adammontville / cis-controls-71-measures


Subcontrol 8.6 #94

Open adammontville opened 5 years ago

adammontville commented 5 years ago

Send all malware detection events to enterprise anti-malware administration tools and event log servers for analysis and alerting.

Measures

M1 = # of detected malware detection events (under test)
M2 = # of malware detection events in logs (under test)

Metrics

Enforcement quality = M2/M1

apiperCIS commented 4 years ago

Internal note (not to be included in spec): Can we make any assumptions about whether these events will be pushed from the anti-malware software if properly configured, or pulled by the anti-malware administration tools and event log servers? Probably safer not to assume, so the proposal below is an attempt at writing it generically enough to allow for both.

Inputs:

  1. List of software instances (anti-malware software, anti-malware administration tools, and event log servers) that need to be configured to properly send, receive, and log these malware detection events.
  2. Approved configuration(s) for anti-malware software, anti-malware administration tools, and event log servers to ensure that malware detection events are properly sent, received, and logged.

Operations:

  1. For each software instance in Input 1, check to see if it is configured according to the appropriate approved configuration(s) in Input 2. Create a list of the software instances that are properly configured (M1) and a list of the software instances that are not properly configured (M2), noting where the deviations occur.

Measures:

  M1: List of software instances that are properly configured for the sending/receiving of malware detection events (compliant list)
  M2: List of software instances that are not properly configured for the sending/receiving of malware detection events (non-compliant list)
  M3: Count of properly configured software instances (count of M1)
  M4: Total count of software instances that need to be configured to properly send/receive malware detection events (count of Input 1)

Metrics:

  Ratio of properly configured software instances for sending/receiving malware detection events: M3 / M4

wmunyan commented 4 years ago

Inputs:

Operations:

Measures:

Metrics:

apiperCIS commented 4 years ago

  1. I do see this is a config check: the software has to be configured properly to send/receive the events and alert on them. To be consistent with how we've done some similar ones, it seems like the counts of detection events and alerts would be a second-level check that measures the effects of doing the sub-control, rather than the actual doing of the sub-control.
  2. The proposed measure has no time frame specified, so we're looking at all malware detection events on that network ever?
  3. In cases where there haven't been any detection events, we're essentially checking nothing, when we could be checking the configs to see if they are configured to send/receive/alert for when those events do occur.

wmunyan commented 4 years ago

Combine the 2 proposals - Both the configuration and operational metrics are valuable for this one.

wmunyan commented 4 years ago

Combined Proposal:

Inputs:

  1. List of software instances (anti-malware software, anti-malware administration tools, and event log servers) that need to be configured to properly send, receive, and log these malware detection events.
  2. Approved configuration(s) for anti-malware software, anti-malware administration tools, and event log servers to ensure that malware detection events are properly sent, received, and logged.
  3. The total number of malware detection events (M1)
  4. The number of alerts being correlated in a central service (M2)

Operations:

  1. For each software instance in Input 1, check to see if it is configured according to the appropriate approved configuration(s) in Input 2.
  2. Create a list of the software instances that are properly configured (M1)
  3. Create a list of the software instances that are not properly configured (M2) noting where the deviations occur.

Measures:

Metrics:
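As an added worked example (not code from the cis-controls-71-measures repository or from any commenter), the following Python computes both halves of the combined proposal over constructed sample data: the configuration-compliance ratio M3 / M4 from the config-check operations (Inputs 1 and 2), and the original Enforcement quality = M2/M1 over detection events (Inputs 3 and 4), scoped to a measurement window and returning None when no detections occurred, which covers the two gaps raised in the thread. The approved-configuration keys, instance names, hostnames, event ids and timestamps are all constructed assumptions, not values from any real product.

```python
from datetime import datetime

# Constructed approved baseline (Input 2): the settings each kind of software
# instance must carry so that malware detection events are sent, received and logged.
APPROVED_CONFIG = {
    "anti-malware": {"forward_events": True, "log_server": "logs.example.internal"},
    "admin-console": {"receive_events": True, "forward_to_siem": True},
    "event-log-server": {"accept_malware_events": True, "retention_days": 90},
}

# Constructed inventory (Input 1) with each instance's actual settings.
INSTANCES = [
    {"name": "av-host-01", "type": "anti-malware", "forward_events": True, "log_server": "logs.example.internal"},
    {"name": "av-host-02", "type": "anti-malware", "forward_events": False, "log_server": "logs.example.internal"},
    {"name": "av-console", "type": "admin-console", "receive_events": True, "forward_to_siem": True},
    {"name": "log-srv", "type": "event-log-server", "accept_malware_events": True, "retention_days": 30},
]

# Constructed detection events (Input 3) and alerts correlated centrally (Input 4).
# Timestamps let the metric be scoped to a window instead of "all events ever".
WINDOW_START = datetime(2024, 1, 1)
WINDOW_END = datetime(2024, 2, 1)
DETECTIONS = [
    {"id": "d1", "host": "av-host-01", "ts": datetime(2024, 1, 3, 9, 0)},
    {"id": "d2", "host": "av-host-02", "ts": datetime(2024, 1, 5, 14, 30)},
    {"id": "d3", "host": "av-host-01", "ts": datetime(2024, 1, 12, 8, 15)},
    {"id": "d4", "host": "av-host-01", "ts": datetime(2024, 1, 28, 23, 59)},
    {"id": "d5", "host": "av-host-01", "ts": datetime(2023, 12, 15, 10, 0)},  # outside window
]
CENTRAL_ALERTS = [
    {"detection_id": "d1"},
    {"detection_id": "d1"},  # duplicate alert for the same detection; counted once
    {"detection_id": "d3"},
    {"detection_id": "d4"},
    {"detection_id": "d5"},  # refers to an out-of-window detection; ignored
]


def config_deviations(instance, approved):
    """Return {setting: (expected, actual)} for every approved setting the instance violates."""
    baseline = approved[instance["type"]]
    return {k: (v, instance.get(k)) for k, v in baseline.items() if instance.get(k) != v}


def configuration_measures(instances, approved):
    """Operations 1-3: compliant list (M1) and non-compliant list (M2) with the deviations noted."""
    m1, m2 = [], {}
    for inst in instances:
        deviations = config_deviations(inst, approved)
        if deviations:
            m2[inst["name"]] = deviations
        else:
            m1.append(inst["name"])
    return m1, m2


def configuration_ratio(instances, approved):
    """Metric M3 / M4: count(M1) / count(Input 1); None when there is nothing to assess."""
    if not instances:
        return None
    m1, _ = configuration_measures(instances, approved)
    return len(m1) / len(instances)


def enforcement_quality(detections, alerts, window_start, window_end):
    """Metric M2 / M1 within [window_start, window_end); None when no detections occurred.

    M1 = detection events in the window; M2 = those events that reached the central
    service as a correlated alert. Returning None keeps "no events" distinct from 0.0.
    """
    in_window = {d["id"] for d in detections if window_start <= d["ts"] < window_end}
    if not in_window:
        return None
    correlated = {a["detection_id"] for a in alerts if a["detection_id"] in in_window}
    return len(correlated) / len(in_window)


if __name__ == "__main__":
    compliant, non_compliant = configuration_measures(INSTANCES, APPROVED_CONFIG)
    print("M1 (compliant):", compliant)
    print("M2 (non-compliant, with deviations):", non_compliant)
    print("Configuration ratio M3/M4:", configuration_ratio(INSTANCES, APPROVED_CONFIG))
    print("Enforcement quality M2/M1:", enforcement_quality(DETECTIONS, CENTRAL_ALERTS, WINDOW_START, WINDOW_END))
```

On the constructed data, av-host-02 fails on forward_events and log-srv on retention_days, so the configuration ratio is 2/4; three of the four in-window detections are correlated centrally, so enforcement quality is 3/4. Both functions return None rather than a misleading 0 or a division error when the inventory or the window is empty, which is the case the thread flags as "checking nothing".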