Step #8: Monitoring

This section from within the NCSC's '10 Steps To Cyber Security' concerns Monitoring.

Summary

System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.

What is the Risk?

Monitoring provides the means to assess how systems are being used and whether they are being attacked. Without the ability to monitor your systems you may not be able to:

  • Detect attacks:  Either originating from outside the organisation or attacks as a result of deliberate or accidental user activity. Attacks may be directly targeted against technical infrastructure or against the services being run. Attacks can also seek to take advantage of legitimate business services, for example by using stolen credentials to defraud payment services.
  • React to attacks: An effective response to an attack depends upon first being aware than an attack has happened or is taking place. A swift response is essential to stop the attack, and to respond and minimise the impact or damage caused.
  • Account for activity: You should have a complete understanding of how systems, services and information are being used by users. Failure to monitor systems and their use could lead to attacks going unnoticed and/or non-compliance with legal or regulatory requirements.

How Can the Risk be Managed?

Establish a monitoring strategy and supporting policies: Develop and implement a monitoring strategy based on business need and an assessment of risk. The strategy should include both technical and transactional monitoring as appropriate. The incident management plan as well as knowledge of previous security incidents should inform the approach.

Monitor all systems: Ensure that all networks, systems and services are included in the monitoring strategy. This may include the use of the use of network, host based and wireless Intrusion Detection Systems (IDS). These solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour.

Monitor network traffic: Inbound and outbound traffic traversing network boundaries should be monitored to identify unusual activity or trends that could indicate attacks. Unusual network traffic (such as connections from unexpected IP ranges overseas) or large data transfers should automatically generate security alerts with prompt investigation.

Monitor user activity: The monitoring capability should have the ability to identify the unauthorised or accidental misuse of systems or data. Critically, it should be able to tie specific users to suspicious activity. Take care to ensure that all user monitoring complies with all legal or regulatory constraints.

Fine-tune monitoring systems: Ensure that monitoring systems are tuned appropriately to only collect events and generate alerts that are relevant to your needs. Inappropriate collection of monitoring information and generation of alerts can mask the detection of real attacks as well as be costly in terms of data storage and investigatory resources required.

Establish a centralised collection and analysis capability: Develop and deploy a centralised capability that can collect and analyse information and alerts from across the organisation. Much of this should be automated due to the volume of data involved, enabling analysts to concentrate on anomalies or high priority alerts. Ensure that the solution architecture does not itself provide an opportunity for attackers to bypass normal network security and access controls.

Provide resilient and synchronised timing: Ensure that the monitoring and analysis of audit logs is supported by a centralised and synchronised timing source that is used across the entire organisation to support incident response and investigation.

Align the incident management policies: Ensure that policies and processes are in place to appropriately manage and respond to incidents detected by monitoring solutions.

Conduct a 'lessons learned' review: Ensure that processes are in place to test monitoring capabilities, learn from security incidents and improve the efficiency of the monitoring capability.

Learn More

What Next?

IS Know How Pointer:

You may also be interested to read the next phase of the 10 Steps;

Disclaimer:

The above resources and content "Contains public sector information licensed under the Open Government Licence v1.0." unless stated with the text "IS Know How Pointer:" which is where ISKH would like to input a call to action to it's visitor's and clients.

ISKH is in no way affiliated with, or working on behalf of the National Cyber Security Centre (NCSC). ISKH is quite simply reproducing their 10 Steps to Cyber Security information, to be able to put it in front of our Third Sector target audience(s) as much as possible.

Additionally, this should further support the NCSC's drive to show that Cyber Security, has a positive impact on a business or organisations Cyber / Data Security Positioning.

Any externally linked NCSC content in the ISKH website, including PDF documents or video media, is offered for information purposes only, as is.

Contact Us

Phone
02921-679-021 (Sales ONLY)
Address
Britannia House, Caerphilly Business Park, Van Road, Caerphilly, Wales, UK. CF83 3GG
Legal Reg Info
Information Security Know How Ltd. is a Limited Company, Registered in England & Wales.

Company No: 09648503
VAT No: GB 232 2137 53

ISKH Site Newsletter

Sharpen your Third Sector Data & Cyber Security Mitigation Knowledge, by Subscribing to Our 'Mitigation Bits & Bytes'. Sharing a Myriad of Sector and Security Focused News, Infrequent Updates about IS Know How's Managed Cyber Security Service(s) Offers, Surveys, Research, Discussions and more...

Third Sector Organisation Personnel?

captcha 




By selecting 'Yes, Sign Me Up!' above, You Consent that we may Collect, Store and Process your Personal Data in accordance with Our Privacy Policy, Cookies Policy & Website Terms & Conditions.
All Newsletter Emails include an Unsubscribe / Modify Subscription link, where you may Opt-Out or Amend your Preferences at any time. You can also do the same from the 'My Account' menu, if you Register for a full FREE IS Know How Account.

Proud Members Of:

IS Know How is a Proud Member of Cyber Exchange

Our CEO & Founder, Robert Stones is also a ‘Member of the Fraud Advisory Panel’ See more information about them here: About the Fraud Advisory Panel

Payments By:

Powered by Stripe Logo
Stripe Subscription Accepted Payment Cards

Subscribe to the IS Know How 'Mitigation Bits & Bytes' Newsletter.

ISKHIcon100x100Instantly begin your Third Sector Data & Cyber Security Mitigation Journey Today!ISKHIcon100x100

Sharpen your Third Sector Data & Cyber Security Mitigation Knowledge, by Subscribing to Our 'Mitigation Bits & Bytes'. Sharing a Myriad of Sector and Security Focused News, Infrequent Updates about IS Know How's Managed Cyber Security Service(s) Offers, Surveys, Research, Discussions and more...

Third Sector Organisation Personnel?

captcha 




By selecting 'Yes, Sign Me Up!' above, You Consent that we may Collect, Store and Process your Personal Data in accordance with Our Privacy Policy, Cookies Policy & Website Terms & Conditions.
All Newsletter Emails include an Unsubscribe / Modify Subscription link, where you may Opt-Out or Amend your Preferences at any time. You can also do the same from the 'My Account' menu, if you Register for a full FREE IS Know How Account.