Organization must describe the baseline of normal behaviour for the use of network and data systems, which is used as a starting point for identifying anomalies.
When defining the baseline, the following must be taken into account:
Monitoring systems must be configured against the baseline to identify anomalous behavior such as:
Anomalies must be reported to the relevant parties in order to develop the following activities:
Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.
The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.
Inclusion of the following sources in the monitoring system should be considered:
Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.