
A Guide to Simplifying Compliance with NIST SP 800-53 and 800-82
Table of Contents

Introduction to NIST Special Publication 800-53 and 800-82
AC - Access Control Family
AU - Audit and Accountability Family
CA - Security Assessment and Authorization Family
CM - Configuration Management Family
CP - Contingency Planning Family
IA - Identification and Authentication Family
IR - Incident Response Family
PL - Planning Family
RA - Risk Assessment Family
SC - System and Communications Protection Family
SI - System and Information Integrity Family
Introduction to NIST Special Publication 800-53
and 800-82

NIST Special Publication (SP) 800-53r4 provides a catalog of security controls for federal information systems and organizations and a process for selecting controls to protect operations and organizations. Organizations that are subject to the Federal Information Security Management Act are required to use the security controls but are expected to select only those controls which are appropriate for their risk environment.

Many of the security controls presented in NIST SP 800-53 are generic IT system controls and do not apply to ICS networks. NIST SP 800-82r2 addresses this shortcoming and provides an “Overlay” designed to be used in selecting which controls to implement in an ICS environment. The ICS Overlay recommends which controls should be used in ICS networks, and also provides supplemental guidance for how to tailor the SP 800-53 security controls for an ICS network.

The tables below present the NIST SP 800-53 security controls applicable to ICS networks. Items marked with an asterisk are those selected by the SP 800-82 ICS Overlay as baseline controls for ICS networks.
Access Control Family

Control No.  Priority  Control Name
How eyeInspect Helps

AC-1*  P1  Access Control Policy and Procedures
eyeInspect (formerly SilentDefense) identifies and documents which devices are communicating with each other and which accounts are being used. This provides the ability to verify that access control policies, such as a policy forbidding the use of default credentials, are not being violated.

AC-2*  P1  Account Management
AC-2 includes 11 requirements for how an organization should manage user accounts. Those requirements include monitoring of information system accounts and reviewing accounts for compliance with account management requirements. eyeInspect logs authentication which occurs over plaintext protocols, and also generates alerts for events such as the use of default or blacklisted credentials.

AC-2 (12)*  P1  Account Management | Account Monitoring / Atypical Usage
eyeInspect includes widgets that can show account usage anomalies. For example, account logins can be graphed over time, allowing atypical time-of-day or volume of usage to be noticed easily.

AC-7*  P2  Unsuccessful Logon Attempts
Many ICS have availability requirements which do not allow the use of automatic account locking after invalid logon attempts. As a compensating control, the SP 800-82 Overlay describes logging or recording all unsuccessful login attempts. eyeInspect automatically logs login attempts that are done over cleartext protocols and enables users to analyze them in tabular and graphical formats.

AC-17 (1)*  P1  Remote Access | Automated Monitoring / Control
eyeInspect automatically monitors remote access attempts and logs all successful and unsuccessful login attempts.

AC-17 (2)*  P1  Remote Access | Protection of Confidentiality / Integrity Using Encryption
eyeInspect can be used to verify that any remote access requirements involving the use of encryption are being met for all remote access sessions.

AC-17 (3)*  P1  Remote Access | Managed Access Control Points
The eyeInspect interactive network map provides an easy visual way to ensure that all remote access to ICS devices is only through approved access points.


Audit and Accountability Family

Control No.  Priority  Control Name
How eyeInspect Helps

AU-2*  P1  Audit Events
eyeInspect supports many audit functions which are likely to be a part of an information security program. For example, password changes, failed logons, failed access attempts, and privileged account use are all items that AU-2 supplemental guidance suggests auditing and which eyeInspect can be used to monitor.

AU-3*  P1  Content of Audit Records
eyeInspect logging and alerts include all items which AU-3 says should be included in audit records, including the type of event, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of the account that caused the event.

AU-3 (1)*  P1  Content of Audit Records | Additional Audit Information
When it is appropriate, eyeInspect provides additional information which may be useful to analyze network communications and events, such as packet capture files which contain the event that is being recorded.

AU-3 (2)*  P1  Content of Audit Records | Centralized Management of Planned Audit Record Content
The eyeInspect Command Center allows for centralized management of monitoring sensors, and makes all information required for analysis of events available from a centralized location.

AU-6*  P1  Audit Review, Analysis, and Reporting
eyeInspect facilitates audit review by providing pre-configured reports which can be run at repeatable times (e.g., weekly reporting).

AU-6 (4)  P1  Audit Review, Analysis, and Reporting | Central Review and Analysis
The eyeInspect Command Center provides a centralized location where logs from multiple physical locations or monitoring sensors may be reviewed. The eyeInspect Command Center provides interfaces for centralization of the analyzed information flow.

AU-7*  P2  Audit Reduction and Report Generation
Information which eyeInspect logs and correlates and which can be used for audit purposes is available for review or analysis and after-the-fact investigations. Pre-configured reports can be produced on demand or at repeatable times (e.g., weekly reporting).

AU-7 (1)*  P2  Audit Reduction and Report Generation | Automatic Processing
eyeInspect has the capability of filtering relevant event logs based on fields of interest such as IP address or network of interest.

AU-7 (2)  P2  Audit Reduction and Report Generation | Automatic Sort and Search
eyeInspect allows for sorting and filtering of logs and events on all relevant properties and fields.

AU-8*  P1  Time Stamps
All events logged by eyeInspect include time stamps in a consistent format. eyeInspect also synchronizes its time clock with a specified authoritative time source, ensuring that time stamps for logged events are consistent with other audit sources.

AU-8 (1)*  P1  Time Stamps | Synchronization with Authoritative Time Source
All events logged by eyeInspect include time stamps in a consistent format. eyeInspect also synchronizes its time clock with a specified authoritative time source, ensuring that time stamps for logged events are consistent with other audit sources.

AU-11*  P3  Audit Record Retention
eyeInspect logs and alerts can be retained for any required retention period, at user discretion.


Security Assessment and Authorization Family

Control No.  Priority  Control Name
How eyeInspect Helps

CA-1*  P1  Security Assessment and Authorization Policies and Procedures
CA-1 requires organizations to develop a security assessment and authorization policy, along with procedures to facilitate the implementation of that policy. eyeInspect can be used to meet or support several of the requirements in the Security Assessment and Authorization family, as discussed below.

CA-2*  P2  Security Assessments
CA-2 requires the development of a security assessment plan focused on assessing whether security controls are successfully implemented and effective. eyeInspect can be used to verify the compliance of many security controls, such as validating conformance to password policy or supporting the creation and maintenance of an up-to-date asset inventory.

CA-7*  P2  Continuous Monitoring
By passively monitoring ICS networks, eyeInspect provides ongoing security monitoring in a continuous manner. eyeInspect also provides dashboards and reporting capabilities that can be used to assist organizations in making timely and effective risk management decisions. eyeInspect provides interfaces for integrating ICS continuous monitoring into the organization’s global security processes.

CA-9*  P2  Internal System Connections
eyeInspect can be used to document connections between separate information systems. It is able to passively monitor what communication patterns occur on a network and provide insights and verification to help ensure that only necessary and required communication is occurring.


Configuration Management Family

Control No.  Priority  Control Name
How eyeInspect Helps

CM-1*  P1  Configuration Management Policy and Procedures
CM-1 requires organizations to develop a configuration management policy, as well as procedures to facilitate the implementation of the policy. eyeInspect can be used to meet or support several of the requirements in the Configuration Management Family, as discussed below.

CM-2*  P1  Baseline Configuration
By passively monitoring the network, eyeInspect is capable of verifying the hardware and firmware version of devices, which can be used to help ensure that the configuration of devices on the network matches what the configuration management program says it should be.

CM-2 (2)*  P1  Baseline Configuration | Automation Support for Accuracy / Currency
By passively monitoring the configuration of devices on the network, eyeInspect is able to automatically log or alert when the configuration of devices changes. It provides automated, real-time, and constant coverage, allowing organizations to know immediately if an unapproved or undocumented configuration change has occurred.

CM-3*  P1  Configuration Change Control
By passively monitoring the configuration of devices on the network, eyeInspect is able to automatically log or alert when the configuration of devices changes. It provides automated, real-time, and constant coverage, allowing organizations to know immediately if an unapproved or undocumented configuration change has occurred.

CM-3 (1)*  P1  Configuration Change Control | Automated Document / Notification / Prohibition of Changes
By passively monitoring the configuration of devices on the network, eyeInspect is able to automatically log or alert when the configuration of devices changes. It provides automated, real-time, and constant coverage, allowing organizations to know immediately if an unapproved or undocumented configuration change has occurred.

CM-3 (5)*  P1  Configuration Change Control | Automated Security Response
By passively monitoring the configuration of devices on the network, eyeInspect is able to automatically log or alert when the configuration of devices changes. It provides automated, real-time, and constant coverage, allowing organizations to know immediately if an unapproved or undocumented configuration change has occurred.

CM-7*  P1  Least Functionality
CM-7 requires organizations to allow only necessary ports, protocols, or services. By passively monitoring the ICS network, eyeInspect provides verification that only approved communications are present and, if communication outside of the approved pattern occurs, alerts security or operational personnel of the deviation from the baseline. eyeInspect analyzes network communications down to commands and values, thereby enabling verification that only authorized devices execute critical commands using legitimate parameters.

CM-8*  P1  Information System Component Inventory
With its real-time network map and asset inventory capabilities, eyeInspect allows an organization to have an asset and communications inventory that is known to be accurate and up to date. The network map and assets database allow organizations to see both when a new device appears on the network and when devices are no longer visible on the network.

CM-8 (1)*  P1  Information System Component Inventory | Updates During Installations / Removals
Because of its automated ability to see new traffic and automatically update the network map and hosts database, eyeInspect provides an up-to-date asset inventory and communication profile as soon as a new device is introduced to a network. This ensures that the inventory is always up to date, complete, accurate, and readily available.

CM-8 (2)*  P1  Information System Component Inventory | Automated Maintenance
Because of its automated ability to see new traffic and automatically update the network map and hosts database, eyeInspect provides an up-to-date asset inventory and communication profile as soon as a new device is introduced to a network. This helps to ensure that the inventory is always up to date, complete, accurate, and readily available.

CM-8 (3)*  P1  Information System Component Inventory | Automated Unauthorized Component Detection
eyeInspect can provide automated alerts as soon as a new device is seen on a network.

CM-8 (7)  P1  Information System Component Inventory | Centralized Repository
The eyeInspect Command Center provides a centralized dashboard for viewing the asset inventory of all networks monitored by eyeInspect sensors, even if those sensors are dispersed over a large geographical area. eyeInspect also integrates with third-party asset inventory systems, allowing organizations to incorporate the knowledge gained by eyeInspect’s passive monitoring into their asset inventory system of choice. Many major asset inventory solution vendors leverage eyeInspect to provide a unified view of IT and OT assets and communications.


Contingency Planning Family

Control No.  Priority  Control Name
How eyeInspect Helps

CP-1*  P1  Contingency Planning Policies and Procedures
CP-1 requires organizations to develop a contingency planning policy, as well as procedures to facilitate the implementation of the policy. eyeInspect can be used to support the Contingency Planning requirements, as discussed below.

CP-2 (8)*  P1  Contingency Plan | Identify Critical Assets
eyeInspect assists in identifying critical assets and helping to ensure that organizations have a complete and up-to-date asset inventory with information about what functions the different assets perform.


Identification and Authentication Family

Control No.  Priority  Control Name
How eyeInspect Helps

IA-1*  P1  Identification and Authentication Policy and Procedures
IA-1 requires organizations to develop an identification and authentication policy, as well as procedures to facilitate the implementation of the policy. eyeInspect can be used to meet or support several of the Identification and Authentication requirements, as discussed below.

IA-5*  P1  Authenticator Management
Among other requirements, IA-5 requires that default passwords be changed. eyeInspect can detect the use of default passwords and provide validation that there are no default passwords used on a network.

IA-5 (1)*  P1  Authenticator Management | Password-Based Authentication
This control enhancement includes requirements for changing default authenticators for devices. eyeInspect can provide verification that these controls are in place, such as identifying the use of default passwords or whether cleartext passwords are used on the network.


Incident Response Family

Control No.  Priority  Control Name
How eyeInspect Helps

IR-1*  P1  Incident Response Policy and Procedures
IR-1 requires organizations to develop an incident response policy, as well as procedures to facilitate the implementation of the policy. eyeInspect can be used to meet or support several of the Incident Response requirements, as discussed below.

IR-4*  P1  Incident Handling
Incident handling plans should describe detection and analysis of incidents, as well as plans for containing incidents. eyeInspect is useful not just for identifying whether an incident has occurred but is also a valuable tool for analyzing incidents and determining the scope of any issues. Furthermore, by providing actionable intelligence about cyber threats and operational malfunctions at the earliest stage, eyeInspect supports organizations in helping to prevent incidents from happening or propagating.

IR-4 (1)*  P1  Incident Handling | Automated Incident Handling Processes
eyeInspect supports the automation of incident handling processes not only by automatically identifying and categorizing incidents, but also by working seamlessly with third-party systems such as SIEMs or next-generation firewalls.

IR-4 (4)*  P1  Incident Handling | Information Correlation
With its 2- or 3-tiered architecture featuring decentralized sensors and a centralized Command Center, eyeInspect allows large organizations to have visibility and correlation between incidents at different locations. Seamless integration with third-party systems such as SIEMs or next-generation firewalls also allows organization-wide correlation and unified IT/OT analysis.

IR-5*  P1  Incident Monitoring
This security control requires organizations to track and document security incidents. eyeInspect provides the ability to analyze individual incidents, as well as to assign incidents to cases, allowing the tracking and correlation of related events over time.


Planning Family

Control No.  Priority  Control Name
How eyeInspect Helps

PL-1*  P1  Security Planning Policy and Procedures
PL-1 requires organizations to develop policies and procedures around the use of security plans, as well as procedures to facilitate the implementation of the policy. eyeInspect can be used to meet or support several of the Planning Family requirements, as discussed below.

PL-7*  P0  Security Concept of Operations
eyeInspect may be used to help ensure that a security Concept of Operations (CONOPS) includes security monitoring and focuses on cyber resilience. This supports organizations in helping to ensure operational continuity, regardless of the potential source of disruption.

PL-8*  P1  Information Security Architecture
eyeInspect supports the use of an information security architecture which is integrated into and supports the enterprise architecture. Monitoring with eyeInspect provides benefits across both the security and operations teams.

PL-9  P0  Central Management
The eyeInspect 2- or 3-tiered architecture provides for centralized management of security controls. Seamless integration with third-party systems such as SIEMs and asset management solutions further supports centralized management.

Risk Assessment Family

Control No.  Priority  Control Name
How eyeInspect Helps

RA-1*  P1  Risk Assessment Policy and Procedures
RA-1 requires organizations to develop a risk assessment policy, as well as procedures to facilitate the implementation of that policy. eyeInspect can be used to meet or support several of the Risk Assessment requirements, as discussed below.

RA-5*  P0  Vulnerability Scanning
Due to the potential danger of active network scanning, NIST SP 800-82 describes using passive network monitoring as an effective alternative to vulnerability scanning on ICS networks. eyeInspect includes a regularly updated database of ICS vulnerabilities that enables users to automatically identify vulnerable devices which are on their ICS networks.

RA-5 (1)*  P1  Vulnerability Scanning | Update Tool Capability
Information about new vulnerabilities affecting ICS devices is regularly added to the eyeInspect vulnerability database.


System and Communications Protection Family

Control No.  Priority  Control Name
How eyeInspect Helps

SC-1*  P1  System and Communications Protection Policy and Procedures
SC-1 requires organizations to develop a system and communications protection policy, as well as procedures to facilitate the implementation of that policy. eyeInspect can be used to meet or support several of the system communications requirements, as discussed below.

SC-5 (3)  P1  Denial of Service Protection | Detection / Monitoring
eyeInspect provides monitoring and detection of Denial of Service (DoS) attacks. The eyeInspect Industrial Threat Library includes several behavioral threat indicators that are indicative of a DoS attack, and additional DoS protections are provided by the Portscan and Man-in-the-Middle modules of eyeInspect.

SC-7*  P1  Boundary Protection
eyeInspect can monitor communications at external boundaries as well as internal boundaries (e.g., ICS switches or routers). The ability of eyeInspect to provide visibility and monitoring of internal communications down to the ICS device level is unparalleled in the industry. This control also focuses on the use of network segmentation. eyeInspect has been used by customers to help implement network segmentation projects because of the visibility it provides into communications both within networks and across networks. The eyeInspect Network Map Threat Scenarios also provide easy visualizations of cross-network flows, which can be used to verify that all network traffic flowing between separate networks uses approved access points.

SC-7 (8)*  P1  Boundary Protection | Route Traffic to Authenticated Proxy Servers
eyeInspect may be used to verify that external traffic to a network or its devices uses an approved proxy server.

SC-7 (10)  P1  Boundary Protection | Prevent Unauthorized Exfiltration
There are multiple techniques that SP 800-53 suggests for preventing unauthorized exfiltration of data. Among the techniques that eyeInspect supports are helping to ensure strict adherence to protocol formats, monitoring for beaconing from compromised systems, monitoring file transfers, and the use of traffic pattern profiles. eyeInspect implements specific behavioral checks for techniques like DNS data exfiltration.

SC-7 (11)  P1  Boundary Protection | Restrict Incoming Communications Traffic
eyeInspect alerts on unknown network traffic that does not match whitelisted communication patterns.

SC-7 (18)*  P1  Boundary Protection | Fail Secure
The NIST SP 800-82 ICS Overlay allows for a permit-all failure state if ICS availability requirements make that appropriate. With its completely passive architecture, eyeInspect allows organizations to monitor network communications while helping to ensure the cyber resiliency of their ICS.

SC-10*  P2  Network Disconnect
The NIST SP 800-82 ICS supplemental controls allow for increased auditing when a security-focused network disconnect is not appropriate due to the nature of an ICS environment. eyeInspect’s passive network monitoring provides that extra, ICS-focused auditing of network communications.

SC-23*  P1  Session Authenticity
eyeInspect monitors for, and alerts on, man-in-the-middle attacks and the use of blacklisted SSL certificates.

SC-44  P0  Detonation Chambers
eyeInspect integrates with third-party file detonation services, such as Palo Alto Networks WildFire, to provide the capability to examine and/or execute files that are transferred across a network.


System and Information Integrity Family

Control No.  Priority  Control Name
How eyeInspect Helps

SI-1*  P1  System and Information Integrity Policy and Procedures
SI-1 requires organizations to develop a system and information integrity security policy, as well as procedures to facilitate the implementation of that policy. eyeInspect can be used to meet or support several of the system integrity requirements, as discussed below.

SI-2*  P1  Flaw Remediation
eyeInspect automatically identifies devices that have known vulnerabilities or use insecure protocols or services when they communicate on a network. By passively fingerprinting the operating system, software, and firmware version of devices, eyeInspect is also useful for verification of the patch levels of devices on the network.

SI-2 (2)*  P1  Flaw Remediation | Automated Flaw Remediation Status
eyeInspect passively and automatically identifies when devices have not been patched or have a known vulnerability. It can also automatically forward patch and vulnerability information to patch remediation management systems.

SI-3*  P1  Malicious Code Protection
eyeInspect identifies and generates alerts when malicious network behavior, such as malware propagation or exploitation, is seen on a monitored network.

SI-3 (1)*  P1  Malicious Code Protection | Central Management
The eyeInspect 2- or 3-tiered architecture provides for centralized management of sensors used to identify malicious network behavior.

SI-3 (7)  P1  Malicious Code Protection | Nonsignature-Based Detection
eyeInspect includes patented nonsignature-based detection technology targeted at identifying malicious network behavior, such as exploitation of zero-day vulnerabilities and unknown malware.

SI-3 (10)  P1  Malicious Code Protection | Malicious Code Analysis
eyeInspect supports the analysis of malicious code by automatically saving a packet capture of all network activity from the execution of malicious code over the network.

SI-4*  P1  Information System Monitoring
eyeInspect monitors for attacks and indicators of potential attacks and threats, as well as unauthorized connections. The passive network monitoring eyeInspect provides is also useful for identifying unauthorized use of or activity on an ICS. With its distributed architecture, eyeInspect supports easy deployment for organization-wide monitoring. eyeInspect has also been used for ad hoc monitoring of networks, such as in an incident response situation. The NIST SP 800-82 ICS supplemental guidance requires ensuring that system monitoring does not adversely impact the ICS. eyeInspect supports this with its completely passive architecture.

SI-4 (1)  P1  Information System Monitoring | System-Wide Intrusion Detection System
eyeInspect is a centralized, system-wide intrusion detection system.

SI-4 (2)*  P1  Information System Monitoring | Automated Tools for Real-Time Analysis
eyeInspect enables real-time analysis of network communications and provides automated alerting and information on events that cause alerts. It also integrates with third-party systems such as SIEMs or Security Automation and Orchestration systems.

SI-4 (3)  P1  Information System Monitoring | Automated Tool Integration
eyeInspect integrates with third-party security tools, such as next-generation firewalls, to provide automated responses.

SI-4 (4)*  P1  Information System Monitoring | Inbound and Outbound Communications Traffic
eyeInspect monitors network traffic, including inbound and outbound communications across networks and intra-network communication between devices on the same network.

SI-4 (5)*  P1  Information System Monitoring | System-Generated Alerts
eyeInspect automatically generates alerts applicable to both security and operations teams for over 1,000 different event types. Each alert contains comprehensive information that allows the analysis of the event, as well as an indication of possible cause and remediation.

SI-4 (7)  P1  Information System Monitoring | Automated Response to Suspicious Events
eyeInspect integrates with third-party security tools, such as next-generation firewalls, to provide automated response to suspicious events.

SI-4 (11)  P1  Information System Monitoring | Analyze Communications Traffic Anomalies
eyeInspect provides monitoring and alerting of anomalous traffic on the network. This includes not only unusual protocols or ports, but also the use of unusual function codes in OT protocols. eyeInspect leverages patented anomaly detection technology that has proven successful in the detection of known and unknown threats.

SI-4 (12)  P1  Information System Monitoring | Automated Alerts
eyeInspect provides automated alerting when security events occur.


SI-4 (13)  P1  Information System Monitoring | Analyze Traffic / Event Patterns
eyeInspect automatically generates a baseline of communications and event patterns, providing the ability to whitelist traffic based on the specific protocol function codes that are seen. When anomalous traffic outside of the whitelisted communication patterns occurs, eyeInspect will automatically generate alerts and save packet captures of the anomalous traffic.

SI-4 (16)  P1  Information System Monitoring | Correlate Monitoring Information
eyeInspect enables correlation and analysis of information originating from multiple distributed locations. Furthermore, by providing simple third-party integration, eyeInspect makes it easy to correlate monitoring information with other systems, such as a SIEM or next-generation firewall.

SI-4 (17)  P1  Information System Monitoring | Integrated Situational Awareness
eyeInspect provides visual analysis and correlation capabilities for information originating from multiple distributed locations, enabling continuous situational awareness. Furthermore, by providing simple third-party integration, eyeInspect makes it easy to correlate monitoring information with other systems, such as a SIEM.

SI-4 (18)  P1  Information System Monitoring | Analyze Traffic / Covert Exfiltration
eyeInspect monitors traffic and includes specific checks and techniques for detecting covert data exfiltration methods.



SI-4 (24)  P1  Information System Monitoring | Indicators of Compromise
eyeInspect logs and analyzes a broad cross-section of information that is commonly used for Indicators of Compromise, such as IP addresses communicating on the network or DNS queries. This allows IOCs to be used not just to identify current threats and potential incidents that may occur after the IOC is known, but also to find historical IOCs.

SI-6*  P1  Security Function Verification
eyeInspect can be used to verify the correct functioning of many security controls, including those around patching levels and network communications.

Learn more at Forescout.com


© 2020 Forescout Technologies, Inc. All rights reserved. Forescout Technologies, Inc. is a Delaware corporation. A list of our trademarks and patents can be found at https://www.forescout.com/company/legal/intellectual-property-patents-trademarks. Other brands, products, or service names may be trademarks or service marks of their respective owners. Version 08_20

Forescout Technologies, Inc., 190 W Tasman Dr., San Jose, CA 95134 USA
Toll-Free (US) 1-866-377-8771, Tel (Intl) +1-408-213-3191, Support +1-708-237-6591
