Industrial Internet Security Framework v 1.0 | Page 98

Security Framework
10: Security Monitoring and Analysis
• This reactive security response may include modifying security control configurations, blocking services, turning off services and reverting changes.
• Prompt and enhanced forensic recording and secure logging can speed incident investigations and root cause analysis, and support future updates of analytics and operational processes.
• Appropriate personnel are notified, and dashboards, monitors and reports are updated.
• Policies and procedures defined in the incident response plan need to be followed.
10.1.3 AFTER AN INCIDENT
After an incident, normal operation of the system should be restored as soon as is safe and practical. A decay algorithm can slowly reduce the risk rating to bring the system back to a normal, steady state, resetting policy along the way.
A lessons-learned exercise after an incident can enable the update of the incident response plan so it can be more robust and effective for future incidents. In addition, the reporting dashboard for alerts should be reviewed to ensure future events are detected.
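The decay algorithm mentioned at the start of this section, sketched as an added example that is not part of the framework: the excess risk rating over a baseline halves at a fixed interval, and the policy tier is re-derived after every update, with exit thresholds below entry thresholds so policy does not flap. The tier names, thresholds, baseline, half-life and the `incident_open` hold are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy tiers and thresholds (illustrative, not from the framework).
# Exit thresholds sit below entry thresholds so the policy does not flap.
ORDER = ["normal", "restricted", "lockdown"]
ENTER = {"restricted": 40.0, "lockdown": 80.0}
EXIT = {"restricted": 25.0, "lockdown": 60.0}


@dataclass
class RiskState:
    score: float                 # current risk rating, 0..100
    policy: str = "normal"
    baseline: float = 10.0       # steady-state rating the system returns to
    half_life_s: float = 3600.0  # time for the excess over baseline to halve
    last_update: float = 0.0     # seconds on a monotonic clock
    incident_open: bool = False  # decay is suspended while the incident is open

    def _reset_policy(self) -> bool:
        """Re-derive the policy tier from the score; True if it changed."""
        old, level = self.policy, ORDER.index(self.policy)
        while level + 1 < len(ORDER) and self.score >= ENTER[ORDER[level + 1]]:
            level += 1           # escalate immediately
        while level > 0 and self.score < EXIT[ORDER[level]]:
            level -= 1           # relax only after clearing the exit threshold
        self.policy = ORDER[level]
        return self.policy != old

    def decay_to(self, now: float) -> bool:
        """Decay the excess over baseline up to `now`, then reset policy."""
        dt = max(0.0, now - self.last_update)
        self.last_update = now
        if not self.incident_open:
            excess = self.score - self.baseline
            self.score = self.baseline + excess * 0.5 ** (dt / self.half_life_s)
        return self._reset_policy()

    def raise_risk(self, now: float, amount: float) -> bool:
        """A new alert during recovery pushes the rating back up."""
        self.decay_to(now)
        self.score = min(100.0, self.score + amount)
        return self._reset_policy()


def recovery_timeline(state, times):  # (time, score, policy) after each step
    out = []
    for t in times:
        state.decay_to(t)
        out.append((t, round(state.score, 2), state.policy))
    return out
```

Starting from a rating of 90 under the "lockdown" tier, the sketch relaxes to "restricted" after one half-life and to "normal" after three, and a fresh alert during recovery escalates it again at once.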
10.2 SECURITY MONITORING AND ANALYTICS
Figure 10-2: Security Monitoring During Timeline
10.2.1 PURPOSES AND KINDS OF SECURITY MONITORING
Monitoring and analysis systems support three purposes.
Forensic monitoring and analysis systems gather and store security data and make it available to security investigators seeking to determine which equipment and data were affected by a compromise and the specific sequence of events leading up to it. Recorded network traffic can help to identify where an attack came from and to which machines it may have spread.
Current monitoring and analysis systems gather and analyze data to identify attacks in progress, security policy violations in progress and currently compromised devices. Failed authentication requests and tamper sensor alerts can indicate an attack in progress.
IIC:PUB:G4:V1.0:PB:20160926 - 98 -