With the continuing evolution of cyber threats, it is only a matter of time before an organisation will suffer a major breach or there is an incident of national significance. This necessitates monitoring to detect possible incidents and mechanisms to respond and recover from breaches. This chapter provides an overview of structures to aid in threat detection and incident recovery. Security Operation Centres (SOCs), Computer Security Incident Response Teams (CSIRTs), and Security Intelligence Centres (SICs) will be covered, and the differences, benefits and limitations will be discussed. Guidance for the implementation of these security capabilities within organisations will be provided.
TopThe Need For Monitoring And Incident Response
Within the ever changing security environment, it is very important to adhere to constant monitoring. Not only is the security environment continuously changing, but new challenges arise daily in terms of new vulnerabilities and new attack types. Security attacks are now more likely to be targeted, purposeful and organised, posing a much more directed threat for an organisation. As a result of the increased level of connectivity between systems, sensitive data is faced with security, integrity and credibility issues (Gandotra, Singhal & Bedi, 2009).
In the view of the changing threat landscape, it is imperative that more attention be paid to system monitoring (Gandotra, Singhal & Bedi, 2009). In order to manage these aspects, all organisational systems should be monitored to such an extent that any incidents can be managed and appropriately responded to on a timeous basis. Thus, threat mitigation within an organisation needs to be planned and executed in an ordered way in order to enhance opportunities and reduce threats to the sensitive data within the organisation. As part of a holistic cyber security strategy, authorities will deploy security controls in supporting the improvement of their entity’s cyber security posture. The SysAdmin, Audit, Network, Security institute (SANS) groups these controls into technical security controls, administrative security controls and physical security controls (Northcutt, 2009), while the National Institute of Standards and Technology (NIST, 2014) uses a grouping of Know, Prevent, Detect, Respond and Recover security controls.
In order to keep concepts simple, SANS taxonomy of technical, administrative and physical security controls is used. A technical security control could be anything from a firewall or an Intrusion Prevention System (IPS), to end-point protection in the form of anti-virus or anti-malware software. These technical controls need to be monitored to ensure that they work as intended, and to detect possible attacks and anomalies as they happen. Monitoring is expressed as a requirement by various authoritative documents (laws, acts, treaties and regulations) and normative documents (standards, frameworks, policies and best practices). Monitoring is typically done from a SOC or a SIC, and the primary technology used is the Security Incident and Event Monitoring (SIEM) tool (Zimmerman, 2014).
The process is simplified to comprise four steps, as shown in Figure 1 (MITRE, 2016).
Figure 1. Threat mitigation and management