The organisation monitors the security status of the networks and systems supporting its essential functions in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.
This means implementing an effective monitoring strategy so that actual or attempted security breaches are discovered and that there are appropriate processes in place to respond. Any monitoring solution should evolve with the department’s business and technology changes, as well as with changes in the threat it faces.
The following requirements are placed on government departments:
Good logging practices provide the ability to understand, trace and react to system and security events. Within the NCSC’s 10 steps, Logging and monitoring will assist your organisation in defining a logging strategy. It promotes the identification of logging objectives which are tailored to the threat profile of your environment. These objectives will inform how logs are used to generate insights into your security posture and can be used to detect and respond to incidents.
Once a logging strategy has been identified, Logging for security purposes provides granular information on selecting specific log types, building log storage architecture and defining a log retention process. Within the NCSC Device Security guidance, Logging and protective monitoring contains methods for device logging on multiple Operating Systems, including mobile devices.
Your logging infrastructure should be used to detect abnormal activity on your network. Within the NCSC secure design principles, Make compromise detection easier discusses how monitoring specific data sources such as communication flows, network load, storage and compute performance can help detect specific types of attack. Designing simple communications between components will assist you in detecting when components attempt to communicate in ways which are not part of your design.
Digital services that are attractive to cyber criminals for the purposes of fraud should implement transactional monitoring techniques from the outset to detect suspicious activity.
Collected logs should be compared against indicators of compromise (IOCs) from threat intelligence sources to detect known threats. Threat intelligence can be collected from open discussion forums, trusted relationships, paid-for contracts with threat intelligence companies or even generated internally. The Digital, Data and Technology Profession’s Cyber Threat Intelligence in Government guide provides an end-to-end walkthrough of how government organisations should plan, build and manage their cyber threat intelligence capabilities. It will assist your organisation in defining a threat intelligence strategy, and also provides granular guidance on each step of the threat intelligence lifecycle.
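The two detection ideas above, matching collected logs against IOCs and flagging component communications that are not part of the design, can be illustrated with a small Python script. This is an added example, not code from the NCSC or from any of the guidance referenced on this page. The log format, the IOC feed, the role mapping and the allowed-flow table are all constructed for the example; a real deployment would feed parsed events from a SIEM or log pipeline and load IOCs from a threat intelligence feed.

```python
import re

# Constructed sample log lines in a simple key=value format (not any real product's format).
# Fields: timestamp, source IP, destination IP, destination port, HTTP host (or "-"), file hash (or "-").
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z src=10.0.1.5 dst=10.0.2.10 dport=443 host=- sha256=-",
    "2024-05-01T10:00:07Z src=10.0.1.5 dst=203.0.113.7 dport=443 host=updates.example-bad.test sha256=-",
    "2024-05-01T10:01:13Z src=10.0.2.10 dst=10.0.3.20 dport=5432 host=- sha256=-",
    "2024-05-01T10:02:45Z src=10.0.3.20 dst=198.51.100.9 dport=22 host=- sha256=-",
    "2024-05-01T10:03:02Z src=10.0.1.5 dst=10.0.2.10 dport=443 host=- sha256=" + "deadbeef" * 8,
    "this line is not in the expected format and is skipped",
]

# Constructed IOC set standing in for a threat intelligence feed (all values are placeholders).
SAMPLE_IOCS = {
    "ip": {"203.0.113.7"},
    "domain": {"example-bad.test"},
    "sha256": {"deadbeef" * 8},
}

# Constructed design model: which component role each address belongs to, and which
# (source role, destination role, port) communications the design actually intends.
ROLES = {"10.0.1.5": "web", "10.0.2.10": "app", "10.0.3.20": "db"}
ALLOWED_FLOWS = {("web", "app", 443), ("app", "db", 5432)}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"host=(?P<host>\S+) sha256=(?P<sha256>\S+)$"
)


def parse_log_line(line):
    """Parse one constructed-format line into an event dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    # Normalise so that case differences never hide a match.
    ev["host"] = None if ev["host"] == "-" else ev["host"].lower()
    ev["sha256"] = None if ev["sha256"] == "-" else ev["sha256"].lower()
    return ev


def parse_logs(lines):
    """Parse all lines, silently dropping unparseable ones (count these in production)."""
    return [ev for ev in (parse_log_line(line) for line in lines) if ev is not None]


def domain_matches(host, ioc_domains):
    """Return the matching IOC domain if host equals it or is a subdomain of it."""
    if not host:
        return None
    for d in ioc_domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def match_iocs(events, iocs):
    """Compare each event against IP, domain and hash IOCs; return (timestamp, type, indicator) alerts."""
    alerts = []
    for ev in events:
        if ev["dst"] in iocs["ip"]:
            alerts.append((ev["ts"], "ioc_ip", ev["dst"]))
        d = domain_matches(ev["host"], iocs["domain"])
        if d:
            alerts.append((ev["ts"], "ioc_domain", d))
        if ev["sha256"] and ev["sha256"] in iocs["sha256"]:
            alerts.append((ev["ts"], "ioc_hash", ev["sha256"]))
    return alerts


def check_design_flows(events, roles, allowed_flows):
    """Flag any communication that is not in the designed allow-list; unknown addresses are 'external'."""
    alerts = []
    for ev in events:
        src_role = roles.get(ev["src"], "external")
        dst_role = roles.get(ev["dst"], "external")
        if (src_role, dst_role, ev["dport"]) not in allowed_flows:
            alerts.append((ev["ts"], "undesigned_flow", f"{src_role}->{dst_role}:{ev['dport']}"))
    return alerts


if __name__ == "__main__":
    events = parse_logs(SAMPLE_LOGS)
    for alert in match_iocs(events, SAMPLE_IOCS) + check_design_flows(events, ROLES, ALLOWED_FLOWS):
        print(alert)
```

Run against the constructed logs, the IOC pass raises three alerts (a known-bad destination IP, a subdomain of a known-bad domain and a known-bad file hash) and the design-flow pass raises two (the web tier talking directly to the internet and the database tier opening an outbound SSH connection). The second check finds the outbound SSH flow even though nothing in the IOC feed knows about it, which is the point of the "simple communications" design advice: the fewer legitimate paths there are, the easier an unexpected one is to spot.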
Further guidance and information can be found on the NCSC’s CAF Guidance webpage.
OFFICIAL