C1 Security Monitoring
Capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services.
Principle
The organisation monitors the security status of the networks and systems supporting the delivery of essential services in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.
C1.a Monitoring coverage
The data sources that you include in your monitoring allow for timely identification of security events which might affect the delivery of your essential service.
Not Achieved (at least one of the following statements is true):
- You are not collecting data relating to the security and operation of your essential services.
- You are not able to apply Indicators of Compromise (IoCs) to systems monitoring your essential services to confidently detect the presence or absence of those IoCs (e.g. because your logging data is not sufficiently detailed).
- You are not able to audit the activities of users in relation to your essential service.
- You are not able to capture any traffic crossing your network boundary (e.g. even IP connections).

Partially Achieved (all of the following statements are true):
- Network data is collected for some areas of the essential service.
- You are able to look for most IoCs you receive, but may need to adjust logging coverage or data quality to deal with some IoCs.
- Some user monitoring is done, but it does not cover a comprehensive range of the user activities that might affect your essential service.
- You are able to monitor traffic crossing your network boundary (including IP address connections as a minimum).

Achieved (all of the following statements are true):
- You understand, based on your knowledge of your networks and common cyber attack methods, what you need to monitor in order to detect potential security incidents that could affect your essential service (for example, presence of malware, malicious emails, policy violation by a user).
- Your monitoring data provides sufficient detail to reliably detect security incidents that could affect your essential service.
- You have timely access to the data you need to use with IoCs.
- You are able to monitor user activity extensively in relation to essential services.
- You can detect policy violations and an agreed list of suspicious or undesirable behaviour.
- As well as your network boundary, your monitoring coverage includes internal and host-based monitoring.
- Your process for bringing new systems online includes considerations for access to monitoring data sources.
C1.b Securing logs
Logging data should be held securely and read access to it should be granted only to accounts with business need. No employee should ever need to modify or delete logging data within an agreed retention period, after which it should be deleted.
Not Achieved (at least one of the following is true):
- It is possible for logging data to be edited or deleted.
- There is no controlled list of who can view and query logging information.
- There is no monitoring of access to logging data.
- There is no policy for accessing logging data.
- Logging is not synchronised using an accurate time source.

Partially Achieved (all of the following are true):
- Only certain staff can view logging data for investigations.
- Privileged users can view logging information.
- There is some monitoring of access to logging data.
- Some logging datasets are synchronised.

Achieved (all of the following are true):
- The integrity of logging data is protected, or any modification is detected and attributed.
- Logging data is segregated from the rest of the network, so disruption or corruption of network data does not affect the logging data.
- Any alterations to logging data (e.g. re-normalising for SIEM analysis) are made on copies, not the master.
- Logging datasets are synchronised using a common time source, so separate datasets can be correlated in different ways.
- Access to logging data is limited to those with business need and no others.
- All actions involving any logging data (e.g. copying, deleting, modification, or even viewing) can be traced back to a unique user.
- Legitimate reasons for accessing logging data are given in use policies, and users are trained on this.
C1.c Generating alerts
Evidence of potential security incidents contained in your monitoring data is reliably identified and alerted upon.
Not Achieved (at least one of the following is true):
- You are not able to investigate alerts provided by third parties, e.g. an antivirus (AV) provider.
- Your logging data is stove-piped, stored in different places and difficult to aggregate to investigate alerts.
- You are not able to use log data to resolve alerts to a network asset or system.
- You are not able to flag security alerts that relate to essential services.
- Logs are not reviewed regularly.

Partially Achieved (all of the following are true):
- You are able to investigate AV alerts.
- Some logging datasets are stored centrally and can be used for some investigations.
- You are able to use log data to resolve alerts to a network asset or system.
- You are able to flag alerts that relate to your essential services.
- Logs are reviewed at regular intervals.

Achieved (all of the following are true):
- You are able to investigate AV alerts.
- You are able to aggregate separate datasets to investigate activity or alerts (e.g. by enriching logging data with other network data, or with knowledge of the network more generally), and are able to make maximal use of a wide range of signatures and IoCs.
- You are able to resolve alerts to network assets, using knowledge of the network and systems.
- You are able to flag alerts that relate to essential services and use this information to support your incident management capability.
- Logs are reviewed almost continuously, in real time.
- You are able to test that alerts are generated reliably and that genuine security incidents are distinguishable from false alarms.
C1.d Identifying security incidents
You contextualise alerts with knowledge of the threat and your systems, to identify those security incidents that require some form of response.
Not Achieved (at least one of the following is true):
- Your organisation has no sources of threat intelligence.
- You do not apply intelligence updates (e.g. AV signature updates, other threat signatures or IoCs) in a timely way after receiving them.
- You do not receive signature updates for all protective technologies (such as AV and IDS) or other software in use.
- You do not evaluate the usefulness of your threat intelligence or share feedback with providers or other users.

Partially Achieved (all of the following are true):
- Your organisation uses some threat intelligence services, but you don't choose providers specifically because of your business needs or the specific threats in your sector (e.g. sector-based infoshare, ICS software vendors, antivirus providers, specialist threat intel firms).
- You apply some updates, signatures and IoCs in a timely way.
- You receive signature updates for all your protective technologies (e.g. AV, IDS).
- You are cognisant of how effective your threat intelligence is (e.g. by tracking how threat intelligence helps you identify security problems).

Achieved (all of the following are true):
- You have selected threat intelligence feeds using risk-based and threat-informed decisions based on your business needs and sector (e.g. vendor reporting and patching, strong antivirus providers, sector and community-based infoshare).
- You are able to apply new signatures and IoCs within a reasonable (risk-based) time of receiving them.
- You receive signature updates for all your protective technologies (e.g. AV, IDS).
- You can track the effectiveness of your intelligence feeds and actively share feedback on the usefulness of IoCs and any other indicators with the threat community (e.g. sector partners, threat intelligence providers, government agencies).
C1.e Monitoring tools and skills
Monitoring staff skills, tools and roles, including any that are outsourced, should reflect governance and reporting requirements, expected threats and the complexities of the network or system data they need to use. Monitoring staff have knowledge of the essential services they need to protect.
Not Achieved (at least one of the following is true):
- There are no staff who perform a monitoring function.
- Monitoring staff do not have the correct specialist skills.
- Monitoring staff are not capable of reporting against governance requirements.
- Monitoring staff lack the skills to successfully perform any part of the defined workflow.
- Monitoring tools are only able to make use of a fraction of the logging data being collected.
- Monitoring tools cannot be configured to make use of new logging streams as they come online.
- Monitoring staff are not aware of some essential services the organisation provides, or of what assets (and hence logging data and security events) relate to those services.

Partially Achieved (all of the following are true):
- Monitoring staff have some investigative skills and a basic understanding of the data they need to work with.
- Monitoring staff can report to other parts of the organisation (e.g. security directors, resilience managers).
- Monitoring staff are capable of following most of the required workflows.
- Your monitoring tools can make use of logging that would capture most common attack types.
- Your monitoring tools can work with most logging data, with some configuration.
- Monitoring staff are aware of some essential services and can manage alerts relating to them.

Achieved (all of the following are true):
- You have monitoring staff who are responsible for investigating and reporting monitoring alerts.
- Monitoring staff have roles and skills that cover all parts of the monitoring/investigation workflow.
- Monitoring staff have workflows that address all governance reporting requirements, internal and external.
- Monitoring staff are empowered to look beyond fixed workflows to investigate and understand non-standard threats, by developing their own investigative techniques and making new use of data.
- With some configuration, your monitoring tools are able to make use of all logging data collected.
- Monitoring staff and tools are able to drive and shape new log data collection and can make wide use of it.
- Monitoring staff are aware of essential services and related assets, and can identify and prioritise alerts or investigations that relate to them.
C2 Proactive Security Event Discovery
Principle
The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the delivery of essential services, even when the activity evades standard signature-based prevent/detect security solutions, or when it is not possible to use signature-based detection for some reason.
C2.a System abnormalities for attack detection
You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.
Not Achieved (at least one of the following is true):
- Your understanding of normal system behaviour is insufficient to be able to exploit the use of system abnormalities to detect malicious activity.
- You have no established understanding of what abnormalities to look for that might signify malicious activities.

Achieved (all of the following are true):
- You have a sufficient understanding of normal system activity (e.g. which system components should and should not be communicating with each other) to ensure that searching for system abnormalities is a potentially effective way of detecting malicious activity.
- You maintain descriptions of some system abnormalities that might signify malicious activity, informed by past attacks (on your own and others' networks), threat intelligence and a general understanding of what an attack might look like.
- Your choice of system abnormalities to search for takes into account the nature of attacks likely to impact the networks and information systems supporting the delivery of essential services.
- You regularly update the descriptions of the system abnormalities that you search for to reflect changes to your networks and information systems and current threat intelligence.
C2.b Proactive attack discovery
You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.
Not Achieved (at least one of the following is true):
- You do not routinely search for system abnormalities indicative of malicious activity.

Achieved (all of the following are true):
- You routinely search for system abnormalities indicative of malicious activity with the potential to have an impact on networks and information systems supporting your essential service, and you generate alerts based on the results of such searches.
- You have justified confidence in the effectiveness of your searches for system abnormalities.
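The C2.a baseline of "which system components should and should not be communicating with each other", the routine abnormality search that generates alerts in C2.b, and the C1.c indicators about resolving alerts to network assets and flagging those that relate to essential services fit together in a small amount of code. The following is an added example written for this page, not NCSC code or a reference implementation. The asset inventory, the role-based allowed-communication set and the flow records are constructed; the role names and port choices are assumptions, and the last two flows are planted abnormal cases so the search can be shown to fire.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed asset inventory: resolves an address to a named asset, its role and whether
# it supports an essential service (used to flag and prioritise alerts, as in C1.c).
ASSETS: Dict[str, dict] = {
    "10.1.0.10": {"name": "hmi-01",    "role": "hmi",         "essential": True},
    "10.1.0.20": {"name": "plc-03",    "role": "plc",         "essential": True},
    "10.1.0.30": {"name": "hist-01",   "role": "historian",   "essential": True},
    "10.2.0.5":  {"name": "eng-ws-02", "role": "engineering", "essential": False},
    "10.2.0.9":  {"name": "corp-fs",   "role": "fileserver",  "essential": False},
}

# Constructed baseline of expected communication by (source role, destination role, port).
# Anything not listed is treated as a system abnormality worth an alert (C2.a).
ALLOWED: Set[Tuple[str, str, int]] = {
    ("hmi", "plc", 502),               # Modbus/TCP from HMI to PLC
    ("historian", "plc", 502),         # historian polls PLC
    ("hmi", "historian", 443),         # HMI writes to historian API
    ("engineering", "plc", 502),       # engineering workstation may program PLCs
    ("engineering", "fileserver", 445),
}


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Alert:
    ts: str
    reason: str
    src_asset: str
    dst_asset: str
    dport: int
    essential_service: bool
    priority: str


def resolve(ip: str) -> dict:
    """Map an address to the inventory; an address not in inventory is itself abnormal."""
    return ASSETS.get(ip, {"name": f"unknown({ip})", "role": "unknown", "essential": False})


def evaluate_flow(flow: Flow) -> Optional[Alert]:
    """Return an Alert if the flow is outside the baseline, else None."""
    src, dst = resolve(flow.src), resolve(flow.dst)
    if (src["role"], dst["role"], flow.dport) in ALLOWED:
        return None
    if src["role"] == "unknown" or dst["role"] == "unknown":
        reason = "communication with unknown asset"
    else:
        reason = f"{src['role']} -> {dst['role']}:{flow.dport} not in baseline"
    essential = src["essential"] or dst["essential"]
    return Alert(flow.ts, reason, src["name"], dst["name"], flow.dport,
                 essential, "high" if essential else "medium")


def search(flows: List[Flow]) -> List[Alert]:
    """Routine search over a batch of flow records (C2.b); returns only the alerts."""
    return [a for a in (evaluate_flow(f) for f in flows) if a is not None]


# Constructed flow records, not a real capture. The last two are planted abnormal cases
# used to check that the search fires (a cheap basis for "justified confidence").
SAMPLE_FLOWS = [
    Flow("2024-03-01T10:00:01Z", "10.1.0.10", "10.1.0.20", 502),
    Flow("2024-03-01T10:00:02Z", "10.1.0.30", "10.1.0.20", 502),
    Flow("2024-03-01T10:00:03Z", "10.2.0.5",  "10.2.0.9",  445),
    Flow("2024-03-01T10:00:04Z", "10.2.0.9",  "10.1.0.20", 502),   # file server speaking Modbus to a PLC
    Flow("2024-03-01T10:00:05Z", "10.1.0.10", "10.9.9.9",  4444),  # HMI to an address not in inventory
]

if __name__ == "__main__":
    for alert in search(SAMPLE_FLOWS):
        print(alert)
```

Expressing the baseline by role rather than by individual address means a replacement PLC or a new HMI inherits the expected behaviour once it is added to the inventory, which is the C1.a point about bringing new systems online with monitoring in mind. In practice ALLOWED is derived from traffic observed over a learning period and then reviewed against the network design, and planted records like the last two flows are rerun whenever the baseline or the inventory changes so that a quiet search is known to be quiet for the right reason.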
Source: NCSC