Guidance

CAF - Objective C

Created:  30 Apr 2018
Updated:  31 Oct 2018
Indicators of Good Practice for Objective C

C1. Security Monitoring

Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.

Principle

The organisation monitors the security status of the networks and systems supporting the delivery of essential services in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.

C1.a Monitoring coverage

The data sources that you include in your monitoring allow for timely identification of security events which might affect the delivery of your essential service.

Not Achieved (at least one of the following statements is true)

Data relating to the security and operation of your essential services is not collected.

You do not confidently detect the presence or absence of Indicators of Compromise (IoCs) on your essential services, such as known malicious command and control signatures (e.g. because applying the indicator is difficult or your logging data is not sufficiently detailed).

You are not able to audit the activities of users in relation to your essential service.

You do not capture any traffic crossing your network boundary, including as a minimum IP connections.

Partially Achieved (all the following statements are true)

Data relating to the security and operation of some areas of your essential services is collected.

You easily detect the presence or absence of IoCs on your essential services, such as known malicious command and control signatures.

Some user monitoring is done, but not covering a fully agreed list of suspicious or undesirable behaviour.

You monitor traffic crossing your network boundary (including IP address connections as a minimum).

Achieved (all the following statements are true)

Monitoring is based on an understanding of your networks, common cyber attack methods and what you need awareness of in order to detect potential security incidents that could affect your essential service (e.g. presence of malware, malicious emails, user policy violations).

Your monitoring data provides enough detail to reliably detect security incidents that could affect your essential service.

You easily detect the presence or absence of IoCs on your essential services, such as known malicious command and control signatures.

You have timely access to the data you need to use with IoCs.

Extensive monitoring of user activity in relation to essential services enables you to detect policy violations and an agreed list of suspicious or undesirable behaviour.

You have extensive monitoring coverage that includes host-based monitoring and network gateways.

All new systems are considered as potential monitoring data sources to maintain a comprehensive monitoring capability.

 

C1.b Securing Logs

Logging data should be held securely and read access to it should be granted only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.

Not Achieved (at least one of the following statements is true)

It is possible for logging data to be easily edited or deleted by unauthorised users or malicious attackers.

There is no controlled list of who can view and query logging information.

There is no monitoring of the access to logging data.

There is no policy for accessing logging data.

Logging is not synchronised using an accurate common time source.

Partially Achieved (all the following statements are true)

Only authorised staff can view logging data for investigations.

Privileged users can view logging information.

There is some monitoring of access to logging data (e.g. copying, deleting or modification, or even viewing).

The integrity of logging data is protected, or any modification is detected and attributed.

Achieved (all the following statements are true)

The logging architecture has mechanisms, processes and procedures to ensure that it can protect itself from threats comparable to those it is trying to identify. This includes protecting the service itself and the data within it.

Log data analysis and normalisation is only performed on copies of the data, keeping the master copy unaltered.

Logging datasets are synchronised, using an accurate common time source, so separate datasets can be correlated in different ways.

Access to logging data is limited to those with business need and no others.

All actions involving all logging data (e.g. copying, deleting or modification, or even viewing) can be traced back to a unique user.

Legitimate reasons for accessing logging data are given in use policies.
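One way to meet the integrity statements above (modification of stored logging data is detected and pinpointed, with the master copy left untouched while analysis works on copies) is a keyed hash chain over log records. This is an added illustration, not code from the CAF or NCSC; the key, events and host names are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed placeholder key: held only by the logging service, never by log readers.
LOG_KEY = b"constructed-placeholder-key"
GENESIS = "0" * 64

def record_tag(prev_tag, record, key=LOG_KEY):
    # Keyed tag over the previous tag and a canonical serialisation of the record.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_tag + body).encode(), hashlib.sha256).hexdigest()

def append_record(chain, record):
    """Append a record, binding it to its predecessor so the chain is tamper-evident."""
    prev = chain[-1]["tag"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "tag": record_tag(prev, record)})
    return chain

def verify_chain(chain, key=LOG_KEY):
    """Return the index of the first record that fails verification, or None if intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        expected = record_tag(prev, entry["record"], key)
        if entry["prev"] != prev or not hmac.compare_digest(entry["tag"], expected):
            return i          # edited, re-ordered, or a predecessor was deleted
        prev = entry["tag"]
    return None

def build_sample_chain():
    """Constructed sample audit events (not real data); ts values assume a common time source."""
    chain = []
    for rec in [
        {"ts": "2018-10-31T09:00:00Z", "user": "alice", "action": "login", "host": "hmi-01"},
        {"ts": "2018-10-31T09:05:12Z", "user": "alice", "action": "view_log", "host": "siem-01"},
        {"ts": "2018-10-31T09:07:40Z", "user": "bob", "action": "config_change", "host": "plc-gw-02"},
    ]:
        append_record(chain, rec)
    return chain

def edit_demo():
    chain = build_sample_chain()
    chain[1]["record"]["user"] = "mallory"   # unauthorised edit of a stored record
    return verify_chain(chain)               # → 1: the edited record is pinpointed

def deletion_demo():
    chain = build_sample_chain()
    del chain[1]                             # deleting a middle record breaks the next prev link
    return verify_chain(chain)               # → 1
```

Truncating the newest records is not caught by the chain alone; regularly anchoring the latest tag somewhere the log writer cannot alter closes that gap.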


C1.c Generating alerts

Evidence of potential security incidents contained in your monitoring data is reliably identified and triggers alerts.

Not Achieved (at least one of the following statements is true)

Alerts from third party security software (e.g. Anti-Virus (AV) providers) are not investigated.

Logs are distributed across devices with no easy way to access them other than manual login or physical action.

The resolution of alerts to a network asset or system is not performed.

Security alerts relating to essential services are not prioritised.

Logs are reviewed infrequently.

Partially Achieved (all the following statements are true)

Alerts from third party security software are investigated, and action taken.

Some logging datasets can be easily queried with search tools to aid investigations.

The resolution of alerts to a network asset or system is performed regularly.

Security alerts relating to some essential services are prioritised.

Logs are reviewed at regular intervals.

Achieved (all the following statements are true)

Logging data is enriched with other network knowledge and data when investigating certain suspicious activity or alerts.

A wide range of signatures and indicators of compromise are used for investigations of suspicious activity and alerts.

Alerts can be easily resolved to network assets using knowledge of networks and systems.

Security alerts relating to all essential services are prioritised and this information is used to support incident management.

Logs are reviewed almost continuously, in real time.

Alerts are tested to ensure that they are generated reliably and that it is possible to distinguish genuine security incidents from false alarms.
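Drawing the C1.a and C1.c statements together (detecting known malicious command and control indicators in boundary traffic, resolving each alert to a network asset, and prioritising it by the essential service affected), the following is an added illustration, not code from the CAF or NCSC; the indicators, firewall lines and asset inventory are constructed placeholders.

```python
# Constructed indicators (placeholders, not real IoCs): known-bad C2 destinations.
IOCS = {
    "domain": {"c2.example-bad.test"},
    "ip": {"203.0.113.45"},   # TEST-NET-3 address, used as a constructed sample
}

# Constructed asset inventory: source address -> (asset name, essential service or None).
ASSETS = {
    "10.0.1.20": ("hmi-01", "water-treatment-control"),
    "10.0.2.15": ("hr-laptop-07", None),
}

def parse_flow(line):
    """Parse a constructed boundary-firewall line: '<ts> <src> <dst>[:<port>] [dns=<name>]'."""
    parts = line.split()
    ts, src, dst = parts[0], parts[1], parts[2].split(":")[0]
    dns = next((p[4:] for p in parts[3:] if p.startswith("dns=")), None)
    return ts, src, dst, dns

def match_iocs(dst, dns):
    """Return the matching indicator, checking the resolved name before the raw address."""
    if dns in IOCS["domain"]:
        return dns
    if dst in IOCS["ip"]:
        return dst
    return None

def generate_alerts(lines):
    """Match flows against IoCs, resolve each hit to an asset, prioritise by essential service."""
    alerts = []
    for line in lines:
        ts, src, dst, dns = parse_flow(line)
        hit = match_iocs(dst, dns)
        if hit is None:
            continue
        asset, service = ASSETS.get(src, (src, None))   # unknown hosts keep their address
        alerts.append({
            "ts": ts, "asset": asset, "service": service, "indicator": hit,
            "priority": "high" if service else "medium", "evidence": line,
        })
    alerts.sort(key=lambda a: a["priority"] != "high")   # essential-service alerts first
    return alerts

# Constructed sample boundary log (not real traffic); the last line matches nothing.
SAMPLE_LOG = [
    "2018-10-31T09:00:01Z 10.0.2.15 203.0.113.45:443",
    "2018-10-31T09:00:02Z 10.0.1.20 198.51.100.9:443 dns=c2.example-bad.test",
    "2018-10-31T09:00:03Z 10.0.1.20 10.0.1.1:502",
]
```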

 

 

C1.d Identifying security incidents

You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.

Not Achieved (at least one of the following statements is true)

Your organisation has no sources of threat intelligence.

You do not apply updates in a timely way after receiving them (e.g. AV signature updates, other threat signatures or Indicators of Compromise (IoCs)).

You do not receive signature updates for all protective technologies such as AV and IDS or other software in use.

You do not evaluate the usefulness of your threat intelligence or share feedback with providers or other users.

Partially Achieved (all the following statements are true)

Your organisation uses some threat intelligence services, but you don't choose providers specifically because of your business needs, or specific threats in your sector (e.g. sector-based infoshare, ICS software vendors, anti-virus providers, specialist threat intel firms).

You receive updates for all your signature based protective technologies (e.g. AV, IDS).

You apply some updates, signatures and IoCs in a timely way.

You know how effective your threat intelligence is (e.g. by tracking how threat intelligence helps you identify security problems).

Achieved (all the following statements are true)

You have selected threat intelligence feeds using risk-based and threat-informed decisions based on your business needs and sector (e.g. vendor reporting and patching, strong anti-virus providers, sector and community-based infoshare).

You apply all new signatures and IoCs within a reasonable (risk-based) time of receiving them.

You receive signature updates for all your protective technologies (e.g. AV, IDS).

You track the effectiveness of your intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies).

 

C1.e Monitoring tools and skills

Monitoring staff skills, tools and roles, including any that are out-sourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential services they need to protect. 

Not Achieved (at least one of the following statements is true)

There are no staff who perform a monitoring function.

Monitoring staff do not have the correct specialist skills.

Monitoring staff are not capable of reporting against governance requirements.

Monitoring staff lack the skills to successfully perform any part of the defined workflow.

Monitoring tools are only able to make use of a fraction of logging data being collected.

Monitoring tools cannot be configured to make use of new logging streams, as they come online.

Monitoring staff have a lack of awareness of the essential services the organisation provides, what assets relate to those services and hence the importance of the logging data and security events.

Partially Achieved (all the following statements are true)

Monitoring staff have some investigative skills and a basic understanding of the data they need to work with.

Monitoring staff can report to other parts of the organisation (e.g. security directors, resilience managers).

Monitoring staff are capable of following most of the required workflows.

Your monitoring tools can make use of logging that would capture most unsophisticated and untargeted attack types.

Your monitoring tools work with most logging data, with some configuration.

Monitoring staff are aware of some essential services and can manage alerts relating to them.

Achieved (all the following statements are true)

You have monitoring staff, who are responsible for the analysis, investigation and reporting of monitoring alerts covering both security and performance.

Monitoring staff have defined roles and skills that cover all parts of the monitoring and investigation process.

Monitoring staff follow process and procedures that address all governance reporting requirements, internal and external.

Monitoring staff are empowered to look beyond the fixed process to investigate and understand non-standard threats, by developing their own investigative techniques and making new use of data.

Your monitoring tools make use of all logging data collected to pinpoint activity within an incident.

Monitoring staff and tools drive and shape new log data collection and can make wide use of it.

Monitoring staff are aware of essential services and related assets and can identify and prioritise alerts or investigations that relate to them.

C2 Proactive Security Event Discovery

Principle

The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the delivery of essential services, even when the activity evades standard signature based security prevent/detect solutions, or when it is not possible to use signature based detection, for some reason.

C2.a System abnormalities for attack detection

You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.

Not Achieved (at least one of the following statements is true)

Normal system behaviour is insufficiently understood to be able to use system abnormalities to detect malicious activity.

You have no established understanding of what abnormalities to look for that might signify malicious activities.

Achieved (all the following statements are true)

Normal system behaviour is fully understood to such an extent that searching for system abnormalities is a potentially effective way of detecting malicious activity (e.g. you fully understand which systems should and should not communicate, and when).

System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity.

The system abnormalities you search for consider the nature of attacks likely to impact on the networks and information systems supporting the delivery of essential services.

The system abnormality descriptions you use are updated to reflect changes in your networks and information systems and current threat intelligence.

 

C2.b Proactive attack discovery

You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.

Not Achieved (at least one of the following statements is true)

You do not routinely search for system abnormalities indicative of malicious activity.

Achieved (all the following statements are true)

You routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting your essential service, generating alerts based on the results of such searches.

You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity.
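Where signatures cannot be relied on, C2.a and C2.b describe searching for departures from understood normal behaviour (which systems should and should not communicate, and when). The following is an added illustration of that idea, not code from the CAF or NCSC; the zones, baseline and flows are constructed placeholders.

```python
from datetime import datetime, timezone

# Constructed zone map: address -> zone, derived from an understanding of the network.
ZONES = {
    "10.0.1.20": "hmi", "10.0.1.30": "plc", "10.0.3.5": "engineering",
    "10.0.2.15": "corporate", "10.0.2.16": "corporate",
}

# Constructed baseline of expected communications:
# (source zone, destination zone, destination port, allowed UTC hours [start, end)).
BASELINE = [
    ("hmi", "plc", 502, (0, 24)),          # control traffic is expected at any time
    ("engineering", "plc", 502, (8, 18)),  # engineering changes only in working hours
    ("corporate", "corporate", 445, (0, 24)),
]

def zone_of(addr):
    return ZONES.get(addr, "unknown")

def is_expected(src, dst, port, ts):
    """True if the flow matches a baseline entry for its zones, port and hour."""
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    for bsrc, bdst, bport, (start, end) in BASELINE:
        if (zone_of(src), zone_of(dst), port) == (bsrc, bdst, bport) and start <= hour < end:
            return True
    return False

def find_abnormal(flows):
    """Return flows outside the baseline, with the zone pair, for alerting or hunting."""
    abnormal = []
    for ts, src, dst, port in flows:
        if not is_expected(src, dst, port, ts):
            abnormal.append({"ts": ts, "src": src, "dst": dst, "port": port,
                             "zones": f"{zone_of(src)}->{zone_of(dst)}"})
    return abnormal

# Constructed sample flows (ts, src, dst, dst port); not real traffic.
SAMPLE_FLOWS = [
    ("2018-10-31T10:15:00Z", "10.0.1.20", "10.0.1.30", 502),  # hmi->plc: expected
    ("2018-10-31T02:40:00Z", "10.0.3.5", "10.0.1.30", 502),   # engineering->plc at 02:40: abnormal
    ("2018-10-31T11:00:00Z", "10.0.2.15", "10.0.1.30", 502),  # corporate->plc: never expected
    ("2018-10-31T11:05:00Z", "10.0.2.15", "10.0.2.16", 445),  # corporate->corporate: expected
]
```

The baseline, not the code, is the hard part: it has to be revised as the network and the threat picture change, which is what the last C2.a statement asks for.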
