MON-16: Anomalous Behavior
Mechanisms exist to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
Control Question: Does the organization utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities?
General (25)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC7.2 CC7.2-POF2 CC7.2-POF3 |
| CSA CCM 4 | LOG-05 |
| CSA IoT SCF 2 | CLS-08 IAM-08 MON-10 MON-11 |
| GovRAMP Moderate | AC-02(12) |
| GovRAMP High | AC-02(12) SI-04(11) |
| NIST AI 600-1 | MS-1.1-002 |
| NIST 800-53 R4 | AC-2(12) SI-4(11) |
| NIST 800-53 R4 (high) | AC-2(12) |
| NIST 800-53 R5 (source) | AC-2(12) IR-4(13) SI-4(11) |
| NIST 800-53B R5 (high) (source) | AC-2(12) |
| NIST 800-53 R5 (NOC) (source) | IR-4(13) SI-4(11) |
| NIST 800-82 R3 HIGH OT Overlay | AC-2(12) |
| NIST 800-171 R2 (source) | 3.14.7 |
| NIST 800-171 R3 (source) | 03.01.01.e 03.03.05.a 03.14.06.a.01 03.14.06.a.02 03.14.06.b 03.14.06.c |
| NIST 800-171A R3 (source) | A.03.14.06.b |
| NIST 800-172 | 3.14.2e |
| NIST 800-207 | NIST Tenet 4 |
| NIST CSF 2.0 (source) | DE.CM DE.CM-03 |
| PCI DSS 4.0.1 (source) | 3.1 |
| SWIFT CSF 2023 | 2.9 |
| SCF CORE Fundamentals | MON-16 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | MON-16 |
| SCF CORE ESP Level 1 Foundational | MON-16 |
| SCF CORE ESP Level 2 Critical Infrastructure | MON-16 |
| SCF CORE ESP Level 3 Advanced Threats | MON-16 |
US (25)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ACCESS-2.I.MIL3 SITUATION-2.D.MIL2 SITUATION-2.E.MIL2 SITUATION-2.F.MIL2 SITUATION-2.G.MIL3 SITUATION-2.H.MIL3 SITUATION-2.I.MIL3 |
| US CISA CPG 2022 | 2.G |
| US CMMC 2.0 Level 2 (source) | SI.L2-3.14.7 |
| US DoD Zero Trust Execution Roadmap | 1.6.1 1.6.2 1.6.3 2.3.1 2.3.2 7.2.5 7.3.2 7.4 7.4.1 7.4.2 7.4.3 7.4.4 |
| US DoD Zero Trust Reference Architecture 2.0 | 1.2 6.7 |
| US DHS CISA TIC 3.0 | 3.UNI.DTDIS 3.PEP.ID.BBASE |
| US DHS ZTCF | BAS-01 SEC-05 TRF-01 |
| US FedRAMP R4 | AC-2(12) SI-4(11) |
| US FedRAMP R4 (moderate) | AC-2(12) |
| US FedRAMP R4 (high) | AC-2(12) SI-4(11) |
| US FedRAMP R5 (source) | AC-2(12) SI-4(11) |
| US FedRAMP R5 (moderate) (source) | AC-2(12) |
| US FedRAMP R5 (high) (source) | AC-2(12) SI-4(11) |
| US FFIEC | D3.DC.Ev.B.1 D4.C.Co.B.4 |
| US HIPAA Administrative Simplification 2013 (source) | 164.312(b) 164.312(c)(2) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.312(b) 164.312(c)(2) |
| US HIPAA HICP Medium Practice | 3.M.C |
| US HIPAA HICP Large Practice | 3.M.C 1.L.C 4.L.B 6.L.B 8.L.D 8.L.E |
| US IRS 1075 | AC-2(12) SI-4(11) |
| US SSA EIESR 8.0 | 5.6 5.7 |
| US TSA / DHS 1580/82-2022-01 | III.D III.D.2.b |
| US - NY DFS 23 NYCRR500 2023 Amd 2 | 500.14(a)(1) |
| US - NY SHIELD Act S5575B | 4(2)(b)(ii)(C)(2) |
| US - TX TX-RAMP Level 2 | AC-2(12) |
| US - VT Act 171 of 2018 | 2447(c)(4) |
EMEA (12)
| Framework | Mapping Values |
|---|---|
| EMEA EU EBA GL/2019/04 | 3.4.5(38) 3.4.5(38)(a) 3.4.5(38)(b) 3.4.5(38)(c) |
| EMEA EU DORA | 10.1 |
| EMEA EU NIS2 Annex | 13.1.2(d) |
| EMEA Germany Banking Supervisory Requirements for IT (BAIT) | 5.5 |
| EMEA Israel CDMO 1.0 | 4.7 21.10 21.20 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-3-1-12 |
| EMEA Saudi Arabia SACS-002 | TPC-80 |
| EMEA Spain BOE-A-2022-7191 | 10.1 |
| EMEA Spain 311/2022 | 10.1 |
| EMEA UK CAF 4.0 | C1.f |
| EMEA UK CAP 1850 | C1 C2 |
| EMEA UK DEFSTAN 05-138 | 3200 3202 3203 |
APAC (3)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1660 |
| APAC New Zealand HISF 2022 | HMS19 |
| APAC Singapore MAS TRM 2021 | 9.2.2 11.5.5 12.2.4 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 3.3.2 |
| Americas Canada ITSP-10-171 | 03.01.01.E 03.03.05.A 03.14.06.A.01 03.14.06.A.02 03.14.06.B 03.14.06.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
Level 1 — Performed Informally
Continuous Monitoring (MON) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Generating event logs and the review of event logs is narrowly-focused to business-critical systems and/ or systems that store, processes and/ or transmit sensitive/regulated data.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
Level 2 — Planned & Tracked
Continuous Monitoring (MON) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for situational awareness management. o Configure alerts for critical or sensitive data that is stored, transmitted and processed on assets. o Use a structured process to review and analyze logs.
- Situational awareness management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- Secure baseline configurations generate logs that contain sufficient information to establish necessary details of activity and allow for forensics analysis.
- IT/cybersecurity personnel:
- A log aggregator, or similar automated tool, provides an event log report generation capability to aid in detecting and assessing anomalous activities on business-critical systems.
- the organization sets specific parameters on what type of audit information is permitted to be shared and what cannot be shared with third-parties, even with a NDA in place.
Level 3 — Well Defined
Continuous Monitoring (MON) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Governs asset management that ensures compliance with requirements for asset management. o Leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets. o Centrally collects logs and is protected according to the manufacturer’s security guidelines to protect the integrity of the event logs with cryptographic mechanisms. o Monitors the organization for Indicators of Compromise (IoC) and provides 24x7x365 near real-time alerting capability. o Is configured to alert incident response personnel of detected suspicious events such that incident responders can look to terminate suspicious events.
- An IT Asset Management (ITAM) function, or similar function:
- A Security Incident Event Manager (SIEM), or similar automated tool:
- Both inbound and outbound network traffic is monitored for unauthorized activities to identify prohibited activities and assist incident handlers with identifying potentially compromised systems.
- The organization sets specific parameters on what type of audit information is permitted to be shared and what cannot be shared with third-parties, even with a NDA in place.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to utilize User & Entity Behavior Analytics (UEBA) and/or User Activity Monitoring (UAM) solutions to detect and respond to anomalous behavior that could indicate account compromise or other malicious activities.
Assessment Objectives
- MON-16_A01 environments or resources which may contain or may be related to anomalous or suspected adversarial behavior are defined.
- MON-16_A02 systems are monitored to detect unauthorized local connections.
- MON-16_A03 systems are monitored to detect unauthorized network connections.
- MON-16_A04 systems are monitored to detect unauthorized remote connections.
- MON-16_A05 outbound communications traffic at the external interfaces to the system is analyzed to discover anomalies.
- MON-16_A06 outbound communications traffic at interior points is analyzed to discover anomalies.
- MON-16_A07 anomalous or suspected adversarial behavior in or related to organization-defined environments or resources are analyzed.
- MON-16_A08 unauthorized use of the system is identified.
- MON-16_A09 anomalous or suspicious behavior is defined.
- MON-16_A10 personnel or roles to report atypical usage is/are defined.
- MON-16_A11 atypical usage of system accounts is reported to organization-defined personnel or roles.
- MON-16_A12 organizational systems and system components are monitored on an ongoing basis for anomalous or suspicious behavior.
Evidence Requirements
- E-IRO-02 Indicators of Compromise (IOC)
-
Documented evidence of defined Indicators of Compromise (IOC).
Incident Response - E-MON-07 Situational Awareness
-
Documented evidence of the organization leveraging knowledge of event log generation to gain situational awareness of cross-domain activities (e.g., technology issues, security events, policy violations, service provider activities, remote workforce activities, physical security events, etc.).
Event Log Monitoring
Technology Recommendations
Micro/Small
- Indicators of Compromise (IoC)
- Indicators of Exposure (IoE)
- Managed Security Services Provider (MSSP)
Small
- Indicators of Compromise (IoC)
- Indicators of Exposure (IoE)
- Security Incident Event Manager (SIEM)
- Managed Security Services Provider (MSSP)
Medium
- Indicators of Compromise (IoC)
- Indicators of Exposure (IoE)
- Security Incident Event Manager (SIEM)
- Extended Detection and Response (XDR)
- Managed Security Services Provider (MSSP)
Large
- Indicators of Compromise (IoC)
- Indicators of Exposure (IoE)
- Security Incident Event Manager (SIEM)
- Extended Detection and Response (XDR)
- Managed Security Services Provider (MSSP)
Enterprise
- Indicators of Compromise (IoC)
- Indicators of Exposure (IoE)
- Security Incident Event Manager (SIEM)
- Extended Detection and Response (XDR)
- Managed Security Services Provider (MSSP)