Cyber-Security-Monitoring-Guide

More documents

Recommendations

Info

Cyber Security Monitoring and Logging GuideOne of the main ways in which good threat intelligence can add value to cybersecurity monitoring is by providing additional context to help the security analysteffectively triage and investigate events to accurately identify genuine positives andunderstand the true nature and extent of the business risk posed.Segregating threat data, news and intelligenceWorkshop participants agreed that it was important to distinguish the difference between threat data, news andintelligence, when carrying out cyber security monitoring, as shown in the table below.Threat information type Examples Related phaseThreat data• Suspect IP addressesFUSION• Known bad endpointsThreat newsThreat intelligence• General awareness (eg. knowing there is anew attack type)• Analysis of impact of above on a business• So what if it happens?ANALYSISANALYSIS“Buyer beware – that’s news, not intelligence”A good supplier can help you move beyond ‘passive detection monitoring’ to includedetermining how to obtain intelligence, rather than just news about events.Your organisation should therefore be asking itself:1. What is the intelligence being provided (and where did it come from)?2. What does it actually mean to our organisation?3. What should we do with this intelligence – how do we use it in our organisation?“Threat intelligence is only as good as the quality, relevance and completeness of the data provided”32
Cyber Security Monitoring and Logging GuideSources of cyber threat intelligenceWorkshop participants identified a range of potential sources of cyber security intelligence that can be used to supportcyber security monitoring, evaluating the likely criticality and cost of each source.The results of this analysis are presented in the table below (in descending order of criticality), together with usefulcomments, where appropriate.Ref Name of source Criticality Cost Comments1 Internal Essential Low2 CERT services Essential Low Examples include GovCertUK, USCERT, AUSCERT3 Vendors Essential Low4 Blacklists/whitelists Essential Medium Phishing5 Vulnerability feeds Essential Medium6 Business logic Essential High Internal information7 Domain/brand monitoring Essential Low8 Malware Important Low – high Sample DBs9 Free IOC Important Low10 Specialist media Important Low Social networks, blogs etc11 Outsourced honey pots Important Medium12 Social media Specialised Low - medium13 Commercial IOC Specialised Medium - high14 Government Specialised Low Feeds into certs, but also focus on public sector15 Industry groups Specialised Low Examples include PCI17 Criminal forums Specialised Medium Dark Web/TOR17 Academia Specialised Low18 Insourced honey pots Specialised HighSituational awareness can be improved by using a combination of threat intelligence,data fusion and big data analytics.33
Page 1: Cyber SecurityMonitoring and Loggin
Page 4 and 5: Cyber Security Monitoring and Loggi
Page 60: The quadrants in this diagram outli

Cyber-Security-Monitoring-Guide

Create successful ePaper yourself

Delete template?

Save as template?