CIS Control 13: Network Monitoring and Defense

Control Summary

Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

Why is it needed?

We cannot place absolute reliance on network defences being flawless. Adversaries continually advance and mature their tactics, sharing or trading information within their community about exploits and methods to circumvent security measures. Even when security tools function precisely as intended, their effectiveness hinges on configuring, tuning, and logging them with a deep understanding of the enterprise’s risk posture. Frequently, misconfigurations arise from human error or from unfamiliarity with the capabilities of these tools, leading to a false sense of security within enterprises.

Security tools are only effective when they feed a continuous monitoring process in which staff receive timely alerts and respond to security incidents promptly. Enterprises that rely solely on technology-driven approaches may encounter a higher rate of false alarms because of their excessive dependence on tool-generated alerts. To identify and counteract these threats, it is essential to maintain visibility across all potential threat vectors within the infrastructure and to integrate human expertise into the detection, analysis, and response phases.

Implementing Control

Developing situational awareness requires an organisation to understand its critical business functions, data flows, network architecture, vendor and partner connections, and end-user devices and accounts. A good understanding of this environment drives the development of a sound security architecture and the implementation of appropriate security controls, monitoring, and response processes.

Safeguards (all at Implementation Group 2 or 3)

13.1 Centralise Security Event Alerting
13.2 Deploy a Host-Based Intrusion Detection Solution
13.3 Deploy a Network Intrusion Detection Solution
13.4 Perform Traffic Filtering Between Network Segments
13.5 Manage Access Control for Remote Assets
13.6 Collect Network Traffic Flow Logs
13.7 Deploy a Host-Based Intrusion Prevention Solution
13.8 Deploy a Network Intrusion Prevention Solution
13.9 Deploy Port-Level Access Control
13.10 Perform Application Layer Filtering
13.11 Tune Security Event Alerting Thresholds