Anomalous or suspicious behavior is defined.
Monitor organizational systems and system components on an ongoing basis for anomalous or suspicious behavior.
Monitoring is used to identify unusual, suspicious, or unauthorized activities or conditions related to organizational systems and system components. Such activities or conditions can include unusual internal systems communications traffic, unauthorized exporting of information, signaling to external systems, large file transfers, long-time persistent connections, attempts to access information from unexpected locations, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. The correlation of physical, time, or geolocation audit record information to the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred is indicative of anomalous behavior. [SP 800-61] provides guidance on incident handling. [SP 800-83] provides guidance for malicious code incident prevention and handling. [SP 800-92] provides guidance on computer security log management. [SP 800-94] provides guidance on intrusion detection and prevention. [SP 800-137] provides guidance on continuous monitoring of systems.