Cyber-Security-Monitoring-Guide

Cyber Security Monitoring and Logging GuideLinks to cyber security incident responseThe cyber security monitoring process is closely linked to cyber security incident response. As can be seen from the simplediagram in Figure 8 below, monitoring activities can highlight events that are then identified as actual (or potential) cybersecurity events following analysis by a suitably skilled analyst.FusionAnalysisEventAlertIncidentFigure 8: Link to cyber security incident responseSecurity event reports should be produced for cyber security incidents (particularlythose with a high priority), which should cover a range of important details, such as:• Activity date and time• External endpoints affected• Activity details (symptoms of the event)• Risk (details about a possible attack)As a result of an earlier research project carried out by Jerakano, CREST has produced a Guide that provides advice andguidance on how to establish an appropriate cyber security incident response capability, enabling you to assess your stateof readiness to:1. Prepare for a cyber security incident: performing a criticality assessment; carrying out threat analysis;addressing issues related to people, process, technology and information; and getting the fundamentals inplace.2. Respond to a cyber security incident: covering identification of a cyber security incident; investigationof the situation (including triage); taking appropriate action (eg. containing the incident and eradicating it’ssource); and recovering from a cyber security incident.3. Follow up a cyber security incident: considering your need to investigate the incident more thoroughly;report the incident to relevant stakeholders; carry out a post incident review; build on lessons learned; andupdate key information, controls and processes.Copies of all the deliverables from the CREST Cyber Security Incident Response projectcan be found on the CREST website at: http://www.crest-approved.org34