07.07.2015

Cyber-Security-Monitoring-Guide

Cyber Security Monitoring and Logging Guide

Investigating cyber security events

In the early stages of investigating a cyber security incident, the precise nature of the incident may be unknown and initial analysis will be required. When investigating a cyber security event, the approach taken can be either:

• Intelligence-driven, based on information gathered from: government agencies (e.g. CPNI), monitoring of internal resources, open source information or data provided internally
• Evidence-driven, based on information gathered from corporate infrastructure or applications (typically event logs).

Investigators will often wish to:

• Examine important alerts or suspicious events in logs or technical security monitoring systems (e.g. IDS, IPS, DLP or SIEM)
• Correlate them with network data (including data from cloud service providers)
• Compare these against threat intelligence.

When carrying out an investigation, each possible trigger event should be thoroughly investigated, including:

• Date/time
• Internet protocol (IP) address (internal or external)
• Port (source or destination), domain and file (e.g. .exe, .dll)
• System (hardware vendor, operating system, applications, purpose, location).

Consequently, it is important that your cyber security monitoring and logging process enables you to provide all the information needed to carry out a fast and effective investigation.

Investigations should often be carried out by expert third party cyber security specialists. Specialised, experienced and well qualified cyber security incident response experts can help you to work out the specific actions you need to take in response to a cyber security incident in order to mitigate the risk, which may be a mixture of technical and business measures.

Without this step being in place, monitoring can cost you more money than is necessary and deliver little security value.
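As an added illustration of the trigger-event checklist above (example code, not from the guide or its authors), the Python script below parses constructed log events, reports which of the listed fields (date/time, IP, port, domain, file, system) a log source failed to supply, and correlates the events with a constructed threat-intelligence list. The key=value log format, field names, sample values and indicators are all assumptions.

```python
"""Triage of trigger events against the investigation checklist."""
import re
from datetime import datetime, timezone

# Fields the guide says every trigger event should carry (names assumed).
REQUIRED = ("timestamp", "src_ip", "dst_ip", "dst_port", "domain", "file", "system")

# Constructed sample events: a complete one and one that lacks a domain.
SAMPLE_EVENTS = [
    "2015-07-07T10:15:32Z src=10.0.0.12 dst=203.0.113.9 dport=443 "
    "domain=updates.example.net file=setup.exe host=WS-0412 os=Windows7",
    "2015-07-07T10:16:01Z src=10.0.0.12 dst=198.51.100.77 dport=8080 "
    "file=loader.dll host=WS-0412",
]

# Constructed threat intelligence: indicator -> the source that supplied it.
THREAT_INTEL = {
    "198.51.100.77": "government-advisory",
    "updates.example.net": "open-source-feed",
}

KV = re.compile(r"(\w+)=(\S+)")  # key=value tokens after the timestamp


def parse_event(line):
    """Map one key=value log line onto the checklist fields (None if absent)."""
    ts, _, rest = line.partition(" ")
    kv = dict(KV.findall(rest))
    return {
        "timestamp": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "src_ip": kv.get("src"),
        "dst_ip": kv.get("dst"),
        "dst_port": int(kv["dport"]) if "dport" in kv else None,
        "domain": kv.get("domain"),
        "file": kv.get("file"),
        "system": kv.get("host"),
    }


def triage(line, intel=THREAT_INTEL):
    """Flag missing checklist fields and correlate the event with intelligence."""
    ev = parse_event(line)
    ev["missing"] = [f for f in REQUIRED if ev.get(f) is None]
    ev["intel_hits"] = {v: intel[v] for v in (ev["dst_ip"], ev["domain"]) if v in intel}
    ev["priority"] = "investigate" if ev["intel_hits"] else "review"
    return ev


def logging_gaps(lines):
    """Checklist fields that any event in this log source failed to supply."""
    return sorted({f for line in lines for f in triage(line)["missing"]})
```

Running `logging_gaps(SAMPLE_EVENTS)` tells you which checklist fields the log source cannot answer before an incident forces the question.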
