Network Monitoring and Defense
Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise's network infrastructure and user base.
Why Is This Control Critical?
We cannot rely on network defenses to be perfect. Adversaries continue to evolve and mature, as they share, or sell, information among their community on exploits and bypasses to security controls. Even if security tools work 'as advertised,' it takes an understanding of the enterprise risk posture to configure, tune, and log them effectively. Often, misconfigurations due to human error or lack of knowledge of tool capabilities lead to a false sense of security. Security tools can only be effective if they are supporting a process of continuous monitoring that allows staff and automation to detect and act on events.
Safeguards (11)
| ID | Title | Function | IG | Checklist Items | Evidence |
|---|---|---|---|---|---|
| 13.1 | Centralize Security Event Alerting | Detect | IG2, IG3 | 10 | 5 |
| 13.2 | Deploy a Host-Based Intrusion Detection Solution | Detect | IG2, IG3 | 6 | 3 |
| 13.3 | Deploy a Network Intrusion Detection Solution | Detect | IG2, IG3 | 8 | 5 |
| 13.4 | Perform Traffic Filtering Between Network Segments | Protect | IG2, IG3 | 6 | 3 |
| 13.5 | Manage Access Control for Remote Assets | Protect | IG2, IG3 | 12 | 8 |
| 13.6 | Collect Network Traffic Flow Logs | Detect | IG2, IG3 | 8 | 5 |
| 13.7 | Deploy a Host-Based Intrusion Prevention Solution | Protect | IG3 | 7 | 5 |
| 13.8 | Deploy a Network Intrusion Prevention Solution | Protect | IG3 | 5 | 3 |
| 13.9 | Deploy Port-Level Access Control | Protect | IG3 | 10 | 5 |
| 13.10 | Perform Application Layer Filtering | Protect | IG3 | 7 | 5 |
| 13.11 | Tune Security Event Alerting Thresholds | Detect | IG3 | 6 | 3 |
Audit Verification Details
13.1 Centralize Security Event Alerting
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.2 Deploy a Host-Based Intrusion Detection Solution
Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.3 Deploy a Network Intrusion Detection Solution
Deploy a network intrusion detection solution on enterprise assets, where appropriate. Example implementations include the use of a Network Intrusion Detection System (NIDS) or equivalent cloud service provider (CSP) service.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Contracts with third parties include security requirements. | Contract excerpts showing security clauses |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Third-party service providers are inventoried and risk-assessed. | Vendor inventory, risk assessment reports, security scorecards |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Record | Third-party risk assessment reports and scorecards | Annually per vendor |
| Document | Vendor contracts with security requirements | Per contract cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.4 Perform Traffic Filtering Between Network Segments
Perform traffic filtering between network segments, where appropriate.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Network segmentation is implemented between defined trust zones. | Network architecture diagram, segmentation test results |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.5 Manage Access Control for Remote Assets
Manage access control for assets remotely connecting to enterprise resources. Determine amount of access to enterprise resources based on: up-to-date anti-malware software installed, configuration compliance with the enterprise's secure configuration process, and ensuring the operating system and applications are up-to-date.
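A worked example of the posture-based decision this safeguard describes, added here as an illustration rather than code from the page or from any NAC product: each remotely connecting device is scored against the three criteria above, and the result is deny-by-default. The access tiers (full, restricted, quarantine), the staleness windows and the sample device records are assumptions.

```python
"""Posture-based access decision for remote assets (CIS Safeguard 13.5), added example."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Assumed policy windows: definitions older than 3 days or patch state older than 30 days are stale.
SIGNATURE_MAX_AGE = timedelta(days=3)
PATCH_MAX_AGE = timedelta(days=30)


@dataclass
class DevicePosture:
    device_id: str
    antimalware_installed: bool
    signature_updated: Optional[datetime]  # None when the agent never reported
    config_compliant: bool                 # result of the secure-configuration scan
    last_patched: Optional[datetime]       # None when patch state is unknown


def evaluate_posture(p: DevicePosture, now: datetime) -> Tuple[str, List[str]]:
    """Return (access_tier, failed_checks). Unknown state counts as a failure."""
    failures: List[str] = []
    am_ok = (p.antimalware_installed and p.signature_updated is not None
             and now - p.signature_updated <= SIGNATURE_MAX_AGE)
    if not am_ok:
        failures.append("anti-malware missing or signatures stale")
    if not p.config_compliant:
        failures.append("not compliant with secure configuration baseline")
    if p.last_patched is None or now - p.last_patched > PATCH_MAX_AGE:
        failures.append("operating system/applications not up to date")
    if not failures:
        return "full", failures
    # Assumed tiering: without a trustworthy anti-malware agent the other
    # self-reported checks cannot be relied on, so the host is quarantined.
    if not am_ok:
        return "quarantine", failures
    return "restricted", failures


# Constructed sample posture reports, evaluated at a fixed point in time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_DEVICES = [
    DevicePosture("lap-001", True, NOW - timedelta(days=1), True, NOW - timedelta(days=7)),
    DevicePosture("lap-002", True, NOW - timedelta(days=1), False, NOW - timedelta(days=12)),
    DevicePosture("lap-003", False, None, True, NOW - timedelta(days=2)),
    DevicePosture("lap-004", True, NOW - timedelta(days=12), True, NOW - timedelta(days=45)),
]


def decide_all(devices=SAMPLE_DEVICES, now: datetime = NOW) -> Dict[str, str]:
    """Map each device id to its access tier; feeds the NAC/conditional-access policy."""
    return {d.device_id: evaluate_posture(d, now)[0] for d in devices}


if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        tier, why = evaluate_posture(d, NOW)
        print(f"{d.device_id}: {tier} {why}")
```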
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Systems are configured per an approved hardening baseline (CIS Benchmarks, DISA STIGs). | Compliance scan results against the approved baseline |
| Access is granted based on least privilege and role-based access control. | RBAC configuration, access matrix documentation |
| Anti-malware is deployed on all applicable endpoints with current signatures. | Deployment status dashboard, signature update timestamps |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Configuration drift is detected and remediated within defined timeframes. | Drift detection reports, remediation tickets |
| Access reviews and recertifications are completed on schedule. | Access review records with sign-off and remediation actions |
| Privileged access is monitored and audited. | Privileged access logs, PAM session recordings or reports |
| Malware detections are investigated and resolved. | Detection logs, investigation and resolution records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Configuration compliance scan results against approved baseline | Scanned monthly |
| Document | Approved baseline configuration documentation | Reviewed quarterly |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Technical | Anti-malware deployment status and detection statistics | Monthly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.6 Collect Network Traffic Flow Logs
Collect network traffic flow logs and/or network traffic to review and alert upon from network devices.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Audit logging is enabled on all in-scope systems and forwarded to centralized SIEM. | SIEM source status dashboard, log forwarding configuration |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Logs are retained per the defined retention period and reviewed on schedule. | Retention policy config, log review records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Technical | SIEM dashboard showing log sources and collection status | Captured monthly |
| Record | Log review records and findings | Per review cycle |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.7 Deploy a Host-Based Intrusion Prevention Solution
Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Incident response plan is documented, current, and includes escalation paths. | IR plan with review date, escalation contact list |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Post-incident reviews are conducted and findings drive improvements. | Post-incident review reports, corrective action tracking |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Incident response plan and playbooks | Reviewed bi-annually |
| Record | Incident reports and post-incident review documentation | Per incident |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.8 Deploy a Network Intrusion Prevention Solution
Deploy a network intrusion prevention solution, where appropriate. Example implementations include the use of a Network Intrusion Prevention System (NIPS) or equivalent CSP service.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.9 Deploy Port-Level Access Control
Deploy port-level access control. Port-level access control utilizes 802.1x, or similar network access control protocols, such as certificates, and may incorporate user and/or device authentication.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Multi-factor authentication is enforced on all in-scope systems and accounts. | MFA enrollment status reports, conditional access policy config |
| Access is granted based on least privilege and role-based access control. | RBAC configuration, access matrix documentation |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| MFA exceptions are documented, approved, and compensating controls are in place. | Exception records with compensating control documentation |
| Access reviews and recertifications are completed on schedule. | Access review records with sign-off and remediation actions |
| Privileged access is monitored and audited. | Privileged access logs, PAM session recordings or reports |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Access review/recertification records with sign-off | Quarterly |
| Technical | Access control configuration evidence (RBAC settings, group memberships) | Reviewed quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.10 Perform Application Layer Filtering
Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Required protection controls are deployed and configured per the approved baseline. | Configuration exports, screenshots, or compliance scan results |
| Control effectiveness has been validated through testing. | Test results, validation reports, or scan output |
| Firewall rules conform to a documented baseline and deny-by-default policy. | Firewall rule export, baseline comparison report |
| Changes to protection controls follow the change management process. | Change tickets, approval records |
| Firewall rules are reviewed on schedule and unused rules are removed. | Rule review records, change tickets for rule cleanup |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Technical | Firewall rule set export and review documentation | Reviewed quarterly |
| Record | Firewall change request and approval records | Per change |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |
13.11 Tune Security Event Alerting Thresholds
Tune security event alerting thresholds monthly, or more frequently.
Audit Verification Checklist
| Checklist Item | Evidence |
|---|---|
| A governing policy or procedure exists, is approved by management, and was reviewed within the last 12 months. | Signed/approved policy document with review date |
| Roles and responsibilities for this safeguard are formally assigned and communicated. | RACI matrix, role assignment records, or job descriptions |
| Detection tools are deployed and actively collecting data. | Dashboard screenshots showing agent/sensor status and data flow |
| Alerting is configured with defined thresholds and notification channels. | Alert rule configuration exports, notification channel setup |
| Alerts are reviewed and triaged within the defined SLA. | Alert response logs, triage records with timestamps |
| Detection coverage has been tested with simulated events. | Detection test results, purple team exercise reports |
| Type | Evidence Item | Frequency |
|---|---|---|
| Technical | Detection tool deployment evidence (dashboard screenshots, agent status) | Captured monthly |
| Technical | Sample alert/detection output demonstrating capability | Captured quarterly |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |