Skip to main content

THR-11: Behavioral Baselining

THR 5 — Medium Govern

Automated mechanisms exist to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery.

Control Question: Does the organization use automated mechanisms to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery?

General (3)
Framework Mapping Values
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) THR-11
SCF CORE ESP Level 2 Critical Infrastructure THR-11
SCF CORE ESP Level 3 Advanced Threats THR-11
US (4)
Framework Mapping Values
US DoD Zero Trust Execution Roadmap 3.4.5 3.4.6 7.2.5 7.3.2 7.4 7.4.2
US DoD Zero Trust Reference Architecture 2.0 1.2
US DHS CISA TIC 3.0 3.UNI.DTDIS 3.PEP.ID.BBASE
US DHS ZTCF BAS-01 SEC-05 TRF-01

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of an automated capability to establish behavioral baselines that capture information about user and entity behavior to enable dynamic threat discovery.

Level 1 — Performed Informally

Threat Management (THR) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Threat management is decentralized.
  • IT personnel subscribe to threat feeds to maintain situational awareness of emerging threats.
Level 2 — Planned & Tracked

Threat Management (THR) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for threat management. o Subscribe to threat feeds to maintain situational awareness of emerging threats.

  • Threat management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • The HR department, in conjunction with cybersecurity personnel, helps ensure secure practices are implemented in personnel management operations to help manage threats.
  • IT/cybersecurity personnel:
Level 3 — Well Defined

Threat Management (THR) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Subscribes to threat feeds to maintain situational awareness of emerging threats. o Develops Indicators of Exposure (IOE) to better understand potential attack vectors that attackers could use to attack the organization. o Implements a Threat Awareness Program (TAP) that includes a cross-organization information-sharing capability. o Implements a “threat hunting” capability to actively identify internal threats.

  • A Security Operations Center (SOC), or similar function:
  • An Integrated Security Incident Response Team (ISIRT), or similar function, exists to form an on-demand, integrated team of cybersecurity, IT, data privacy and business function representatives that can execute coordinated incident response operations, including a cross-discipline incident handling capability.
  • Cybersecurity personnel enable security awareness training on recognizing and reporting potential indicators of insider threat.
Level 4 — Quantitatively Controlled

Threat Management (THR) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement. In addition to CMM Level 3 criteria, CMM Level 4 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving

Threat Management (THR) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. THR-11_A01 baselines are captured to establish behavioral baselines about user and entity behavior.
  2. THR-11_A02 behavioral baselines about user and entity behavior are leveraged for dynamic threat discovery purposes.

Evidence Requirements

E-THR-08 Behavioral Baselining

Documented evidence of behavioral baselining to determine normal vs abnormal activities.

Threat Management

Technology Recommendations

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free