Industrial Internet Security Framework v 1.0 | Page 98

Security Framework
10: Security Monitoring and Analysis
• This reactive security response may include modifying security control configurations, blocking services, turning off services and reverting changes.
• Prompt and enhanced forensic recording and secure logging can speed incident investigations and root cause analysis, and support future updates of analytics and operational processes.
• Appropriate personnel are notified, and dashboards, monitors and reports are updated.
• Policies and procedures defined in the incident response plan need to be followed.
10.1.3 AFTER AN INCIDENT
After an incident, normal operation of the system should be restored as soon as is safe and practical. A decay algorithm can slowly reduce the risk rating to bring the system back to a normal, steady state, resetting policy along the way.
A lessons-learned exercise after an incident can enable the update of the incident response plan so it can be more robust and effective for future incidents. In addition, the reporting dashboard for alerts should be reviewed to ensure future events are detected.
10.2 SECURITY MONITORING AND ANALYTICS
Figure 10-2: Security Monitoring During Timeline
10.2.1 PURPOSES AND KINDS OF SECURITY MONITORING
Monitoring and analysis systems support three purposes.
Forensic monitoring and analysis systems gather and store security data and make it available to security investigators seeking to determine which equipment and data were affected by a compromise and the specific sequence of events leading up to it. Recorded network traffic can help to identify where an attack came from and to which machines it may have spread.
Current monitoring and analysis systems gather and analyze data to identify attacks in progress, security policy violations in progress and currently compromised devices. Failed authentication requests and tamper sensor alerts can indicate an attack in progress.
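Worked example, added here and not part of the IISF document, combining the decay-driven recovery described in 10.1.3 with the in-progress indicators named in 10.2.1: a risk rating is raised by failed authentications and tamper sensor alerts, decays with a half-life once events stop, and is mapped to policy tiers that are reset as the rating falls. The event weights, tier thresholds and half-life are assumed values chosen for illustration.

```python
from dataclasses import dataclass, field
import math

# Policy tiers derived from the risk rating (assumed thresholds, highest first).
TIERS = [(70.0, "lockdown"), (40.0, "elevated"), (0.0, "normal")]

# Rating increase per observed indicator (constructed weights, not from the IISF).
EVENT_WEIGHT = {"auth_failure": 5.0, "tamper_alert": 60.0}


def policy_for(rating: float) -> str:
    """Map the current risk rating onto the policy tier that applies."""
    for threshold, tier in TIERS:
        if rating >= threshold:
            return tier
    return "normal"


@dataclass
class RiskState:
    half_life_s: float = 3600.0  # rating halves every hour with no new events
    rating: float = 0.0
    last_ts: float = 0.0
    history: list = field(default_factory=list)  # (ts, event, rating, tier) for forensics

    def _decay_to(self, ts: float) -> None:
        """Exponential decay of the rating from the last update to time ts."""
        elapsed = max(0.0, ts - self.last_ts)
        self.rating *= math.pow(0.5, elapsed / self.half_life_s)
        self.last_ts = ts

    def observe(self, ts: float, event: str) -> str:
        """Apply decay, add the event's weight (capped at 100) and return the tier."""
        self._decay_to(ts)
        self.rating = min(100.0, self.rating + EVENT_WEIGHT[event])
        tier = policy_for(self.rating)
        self.history.append((ts, event, round(self.rating, 2), tier))
        return tier

    def tick(self, ts: float) -> str:
        """Periodic check with no new event: decay only, returning the tier now in force."""
        self._decay_to(ts)
        return policy_for(self.rating)

    def transitions(self) -> list:
        """Timestamps at which the policy tier changed, for post-incident review."""
        out, prev = [], None
        for ts, _event, _rating, tier in self.history:
            if tier != prev:
                out.append((ts, tier))
                prev = tier
        return out
```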
IIC: PUB: G4: V1.0: PB: 20160926- 98-