Establish and maintain expertise on the desired state of the organisation’s information systems

Organization must describe the baseline of normal behaviour for the use of network and data systems, which is used as a starting point for identifying anomalies.

When defining the baseline, the following must be taken into account:

• monitoring the use of data systems during both normal and peak times
• usual times of use, places of use and frequency of use for each user and user group

Monitoring systems must be configured against the baseline to identify anomalous behavior such as:

• unplanned termination of systems or processes
• traffic related to malware or malicious IP addresses or domains
• known attack characteristics (e.g. denial of service or buffer overflow)
• unusual system use (e.g. keystroke logging)
• bottlenecks and overloads (e.g. network queues, latency levels)
• unauthorized access (actual or attempted) to systems or data
• unauthorized scanning of data systems and networks
• successful and failed attempts to access protected resources (e.g. DNS servers, web portals and file systems)
• unusual user and system behavior

In systematic cyber security work, the impact of significant changes must be assessed in advance and they must be executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

Significant changes may include: changes in the organization, operating environment, business processes and data systems. Changes can be identified e.g. through management reviews and other cyber security work.

An appropriate log is generated from the use of the network to enable the detection of actions relevant to cyber security.

The normal state of network traffic (traffic volumes, protocols, and connections) is known. In order to detect anomalies, there is a procedure for detecting events that are different from the normal state of network traffic (for example, anomalous connections or their attempts).

Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.

The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.

Inclusion of the following sources in the monitoring system should be considered:

• outbound and inbound network and data system traffic

  li>

• access to critical data systems, servers, network devices and the monitoring system itself
• critical system and network configuration files
• logs from security tools (e.g. antivirus, IDS, IPS, network filters, firewalls)

Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.