DER.1 Detection of Security-Relevant Events
Description
Introduction
To protect IT systems, security-relevant events must be detected and handled in a timely manner. To achieve this, institutions must plan, implement, and regularly practice appropriate organizational, personnel, and technical measures in advance. If a predefined and tested procedure can be drawn upon, response times can be reduced and existing processes can be optimized.
A security-relevant event is defined as an event that affects information security and can compromise confidentiality, integrity, or availability. Typical consequences of such events include stolen, manipulated, or destroyed information. The causes are varied: malware, outdated IT system infrastructures, and insider threats all play a role, among others. Attackers also frequently make use of zero-day exploits, i.e. security vulnerabilities in programs for which no patch yet exists. Another serious threat is that of so-called Advanced Persistent Threats (APTs). These are targeted cyber attacks on selected institutions and organizations in which attackers gain persistent access to a network and subsequently expand that access to further IT systems. Such attacks are characterized by a very high investment of resources and significant technical capabilities on the part of the attackers, and they are often difficult to detect.
Objective
This building block presents a systematic approach to collecting, correlating, and evaluating information so that security-relevant events can be detected as completely and promptly as possible. The insights gained from detection are intended to improve the ability of institutions to recognize security-relevant events and respond to them appropriately.
Scope and Modeling
The building block DER.1 Detection of Security-Relevant Events is to be applied once to the information network.
The building block contains fundamental requirements that must be observed and fulfilled when security-relevant events are to be detected. A prerequisite for this is comprehensive logging. The requirements necessary for this are not described in the present building block, but are contained in building block OPS.1.1.5 Logging.
Prior to detecting security-relevant events, it is important that responsibilities and competencies are clearly defined and assigned. Particular attention should be paid to the principle of separation of duties. This topic is not part of this building block, but is addressed in building block ORP.1 Organization.
Furthermore, this building block does not describe how to handle security-relevant events after they have been detected. Requirements for this are set out in building blocks DER.2.1 Security Incident Handling and DER.2.2 Precautions for IT Forensics. Likewise, the topic of data privacy is not addressed here; it is covered in building block CON.2 Privacy.
To detect security-relevant events, additional programs are often required, such as antivirus programs, firewalls, or Intrusion Detection/Intrusion Prevention Systems (IDS/IPS). Security aspects of these systems are also not the subject of the present building block. They are addressed, for example, in building blocks OPS.1.1.4 Protection Against Malicious Programs and NET.3.2 Firewall.
Threat Landscape
Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular importance for building block DER.1 Detection of Security-Relevant Events.
Disregard of Legal Regulations and Employee Co-Determination Rights
Programs that detect security-relevant events and evaluate log data often collect extensive information about the network structure and the internal operations of an institution. This can include information worthy of protection, such as personal data, confidential data, or employee workflows. The storage of such data, however, can infringe on personal rights or co-determination rights. Under certain conditions, the institution may also be in violation of applicable data protection laws.
Insufficient Qualification of Employees
In the daily IT operations of an institution, many disruptions and errors can occur — for example, incoming log data may suddenly increase sharply. If the responsible parties are not sufficiently sensitized and trained, they may fail to identify security-relevant events as such, allowing attacks to go undetected. Even when the responsible parties are sufficiently sensitized and trained in information security matters, it cannot be ruled out that they might still fail to recognize security incidents. Examples include:
- A person who has not been logged into their institution’s local network for some time considers it normal that their notebook has been noticeably slower for a week when accessing the internet. They do not notice that a malicious program is running in the background. They were not trained, or only insufficiently trained, to inform incident management about suspicious anomalies.
- A production manager does not notice that data in the production systems and the control display systems has been secretly altered. They do not become suspicious when the SCADA control system for the production facility briefly displays strange values. The incident is not reported because all values again correspond to the expected display values. The fact that malware has manipulated the display values goes unnoticed.
Faulty Administration of Detection Systems
Incorrect configurations can cause deployed detection systems to not function properly. For example, if alerting is configured incorrectly, an increased number of false alarms may occur. The responsible parties may then no longer be able to distinguish between a false alarm and a security-relevant event. They may also not notice messages quickly enough because too many alarms are being generated. As a result, attacks may go undetected. Furthermore, the effort required to evaluate the volume of messages increases significantly.
Missing Information About the Information Network to Be Protected
If no or only insufficient information about the information network to be protected is available, it may happen that essential areas of the information network are not adequately covered by detection systems. This allows attackers to easily penetrate the institution’s network and, for example, access information worthy of protection. It also enables them to remain undetected in the system for extended periods and maintain persistent access to the network.
Insufficient Use of Detection Systems
If no detection systems are deployed and the detection functions built into IT systems and applications are also not used, attackers can more easily penetrate the institution’s network undetected. They could then gain unauthorized access to sensitive information. It is particularly critical when transitions between network boundaries are only inadequately monitored.
Insufficient Personnel Resources
If there is insufficient staff to evaluate log data, security-relevant events cannot be fully detected. As a result, attacks may remain hidden for long periods or may only be discovered after a large volume of protected information has already been exfiltrated. If too few staff are available to evaluate external information sources, security vulnerabilities may also remain open for too long. These can then be exploited to gain unauthorized access to the institution’s IT systems.
Requirements
The following are the specific requirements of building block DER.1 Detection of Security-Relevant Events. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and verified in accordance with the established security concept. The ISO MUST always be involved in strategic decisions.
Additional roles are defined in the IT-Grundschutz Compendium. These should be filled insofar as this is reasonable and appropriate.
| Responsibilities | Roles |
|---|---|
| Primary responsibility | IT Operations |
| Additional responsibilities | Employees, Subject Matter Experts, Users, Supervisors |
Exactly one role should be primarily responsible. In addition, there may be additional responsibilities. If one of these additional roles is primarily responsible for fulfilling a requirement, that role is listed in square brackets after the requirement heading. The use of singular or plural does not indicate how many people should fill these roles.
Basic Requirements
The following requirements MUST be fulfilled as a priority for this building block.
DER.1.A1 Creation of a Security Policy for the Detection of Security-Relevant Events (B)
Based on the institution’s general security policy, a specific security policy for the detection of security-relevant events MUST be created. The specific security policy MUST describe in a comprehensible manner the requirements and specifications for how the detection of security-relevant events can be planned, established, and operated securely. The specific security policy MUST be known to all employees responsible for detection and MUST be fundamental to their work. If the specific security policy is changed or if deviations from requirements are made, this MUST be coordinated and documented with the responsible ISO. It MUST be regularly verified whether the specific security policy is still correctly implemented. The results of the verification MUST be documented in a meaningful manner.
DER.1.A2 Compliance with Legal Conditions When Evaluating Log Data (B)
When log data is evaluated, the provisions of current federal and state data protection laws MUST be observed. When detection systems are deployed, the personal rights and co-determination rights of employee representatives MUST be respected. It MUST also be ensured that all other relevant legal provisions are observed, such as the Telemedia Act (TMG), the Works Constitution Act, and the Telecommunications Act.
DER.1.A3 Establishment of Reporting Channels for Security-Relevant Events (B)
Appropriate reporting and alerting channels for security-relevant events MUST be established and documented. It MUST be determined which parties are to be informed when. It MUST be stated how the respective persons can be reached. Depending on urgency, a security-relevant event MUST be reported through various communication channels.
All persons relevant to reporting or alerting MUST be informed of their responsibilities. All steps in the reporting and alerting process MUST be described in detail. The established reporting and alerting channels SHOULD be regularly checked, tested, and updated if necessary.
DER.1.A4 Raising Awareness Among Employees (B) [Supervisors, Users, Employees]
All users MUST be made aware that they must not simply ignore or close event notifications from their clients. They MUST forward the messages to the responsible incident management in accordance with the alerting channels (see DER.2.1 Security Incident Handling).
All employees MUST immediately report any security incident they detect to incident management.
DER.1.A5 Use of Built-In System Functions for Detection (B) [Subject Matter Experts]
If deployed IT systems or applications have functions for detecting security-relevant events, these MUST be activated and used. If a security-relevant incident occurs, the messages from the affected IT systems MUST be evaluated. In addition, the logged events of other IT systems MUST also be reviewed. Event messages collected SHOULD also be spot-checked at regularly defined intervals.
It MUST be examined whether additional malicious code scanners should be installed on central IT systems. If additional malicious code scanners are deployed, they MUST enable their messages and logs to be evaluated via central access. It MUST be ensured that malicious code scanners automatically report security-relevant events to those responsible. Those responsible MUST evaluate and investigate the messages.
Standard Requirements
Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be fulfilled.
DER.1.A6 Continuous Monitoring and Evaluation of Log Data (S)
All log data SHOULD be actively monitored and evaluated as continuously as possible. Employees SHOULD be designated who are responsible for this.
If the responsible employees must actively search for security-relevant events, for example when checking or testing IT systems, such tasks SHOULD be documented in appropriate procedural guidelines.
Sufficient personnel resources SHOULD be made available for the detection of security-relevant events.
DER.1.A7 Training of Responsible Parties (S) [Supervisors]
All responsible parties who monitor event notifications SHOULD receive further training and qualifications. When new IT components are procured, a budget for training SHOULD be planned. Before responsible parties receive training for new IT components, a training concept SHOULD be developed.
DER.1.A8 DISCONTINUED (S)
This requirement has been discontinued.
DER.1.A9 Use of Additional Detection Systems (S) [Subject Matter Experts]
Based on the network plan, it SHOULD be determined which network segments must be protected by additional detection systems. The information network SHOULD be supplemented with additional detection systems and sensors. Malicious code detection systems SHOULD be deployed and centrally managed. The transitions between internal and external networks defined in the network plan SHOULD also be supplemented with network-based Intrusion Detection Systems (NIDS).
DER.1.A10 Use of TLS/SSL Proxies (S) [Subject Matter Experts]
At transitions to external networks, TLS/SSL proxies SHOULD be deployed that interrupt the encrypted connection and thereby allow the transmitted data to be checked for malware. All TLS/SSL proxies SHOULD be protected against unauthorized access. Security-relevant events SHOULD be automatically detected on TLS/SSL proxies. An organizational policy SHOULD be created specifying under which data privacy conditions log data may be manually evaluated.
DER.1.A11 Use of a Central Logging Infrastructure for Evaluating Security-Relevant Events (S) [Subject Matter Experts]
The event messages from IT systems and applications stored in a central logging infrastructure (see OPS.1.1.5 Logging) SHOULD be retrievable using a tool. The selected tool SHOULD be capable of evaluating the messages. The collected event messages SHOULD be regularly checked for anomalies. The signatures of detection systems SHOULD always be current and consistent so that security-relevant events can also be recognized after the fact.
DER.1.A12 Evaluation of Information from External Sources (S) [Subject Matter Experts]
To gain new insights into security-relevant events for the institution’s own information network, external sources SHOULD be consulted. Reports received through various channels SHOULD also be recognized as relevant by employees and forwarded to the appropriate party. Information from reliable sources SHOULD generally be evaluated. All information provided SHOULD then be assessed for relevance to the institution’s own information network. If the information is relevant, it SHOULD be escalated in accordance with security incident handling procedures.
DER.1.A13 Regular Audits of Detection Systems (S)
The existing detection systems and measures taken SHOULD be reviewed in regular audits to determine whether they are still current and effective. The metrics that arise, for example, when security-relevant events are recorded, reported, and escalated SHOULD be evaluated. The results of the audits SHOULD be documented in a comprehensible manner and compared against the target state. Deviations SHOULD be investigated.
Requirements for High Protection Needs
The following are exemplary proposals for requirements that go beyond the level of protection corresponding to the state of the art for this building block. The proposals SHOULD be considered when there are elevated protection needs. The specific determination is made within the framework of an individual risk analysis.
DER.1.A14 Evaluation of Log Data by Specialized Personnel (H)
Employees SHOULD be specifically tasked with monitoring all log data. Monitoring log data SHOULD be the primary task of the designated employees. The designated employees SHOULD receive specialized advanced training and qualifications. A group of persons SHOULD be designated who are exclusively responsible for the evaluation of log data.
DER.1.A15 Centralized Detection and Real-Time Verification of Event Messages (H)
Central components SHOULD be deployed to detect and evaluate security-relevant events. Centralized, automated analyses using software tools SHOULD be deployed. These centralized, automated software analyses SHOULD record all events occurring in the system environment and correlate them with one another. Security-relevant processes SHOULD be made visible. All submitted data SHOULD be viewable and evaluable without gaps in the log management system. The data SHOULD be evaluated as continuously as possible. If defined thresholds are exceeded, automatic alerting SHOULD occur. Personnel SHOULD ensure that, when an alert is triggered, a qualified response appropriate to the need is initiated without delay. In this context, the affected employees SHOULD also be immediately notified.
System administrators SHOULD regularly audit and adjust the analysis parameters if necessary. In addition, already reviewed data SHOULD be regularly and automatically re-examined for security-relevant events.
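As an added illustration of the centralized correlation and threshold alerting described in DER.1.A15 (not part of the building block): event messages from two constructed systems are normalised into one schema, correlated per user, and an alert is raised when authentication failures across at least two systems reach a threshold within a time window; rerunning `correlate` with adjusted parameters over the same stored events is the automatic re-examination of already reviewed data. The host names, the message format and the thresholds are assumptions.

```python
"""Central correlation of event messages with threshold alerting (DER.1.A15).
Added illustration; host names, message format and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed messages from two systems, as they might arrive in a central
# logging infrastructure (OPS.1.1.5). The line format is invented.
SAMPLE_LOG = """\
2024-03-01T08:00:01Z vpn-gw1 auth-fail user=mmeier src=203.0.113.7
2024-03-01T08:00:04Z vpn-gw1 auth-fail user=mmeier src=203.0.113.7
2024-03-01T08:00:09Z mail-gw1 auth-fail user=mmeier src=203.0.113.7
2024-03-01T08:00:15Z vpn-gw1 auth-fail user=mmeier src=203.0.113.7
2024-03-01T08:00:20Z vpn-gw1 auth-ok user=mmeier src=203.0.113.7
2024-03-01T08:30:00Z fileserver1 auth-fail user=jschmidt src=10.0.0.12
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (auth-fail|auth-ok) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Normalise raw lines into one schema; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, kind, user, src = m.groups()
            events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                           "host": host, "kind": kind, "user": user, "src": src})
    return events


def correlate(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once per user whose authentication failures within `window` reach
    `threshold` and come from at least two different systems. Re-running this
    over stored events with adjusted parameters is the automatic re-examination
    of already reviewed data that DER.1.A15 calls for."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        failures = [e for e in evs if e["kind"] == "auth-fail"]
        for i, cur in enumerate(failures):
            recent = [e for e in failures[: i + 1] if cur["ts"] - e["ts"] <= window]
            hosts = {e["host"] for e in recent}
            if len(recent) >= threshold and len(hosts) >= 2:
                # A successful login shortly after the failures raises the priority.
                followed = any(e["kind"] == "auth-ok"
                               and timedelta(0) <= e["ts"] - cur["ts"] <= window
                               for e in evs)
                alerts.append({"user": user, "src": cur["src"], "failures": len(recent),
                               "hosts": sorted(hosts), "success_after": followed,
                               "first_seen": recent[0]["ts"].isoformat(),
                               "last_seen": cur["ts"].isoformat()})
                break  # one alert per user per run; the response is handled by DER.2.1
    return alerts
```

With the constructed sample, the default parameters raise one alert for `mmeier` as soon as the third failure arrives from a second system, while raising the threshold to 5 and re-running over the same events raises none.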
DER.1.A16 Use of Detection Systems Based on Protection Needs Requirements (H)
Applications with elevated protection needs SHOULD be protected by additional detection measures. For this purpose, detection systems SHOULD be deployed that can technically ensure the elevated protection needs.
DER.1.A17 Automatic Response to Security-Relevant Events (H)
In the event of a security-relevant event, the deployed detection systems SHOULD automatically report the event and respond with appropriate protective measures. Procedures SHOULD be used that automatically detect possible attacks, abuse attempts, or security violations. It SHOULD be possible to automatically intervene in the data stream to prevent a possible security incident.
DER.1.A18 Conducting Regular Integrity Checks (H)
All detection systems SHOULD be regularly checked to verify they are still intact. User permissions SHOULD also be checked. In addition, sensors SHOULD perform integrity checks on files. If changing values are detected, an automatic alert SHOULD be triggered.
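An added illustration of the file integrity check with automatic alerting in DER.1.A18 (not part of the building block): a baseline of SHA-256 digests and permission bits is recorded and later compared against the current state, and every modified, missing or unexpected value becomes an alert. The directory layout and file names are constructed.

```python
"""Integrity check of files by a sensor with alerting on changed values (DER.1.A18).
Added illustration; the directory layout and file names are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path


def build_baseline(root):
    """Record SHA-256 digest and permission bits of every regular file under root."""
    baseline = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            baseline[rel] = (hashlib.sha256(path.read_bytes()).hexdigest(),
                             oct(path.stat().st_mode & 0o777))
    return baseline


def check_integrity(root, baseline):
    """Compare the current state with the baseline; one alert per deviation.
    The baseline itself must be stored where the monitored systems cannot alter it."""
    current = build_baseline(root)
    alerts = []
    for rel, (digest, mode) in baseline.items():
        if rel not in current:
            alerts.append({"file": rel, "kind": "missing"})
            continue
        cur_digest, cur_mode = current[rel]
        if cur_digest != digest:
            alerts.append({"file": rel, "kind": "modified"})
        if cur_mode != mode:
            alerts.append({"file": rel, "kind": "permissions", "was": mode, "now": cur_mode})
    for rel in sorted(set(current) - set(baseline)):
        alerts.append({"file": rel, "kind": "added"})  # file not in the baseline
    return sorted(alerts, key=lambda a: (a["file"], a["kind"]))


def demo():
    """Constructed scenario: take a baseline of a small tree, then alter it in
    four ways and return the alerts the sensor would raise."""
    with tempfile.TemporaryDirectory() as root:
        etc = Path(root, "etc")
        etc.mkdir()
        (etc / "sensor.conf").write_text("threshold=3\n")
        (etc / "allowlist.txt").write_text("10.0.0.0/8\n")
        (etc / "rules.sig").write_text("signature-set 2024-03\n")
        os.chmod(etc / "allowlist.txt", 0o640)
        baseline = build_baseline(root)
        # Deviations: content changed, permissions loosened, file removed, file added.
        (etc / "sensor.conf").write_text("threshold=9999\n")
        os.chmod(etc / "allowlist.txt", 0o666)
        (etc / "rules.sig").unlink()
        Path(root, "bin").mkdir()
        Path(root, "bin", "unknown").write_text("not in baseline\n")
        return check_integrity(root, baseline)
```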
Additional Information
Good to Know
The Federal Office for Information Security (BSI) regulates the logging and detection of security-relevant events (SRE) in its minimum standard “BSI Minimum Standard for Logging and Detection of Cyber Attacks”. The minimum standards are to be implemented by the authorities of the federal administration named in Section 8(1) sentence 1 of the BSIG.
The BSI has published the supplementary document “BSI Guide to the Introduction of Intrusion Detection Systems, Version 1.0” on the subject of intrusion detection.
The Information Security Forum (ISF) sets out requirements for the use of Intrusion Detection Systems in Chapter TS1.5 Intrusion Detection of its standard “The Standard of Good Practice for Information Security”.