V-259869

Discussion

Evidence of malicious code is used to identify potentially compromised information systems or information system components. Unusual/unauthorized activities or conditions related to outbound communications traffic include, for example, internal traffic that indicates the presence of malicious code within organizational information systems or propagating among system components, the unauthorized exporting of information, or signaling to external information systems. Anomalies within organizational information systems include, for example, large file transfers, long-time persistent connections, unusual protocols and ports in use, and attempted communications with suspected malicious external addresses. This function may be deployed within the cloud service environment, the meet-me point, cloud access point, or supporting Core Data Center (CDC).

Check Content

If this is a Software as a Service (SaaS), this is not applicable.

Inspect the firewall and/or or intrusion detection and prevention system (IDPS) access control lists (ACLs) and filtering rules that filter traffic on any outbound interface from the IaaS and systems. 

Verify these rules are configured for continuous monitoring. 

Verify the ACLs and security rules include rules and ACLs that detect and filter unusual or unauthorized activities or conditions such as large file transfers, persistent connections, unusual protocols and ports in use, communication with unauthorized entities, or other unusually high traffic from particular segments or devices.

If the IaaS/PaaS does not continuously monitor outbound communications to other enclaves and systems for unusual or unauthorized activities or conditions, this is a finding.