
Control 8.16: Monitoring Activities


Summary

Networks, systems and applications should be monitored for anomalous behavior, and appropriate actions taken to evaluate potential information security incidents. This proactive layer of defense ensures that threats are identified in real time, before they can cause significant damage.


Applicability

In-Scope: Mandatory for all organizations. It provides the eyes and ears for the security team, moving from a static defense to an active detection posture. It is essential for identifying compromised accounts and lateral movement.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Security Operations: Deploy Microsoft Sentinel (SIEM) to aggregate and correlate monitoring data from all Microsoft 365 services and Azure resources.

  • Behavioral Analytics: Utilize Microsoft Defender for Identity to monitor for suspicious on-premises and cloud identity behaviors, such as Pass-the-Hash or Golden Ticket attacks.

  • Real-time Alerting: Configure automated alerts in Microsoft Defender XDR that trigger when a user exhibits anomalous activity, such as accessing a high volume of sensitive files in a short period.
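As an added example, not code from this page or from Microsoft: a small Python detection implementing the real-time alerting rule above (a user reading a high volume of sensitivity-labelled files in a short window) over constructed sample audit lines. The key=value log format, the label names, the threshold of 5 reads in 10 minutes and the user names are assumptions; in a real deployment the same logic would live in a Sentinel analytics rule or a Defender XDR custom detection rather than a script.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit lines (not real data): timestamp, user, operation, sensitivity label.
SAMPLE_LOG = """\
2024-05-01T09:00:00 user=alice@example.com op=FileAccessed label=Confidential
2024-05-01T09:01:00 user=alice@example.com op=FileAccessed label=Confidential
2024-05-01T09:02:00 user=alice@example.com op=FileAccessed label=Public
2024-05-01T09:03:00 user=alice@example.com op=FileAccessed label=Confidential
2024-05-01T09:05:00 user=alice@example.com op=FileAccessed label=Confidential
2024-05-01T09:07:00 user=alice@example.com op=FileAccessed label=Confidential
2024-05-01T09:08:00 user=alice@example.com op=FileAccessed label=Confidential
2024-05-01T08:00:00 user=bob@example.com op=FileAccessed label=Confidential
2024-05-01T10:00:00 user=bob@example.com op=FileAccessed label=Confidential
2024-05-01T11:00:00 user=dave@example.com op=FileAccessed label=Confidential
2024-05-01T11:02:00 user=dave@example.com op=FileAccessed label=Confidential
2024-05-01T11:04:00 user=dave@example.com op=FileAccessed label=Confidential
2024-05-01T11:06:00 user=dave@example.com op=FileAccessed label=Confidential
"""

SENSITIVE_LABELS = {"Confidential", "Highly Confidential"}  # assumed label taxonomy

def parse_log(text):
    """Parse key=value audit lines into (timestamp, user, op, label), sorted by time."""
    events = []
    for line in text.splitlines():
        ts, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append((datetime.fromisoformat(ts), fields["user"], fields["op"], fields["label"]))
    return sorted(events, key=lambda e: e[0])

def detect_bulk_sensitive_access(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per burst when a user reads >= threshold sensitive files inside a sliding window."""
    recent = defaultdict(deque)  # per-user timestamps of sensitive reads still inside the window
    alerts = []
    for ts, user, op, label in events:
        if op != "FileAccessed" or label not in SENSITIVE_LABELS:
            continue  # only labelled-sensitive reads count towards the threshold
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict reads that fell out of the window
            q.popleft()
        if len(q) == threshold:  # fires at the event that crosses the threshold, not on every later read
            alerts.append((user, ts.isoformat(), len(q)))
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_sensitive_access(parse_log(SAMPLE_LOG)):
        print("ALERT bulk sensitive access:", alert)
```

Only alice trips the rule (five labelled reads within seven minutes); bob's reads are too spread out and dave stays one read under the threshold, which is the kind of tuning decision the audit questions below ask you to justify.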


Evidence Checklist

  • Monitoring Strategy: A documented plan defining what activities are monitored and the thresholds for triggering security alerts.

  • Active Alert Logs: Records from Microsoft Sentinel or Defender showing detected anomalies and the subsequent investigation steps.

  • Dashboard Proof: Evidence of real-time monitoring dashboards used by the security team for daily oversight.


Practical Audit Advice

Here are some questions the auditor might ask:

  • What specific baseline is used to define normal behavior versus an anomaly within your environment?

  • How does the organization ensure that security alerts are triaged and responded to outside of regular business hours?

  • Can you demonstrate how the system identifies a user logging in from a geographic location that is inconsistent with their known travel patterns?

  • What process is in place to review and tune monitoring rules to reduce false positives and ensure high-fidelity alerting?