Monitoring Activities
Description
Networks, systems, and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.
⚠️ Risk Impact
Logs without active monitoring = compliance theatre. The breach discovered 9 months later was visible in logs nobody read. Active analysis is the only way logs produce security value.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Deploy a SIEM or log analytics platform. Define detection rules. Triage alerts daily. Document the review cadence and the responsible parties.
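The remediation above hinges on detection rules that are actually evaluated against the logs. The following is an added example (not EchelonGraph's code and not tied to any real incident data) showing two minimal rules run over constructed CloudTrail-shaped events: credentials of an EC2 instance role being used from a network outside the organisation's expected egress ranges, and an S3 enumeration burst by a single principal. It assumes the documentation prefix 203.0.113.0/24 stands in for the organisation's known egress ranges, and relies on the CloudTrail convention that EC2 instance-profile sessions carry the instance ID as the role session name; the account ID, instance ID and IP addresses are placeholders.

```python
"""Minimal detection pass over CloudTrail-shaped events (added example, constructed data)."""
import ipaddress
from collections import defaultdict

# Assumption: the organisation's known egress ranges. 203.0.113.0/24 is a documentation prefix
# standing in for the real list, which would normally come from network inventory.
EXPECTED_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]

# Calls that together look like bucket discovery rather than normal application traffic.
ENUMERATION_CALLS = {"ListBuckets", "GetBucketLocation", "ListObjects", "ListObjectsV2"}

# Constructed sample events in a CloudTrail-like shape. Account ID, instance ID and IPs are placeholders.
SAMPLE_EVENTS = [
    {"eventTime": "2024-01-01T10:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123def456"}},
    {"eventTime": "2024-01-01T10:05:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123def456"}},
    {"eventTime": "2024-01-01T10:05:10Z", "eventSource": "s3.amazonaws.com", "eventName": "GetBucketLocation",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123def456"}},
    {"eventTime": "2024-01-01T10:05:20Z", "eventSource": "s3.amazonaws.com", "eventName": "ListObjects",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/app-role/i-0abc123def456"}},
    {"eventTime": "2024-01-01T11:00:00Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}},
]


def session_name(identity):
    """Return the role session name for AssumedRole identities, else None."""
    if identity.get("type") != "AssumedRole":
        return None
    return identity["arn"].rsplit("/", 1)[-1]


def is_instance_role_session(identity):
    """EC2 instance profiles use the instance ID (i-...) as the role session name."""
    name = session_name(identity)
    return bool(name) and name.startswith("i-")


def outside_expected_egress(source):
    """True when the source is an IP address outside EXPECTED_EGRESS.

    CloudTrail may record an AWS service DNS name instead of an IP for
    service-to-service calls; those are out of scope for this rule.
    """
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return False
    return not any(ip in net for net in EXPECTED_EGRESS)


def detect(events, enumeration_threshold=3):
    """Run both rules over a list of events and return a list of findings."""
    findings = []
    enum_calls = defaultdict(set)  # principal ARN -> set of enumeration call names seen
    for ev in events:
        ident = ev["userIdentity"]
        if is_instance_role_session(ident) and outside_expected_egress(ev["sourceIPAddress"]):
            findings.append({"rule": "instance-role-creds-from-unexpected-network",
                             "principal": ident["arn"],
                             "sourceIPAddress": ev["sourceIPAddress"],
                             "eventName": ev["eventName"],
                             "eventTime": ev["eventTime"]})
        if ev["eventName"] in ENUMERATION_CALLS:
            enum_calls[ident["arn"]].add(ev["eventName"])
    for arn, calls in enum_calls.items():
        if len(calls) >= enumeration_threshold:
            findings.append({"rule": "s3-enumeration-burst", "principal": arn, "calls": sorted(calls)})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both rules are deliberately simple so that they can be expressed in any SIEM query language; the point is that each finding lands in a queue someone triages daily, and that the threshold and egress list are reviewed after every incident.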
💀 Real-World Attack Scenario
Capital One 2019: the SSRF + AWS metadata exploit that leaked 106M records was visible in CloudTrail for 100+ days. Discovery was only via attacker GitHub posts. Logs existed; nobody reviewed them. Total: $270M.
💰 Cost of Non-Compliance
Capital One: $270M. Avg dwell time without active review: 277 days; with active review: 23 days.
📋 Audit Questions
1. What SIEM is in use?
2. Alert triage cadence?
3. Last week's alert queue?
4. Post-incident loop to detection rule improvement?
🎯 MITRE ATT&CK Mapping
⚡ Common Pitfalls
- ⛔ SIEM deployed but no on-call rotation
- ⛔ Vendor default detection rules, which produce noise
- ⛔ No post-incident detection rule improvement
📈 Business Value
Active log review is the bridge from 'we collect logs' to 'we have security'.
⏱️ Effort Estimate
60-120 hours for SIEM deployment + detection rules
EchelonGraph correlates events across cloud + workload + identity layers
🔗 Cross-Framework References
Automate ISO 27001 A.8.16 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.