Cyber-Security-Monitoring-Guide

More documents

Recommendations

Info

Cyber Security Monitoring and Logging Guide12Carry out reconnaissance• Identify target• Look for vulnerabilitiesAttack target• Exploit vulnerabilities• Defeat remaining controlsCountermeasures• Monitoring (and logging)• Situational awareness• Collaboration• Solid architectural system design• Standard controls• Penetration testing3Achieve objective• Disruption of systems• Extraction (eg of money, IPR orconfidential data)• Manipulation (eg adding, changing ordeleting key information• Cyber security incident response• Business continuity and disasterrecovery plans• Cyber security insuranceFigure 4: Typical phases in a cyber security attackWhen dealing with a sophisticated cyber security attack, it is important to address all stages carried out by an attacker, bethey cybercriminals, extremists or state-sponsored agents. However, many organisations do little or nothing before phase 2(or even phase 3) of an attack, often because they do not have the awareness, resources or technical skills to tackle issuesduring the reconnaissance stage.!A great deal of monitoring and logging activity is not undertaken until phase 2 oreven phase 3 of an attack. Furthermore, phase 2 is often broken down into multiplesub-stages that can take place over minutes, hours or months.Key value from monitoring at this stage is to detect potential security incidents asearly as possible and before phase 3.Addressing the first phase is critically important and involves a number of preventative measures, scenario developmentand rehearsal; and the need for extensive collaboration. It is also one of the main focuses of cyber security monitoring andlogging, which is explored in the remainder of the Guide.Monitoring indicators of compromise (which can identify potential cyber securityincidents) are covered in Part 5 Cyber security monitoring process.12
Cyber Security Monitoring and Logging GuideMain cyber security monitoring and logging challengesLog files and alerts generated by IT systems often provide a vital audit trail to identify the cause of cyber securitybreaches and can also be used to proactively detect security incidents or suspicious activity that could lead to a cybersecurity incident.“You can’t just add things to current security monitoring and logging solutions, you need to bakethem into the development or implementation processes”However, respondents to the Project Survey reported that there were many cyber security monitoring and loggingchallenges facing them (most of which can be addressed using this Guide), as shown in the chart below.What level of challenge does your organisation face in being able to:Have the right tools, systems or knowledge to investigate cybersecurity incidents?Identify critical interdependencies between systems, networks andinformation flows?Define ‘normal’ system and network behaviour?Set clear goals for your cyber security monitoring andlogging capability?Work out how threats to your critical assets can best be monitored?Analyse cyber security threats and associated vulnerabilities?Identify the benefits of cyber security monitoring and logging?Deal with legal difficulties across borders?Define what your critical assets are, where they are and who isresponsible for them?Gain a good understanding of network infrastructure, includingcyber ‘touch points’?Take a risk-based approach to your cyber securitymonitoring and logging?Deploy other complimentary technical controls (eg patching andmalware protection)?2.6 2.7 2.8 2.9 3.03.1 3.2 3.3 3.4 3.5Cyber security monitoring and logging maturityThere was a big variation in the level of maturity respondents to the Project Survey believed that their organisationshave for different cyber security monitoring and logging activities.What level of maturity does your organisation have for the following cyber security monitoring andlogging activities?Very low Low Medium High Very highLogging all necessary cyber security related events 9% 12% 30% 21% 23%Collating and analysing logs 12% 18% 30% 17% 21%Using threat intelligence 14% 9% 35% 21% 15%Identifying suspected (or actual) cyber security incidents 8% 14% 32% 20% 21%Responding to cyber security incidents 6% 12% 38% 20% 21%Respondents showed greater maturity in cyber security monitoring and logging than in the identification andanalysis of unusual events – which is the focus of this project.13
Page 1: Cyber SecurityMonitoring and Loggin
Page 4 and 5: Cyber Security Monitoring and Loggi
Page 60: The quadrants in this diagram outli

Cyber-Security-Monitoring-Guide

Create successful ePaper yourself

Delete template?

Save as template?