protect the resources from common security vulnerabilities. The check verifies that the SBC policies are applied and maintained across the Azure environment.
- Antimalware Solution Deployment Check
  Description: This check validates the deployment of an antimalware solution across Azure resources. It verifies whether the required antimalware solution is installed and configured properly on virtual machines and other relevant resources. This check ensures that organizations have implemented appropriate measures to detect and mitigate malware threats within their Azure environment.
- Log Monitoring Configuration Check
  Description: This check ensures that log monitoring is properly configured within the Azure environment. It verifies whether the necessary log sources are enabled, log retention policies are in place, and log monitoring solutions are correctly configured. This check helps organizations identify and respond to security incidents by collecting and analyzing relevant log data.
- Network Traffic Monitoring Check
  Description: This check validates that network traffic monitoring is effectively implemented within the Azure environment. It verifies whether network monitoring solutions, such as Azure Network Watcher, are deployed and configured to capture and analyze network traffic. This check helps organizations detect and respond to suspicious network activities or potential security breaches.
More Details:
Malicious code protection systems are updated automatically upon release of new definitions.
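The 5-day update question and the two "Malicious Code Protection Mechanism Update" checks above describe a condition an assessor has to evaluate across every host: is a protection engine present, are automatic definition updates enabled, and are the installed definitions no older than the limit. The following is an added example, not part of this control record and not code from AWS, Azure or any vendor tool: it evaluates that condition over a constructed inventory snapshot. The record shape (`host`, `engine_installed`, `auto_update`, `last_definition_update`) is an assumption for the example; a real collector such as an AWS Systems Manager inventory query or an Azure Log Analytics query would have to be mapped onto it. It also handles the cases a real fleet produces: an unknown update time, a timestamp in the future from clock skew, and the exact boundary of the 5-day limit.

```python
import json
from datetime import datetime, timedelta, timezone

# Maximum definition age allowed by the control question (5 days).
MAX_DEFINITION_AGE = timedelta(days=5)

# Fixed "now" so the evaluation is reproducible; a real run would use
# datetime.now(timezone.utc).
SNAPSHOT_TIME = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)

# Constructed inventory snapshot. The field names are an assumption for this
# example, not the output format of any AWS or Azure API.
SAMPLE_INVENTORY = json.dumps([
    {"host": "web-01", "engine_installed": True, "auto_update": True,
     "last_definition_update": "2024-06-09T12:00:00+00:00"},   # 1 day old
    {"host": "web-02", "engine_installed": True, "auto_update": False,
     "last_definition_update": "2024-06-08T12:00:00+00:00"},   # 2 days old
    {"host": "app-01", "engine_installed": True, "auto_update": True,
     "last_definition_update": "2024-06-05T12:00:00+00:00"},   # exactly 5 days old
    {"host": "db-01", "engine_installed": True, "auto_update": True,
     "last_definition_update": "2024-06-01T12:00:00+00:00"},   # 9 days old
    {"host": "batch-01", "engine_installed": True, "auto_update": True,
     "last_definition_update": None},                           # never reported
    {"host": "bastion-01", "engine_installed": False, "auto_update": False,
     "last_definition_update": None},                           # no engine at all
    {"host": "ci-01", "engine_installed": True, "auto_update": True,
     "last_definition_update": "2024-06-11T12:00:00+00:00"},   # future timestamp
])


def parse_inventory(raw: str) -> list[dict]:
    """Load the JSON snapshot and convert ISO-8601 timestamps to aware datetimes."""
    records = json.loads(raw)
    for record in records:
        ts = record.get("last_definition_update")
        record["last_definition_update"] = datetime.fromisoformat(ts) if ts else None
    return records


def evaluate_host(record: dict, now: datetime,
                  max_age: timedelta = MAX_DEFINITION_AGE) -> list[str]:
    """Return the reasons a host fails the check; an empty list means compliant."""
    if not record.get("engine_installed"):
        # Nothing else is meaningful without a protection engine.
        return ["no malicious code protection engine installed"]

    reasons = []
    if not record.get("auto_update"):
        reasons.append("automatic definition updates disabled")

    last = record.get("last_definition_update")
    if last is None:
        # Unknown is treated as non-compliant: the evidence is missing.
        reasons.append("definition update time unknown")
    elif last > now:
        # A future timestamp points at clock skew or a bad collector, not freshness.
        reasons.append("definition update time is in the future (clock skew?)")
    elif now - last > max_age:
        # Strictly greater: definitions exactly max_age old still pass.
        reasons.append(f"definitions {(now - last).days} days old (limit {max_age.days})")
    return reasons


def evaluate_inventory(raw: str, now: datetime) -> dict:
    """Split the fleet into compliant hosts and a findings map of host -> reasons."""
    report = {"compliant": [], "findings": {}}
    for record in parse_inventory(raw):
        reasons = evaluate_host(record, now)
        if reasons:
            report["findings"][record["host"]] = reasons
        else:
            report["compliant"].append(record["host"])
    return report


if __name__ == "__main__":
    result = evaluate_inventory(SAMPLE_INVENTORY, SNAPSHOT_TIME)
    print("Compliant:", ", ".join(result["compliant"]))
    for host, reasons in result["findings"].items():
        print(f"FINDING {host}: " + "; ".join(reasons))
```

Two design choices matter for an assessor: an unknown update time is a finding rather than a pass, because the control requires evidence that updates happened, and the age comparison uses a strict "greater than" so a host updated exactly at the limit is not flagged. Both behaviours are what the 5-day question implies and are the points to confirm with whichever real inventory source replaces the constructed snapshot.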