Industrial Internet Security Framework v 1.0 | Page 100

Security Framework 10: Security Monitoring and Analysis

Figure 10-3: Security Monitoring Data Analysis Variants

10.3 CAPTURING AND STORING DATA FOR ANALYSIS

10.3.1 LOGGING AND EVENT MONITORING

All security monitoring designs must consider the risk that a successful intruder can erase all evidence of their activities. Transmitting the most important security monitoring data to external monitoring systems in a secure and timely manner mitigates this risk. Endpoints must log data based on both local endpoint events and communications events. Logging to a network log system can also mitigate attempts by intruders to interfere with the integrity of log data.

Security monitoring gathers security-related event data, then aggregates, correlates and analyzes it. It should be able to monitor and control the various endpoints and communications in a generic and consistent way. Common APIs help.

There is a distinction between operational monitoring and security monitoring. Operational monitoring concerns itself with such events as ensuring that the cooling tank water level remains at a certain height, the temperature of a sensor doesn’t exceed a certain threshold, and the velocity of a conveyor belt remains constant. Security monitoring concerns itself with such events as detecting a successful login from an unexpected endpoint, followed by a blocked connection attempt or an application whitelisting violation, that together indicate a potential attack in progress.

10.3.2 CAPTURING AND MONITORING SECURITY DATA

Monitoring data can come from many sources, in particular endpoints and the network. This data should be communicated securely to monitoring and analytics systems. Greenfield endpoints should be able to report a variety of parameters and should support configuration of which parameters are reported and at which frequency. This configuration and reporting should be done securely.
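The correlation described in 10.3.1 (a successful login from an unexpected endpoint, followed by a blocked connection attempt or an application whitelisting violation) can be written as a small detection routine that runs at the external monitoring system over events collected from both endpoint and network logs. The following is an added example and not code from the Industrial Internet Security Framework or the Industrial Internet Consortium; the log line format, the event names (LOGIN_OK, CONN_BLOCKED, APPWL_VIOLATION), the addresses, the known-endpoint list and the five-minute window are all assumptions made for illustration.

```python
"""Correlate endpoint and network log events into a potential-attack alert.

Added example, not part of the Industrial Internet Security Framework.
Log format, event names, addresses and the time window are assumptions.
"""
from datetime import datetime, timedelta

# Constructed sample log lines, in the assumed form:
#   <ISO-8601 time> <reporting source> <event name> key=value ...
# plc-07 and hmi-02 are endpoint logs; fw-01 is a network (firewall) log.
SAMPLE_LOGS = """\
2024-05-01T10:00:02Z plc-07 LOGIN_OK user=operator src=10.0.5.21
2024-05-01T10:00:40Z plc-07 LOGIN_OK user=admin src=192.168.77.9
2024-05-01T10:01:05Z fw-01 CONN_BLOCKED src=192.168.77.9 dst=10.0.5.30 port=502
2024-05-01T10:01:30Z plc-07 APPWL_VIOLATION user=admin exe=/tmp/upd.bin
2024-05-01T10:20:00Z hmi-02 LOGIN_OK user=operator src=10.0.5.22
""".splitlines()

# Assumed allow-list of endpoints that are expected to open sessions.
KNOWN_ENDPOINTS = {"10.0.5.21", "10.0.5.22"}
# Follow-on events must occur within this window to count (assumption).
WINDOW = timedelta(minutes=5)


def parse(line):
    """Turn one log line into a dict with a timezone-aware timestamp."""
    ts, source, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "source": source,
        "event": event,
        **fields,
    }


def is_followup(login, event):
    """A blocked connection from the same address (network log), or an
    application whitelisting violation by the same user on the same
    endpoint (endpoint log), corroborates the suspicious login."""
    if event["event"] == "CONN_BLOCKED":
        return event.get("src") == login.get("src")
    if event["event"] == "APPWL_VIOLATION":
        return (event["source"] == login["source"]
                and event.get("user") == login.get("user"))
    return False


def correlate(lines, known=KNOWN_ENDPOINTS, window=WINDOW):
    """Return one alert per login from an unexpected endpoint that is
    followed, within `window`, by at least one corroborating event.
    A lone unexpected login with no follow-on event produces no alert."""
    events = sorted((parse(ln) for ln in lines), key=lambda e: e["ts"])
    alerts = []
    for i, login in enumerate(events):
        if login["event"] != "LOGIN_OK" or login.get("src") in known:
            continue
        followups = [
            e for e in events[i + 1:]
            if e["ts"] - login["ts"] <= window and is_followup(login, e)
        ]
        if followups:
            alerts.append({
                "endpoint": login["source"],
                "user": login.get("user"),
                "src": login["src"],
                "first_seen": login["ts"],
                "followups": [(e["source"], e["event"]) for e in followups],
            })
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS):
        print("potential attack in progress:", alert)
```

On the constructed input this yields a single alert for plc-07, corroborated by one network event (fw-01) and one endpoint event (plc-07). Because the firewall's record is held by the external monitoring system rather than on the endpoint, an intruder who later erases the endpoint's own log cannot remove the evidence that the correlation depends on, which is the point the section makes about timely transmission to external systems.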
Performance is also important, so the amount of data reported needs to be the minimum needed and may be increased during an incident. Some data may be stored on the endpoint, or transmitted to a