DE – DETECT

This phase involves developing and implementing capabilities to identify and detect cybersecurity events in a timely manner. This includes establishing continuous monitoring processes, implementing IDS/IPS, and conducting regular security assessments and monitoring of systems and networks.

The SOC continuously monitors the organization’s network, systems, and applications using a variety of security tools, such as Endpoint Detection and Response (EDR), Application (layer 7) Firewalls, and Security Information and Event Management (SIEM). This monitoring helps identify suspicious activities, anomalies, or potential security breaches.

When an alert is triggered or a potential security incident is detected, a SOC 288 Analyst investigates and analyzes the event to determine its severity, impact, and potential risks to Post 288. They investigate the incident, gather relevant data, and classify it based on the level of threat and priority.

Anomalies and Events (DE.AE):

Anomalous activity is detected and the potential impact of events is understood.

  • DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
  • DE.AE-2: Detected events are analyzed to understand attack targets and methods
  • DE.AE-3: Event data are collected and correlated from multiple sources and sensors
  • DE.AE-4: Impact of events is determined
  • DE.AE-5: Incident alert thresholds are established

Security Continuous Monitoring (DE.CM):

The information system and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures.

  • DE.CM-1: The network is monitored to detect potential cybersecurity events
  • DE.CM-2: The physical environment is monitored to detect potential cybersecurity events
  • DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events
  • DE.CM-4: Malicious code is detected
  • DE.CM-5: Unauthorized mobile code is detected
  • DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
  • DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
  • DE.CM-8: Vulnerability scans are performed

Detection Processes (DE.DP):

Detection processes and procedures are maintained and tested to ensure awareness of anomalous events.

  • DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability
  • DE.DP-2: Detection activities comply with all applicable requirements
  • DE.DP-3: Detection processes are tested
  • DE.DP-4: Event detection information is communicated
  • DE.DP-5: Detection processes are continuously improved