CMMC Practice SI.5.223

Monitor individuals and system components on an ongoing basis for anomalous or suspicious behavior.


CMMC Version 1.02, pg. 294

Bold Coast Security Guidance

User and Entity Behavior Analytics (UEBA) requires building a baseline of each user's normal behavior using machine learning, analytics, and AI. These tools are now available to companies to monitor user logins, their usual "geography" (the hosts and locations they connect from), and the activities they typically perform during their day. Any deviation from that baseline is quickly noted by the software and can alert the SOC for investigation. The deviation could be as simple as a user logging in at an unusual hour or from a new host or location, or more complex, such as an unusual number of database queries or the upload of a large file. Like SI.5.222, these advanced capabilities often carry a higher cost, but they are very good at detecting advanced persistent threats. Also like SI.5.222, include the requirements for a UEBA solution in your policy, and document the solution, its costs, and the person responsible for monitoring it in your plan. Finally, be sure to include the UEBA solution in any penetration testing so that its effectiveness is measured.

Discussion From Source

DRAFT NIST SP 800-171B

Monitoring is used to identify unusual or unauthorized activities or conditions related to individual users and system components, for example, unusual internal systems communications traffic; unauthorized exporting of information; signaling to external systems; large file transfers; long-time persistent connections; attempts to access information from unexpected locations; unusual protocols and ports in use; and attempted communications with suspected malicious external addresses. The correlation of physical audit record information and the audit records from systems may assist organizations in identifying examples of anomalous behavior. For example, the correlation of an individual’s identity for logical access to certain systems with the additional information that the individual was not present at the facility when the logical access occurred, is indicative of anomalous behavior. Indications of increased risk from individuals can be obtained from many sources including human resource records, intelligence agencies, law enforcement organizations, and other sources. The monitoring of specific individuals is closely coordinated with management, legal, security, privacy, and human resource officials in organizations conducting such monitoring, and in certain circumstances requires the prior authorization by a specified senior organizational official.
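The two ideas above, a per-user behavioral baseline (the Bold Coast guidance) and the correlation of physical badge records with logical logins (the NIST discussion), are shown together in the following added example. It is illustrative code written for this page, not a Bold Coast, CMMC or NIST artifact, and not a UEBA product's logic. All users, hosts, timestamps and badge events are constructed sample data; the rule that a login from an "on-site" host should coincide with a badge-in the same day is an assumption used to demonstrate the physical/logical correlation.

```python
"""Minimal UEBA-style checks over constructed sample records (added example).

Two detections are demonstrated:
  1. Deviation from a per-user baseline of usual login hours and source hosts.
  2. Physical/logical mismatch: a login from an on-site host on a day with no
     badge-in for that user (the correlation NIST SP 800-171B describes).
"""
from collections import defaultdict
from datetime import datetime

# Constructed baseline logins: (user, ISO timestamp, source host).
BASELINE_LOGINS = [
    ("alice", "2024-03-04T08:55:00", "ws-alice"),
    ("alice", "2024-03-05T09:05:00", "ws-alice"),
    ("alice", "2024-03-06T08:50:00", "ws-alice"),
    ("bob", "2024-03-04T09:30:00", "ws-bob"),
    ("bob", "2024-03-05T10:10:00", "vpn-gw"),
    ("bob", "2024-03-06T09:45:00", "ws-bob"),
]

# Assumption for the example: these hosts sit on the facility network, so a
# login from one of them implies the user should be physically present.
ONSITE_HOSTS = {"ws-alice", "ws-bob"}

# Constructed badge-reader records: (user, badge-in timestamp).
BADGE_EVENTS = [
    ("alice", "2024-03-11T08:40:00"),
    ("alice", "2024-03-12T08:45:00"),
]

# Constructed logins to evaluate against the baseline and badge data.
NEW_LOGINS = [
    ("alice", "2024-03-11T09:10:00", "ws-alice"),  # expected: normal
    ("alice", "2024-03-12T02:30:00", "vpn-gw"),    # expected: odd hour, new host
    ("bob", "2024-03-11T09:40:00", "ws-bob"),      # expected: on-site host, no badge-in
    ("carol", "2024-03-11T09:00:00", "ws-carol"),  # expected: no baseline at all
]


def _hour(ts):
    return datetime.fromisoformat(ts).hour


def _hour_distance(a, b):
    """Distance between two hours on a 24-hour clock (wraps at midnight)."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(logins):
    """Per-user profile of observed login hours and source hosts."""
    baseline = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for user, ts, host in logins:
        baseline[user]["hosts"].add(host)
        baseline[user]["hours"].add(_hour(ts))
    return dict(baseline)


def baseline_deviations(baseline, user, ts, host, hour_slack=1):
    """Reasons a login deviates from the user's baseline (empty list if none)."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    hour = _hour(ts)
    # Unusual hour: not within hour_slack of any hour seen in the baseline.
    if all(_hour_distance(hour, h) > hour_slack for h in profile["hours"]):
        reasons.append(f"unusual hour {hour:02d}:00")
    if host not in profile["hosts"]:
        reasons.append(f"new host {host}")
    return reasons


def physical_logical_mismatch(user, ts, host, badge_events, onsite_hosts):
    """Flag a login from an on-site host on a day with no badge-in for the user."""
    if host not in onsite_hosts:
        return None
    day = ts[:10]
    badged_in = any(u == user and b[:10] == day for u, b in badge_events)
    if badged_in:
        return None
    return f"login from on-site host {host} with no badge-in on {day}"


def detect(new_logins, baseline_logins, badge_events, onsite_hosts):
    """Map (user, timestamp) -> list of reasons for every login worth a SOC look."""
    baseline = build_baseline(baseline_logins)
    findings = {}
    for user, ts, host in new_logins:
        reasons = baseline_deviations(baseline, user, ts, host)
        mismatch = physical_logical_mismatch(user, ts, host, badge_events, onsite_hosts)
        if mismatch:
            reasons.append(mismatch)
        if reasons:
            findings[(user, ts)] = reasons
    return findings


if __name__ == "__main__":
    for (user, ts), reasons in detect(NEW_LOGINS, BASELINE_LOGINS, BADGE_EVENTS, ONSITE_HOSTS).items():
        print(f"{ts} {user}: " + "; ".join(reasons))
```

A real UEBA product learns the baseline statistically over weeks of data and scores many more features than hour and host; the point here is the structure: a profile per user, a deviation test per login, and a second data source (badge records) whose disagreement with the logical record is itself the signal. The "no baseline for user" case is worth keeping as its own finding, because a brand-new identity with no history is exactly what a compromised or rogue account often looks like.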