AuditRubric
de-cm-7 | high | Detect / Continuous Monitoring

Monitoring for unauthorized personnel, connections, devices, and software is performed

Attackers and accidental insiders introduce risk through channels that look invisible if you are only watching known assets: a rogue device plugged into a switch, an employee installing unsanctioned software, a service account connecting from an unusual location. Proactively monitoring for things that should not exist gives you detection coverage that reactive alerting alone cannot provide.

Estimated effort: 4h
Tags: unauthorized-access, rogue-devices, shadow-it, monitoring
Complete first: id-am-1, id-am-2

Implementation steps

  1. Monitor for new and unrecognized devices on the network

     Use network access control or device discovery tooling to detect when an unknown device connects to your network. Alert on any device that does not match your asset inventory, particularly on wired connections in secure areas.

     Tools: cisco-ise, aruba-clearpass, microsoft-defender, qualys

  2. Detect unauthorized software installations

     Use your endpoint management platform or EDR to alert when software is installed that is not on your approved application list. Pay special attention to remote access tools, file sharing utilities, and cryptocurrency miners.

     Tools: crowdstrike, jamf, microsoft-intune, kandji

  3. Alert on unauthorized user account or connection activity

     Monitor your identity provider for logins from accounts that should be disabled, service accounts authenticating interactively, or connections from geographic locations where you have no employees.

     Tools: okta, microsoft-entra-id, aws-guardduty, datadog

  4. Run periodic shadow IT discovery

     Quarterly, run a discovery scan to surface SaaS applications and cloud resources that are not in your approved inventory. Shadow IT is a persistent source of unmonitored access and data exposure.

     Tools: netskope, microsoft-defender-for-cloud-apps, zscaler
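As an added example that is not part of the AuditRubric page or any of the tools it names, the checks in steps 1 to 3 written as detection logic over constructed telemetry: the inventories, the event shapes and every sample record below are assumptions standing in for your NAC, endpoint and identity-provider feeds.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed reference data: asset inventory (id-am-1/2), approved apps, IdP state.
ASSET_INVENTORY = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}  # known MACs
APPROVED_SOFTWARE = {"slack", "zoom", "1password"}
DISABLED_ACCOUNTS = {"jdoe"}
SERVICE_ACCOUNTS = {"svc-backup"}
EMPLOYEE_COUNTRIES = {"US", "DE"}
@dataclass(frozen=True)
class Finding:
    step: int      # rubric implementation step the finding maps to
    subject: str   # device, host:package or account concerned
    reason: str

def evaluate(event: dict) -> Optional[Finding]:
    """Apply the rubric's checks to one constructed telemetry record."""
    kind = event["type"]
    if kind == "nac_connect":                                   # step 1
        mac = event["mac"].lower()
        if mac not in ASSET_INVENTORY:
            return Finding(1, mac, f"device not in inventory, port {event['port']}")
    elif kind == "software_install":                            # step 2
        pkg = event["package"].lower()
        if pkg not in APPROVED_SOFTWARE:
            return Finding(2, f"{event['host']}:{pkg}", "package not on approved list")
    elif kind == "idp_login":                                   # step 3
        user, country = event["user"], event["country"]
        if user in DISABLED_ACCOUNTS:
            return Finding(3, user, "login by disabled account")
        if user in SERVICE_ACCOUNTS and event["interactive"]:
            return Finding(3, user, "service account authenticated interactively")
        if country not in EMPLOYEE_COUNTRIES:
            return Finding(3, user, f"login from {country}, no employees there")
    return None

def run(events: list) -> list:
    # Every finding raised over a batch of records, in input order.
    return [f for f in map(evaluate, events) if f is not None]

# Constructed sample telemetry, one record per source the rubric names.
SAMPLE_EVENTS = [
    {"type": "nac_connect", "mac": "AA:BB:CC:00:00:01", "port": "sw1/gi0/4"},
    {"type": "nac_connect", "mac": "DE:AD:BE:EF:00:01", "port": "sw1/gi0/9"},
    {"type": "software_install", "host": "lt-042", "package": "Zoom"},
    {"type": "software_install", "host": "lt-042", "package": "Remote-Access-Tool"},
    {"type": "idp_login", "user": "asmith", "country": "DE", "interactive": True},
    {"type": "idp_login", "user": "jdoe", "country": "US", "interactive": True},
    {"type": "idp_login", "user": "svc-backup", "country": "US", "interactive": True},
    {"type": "idp_login", "user": "asmith", "country": "BR", "interactive": True},
]
```

Running `run(SAMPLE_EVENTS)` yields one finding for each of the five records that violate a reference set and none for the three that match it; in practice the reference sets are loaded from the inventory the rubric's prerequisites (id-am-1, id-am-2) produce.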

Evidence required

Rogue device detection configuration

Evidence that unknown device detection is active on your network.

  • NAC policy configuration showing unknown device alert or quarantine
  • Network discovery tool alert rule for new MAC addresses
  • MDM enrollment enforcement policy

Unauthorized software detection

Configuration or alert history showing unauthorized application installs are flagged.

  • EDR policy blocking or alerting on unapproved software
  • Jamf or Intune compliance policy for allowed applications
  • Alert history showing software installation detection

Shadow IT or unauthorized access discovery report

Output from a shadow IT discovery scan or unauthorized access review performed in the past 90 days.

  • CASB shadow IT discovery report
  • Identity provider report of disabled accounts or flagged logins
  • Cloud asset inventory comparison showing unregistered resources

Related controls