Does your organization regularly compare actual network traffic flows against established baselines to detect and investigate deviations?
Explanation
Network traffic baseline comparison is a critical security practice that helps identify unusual patterns that may indicate compromise or misuse. By establishing normal traffic patterns (baselines) and continuously monitoring for deviations, organizations can detect potential security incidents such as data exfiltration, command and control traffic, or lateral movement by attackers.
Evidence of this control could include network traffic analysis reports, screenshots of monitoring dashboards showing baseline comparisons, documented procedures for baseline establishment and deviation investigation, or alert logs showing when traffic anomalies were detected and investigated.
Implementation Example
Compare actual network flows against baselines to detect deviations
ID: DE.CM-01.274
Context
- Function
- DE: DETECT
- Category
- DE.CM: Continuous Monitoring
- Sub-Category
- Networks and network services are monitored to find potentially adverse events
Related questions
- Does your organization have a system in place to monitor DNS, BGP, and other critical network services for suspicious or malicious activities?
- Does your organization implement network monitoring controls to detect and alert on unauthorized endpoint connections to both wired and wireless networks?
- Does your organization have a process to regularly monitor facilities for unauthorized or rogue wireless networks?
- Does your organization continuously monitor network communications to detect changes in security postures as part of a zero trust architecture?
- Does your organization monitor physical access control logs for unusual patterns and failed access attempts?
- Does your organization regularly review and monitor physical access records to track visitor and personnel entry to facilities?

