Security Operations Monitoring and Response: From Nothing to Real-Time Response


What is security monitoring and response?

Security monitoring and response is the process of detecting, analysing and responding to potential cyber-attacks. Security teams investigate alerts, assess whether a threat is genuine, understand its scale and respond with corrective actions to contain and eradicate incidents. The aim is to reduce both the time to detect and the time to respond, which limits the impact of an attack and improves the organisation's resilience against cyber threats.

The steps from 0 to hero

There are 10 building blocks. They start with the most fundamental and build on each other until you have a monitoring and response process that can detect and respond to threats in your environment in real time.

The pyramid below groups these 10 building blocks into layers, from the base upwards:

Fundamentals:

  • Asset Inventory – Have a database of all your assets, along with their names and owners. This lets you understand your environment, and knowing who owns what speeds up incident response activities.
  • Asset Visibility – Here you aim to get the logs from all your assets into a centralised location such as a SIEM tool. Without centralised logging and monitoring, investigation and response are slower. For example, to find whether a compromised user accessed an asset or service, you would otherwise have to log into each platform and analyse its logs; with a SIEM, this part of the investigation can be completed within minutes across all assets.

Reactive

  • Detection Implementation – Implement detection rules that flag anomalous or suspicious activity within your environment.
  • Environment Knowledge – To tune and triage alerts, the analyst or team investigating must be able to tell whether an alert is genuine. Knowing the environment and how things normally work helps them judge quickly whether the activity could be malicious.
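The Fundamentals and Reactive layers above can be shown end to end in a few dozen lines: an asset inventory with owners, log lines from three differently formatted sources normalised into one store (the centralised-logging step), a single query that answers "which assets did this user reach?", and a first detection rule. This is an added example written for this page, not DigiF9's tooling; every asset name, user, IP address and log line is constructed, and the source formats and the common schema are assumptions made for the illustration.

```python
"""Asset inventory + centralised logging + a first detection rule.

Added example, not DigiF9's code. The asset names, users, IP addresses and
log lines below are constructed so the script runs offline."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory: the "who owns what" lookup used during response.
ASSET_INVENTORY = {
    "vpn-gw-01": {"owner": "network-team", "criticality": "high"},
    "fileshare-02": {"owner": "it-ops", "criticality": "medium"},
    "hr-app": {"owner": "hr-apps", "criticality": "high"},
}

# Constructed raw logs in three source formats, as they would reach a SIEM.
RAW_LOGS = [
    # VPN appliance, syslog style
    "2025-03-01T08:02:11Z vpn-gw-01 auth: user=jdoe result=FAIL src=203.0.113.7",
    "2025-03-01T08:02:19Z vpn-gw-01 auth: user=jdoe result=FAIL src=203.0.113.7",
    "2025-03-01T08:02:25Z vpn-gw-01 auth: user=jdoe result=FAIL src=203.0.113.7",
    "2025-03-01T08:02:40Z vpn-gw-01 auth: user=jdoe result=OK src=203.0.113.7",
    # Windows file server, CSV export of logon events
    "2025-03-01T08:05:02Z,fileshare-02,4624,jdoe,LOGON_SUCCESS",
    # Web application, JSON lines
    '{"ts":"2025-03-01T08:09:30Z","host":"hr-app","user":"jdoe","event":"login","ok":true}',
    '{"ts":"2025-03-01T09:15:00Z","host":"hr-app","user":"asmith","event":"login","ok":true}',
]

SYSLOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise(line):
    """Map one raw line from any of the three sources into a common schema:
    ts, host, user, outcome ("success"/"failure"), src."""
    m = SYSLOG_RE.match(line)
    if m:
        return {"ts": parse_ts(m["ts"]), "host": m["host"], "user": m["user"],
                "outcome": "success" if m["result"] == "OK" else "failure",
                "src": m["src"]}
    if line.startswith("{"):
        d = json.loads(line)
        return {"ts": parse_ts(d["ts"]), "host": d["host"], "user": d["user"],
                "outcome": "success" if d["ok"] else "failure", "src": None}
    parts = line.split(",")
    if len(parts) == 5:
        ts, host, _event_id, user, status = parts
        return {"ts": parse_ts(ts), "host": host, "user": user,
                "outcome": "success" if status == "LOGON_SUCCESS" else "failure",
                "src": None}
    raise ValueError(f"unrecognised log line: {line!r}")


def load_events(raw_logs=RAW_LOGS):
    """The asset-visibility step: every source lands in one normalised store."""
    return sorted((normalise(line) for line in raw_logs), key=lambda e: e["ts"])


def assets_accessed_by(events, user):
    """Answer the incident-response question 'which assets did this user reach?'
    in one query, with the owner from the inventory attached."""
    hosts = {e["host"] for e in events if e["user"] == user and e["outcome"] == "success"}
    return {h: ASSET_INVENTORY.get(h, {}).get("owner", "UNKNOWN") for h in sorted(hosts)}


def detect_failures_then_success(events, threshold=3, window=timedelta(minutes=5)):
    """Detection rule: at least `threshold` failed logins for a user on a host,
    followed by a success within `window`. Each alert carries the asset owner."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["host"])].append(e)
    alerts = []
    for (user, host), evs in by_key.items():
        failures = []
        for e in sorted(evs, key=lambda e: e["ts"]):
            if e["outcome"] == "failure":
                failures.append(e["ts"])
                continue
            recent = [t for t in failures if e["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "failures_then_success", "user": user, "host": host,
                               "failures": len(recent), "at": e["ts"].isoformat(),
                               "owner": ASSET_INVENTORY.get(host, {}).get("owner", "UNKNOWN")})
            failures = []  # a success resets the streak
    return alerts


if __name__ == "__main__":
    events = load_events()
    print("jdoe reached:", assets_accessed_by(events, "jdoe"))
    for alert in detect_failures_then_success(events):
        print("ALERT", alert)
```

The point of the normalisation step is that `assets_accessed_by` and the detection rule never care which platform a line came from; adding a fourth source means adding one branch to `normalise`, not a new investigation procedure. Attaching the owner from the inventory at alert time is what turns "who owns what" into something an analyst can act on without a separate lookup.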

Proactive

  • Your Threats – This is the stage where you implement threat intelligence (TI) to understand which actors and techniques threaten your sector and your organisation. TI helps you understand your adversaries and their capabilities.
  • Advanced Detection – Using the information from TI, your team can build advanced detection rules and keep improving detection capabilities in a way that is specific to your organisation: intel-led use-case development.
  • Hunting – Now that you have TI, you can use it to carry out intel-led threat hunting within your SIEM to find threats that may already be hiding in your systems. This is an advanced skill and is usually carried out by senior members of the security team.
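The three Proactive steps (TI intake, TI-driven detection, and hunting) come together in a sweep of the centralised event store for the feed's indicators. The added example below is written for this page and is not DigiF9's or any vendor's code; the indicator feed, hosts and events are constructed, the IP addresses and domains are documentation/example values, and the 64-character hash is a placeholder. It shows the two filters a practitioner wants before a hunt starts, expiry and minimum confidence, and keeps the indicator's context on each hit so the hunter knows why a match matters.

```python
"""Intel-led hunt: sweep a normalised event store for threat-intelligence indicators.

Added example, not DigiF9's code. Indicators, hosts and events are constructed;
IP addresses and domains are documentation ranges, the hash is a placeholder."""
from datetime import datetime

# Constructed TI feed entries. Expiry and confidence are what stop stale or weak
# indicators from flooding the hunt with noise.
INDICATORS = [
    {"type": "ipv4", "value": "198.51.100.23", "confidence": 90,
     "valid_until": "2025-12-31", "context": "C2 node, campaign against our sector (constructed)"},
    {"type": "domain", "value": "update-check.example", "confidence": 70,
     "valid_until": "2025-12-31", "context": "staging domain (constructed)"},
    {"type": "sha256", "value": "a" * 64, "confidence": 95,
     "valid_until": "2024-01-01", "context": "loader hash, indicator expired (constructed)"},
    {"type": "ipv4", "value": "192.0.2.55", "confidence": 30,
     "valid_until": "2025-12-31", "context": "mass scanner, low confidence (constructed)"},
]

# Constructed events already in the SIEM's common schema.
EVENTS = [
    {"ts": "2025-03-02T10:00:00Z", "host": "ws-0142", "user": "jdoe", "kind": "net_conn", "dst_ip": "198.51.100.23"},
    {"ts": "2025-03-02T10:00:05Z", "host": "ws-0142", "user": "jdoe", "kind": "dns", "query": "cdn.update-check.example"},
    {"ts": "2025-03-02T10:01:00Z", "host": "ws-0142", "user": "jdoe", "kind": "process", "sha256": "a" * 64},
    {"ts": "2025-03-02T11:00:00Z", "host": "web-01", "user": "-", "kind": "net_conn", "dst_ip": "192.0.2.55"},
    {"ts": "2025-03-02T11:30:00Z", "host": "ws-0200", "user": "asmith", "kind": "dns", "query": "intranet.corp.example"},
]

# Which event field each indicator type is compared against.
FIELD_FOR_TYPE = {"ipv4": "dst_ip", "domain": "query", "sha256": "sha256"}

# Fixed "today" for the hunt so the example is reproducible offline.
HUNT_DATE = datetime(2025, 3, 3)


def matches(indicator, event):
    observed = event.get(FIELD_FOR_TYPE[indicator["type"]])
    if observed is None:
        return False
    if indicator["type"] == "domain":
        # hit on the domain itself or any subdomain of it
        return observed == indicator["value"] or observed.endswith("." + indicator["value"])
    return observed == indicator["value"]


def active_indicators(indicators, now=HUNT_DATE, min_confidence=50):
    """Drop expired and low-confidence indicators before hunting."""
    return [i for i in indicators
            if datetime.strptime(i["valid_until"], "%Y-%m-%d") >= now
            and i["confidence"] >= min_confidence]


def hunt(events, indicators, now=HUNT_DATE, min_confidence=50):
    """One hit per (event, indicator) pair, carrying the TI context so the
    hunter sees why it matters, not just that it matched."""
    hits = []
    for ind in active_indicators(indicators, now, min_confidence):
        for e in events:
            if matches(ind, e):
                hits.append({"ts": e["ts"], "host": e["host"], "user": e["user"],
                             "indicator": ind["value"], "type": ind["type"],
                             "confidence": ind["confidence"], "context": ind["context"]})
    return sorted(hits, key=lambda h: (h["ts"], h["indicator"]))


def hosts_to_triage(hits):
    """Collapse hits to host -> highest indicator confidence, for prioritisation."""
    out = {}
    for h in hits:
        out[h["host"]] = max(out.get(h["host"], 0), h["confidence"])
    return out


if __name__ == "__main__":
    found = hunt(EVENTS, INDICATORS)
    for h in found:
        print(h)
    print("triage order:", hosts_to_triage(found))
```

With the constructed data, the expired hash and the low-confidence scanner produce no hits at the default threshold, and both remaining hits land on the same workstation, which is the one a hunter would open first. Lowering `min_confidence` brings the scanner hit back, which is the usual trade-off between coverage and analyst time.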

Real-time

  • Real-time Tracking – With the right tools, such as EDR, you can track an attack campaign or a compromised user and follow the trail as the attacker moves laterally within your organisation.
  • Response – With the skills in your team and tools that let them take action, sometimes automated, you can respond in real time: block attackers from carrying out actions, evict them from your environment and stop them from getting back in.

Proactive

  • Collaboration – Collaboration with trusted industry partners lets an organisation take part in the wider fight against cyber crime while also improving its own defences, by sharing intelligence and absorbing intelligence from partner organisations. This allows the organisation to take strategic action to protect itself before it becomes a victim of a cyber attack.

DigiF9 can provide vCISO services to review your incident response tools and processes.
