Issue/Question
What is the USD security policy on Network Monitoring and Defense?
Environment
Cause
Protect against cybersecurity threats, establish cybersecurity norms, enhance cybersecurity maturity
Resolution
Network Monitoring and Defense
Policy Statement: The University recognizes the critical importance of proactive network monitoring and defense mechanisms to detect, prevent, and respond to cybersecurity threats. This policy outlines guidelines for implementing network monitoring and defense measures to safeguard University information assets and maintain the integrity and availability of its network infrastructure.
Policy Implementation:
Continuous Network Monitoring:
- The University will deploy continuous network monitoring tools and technologies to monitor network traffic, detect anomalies, and identify potential security incidents in real-time.
- Monitoring solutions will encompass both internal and external network traffic, including ingress and egress points, to detect unauthorized access, malware infections, and other malicious activities.
- Network monitoring will be performed using SIEM, XDR, and NDR products.
Access Control for Remote Assets:
- The University will manage access control for assets remotely connecting to enterprise resources.
- Authorized and secure methods of remote access will be offered via an allow list to users who have a business need for such access.
- Only University owned equipment, or equipment secured with University security controls, can be used to remotely access on-prem resources.
- Access to enterprise resources will require: up-to-date anti-malware EDR software installed, active DNS security, up-to-date operating systems and applications, non-anomalous MFA and IAM telemetry, and configuration compliance with the enterprise's secure configuration process.
Intrusion Detection and Prevention Systems (IDPS):
- Intrusion detection and prevention systems (IDPS) will be deployed at strategic points within the network infrastructure to monitor and analyze network traffic for signs of suspicious behavior and known attack patterns.
- IDPS sensors will be configured to generate alerts and trigger automated responses to block or mitigate detected threats, such as blocking malicious IP addresses or terminating suspicious connections.
- Both network-based and host-based IDS will be employed.
Network Traffic Analysis and Defense:
- Network traffic analysis tools will be used to inspect and analyze network packets, protocols, and flows for signs of abnormal behavior, unauthorized access attempts, and data exfiltration.
- Deep packet inspection (DPI) techniques will be employed to identify and block malicious payloads, command-and-control communications, and other indicators of compromise.
- Traffic filtering between network segments will be employed.
- Secure access control will be enforced at the port level.
- Application layer filtering will occur with a WAF product.
Security Information and Event Management (SIEM):
- A Security Information and Event Management (SIEM) system will be implemented to aggregate, correlate, and analyze security events and logs from various network devices and security controls.
- SIEM solutions will provide centralized visibility into network security events, facilitate incident detection and response, and support forensic investigations and compliance reporting.
Incident Response and Mitigation:
- The University will establish incident response procedures and protocols to facilitate a coordinated response to network security incidents, including unauthorized access, data breaches, and denial-of-service (DoS) attacks.
- Incident response teams will be trained, equipped, and empowered to contain and mitigate security incidents promptly, minimize the impact on University operations, and restore normal network functionality.
- Security alerting will be reviewed and reported on monthly.
Compliance and Enforcement: All members of the University community are responsible for adhering to this policy and actively participating in network monitoring and defense activities.
Policy Review: This policy will be reviewed annually to ensure alignment with emerging threats, changes in technology, and regulatory requirements. Updates will be made as necessary to maintain the effectiveness and relevance of network monitoring and defense measures.
This policy provides a comprehensive framework for implementing CIS Control 13 within the University environment. It provides guidelines for implementing network monitoring and defense mechanisms within the University environment, focusing on proactive threat detection, incident response, and mitigation to protect University information assets and ensure the integrity and availability of its network infrastructure.
Please contact the Service Desk if you need further assistance.