CC7.2 | High priority | Security / System Operations

Anomalies and security events are detected and monitored

Controls that are never tested and logs that are never reviewed provide no protection. This criterion requires that systems are actively monitored for anomalies, that security events are surfaced to a team that can act on them, and that monitoring covers both the infrastructure and the application layer.

Complete first: CC4.1

Implementation steps

  1. Centralize logs from all in-scope systems

    Aggregate logs from cloud infrastructure, application servers, authentication systems, and key business services into a central log management platform. At a minimum, the logs must capture: authentication events (successes and failures), privilege escalation, configuration changes, access to sensitive records, and application errors. Retain logs for at least 12 months so the full audit period is covered, and store them where the systems and administrators being monitored cannot modify or delete them.

    Tools: Datadog, AWS CloudWatch, Splunk, LogDNA, Logtail
  2. Configure alerts for security-relevant anomalies

    Define alert rules for events that require investigation: repeated failed login attempts against one account within a short window, a successful login from an unexpected country, privilege escalation, changes to security controls (for example disabling audit logging or threat detection), large data exports, and creation of new admin accounts or attachment of admin policies. Tune thresholds so the rules fire on genuine anomalies rather than routine activity; a channel that is flooded with noise is not monitored. Alerts must route to a monitored channel with a named owner and an expected response time.

    Tools: Datadog, AWS CloudWatch, PagerDuty, Opsgenie
  3. Enable cloud-native threat detection

    Enable your cloud provider's native security monitoring service. AWS GuardDuty, GCP Security Command Center, and Microsoft Defender for Cloud (formerly Azure Defender) analyze account activity and network telemetry (for AWS, CloudTrail events, VPC Flow Logs, and DNS logs) to detect threats such as compromised credentials, crypto mining, port scanning, and unusual API call patterns. These services require minimal setup and provide significant detection coverage, but they must be enabled in every account and region in scope, and their findings must be routed to the alert channel from step 2; a finding that stays inside the console is not monitored.

    Tools: AWS GuardDuty, AWS CloudTrail, GCP Security Command Center, Microsoft Defender for Cloud
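The following is an added example, not part of this page or of any vendor's product: a small set of detection rules for the step 2 alert categories, run over constructed CloudTrail-style events. The event samples, the IP-to-country table (a stand-in for a real GeoIP lookup), the allowed-country set, and the brute-force threshold are all assumptions chosen for illustration; a production deployment would express the same rules in the SIEM's query language and tune the thresholds to its own baseline.

```python
"""Detection rules for CC7.2 step 2, run over constructed CloudTrail-style events.

Rules implemented (one per alert category named in the step):
  brute_force              N failed console logins for one user inside a window
  unexpected_country       successful console login from a country not on the allowlist
  admin_grant              AdministratorAccess attached to a user or role
  security_control_change  API calls that disable or weaken logging / detection
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for a GeoIP lookup (assumption; a real pipeline would use
# the SIEM's enrichment or a GeoIP database).
GEOIP = {"203.0.113.7": "US", "198.51.100.9": "RU", "192.0.2.44": "US"}
EXPECTED_COUNTRIES = {"US", "CA"}          # assumption: where this org's staff log in from

# CloudTrail event names that weaken logging or threat detection itself.
SECURITY_CONTROL_CHANGES = {"StopLogging", "DeleteTrail", "UpdateTrail",
                            "DeleteDetector", "UpdateDetector", "DeleteFlowLogs"}
ADMIN_POLICY_ARN = "arn:aws:iam::aws:policy/AdministratorAccess"

BRUTE_FORCE_THRESHOLD = 5                   # assumption: tune to your baseline
BRUTE_FORCE_WINDOW = timedelta(minutes=10)


def parse_event(line):
    """Parse one JSON event line and attach a datetime for windowing."""
    ev = json.loads(line)
    ev["_time"] = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(lines):
    """Return a list of (rule, actor, detail) alerts for the given event lines."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["_time"])
    alerts = []
    failures = defaultdict(list)            # userName -> times of recent failed logins
    for ev in events:
        name = ev["eventName"]
        user = ev.get("userIdentity", {}).get("userName", "unknown")
        params = ev.get("requestParameters") or {}
        if name == "ConsoleLogin":
            if ev.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                window = failures[user]
                window.append(ev["_time"])
                # Slide the window: forget attempts older than BRUTE_FORCE_WINDOW.
                while window and ev["_time"] - window[0] > BRUTE_FORCE_WINDOW:
                    window.pop(0)
                # Fire once, when the count crosses the threshold, not on every extra failure.
                if len(window) == BRUTE_FORCE_THRESHOLD:
                    alerts.append(("brute_force", user, ev["sourceIPAddress"]))
            else:
                country = GEOIP.get(ev["sourceIPAddress"], "??")   # unknown IPs are unexpected too
                if country not in EXPECTED_COUNTRIES:
                    alerts.append(("unexpected_country", user, country))
        elif name in ("AttachUserPolicy", "AttachRolePolicy") and params.get("policyArn") == ADMIN_POLICY_ARN:
            alerts.append(("admin_grant", user, params.get("userName") or params.get("roleName")))
        elif name in SECURITY_CONTROL_CHANGES:
            alerts.append(("security_control_change", user, name))
    return alerts


def _ev(t, name, user, ip="203.0.113.7", **extra):
    """Build one constructed CloudTrail-shaped event line (test data, not real logs)."""
    return json.dumps({"eventTime": t, "eventName": name, "sourceIPAddress": ip,
                       "userIdentity": {"userName": user}, **extra})


# Constructed sample: a password spray against alice from an unexpected country that
# eventually succeeds, then bob creates a service user, makes it admin, and stops the trail.
SAMPLE_EVENTS = [
    *[_ev(f"2024-03-01T12:0{i}:00Z", "ConsoleLogin", "alice", "198.51.100.9",
          responseElements={"ConsoleLogin": "Failure"}) for i in range(5)],
    _ev("2024-03-01T12:05:00Z", "ConsoleLogin", "alice", "198.51.100.9",
        responseElements={"ConsoleLogin": "Success"}),
    _ev("2024-03-01T12:06:00Z", "ConsoleLogin", "bob", responseElements={"ConsoleLogin": "Success"}),
    _ev("2024-03-01T12:07:00Z", "CreateUser", "bob", requestParameters={"userName": "svc-backup"}),
    _ev("2024-03-01T12:08:00Z", "AttachUserPolicy", "bob",
        requestParameters={"userName": "svc-backup", "policyArn": ADMIN_POLICY_ARN}),
    _ev("2024-03-01T12:09:00Z", "StopLogging", "bob", requestParameters={"name": "org-trail"}),
]

if __name__ == "__main__":
    for rule, actor, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} actor={actor:8} detail={detail}")
```

Running the block prints four alerts: the brute-force rule fires on alice's fifth failure, the successful login that follows fires the unexpected-country rule, the AdministratorAccess attachment fires admin_grant, and StopLogging fires security_control_change. The CreateUser call on its own produces nothing; the admin_grant rule is what turns "new account" into "new admin account", which is the event the step asks you to alert on. The sliding window and the fire-once-on-crossing check are the two details that keep the brute-force rule from paging the on-call once per failed attempt.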

Evidence required

Log aggregation configuration

Evidence that logs are collected from in-scope systems and retained.

  • Datadog or SIEM configuration showing log sources
  • AWS CloudTrail enabled across all accounts and regions
  • Log retention policy showing 12-month minimum

Security alerting configuration

Evidence of active monitoring with alerts for security events.

  • Alert rules configuration for authentication anomalies
  • GuardDuty enabled with findings routed (via EventBridge) to SNS or PagerDuty
  • Sample security alert showing detection, triage, and response by the owning team

Related controls