Security Monitoring Requirements by NCSC

The document outlines key aspects of security monitoring and recommends steps organizations can take to meet security monitoring requirements. It discusses monitoring traffic crossing boundaries, activity at boundaries, workstations and devices, internal network activity, network connections, user session activity, alerting on critical events, accurate timekeeping in logs, and data backup status. For each aspect, it provides a relevant security monitoring requirement and examples of steps to meet the requirement, such as collecting firewall logs, monitoring wireless access points, ensuring accurate timestamps, and alerting on storage failures.

Security Monitoring Requirements

The following table highlights key aspects of security monitoring to consider, and a relevant Security Monitoring Requirement for each. It also recommends examples of what your organisation can do to meet each of the requirements.

Key Aspect: Business traffic crossing a boundary
Security Monitoring Requirement: Traffic exchanges are authorised and conform to security policy. Transport of malicious content, and other forms of attack by manipulation of business traffic, are detected and alerted.
Recommended steps to meet the requirement:
• Collect details of imports and exports executed by internal users.
• Track cross-boundary information exchange operations.
• Collect information on the use of any externally visible interfaces.
• Collect information and alerts from content checking and quarantining services.

Key Aspect: Activity at a boundary
Security Monitoring Requirement: Detect suspect activity indicative of the actions of an attacker attempting to breach the system boundary, or other deviation from normal business behaviour.
Recommended steps to meet the requirement:
• Collect information from firewalls and other network devices on traffic and traffic trends.
• Collect information from any Intrusion Detection System (IDS) at the boundary with any untrusted network.

Key Aspect: Internal workstation, server or device
Security Monitoring Requirement: Detect changes to device status and configuration from accidental or deliberate acts by a user, or by malware.
Recommended steps to meet the requirement:
• Record changes to device configuration.
• Record indications that could be attributed to accidental or malicious activity (eg system restarts or undefined system processes).
• Record indications of unauthorised actions in tightly controlled environments, such as the attachment of USB storage devices.
• Collect information relating to access to any business-critical file areas.

Key Aspect: Internal network activity
Security Monitoring Requirement: Detect suspicious activity that may indicate attacks by internal users, or by external attackers who have penetrated the internal network.
Recommended steps to meet the requirement:
• Monitor critical internal boundaries and resources within internal networks. Possible candidates for heightened internal monitoring include:
  - core electronic messaging infrastructure (eg email servers and directory servers)
  - sensitive databases (eg HR databases, finance, procurement/contracts, etc.)
  - project servers and file stores with restricted access requirements

Key Aspect: Network connections
Security Monitoring Requirement: Prevent unauthorised connections to the network made by remote access, VPN, wireless or any other transient means of network connection.
Recommended steps to meet the requirement:
• Monitor network access points that are open to connection attempts by anyone (eg WiFi access points).
• Monitor mobile users and remote working solutions.
• Monitor restrictive environments in which the attachment of modems and wireless access points is prohibited.
• Monitor network ports of the wired network environment.

Key Aspect: Session activity by user and workstation
Security Monitoring Requirement: Detect unauthorised activity and access that is suspicious or violates security policy requirements.
Recommended steps to meet the requirement:
• Monitor user activity and sensitive data accesses so that users can be held accountable for their actions.
• Monitor workstation connectivity, connected peripherals and data ports.
• Profile normal user activity to enable detection of abnormal behaviour.
• Tightly control and monitor administration and service accounts.

Key Aspect: Alerting on events
Security Monitoring Requirement: Be able to respond to security incidents in a time frame appropriate to the perceived criticality of the incident.
Recommended steps to meet the requirement:
• Ensure events classed as critical are notified in as close to real time as is achievable.
• Ensure automation and filtering are sufficient to bring events to the attention of the right people using the right mechanism.
• Establish the correct level of monitoring for the organisation, ranging from simple monitoring to integrated solutions using enterprise-level centralised security.
• Consider combining functions such as security and network management, taking into account the need to maintain segregation requirements.
• Implement secondary alerting channels (eg SNMP, email, SMS, etc.) using in-hours or out-of-hours services when continuous console manning cannot be provided.

Key Aspect: Accurate time in logs
Security Monitoring Requirement: Be able to correlate event data collected from disparate sources.
Recommended steps to meet the requirement:
• Provide a master clock system component which is synchronised to an atomic clock.
• Update device clocks from the master clock using the Network Time Protocol (NTP).
• Record time in logs in a consistent format; Coordinated Universal Time (UTC) is recommended.
• Provide a process to check and update device clocks on a regular basis (eg weekly).
• Define the error margin for time accuracy according to business requirements.
• Provide manual maintenance for devices that do not support clock synchronisation.
• Provide support for local time on human interfaces.
• Provide a process to correct clock drift on mobile devices upon reconnection.

Key Aspect: Data backup status
Security Monitoring Requirement: Be able to recover from an event that compromises the integrity or availability of information assets.
Recommended steps to meet the requirement:
• Provide an audit trail of backup and recovery to enable identification of the last known good state of the information assets.
• Alert on storage failure events.
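The "Session activity by user and workstation" row asks you to profile normal user activity so that abnormal behaviour stands out, and to tightly monitor service and administration accounts. The following is an added example, not code from the NCSC page: it builds a per-user baseline (workstations used, hours of logon) from a constructed history of logon records and reports deviations for new events. The record layout, the "svc_" naming convention for service accounts, the one-hour tolerance and the sample logons are all assumptions made for the example.

```python
"""Profile normal user session activity and flag deviations from the baseline.

Added example; not from the NCSC page. The record layout, the service-account
naming convention and the thresholds are assumptions; all records are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed history of successful logons: (UTC timestamp, user, workstation, logon type).
# Assumption: service accounts are expected to log on only as "service", never "interactive".
BASELINE = [
    ("2024-02-05T08:02:00", "alice", "WS-101", "interactive"),
    ("2024-02-06T08:10:00", "alice", "WS-101", "interactive"),
    ("2024-02-07T17:45:00", "alice", "WS-101", "interactive"),
    ("2024-02-05T09:00:00", "bob", "WS-207", "interactive"),
    ("2024-02-06T09:30:00", "bob", "WS-208", "interactive"),
    ("2024-02-05T03:00:00", "svc_backup", "SRV-FILE01", "service"),
    ("2024-02-06T03:00:00", "svc_backup", "SRV-FILE01", "service"),
]

SERVICE_ACCOUNT_PREFIX = "svc_"   # assumption: naming convention for service accounts
HOUR_TOLERANCE = 1                # hours either side of the observed logon window


def build_profiles(history):
    """Per-user baseline: the set of workstations and the set of logon hours seen."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ts, user, host, _logon_type in history:
        hour = datetime.fromisoformat(ts).hour
        profiles[user]["hosts"].add(host)
        profiles[user]["hours"].add(hour)
    return profiles


def assess(event, profiles):
    """Return the list of deviations for one logon event (empty list means normal)."""
    ts, user, host, logon_type = event
    hour = datetime.fromisoformat(ts).hour
    reasons = []

    # Policy check first: it applies even when there is no baseline for the account.
    if user.startswith(SERVICE_ACCOUNT_PREFIX) and logon_type == "interactive":
        reasons.append("interactive logon by service account")

    profile = profiles.get(user)
    if profile is None:
        reasons.append("no baseline for user")
        return reasons

    if host not in profile["hosts"]:
        reasons.append(f"new workstation {host}")

    lo, hi = min(profile["hours"]), max(profile["hours"])
    if not (lo - HOUR_TOLERANCE <= hour <= hi + HOUR_TOLERANCE):
        reasons.append(f"logon at {hour:02d}:xx outside baseline {lo:02d}-{hi:02d}")
    return reasons


if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    new_events = [
        ("2024-03-04T08:15:00", "alice", "WS-101", "interactive"),
        ("2024-03-04T02:10:00", "alice", "WS-322", "interactive"),
        ("2024-03-04T03:00:00", "svc_backup", "WS-101", "interactive"),
        ("2024-03-04T10:00:00", "carol", "WS-400", "interactive"),
    ]
    for event in new_events:
        print(event[1], event[2], assess(event, profiles) or "normal")
```

The baseline is deliberately simple (a set of hosts and an hour window); in practice you would rebuild it on a rolling window so that legitimate changes in working pattern age in, and treat "no baseline for user" as a review item rather than an alert on its own.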
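The "Accurate time in logs" row is the one most often neglected in practice: events from a firewall, an IDS sensor and a file server cannot be correlated if each records time in its own format and zone. The following is an added example, not code from the NCSC page. It normalises constructed log lines from three sources into a consistent UTC format, refuses to guess when a timestamp carries no zone information and no configured zone is known, groups the normalised events into time windows for correlation, and checks a device's reported clock against the master clock using an error margin supplied by the caller. The source names, the log formats, the configured zones in SOURCE_ZONES and the year assumed for syslog lines are all assumptions made for the example.

```python
"""Normalise timestamps from disparate log sources to UTC, then correlate them.

Added example; not code from the NCSC page. Source names, log formats, the
configured time zones and the sample log lines are constructed assumptions.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumption: the zone each source's clock is configured in, for sources whose
# log format carries no offset (as recorded in the asset register).
SOURCE_ZONES = {
    "ids": timezone.utc,                      # IDS sensor is configured to log in UTC
    "server": timezone(timedelta(hours=1)),   # file server logs local time at UTC+01:00
}

# Syslog-style lines carry no year; assume the year of the collector's master clock.
SYSLOG_YEAR = 2024

# Constructed sample lines, one format per source.
SAMPLE_LOGS = [
    ("firewall", "2024-03-04T09:15:07+01:00 DENY src=203.0.113.8 dst=10.0.0.5 dport=445"),
    ("ids",      "Mar  4 08:15:09 ids1 ALERT SMB probe from 203.0.113.8"),
    ("server",   "04/03/2024 09:15:12 Failed logon for svc_backup from 203.0.113.8"),
    ("firewall", "2024-03-04T11:40:00+01:00 DENY src=198.51.100.2 dst=10.0.0.5 dport=22"),
]


def normalise(source, line):
    """Return (utc_datetime, message) for one log line from a known source."""
    if source == "firewall":
        ts, msg = line.split(" ", 1)
        when = datetime.fromisoformat(ts)           # the offset is in the line itself
    elif source == "ids":
        m = re.match(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (.*)$", line)
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(
            year=SYSLOG_YEAR, tzinfo=SOURCE_ZONES["ids"])
        msg = m.group(2)
    elif source == "server":
        m = re.match(r"^(\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) (.*)$", line)
        when = datetime.strptime(m.group(1), "%d/%m/%Y %H:%M:%S").replace(
            tzinfo=SOURCE_ZONES["server"])
        msg = m.group(2)
    else:
        # Refuse to guess: a timestamp with no zone cannot be correlated safely.
        raise ValueError(f"no timestamp parser or configured zone for source {source!r}")
    return when.astimezone(timezone.utc), msg


def format_utc(when):
    """The consistent log format recommended above: ISO 8601 in UTC with a Z suffix."""
    return when.strftime("%Y-%m-%dT%H:%M:%SZ")


def normalise_all(records):
    """Normalise every (source, line) record and return them ordered by UTC time."""
    events = [(source,) + normalise(source, line) for source, line in records]
    return sorted(events, key=lambda e: e[1])


def correlate(events, window_seconds):
    """Group time-ordered events where each is within window_seconds of the previous one."""
    clusters = []
    for event in events:
        if clusters and event[1] - clusters[-1][-1][1] <= timedelta(seconds=window_seconds):
            clusters[-1].append(event)
        else:
            clusters.append([event])
    return clusters


def clock_drift_exceeds(device_iso, master_iso, max_error_seconds):
    """True if a device's reported time differs from the master clock by more than
    the error margin the business has defined (both times as ISO 8601 with offsets)."""
    device = datetime.fromisoformat(device_iso)
    master = datetime.fromisoformat(master_iso)
    return abs(device - master) > timedelta(seconds=max_error_seconds)


if __name__ == "__main__":
    events = normalise_all(SAMPLE_LOGS)
    for source, when, msg in events:
        print(format_utc(when), source, msg)
    for cluster in correlate(events, 30):
        print(len(cluster), "event(s) within 30s of each other")
    print("drift exceeds 120s:", clock_drift_exceeds(
        "2024-03-04T08:20:00+00:00", "2024-03-04T08:16:30+00:00", 120))
```

Once normalised, the three 08:15 events from different devices fall into one 30-second window and read as a single incident (a probe from 203.0.113.8 followed by a failed logon), which the raw lines, showing 09:15, 08:15 and 09:15, would not have suggested. The drift check is the automated form of the weekly clock check recommended above; its margin is a business decision, so it is a parameter rather than a constant.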

For more information go to: www.ncsc.gov.uk @ncsc_hmg
