At the NCSC we’ve been exploring the challenges faced by security monitoring teams to see if there’s any advice we can offer that might help. For many of the more established teams, one question stands out; how to remain effective in detecting cyber attacks within a changing threat environment?
This blog explores a series of questions, each designed to encourage continual improvement within security monitoring teams, ensuring their work remains effective in face of an ever-changing environment.
Are you still trying to protect the right assets?
Nothing stays the same indefinitely. So it makes sense to regularly ask yourself whether you are trying to protect the right assets.
This is not as strange as it may seem. The lifetime of a security monitoring project can often be measured in years. In that timeframe it’s entirely possible that the ‘right’ assets to monitor will have changed, some may even had ceased to exist and new ones replaced them. Given that it’s very difficult to monitor all of your IT estate, it’s important for security monitoring teams to regularly come together with data and infrastructure owners to review their focus.
If this isn’t possible, you should put in place processes that ensure security monitoring teams are kept in the loop with changes to your infrastructure and strategic business goals. The classic example here is that, during business merger discussions, a certain dataset might become particularly valuable to attackers.
Do you know your attackers?
The Tactics, Techniques and Procedures (TTPs) used by cyber attackers are constantly evolving. It’s critical that you prioritise and continually assess your potential attackers TTPs to ensure you have the correct monitoring coverage in place. Reviewing threat intelligence reporting will help inform your assessment.
Again, a continual attacker review process involving your wider business and security teams will help you successfully prioritise the development of your security monitoring objectives.
How do you translate attacker knowledge into detection techniques?
Security monitoring analysts create monitoring techniques (sometimes referred to as monitoring rules, searches and analytics) in order to identify attacks. Analysts need inspiration in order to create these techniques and good quality threat intelligence reports can help.
Threat intelligence reports can help inform your risk assessments and give you an indication of the likely TTPs and behaviours of your attackers and therefore inspire your security analysts to develop the correct detection techniques.
Given that your attackers’ TTPs will constantly evolve, consider a continuous development cycle for your detection techniques and ensure analysts have access to the latest threat intelligence reports.
How does your organisational structure encourage continual improvement?
Who is responsible for developing the logic behind your security monitoring rules, searches or analytics? There are various approaches to organisational structure, but your analysts are at the monitoring coalface, and therefore closer to understanding the attackers facing your organisation than a separate development team.
Consider empowering your analysts to develop your detection techniques and dedicate part of the working week to this activity through team hackathons or development days.
I hope this blog has given you a few ideas to explore within your security monitoring teams. If you have any feedback, we welcome your comments below.
Cyber Security Operations