16.13: Alert on Account Login Behavior Deviation

Alert when users deviate from normal login behavior, such as time-of-day, workstation location, and duration.
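The detection logic this sub-control asks for, written out as an added example (this code is not part of the CIS Controls text and does not represent any particular monitoring product). It baselines each user from a constructed login history, then flags new logins that deviate on any of the three points named above: time of day (compared circularly, so 23:00 and 00:00 are one hour apart), workstation, and session duration. The tolerance values, the user and workstation names, and the log records are all assumptions chosen for the example; a session that is still open has no duration yet, so that check is skipped rather than guessed, and a user with no history is reported as unbaselined rather than silently passed.

```python
"""Login-behavior deviation alerting: baseline each user's logins, then flag
new logins whose time of day, workstation, or session duration deviates.
Added example for CIS sub-control 16.13; not part of the CIS Controls text."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed login history: (user, login time ISO-8601, workstation, session minutes).
# Alice works a day shift on one workstation; Bob works a night shift in the NOC.
HISTORY = [
    ("alice", "2024-03-04T08:55:00", "WS-ALICE-01", 510),
    ("alice", "2024-03-05T09:02:00", "WS-ALICE-01", 495),
    ("alice", "2024-03-06T08:47:00", "WS-ALICE-01", 520),
    ("alice", "2024-03-07T09:10:00", "WS-ALICE-01", 480),
    ("alice", "2024-03-08T08:58:00", "WS-ALICE-01", 505),
    ("bob",   "2024-03-04T22:05:00", "WS-NOC-07", 470),
    ("bob",   "2024-03-05T22:00:00", "WS-NOC-07", 490),
    ("bob",   "2024-03-06T21:58:00", "WS-NOC-08", 475),
    ("bob",   "2024-03-07T22:10:00", "WS-NOC-07", 485),
]

# Constructed new logins to evaluate. A session that is still open has duration None.
NEW_LOGINS = [
    ("alice", "2024-03-11T03:12:00", "WS-KIOSK-99", 15),    # off-hours, unknown host, short
    ("alice", "2024-03-11T08:50:00", "WS-ALICE-01", 500),   # normal
    ("bob",   "2024-03-11T23:20:00", "WS-NOC-08", None),    # normal, session still open
    ("carol", "2024-03-11T10:00:00", "WS-CAROL-01", 480),   # no history at all
]


def build_baselines(history):
    """Per-user baseline: login hours seen, workstations seen, duration mean/stdev."""
    per_user = defaultdict(list)
    for user, ts, workstation, minutes in history:
        per_user[user].append((datetime.fromisoformat(ts).hour, workstation, minutes))
    baselines = {}
    for user, events in per_user.items():
        durations = [m for _, _, m in events if m is not None]
        baselines[user] = {
            "hours": {h for h, _, _ in events},
            "workstations": {w for _, w, _ in events},
            "dur_mean": mean(durations) if durations else None,
            "dur_sd": pstdev(durations) if len(durations) > 1 else 0.0,
        }
    return baselines


def _hour_distance(a, b):
    """Circular distance between two hours of day, so 23 and 0 are 1 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def deviations(baselines, user, ts, workstation, minutes=None,
               hour_tolerance=1, duration_floor=60, sd_multiplier=3.0):
    """Return the deviation points triggered by one login (empty list = normal).
    The thresholds are assumptions for this example, not CIS-prescribed values."""
    base = baselines.get(user)
    if base is None:
        # A user with no history cannot be baselined; surface that instead of passing silently.
        return ["no_baseline"]
    found = []
    hour = datetime.fromisoformat(ts).hour
    if all(_hour_distance(hour, h) > hour_tolerance for h in base["hours"]):
        found.append("time_of_day")
    if workstation not in base["workstations"]:
        found.append("workstation_location")
    # Duration is only known at logoff; skip the check while the session is still open.
    if minutes is not None and base["dur_mean"] is not None:
        band = max(sd_multiplier * base["dur_sd"], duration_floor)
        if abs(minutes - base["dur_mean"]) > band:
            found.append("duration")
    return found


def alert_on(baselines, logins):
    """Evaluate a batch of logins; return (user, login time, deviation points) per alert."""
    alerts = []
    for user, ts, workstation, minutes in logins:
        found = deviations(baselines, user, ts, workstation, minutes)
        if found:
            alerts.append((user, ts, found))
    return alerts


if __name__ == "__main__":
    for alert in alert_on(build_baselines(HISTORY), NEW_LOGINS):
        print(*alert)
```

The baseline here is a plain set of hours and workstations plus a duration band; a production system would also age out stale history and treat a single off-hours login differently from a sustained pattern, but the three checks above are the minimum the sub-control's configuration review (Operation 3.2 below) expects a monitoring system to perform.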

Asset Type: Users

Security Function: Detect

Implementation Groups: 3

Dependencies

  • Sub-control 1.4: Maintain Detailed Asset Inventory

  • Sub-control 1.5: Maintain Asset Inventory Information

  • Sub-control 2.1: Maintain Inventory of Authorized Software

  • Sub-control 2.5: Integrate Software and Hardware Asset Inventories

Inputs

  1. The list of endpoints

  2. The list of authorized software

Operations

  1. Enumerate user behavioral monitoring software systems

  2. Enumerate endpoints

  3. For each identified behavioral monitoring system
    1. Enumerate endpoints covered by this behavioral monitoring system

    2. Examine the system’s configuration and record it as appropriately or inappropriately configured according to whether it alerts on at least the following deviation points:
      1. Time of day

      2. Workstation location

      3. Duration

  4. Enumerate all endpoints covered by at least one behavioral monitoring system

  5. Take the complement of the covered endpoints within the full list of endpoints to enumerate the endpoints not covered by any behavioral monitoring system

  6. Enumerate all appropriately configured behavioral monitoring systems (those that alert on all three deviation points)

  7. Enumerate all inappropriately configured behavioral monitoring systems (those that fail to alert on at least one deviation point)

Measures

  • M1 = List of user behavioral monitoring software systems

  • M2 = List of endpoints

  • M3 = List of endpoints covered by at least one behavioral monitoring system

  • M4 = List of endpoints not covered by any behavioral monitoring system

  • M5 = List of appropriately configured behavioral monitoring systems

  • M6 = List of inappropriately configured behavioral monitoring systems

  • M7 = Count of user behavioral monitoring software systems (count of M1)

  • M8 = Count of endpoints (count of M2)

  • M9 = Count of endpoints covered by at least one behavioral monitoring system (count of M3)

  • M10 = Count of endpoints not covered by any behavioral monitoring system (count of M4)

  • M11 = Count of appropriately configured behavioral monitoring systems (count of M5)

  • M12 = Count of inappropriately configured behavioral monitoring systems (count of M6)

Metrics

Endpoint Coverage

  Metric: The ratio of endpoints covered by at least one behavioral monitoring system to the total number of endpoints

  Calculation: M9 / M8

Behavioral Monitoring System Coverage

  Metric: The ratio of appropriately configured behavioral monitoring systems to the total number of behavioral monitoring systems

  Calculation: M11 / M7
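Operations 3 through 7 and the two metrics above, carried out on constructed inventories as an added example (not part of the CIS Controls text). The endpoint inventory, the monitoring system names, the endpoints each system covers and the deviation points each alerts on are all assumptions made for the example. Two details a practitioner will want that the page leaves implicit are included: the union of covered endpoints is intersected with the inventory, so a host the monitoring tool reports but the inventory does not know about cannot inflate M9; and, as an extra value beyond the page's two metrics, the share of endpoints covered by an appropriately configured system, since an endpoint watched only by a system missing one of the three deviation points counts toward M9 without actually meeting the sub-control.

```python
"""Measures M1..M12 and the two metrics for sub-control 16.13, computed from
constructed inventories. Added example; not part of the CIS Controls text."""

# The three deviation points a monitoring system must alert on to count as
# appropriately configured (Operation 3.2).
REQUIRED_DEVIATION_POINTS = frozenset({"time_of_day", "workstation_location", "duration"})

# Constructed inputs: the endpoint inventory (M2) and the monitoring systems (M1),
# each with the endpoints it covers and the deviation points it is configured to alert on.
ENDPOINTS = {"ws-001", "ws-002", "ws-003", "ws-004", "srv-001"}
MONITORING_SYSTEMS = {
    "ueba-prod":  {"endpoints": {"ws-001", "ws-002", "srv-001"},
                   "alerts_on": {"time_of_day", "workstation_location", "duration"}},
    "siem-rules": {"endpoints": {"ws-002", "ws-003", "lab-099"},   # lab-099 is not in inventory
                   "alerts_on": {"time_of_day"}},
}


def assess(endpoints, systems):
    """Return (measures, counts, metrics) following Operations 3-7 and the Metrics section."""
    # Operation 4: endpoints covered by at least one system. Intersecting with the
    # inventory keeps hosts unknown to the inventory (lab-099 above) out of M3.
    covered = set().union(*(s["endpoints"] for s in systems.values())) & endpoints
    # Operation 5: complement of the covered set within the inventory.
    not_covered = endpoints - covered
    # Operations 6-7: appropriately configured means alerting on all three points.
    appropriate = {name for name, s in systems.items()
                   if REQUIRED_DEVIATION_POINTS <= set(s["alerts_on"])}
    inappropriate = set(systems) - appropriate

    measures = {"M1": set(systems), "M2": set(endpoints), "M3": covered,
                "M4": not_covered, "M5": appropriate, "M6": inappropriate}
    counts = {"M7": len(systems), "M8": len(endpoints), "M9": len(covered),
              "M10": len(not_covered), "M11": len(appropriate), "M12": len(inappropriate)}
    metrics = {
        "endpoint_coverage": counts["M9"] / counts["M8"] if counts["M8"] else 0.0,
        "monitoring_system_coverage": counts["M11"] / counts["M7"] if counts["M7"] else 0.0,
    }
    # Not one of the page's metrics: endpoints covered by an appropriately configured
    # system. ws-003 is covered only by siem-rules, so it counts toward M9 but not here.
    effective = set().union(*(systems[n]["endpoints"] for n in appropriate)) & endpoints
    metrics["effective_endpoint_coverage"] = (
        len(effective) / counts["M8"] if counts["M8"] else 0.0)
    return measures, counts, metrics


if __name__ == "__main__":
    measures, counts, metrics = assess(ENDPOINTS, MONITORING_SYSTEMS)
    print("not covered (M4):", sorted(measures["M4"]))
    print("inappropriately configured (M6):", sorted(measures["M6"]))
    for name, value in metrics.items():
        print(f"{name}: {value:.2f}")
```

With the constructed inputs, endpoint coverage is 4/5 and monitoring system coverage is 1/2, while effective coverage is only 3/5; the gap between the first and third numbers is the set of endpoints an assessor would otherwise report as monitored when they are not alerting on all three deviation points.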