Continuing our goal of providing a high-level overview of the things you should be doing to be more Cybersecure, this is part 3 of 5. You have now started to make decisions on how to protect your key assets, but in some ways you are still blind: you cannot tell whether those protections are working or whether anyone is getting past them. This is where the third function of the NIST Cybersecurity Framework, “Detect”, comes into play. You can find part 1 “Identify” here, and part 2 “Protect” here.
In this section, we will explore the three main aspects of the detect function: Monitor, Understand and Verify.
Monitor: having all the great tools in place is a great start, but if you do not monitor their status, how do you know they are working (effectively, or at all)? The simplest example is relying only on the auto-update feature on Windows or Mac. Does it work? Most of the time… If you have 50 devices, is there a chance one of them gets stuck and requires human intervention to complete? Yes! Should you rely on your end users to keep track and take the required actions? No!
- Monitor basic: All your tools should provide you with regular reports on the status of your environment (patches are applied, anti-malware is up to date and enabled, firewalls are blocking attacks, backups are completed in time and copied offsite…).
- Monitor advanced: All the information from your tools is centrally aggregated and correlated. Now you can easily “take the pulse” of your environment without having to review 10 different consoles and reports, and you can also detect larger patterns of attack. One example is someone lightly probing each of your branch offices, one by one, with different attacks to learn about your defences: each attack on its own may not trigger an alarm at that office, but all the attacks together represent a pattern that may require intervention, and only a central view can see it. Another common pattern is a privileged account being used remotely from another country and sending large amounts of data outside your organization.
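To make the “Monitor advanced” point concrete, here is an added example (not code from the original article) that runs the two correlation rules just described over a handful of constructed events: a per-site view that never fires, a central view that spots the same source touching several branches, and a rule for a privileged account connecting from abroad and moving a large volume of data out. The event fields, the list of privileged accounts, the home country and the 1 GB egress threshold are all assumptions for illustration; real firewall, VPN and proxy logs carry different fields and would be normalised first.

```python
"""Central correlation of individually sub-threshold events.

Added example, not from the original article. Event layout, privileged
account names, home country and byte threshold are assumed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Event:
    site: str                # which office/console reported it
    src_ip: str              # remote source address
    src_country: str         # geolocation of src_ip (as the VPN/firewall reports it)
    user: Optional[str]      # None for unauthenticated traffic
    action: str              # normalised action name
    bytes_out: int           # bytes leaving the organization in this event


# Actions a single console would classify as hostile (assumed names).
ATTACK_ACTIONS = {"port_scan", "sql_injection_attempt", "rdp_bruteforce",
                  "ssh_bruteforce", "web_fuzzing"}
PRIVILEGED_USERS = {"svc-backup", "admin-it"}   # assumption: your privileged accounts
HOME_COUNTRY = "CA"                              # assumption: where staff normally connect from
EXFIL_BYTES = 1_000_000_000                      # assumption: 1 GB egress is worth a look

# Constructed sample events. One source probes three branches twice each;
# a privileged service account logs in from abroad and uploads 7.5 GB.
EVENTS = [
    Event("branch-paris", "203.0.113.7", "FR", None, "port_scan", 0),
    Event("branch-paris", "203.0.113.7", "FR", None, "sql_injection_attempt", 0),
    Event("branch-lyon",  "203.0.113.7", "FR", None, "rdp_bruteforce", 0),
    Event("branch-lyon",  "203.0.113.7", "FR", None, "port_scan", 0),
    Event("branch-nice",  "203.0.113.7", "FR", None, "ssh_bruteforce", 0),
    Event("branch-nice",  "203.0.113.7", "FR", None, "web_fuzzing", 0),
    Event("hq", "198.51.100.5", "BR", "svc-backup", "vpn_login", 0),
    Event("hq", "198.51.100.5", "BR", "svc-backup", "file_transfer", 7_500_000_000),
    Event("hq", "192.0.2.10",   "CA", "admin-it",   "file_transfer", 9_000_000_000),  # home country
    Event("hq", "192.0.2.20",   "BR", "jdoe",       "file_transfer", 2_000_000_000),  # not privileged
]


def per_site_alerts(events, threshold=3):
    """What each branch console sees on its own: attack events per (site, src_ip).
    Returns the (site, src_ip) pairs that reach the per-site threshold."""
    counts = defaultdict(int)
    for e in events:
        if e.action in ATTACK_ACTIONS:
            counts[(e.site, e.src_ip)] += 1
    return sorted(k for k, n in counts.items() if n >= threshold)


def cross_site_alerts(events, min_sites=3):
    """Central view: the same source touching several sites is a pattern even
    when every site stays below its own threshold.
    Returns (src_ip, number_of_sites, total_attack_events)."""
    sites = defaultdict(set)
    total = defaultdict(int)
    for e in events:
        if e.action in ATTACK_ACTIONS:
            sites[e.src_ip].add(e.site)
            total[e.src_ip] += 1
    return sorted((ip, len(s), total[ip]) for ip, s in sites.items() if len(s) >= min_sites)


def privileged_remote_exfil(events, privileged=PRIVILEGED_USERS,
                            home_country=HOME_COUNTRY, byte_threshold=EXFIL_BYTES):
    """Privileged account, connecting from outside the home country, moving a
    large volume of data out. Sums bytes_out per (user, src_country)."""
    egress = defaultdict(int)
    for e in events:
        if e.user in privileged and e.src_country != home_country:
            egress[(e.user, e.src_country)] += e.bytes_out
    return sorted((u, c, b) for (u, c), b in egress.items() if b >= byte_threshold)


if __name__ == "__main__":
    print("per-site alerts:      ", per_site_alerts(EVENTS))
    print("cross-site alerts:    ", cross_site_alerts(EVENTS))
    print("privileged exfil:     ", privileged_remote_exfil(EVENTS))
```

Run on the sample, the per-site rule returns nothing (every branch saw only two events from that source), while the central rule reports 203.0.113.7 touching three sites with six events in total. The exfil rule flags only svc-backup: admin-it moved more data but from the home country, and jdoe connected from abroad but is not a privileged account. Tune the thresholds to your environment; the point is that the two views disagree, and only the aggregated one sees the pattern.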
Understand: As we alluded to above, Monitor gives you information; now you need to Understand what is happening to evaluate the impact and take action. The obvious case is detecting an attack and activating your Cyber Security Response Plan (more on that soon), but the reality for most organizations is more mundane. Examples are: patches falling behind because users are not rebooting, backups taking too long to complete and impacting daytime system performance, and specific users showing repeated risky behaviours (visiting risky websites, clicking on phishing emails) that prompt a requirement for additional training.
Verify: Last, but probably the most important. What is the point of doing all this if it is not effective, and how do you know it is effective if you do not verify?
- Verify basic:
- Patch reports to validate your systems are up to date and that critical patches get deployed quickly
- Anti malware reports to show it is deployed everywhere, up to date and enabled
- Backup reports to show backups are completed and copied offsite
- Test restores to show that the backups are valid (what’s the value of a good backup if you cannot restore it?)
- Phishing training and simulations for users (to help them develop their “questioning” muscle before they click on links and attachments)
- Oversight (once in a while, someone/you should look over your team’s shoulder and make sure they are reading the reports and taking action)
- Verify advanced:
- Penetration testing by an outside organization (I put this one as advanced, but everyone should do this occasionally, and you should never test your own systems: you [should] have already protected every aspect you could think of, so what is left to find is precisely what you did not think of)
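The “Verify basic” items on backups and test restores are the ones most often skipped, so here is an added example (not code from the original article) of what a test restore check can look like: a hash manifest is recorded at backup time, a restore is performed somewhere harmless, and the restored tree is compared against the manifest so that missing, corrupted and unexpected files are reported, together with a freshness check against the backup’s last successful run. The directory layout, the manifest format and the 26-hour freshness window are assumptions for illustration; the demo builds its own small source tree and a deliberately broken “restore” in temporary directories.

```python
"""Verify a test restore against a manifest taken at backup time.

Added example, not from the original article. Manifest format, paths and the
freshness window are assumed for illustration.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root.
    In practice this is produced at backup time and stored with the offsite copy."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree to the manifest.
    Returns a dict with sorted lists of missing, corrupted and unexpected files;
    all three empty means the test restore is good."""
    problems = {"missing": [], "corrupted": [], "unexpected": []}
    for rel, expected in manifest.items():
        path = os.path.join(restored_root, rel)
        if not os.path.isfile(path):
            problems["missing"].append(rel)
        elif sha256_file(path) != expected:
            problems["corrupted"].append(rel)
    for dirpath, _, files in os.walk(restored_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), restored_root)
            if rel not in manifest:
                problems["unexpected"].append(rel)
    return {k: sorted(v) for k, v in problems.items()}


def backup_is_fresh(last_success, now, max_age=timedelta(hours=26)):
    """A nightly job that last succeeded more than max_age ago has fallen behind
    (26 h assumed: one day plus slack for a slow run)."""
    return now - last_success <= max_age


def demo():
    """Constructed scenario: one file intact, one silently corrupted, one missing,
    one extra file that was never in the backup."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in {"a.txt": b"alpha", "b.txt": b"beta", "c.txt": b"gamma"}.items():
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        # Simulated restore: a.txt correct, b.txt has a flipped byte, c.txt absent,
        # stray.tmp left behind by the restore tool.
        with open(os.path.join(dst, "a.txt"), "wb") as f:
            f.write(b"alpha")
        with open(os.path.join(dst, "b.txt"), "wb") as f:
            f.write(b"bets")
        with open(os.path.join(dst, "stray.tmp"), "wb") as f:
            f.write(b"junk")
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(demo())
    now = datetime(2024, 6, 2, 9, 0, tzinfo=timezone.utc)
    print("fresh:", backup_is_fresh(datetime(2024, 6, 2, 2, 0, tzinfo=timezone.utc), now))
    print("fresh:", backup_is_fresh(datetime(2024, 5, 30, 2, 0, tzinfo=timezone.utc), now))
```

The demo reports b.txt as corrupted and c.txt as missing even though the restore tool would have said “restored 2 files” without complaint, which is exactly the gap between a backup report and a verified restore. Run the real thing on a sample of files from each backup set, on a schedule, and treat any non-empty list as an incident for the backup owner rather than a note in a log nobody reads.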
We hope this helps you continue your Cybersecure journey. All documents and information are only made available for informational purposes, you should work with a professional to adapt them to your business.
Stay tuned for the next of the Five Functions: Respond.