Level 1

Description:

There are many publicly available sources of system security alerts and advisories. For example, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations. Software vendors, subscription services, and industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories. Examples of response actions include notifying relevant external organizations, for example, external mission/business partners, supply chain partners, external service providers, and peer or supporting organizations. NIST SP 800-161 provides guidance on supply chain risk management.


Priority: High


Domain: SYSTEM AND INFORMATION INTEGRITY (SI)


Category: Situational Awareness


Services Associated with AWS:

  1. AWS Security Hub
  2. Amazon GuardDuty
  3. AWS Systems Manager
  4. AWS Config

Services Associated with Azure: 

  1. Azure Security Center (now Microsoft Defender for Cloud)
  2. Azure Sentinel (now Microsoft Sentinel)
  3. Azure Monitor
  4. Azure Functions
  5. Azure Security Center's Threat Intelligence (now part of Microsoft Defender for Cloud)


Objective Evidence:

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of centralized event log collection and review to maintain situational awareness
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing event log analysis and response roles
  • Administrative: supporting documentation of log reviews being performed
  • Technical: screen shot of groups and membership assignment
  • Technical: screen shot of logs from SIEM 


Possible Technology Considerations:

  • Emerging Threats (ET) Intelligence Feed
  • Threat Intelligence Platform (TIP)


What needs to be answered?

Does the company receive security alerts, advisories, and directives from reputable external organizations? Does the company disseminate this information to individuals with need-to-know in the company? Are alerts responded to in a timely manner? Are internal security alerts, advisories, and directives generated?


Checks for AWS: 

  • System Security Alert Monitoring Check:
    Description: This check verifies that system security alerts and advisories from various sources, such as CISA, software vendors, subscription services, and industry ISACs, are regularly monitored. It ensures that organizations have mechanisms in place to receive and review these alerts in a timely manner.
  • Response Action Execution Check:
    Description: This check ensures that appropriate actions are taken in response to system security alerts and advisories. It verifies that relevant external organizations, such as mission/business partners, supply chain partners, service providers, and peer organizations, are promptly notified when necessary. It also ensures that internal response actions, such as applying patches, updating configurations, or initiating incident response procedures, are executed in a timely manner.


Checks for Azure: 

  • System Security Alert Monitoring Check:
    Description: This check verifies that the company receives security alerts, advisories, and directives from reputable external organizations. It ensures that mechanisms are in place to monitor these alerts regularly. The goal is to maintain situational awareness and promptly identify any potential security threats or vulnerabilities.
  • Response Action Execution Check:
    Description: This check ensures that appropriate actions are taken in response to system security alerts, advisories, and directives. It verifies that the company disseminates this information to individuals within the organization who have a need-to-know. It also confirms that the company responds to alerts in a timely manner.
  • External Organization Notification Check:
    Description: This check verifies that relevant external organizations, such as mission/business partners, supply chain partners, service providers, and peer organizations, are promptly notified when necessary. The goal is to ensure effective communication and collaboration with external entities to mitigate potential security risks or impacts.
  • Internal Security Alert Generation Check:
    Description: This check examines whether the company generates internal security alerts, advisories, and directives. It aims to ensure that the organization is proactive in identifying and addressing security issues or emerging threats within its own environment.
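The questions above and the monitoring, response, notification and internal-alert checks all come down to the same pipeline: receive an external advisory, decide whether it affects something you run, route it to the people and partners with a need to know, and prove the response was timely. The script below is an added example (not part of this page or any of the listed cloud services) that implements that pipeline over a constructed CISA KEV-style catalog. It borrows only the field names of the public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate); the entries, inventory, tracker records and the two-day acknowledgement SLA are all assumptions made up for the example.

```python
"""Added example: turn external advisories into tracked internal alerts.

Ingests a KEV-style JSON catalog, keeps only entries that affect products in
the inventory, routes each one to owners and external partners, and grades
acknowledgement and remediation timeliness for an audit check.
All data is constructed; CVE IDs are placeholders, not real vulnerabilities.
"""
import json
from dataclasses import dataclass, field
from datetime import date

# Constructed catalog using the KEV feed's field names; IDs are placeholders.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "requiredAction": "Apply vendor update"},
    {"cveID": "CVE-0000-0002", "vendorProject": "OtherVendor", "product": "MailRelay",
     "dateAdded": "2024-03-05", "dueDate": "2024-03-26", "requiredAction": "Apply vendor update"},
    {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "EdgeGateway",
     "dateAdded": "2024-02-01", "dueDate": "2024-02-22", "requiredAction": "Apply vendor update"},
    {"cveID": "CVE-0000-0004", "vendorProject": "ThirdVendor", "product": "LegacyVPN",
     "dateAdded": "2024-02-10", "dueDate": "2024-03-03", "requiredAction": "Apply vendor update"},
    {"cveID": "CVE-0000-0005", "vendorProject": "Unrelated", "product": "NotDeployed",
     "dateAdded": "2024-03-06", "dueDate": "2024-03-27", "requiredAction": "Apply vendor update"},
]})

# Constructed inventory: (vendor, product) -> internal owners (need-to-know)
# and external partners who run or depend on the same product.
INVENTORY = {
    ("ExampleVendor", "EdgeGateway"): {"owners": ["network-team"], "partners": ["msp-example"]},
    ("OtherVendor", "MailRelay"):    {"owners": ["messaging-team"], "partners": []},
    ("ThirdVendor", "LegacyVPN"):    {"owners": ["network-team"], "partners": ["supplier-x"]},
}

# Constructed response tracker: what the team has logged so far (ISO dates).
TRACKER = {
    "CVE-0000-0001": {"acknowledged": "2024-03-02", "remediated": None},
    "CVE-0000-0003": {"acknowledged": "2024-02-02", "remediated": "2024-02-15"},
    "CVE-0000-0004": {"acknowledged": "2024-02-20", "remediated": None},
}

ACK_SLA_DAYS = 2                 # assumed policy: acknowledge within 2 days of publication
AS_OF = date(2024, 3, 10)        # constructed assessment date


@dataclass
class InternalAlert:
    cve_id: str
    product: str
    status: str                  # OPEN, OVERDUE or REMEDIATED
    ack_within_sla: bool
    recipients: list = field(default_factory=list)


def _d(s: str) -> date:
    return date.fromisoformat(s)


def match_advisories(kev_json: str, inventory: dict) -> list:
    """Keep only catalog entries whose (vendor, product) is in the inventory."""
    entries = json.loads(kev_json)["vulnerabilities"]
    return [e for e in entries if (e["vendorProject"], e["product"]) in inventory]


def triage(entries: list, inventory: dict, tracker: dict, today: date) -> list:
    """Grade each matched advisory and build the internal alert to disseminate."""
    alerts = []
    for e in entries:
        rec = tracker.get(e["cveID"], {})
        ack, fixed = rec.get("acknowledged"), rec.get("remediated")
        # On time if acknowledged within the SLA of publication; a missing
        # acknowledgement counts as late once the SLA window has passed.
        if ack:
            ack_ok = (_d(ack) - _d(e["dateAdded"])).days <= ACK_SLA_DAYS
        else:
            ack_ok = (today - _d(e["dateAdded"])).days <= ACK_SLA_DAYS
        if fixed:
            status = "REMEDIATED"
        elif today > _d(e["dueDate"]):
            status = "OVERDUE"
        else:
            status = "OPEN"
        who = inventory[(e["vendorProject"], e["product"])]
        alerts.append(InternalAlert(e["cveID"], e["product"], status, ack_ok,
                                    who["owners"] + who["partners"]))
    return alerts


def build_alerts(today: date = AS_OF) -> list:
    return triage(match_advisories(KEV_JSON, INVENTORY), INVENTORY, TRACKER, today)


def compliance_summary(alerts: list) -> dict:
    """Counts an assessor would ask for: status breakdown and SLA misses."""
    by_status = {}
    for a in alerts:
        by_status[a.status] = by_status.get(a.status, 0) + 1
    return {"by_status": by_status,
            "ack_sla_misses": sorted(a.cve_id for a in alerts if not a.ack_within_sla)}


if __name__ == "__main__":
    for a in build_alerts():
        print(f"{a.cve_id} {a.product} {a.status} ack_ok={a.ack_within_sla} -> {', '.join(a.recipients)}")
    print(compliance_summary(build_alerts()))
```

Filtering on the inventory is what keeps the feed actionable: the entry for a product nobody runs never becomes an internal alert, while each matched entry carries its own recipient list, so the same record drives the internal notification and the partner notification the checks call for. The summary gives the two numbers an assessor wants as objective evidence, how many advisories are open, overdue or remediated against the published due date, and which ones missed the acknowledgement SLA.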


More Details:

Security alerts and industry advisories are monitored by IT staff, and configuration or patching changes are made as needed in response.