Cyber Incident Detection

Recent news shows that the cost to businesses of cyberattacks such as data breaches is growing. Incident detection time is one factor that contributes to the ultimate cost of a breach to the affected business. The longer a system breach remains undetected, the longer an attacker has to cause damage, and the harder the event becomes to investigate. According to IBM, the average time taken to identify a breach was a full seven months in 2019.

As cyberattacks continue to grow in complexity, businesses need proactive strategies to counter them and minimise risk. The NIST Cybersecurity Framework was created to help businesses protect their critical assets, and “Detect” is the third of its five functions.

Cyber detection methods work much like physical detection methods such as smoke alarms and CO2 monitors: they alert you to impending danger. They act as an early warning system, highlighting potential and active cyber threats in your environment. The ultimate goal is to detect any cyber incident in a timely fashion and reduce its impact.

“The Detect function involves the development and implementation of appropriate activities to identify the occurrence of a cybersecurity event.” – NIST

Detect Key Considerations

There are three general areas for consideration under Detect in the NIST framework as follows:

  • Detecting Anomalies and Events – “Anomalous activity is detected in a timely manner, and the potential impact of events is understood.” This area covers the ability to recognise what counts as anomalous activity and then detect it. Establishing thresholds and alerts for system activity is critical here.
  • Continuous Security Monitoring – “The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.” This area involves monitoring the network, the physical environment, and personnel and service provider activity for any anomalous activity, including unauthorised access, actions, connections, devices and software.
  • Detection Processes – “Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.” This area includes defining appropriate roles and responsibilities to ensure accountability, testing detection processes and continuously improving them.

Practical Actions for Detection

Examples of immediate actions we recommend a business take to improve its detection capabilities include:

  • Reviewing any cloud-based systems to ensure that thresholds for activities such as spend, storage or use are configured and that these thresholds trigger an alert when exceeded. Cloud service providers offer products that allow you to monitor activity and receive alerts, for example Azure Monitor or AWS CloudWatch.
  • Reviewing systems such as Microsoft Office 365 to ensure alerts are triggered when actions such as mail forwarding rules are changed or passwords are reset. More information about the kind of activity you can monitor and how to set and manage alerts can be found here. Alert Policies can also be created to simplify this activity across a network.
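As an added example (not code from the original article or from Microsoft), the two checks named above expressed as detection logic: a scan of audit-log records for inbox-rule changes that forward mail, and a threshold alert when one actor performs more password resets than expected within a time window. The record layout (Operation, UserId as the actor, CreationTime, Parameters) is an assumed, simplified version of a unified audit log entry, and all records are constructed; confirm the field and operation names against a real export before reusing them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real tenant data), in the simplified layout
# assumed above: Operation, UserId (actor), CreationTime, optional Parameters.
RECORDS = [
    {"CreationTime": "2019-05-01T08:00:00", "Operation": "New-InboxRule",
     "UserId": "alice@example.com",
     "Parameters": [{"Name": "ForwardTo", "Value": "external@mail.example"}]},
    {"CreationTime": "2019-05-01T08:05:00", "Operation": "Set-InboxRule",
     "UserId": "bob@example.com",
     "Parameters": [{"Name": "MarkAsRead", "Value": "True"}]},
] + [
    {"CreationTime": f"2019-05-01T09:{m:02d}:00", "Operation": "Reset user password.",
     "UserId": "helpdesk@example.com", "Parameters": []}
    for m in (0, 5, 10, 15)
]

# Inbox-rule parameters that send a copy of mail outside the mailbox.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}


def forwarding_rule_alerts(records):
    """One (actor, [forwarding params]) tuple per rule change that forwards mail."""
    alerts = []
    for r in records:
        if r["Operation"] not in RULE_OPS:
            continue
        names = {p["Name"] for p in r.get("Parameters", [])}
        hit = sorted(FORWARDING_PARAMS & names)
        if hit:
            alerts.append((r["UserId"], hit))
    return alerts


def reset_threshold_alerts(records, limit=3, window=timedelta(hours=1)):
    """Actors who performed more than `limit` password resets inside any `window`."""
    by_actor = defaultdict(list)
    for r in records:
        if r["Operation"] == "Reset user password.":
            by_actor[r["UserId"]].append(datetime.fromisoformat(r["CreationTime"]))
    flagged = []
    for actor, times in by_actor.items():
        times.sort()
        # Sliding window: a (limit+1)-th reset within `window` of an earlier one.
        if any(times[i + limit] - times[i] <= window for i in range(len(times) - limit)):
            flagged.append(actor)
    return flagged
```

Running both functions over RECORDS flags Alice's forwarding rule and the helpdesk account's four resets in fifteen minutes; Bob's MarkAsRead rule is not reported.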