Does your organization have a system in place to monitor and detect unusual or suspicious activities from cloud services, ISPs, and other third-party service providers?
Explanation
Monitoring third-party service provider activities is crucial for detecting potential security incidents, data breaches, or unauthorized access that might originate from these trusted connections. Unusual patterns in cloud service usage, unexpected traffic from ISPs, or abnormal behavior from other service providers could indicate compromise or misuse of credentials, services, or infrastructure.
Evidence of compliance could include screenshots of monitoring dashboards, logs showing alerts for unusual activities, documentation of baseline normal behavior for each service provider, incident response records related to service provider anomalies, or reports from security information and event management (SIEM) systems that specifically track third-party service activities.
Implementation Example
Monitor activity from cloud-based services, internet service providers, and other service providers for deviations from expected behavior
ID: DE.CM-06.284
Context
- Function
- DE: DETECT
- Category
- DE.CM: Continuous Monitoring
- Sub-Category
- External service provider activities and services are monitored to find potentially adverse events
Related questions
- Does your organization have a system in place to monitor DNS, BGP, and other critical network services for suspicious or malicious activities?
- Does your organization implement network monitoring controls to detect and alert on unauthorized endpoint connections to both wired and wireless networks?
- Does your organization have a process to regularly monitor facilities for unauthorized or rogue wireless networks?
- Does your organization regularly compare actual network traffic flows against established baselines to detect and investigate deviations?
- Does your organization continuously monitor network communications to detect changes in security postures as part of a zero trust architecture?
- Does your organization monitor physical access control logs for unusual patterns and failed access attempts?

