NIST Cybersecurity Framework: Detect Security Controls
Find and analyze possible cybersecurity attacks and compromises.
Adverse Event Analysis
A baseline of network operations and expected data flows is established and managed
You cannot detect anomalies without knowing what normal looks like. A documented baseline of expecte...
Potentially adverse events are analyzed to better understand associated activities
An alert is a hypothesis, not a conclusion. Adverse event analysis is the process of investigating t...
Information is correlated from multiple sources
Sophisticated attacks rarely trigger a single high-confidence alert. They generate low-confidence si...
The estimated impact and scope of adverse events are understood
When an adverse event is confirmed, the first analytical question is not 'how did this happen' but '...
Alert thresholds are established
Detection without calibration produces one of two failure modes: alert fatigue from too many low-con...
Information on adverse events is provided to authorized staff and tools
Detection is only valuable if the findings reach the people and systems positioned to act on them. A...
Cyber threat intelligence and other contextual information are integrated into the analysis
Internal telemetry tells you what is happening in your environment; threat intelligence tells you wh...
Incidents are declared when adverse events meet the defined criteria
The transition from 'adverse event under investigation' to 'declared incident' is a decision point w...
Continuous Monitoring
Networks and network services are monitored to detect adverse events
Detection is what separates a contained incident from a breach you discover months later. Monitoring...
The physical environment is monitored to detect potential cybersecurity events
Physical access is one of the most overlooked attack vectors in cybersecurity. An attacker who can w...
Personnel activity and technology usage are monitored to detect potentially adverse events
Insider threats, whether from malicious employees or compromised accounts, are responsible for a sig...
Malicious code is detected
Malware, ransomware, and other malicious code remain the most common cause of significant security i...
Unauthorized network connections are detected
Attackers rarely announce themselves. They establish footholds through unexpected outbound connectio...
External service provider activities and services are monitored to detect potentially adverse events
Your attack surface extends to every SaaS tool, cloud provider, and vendor with access to your data ...
Monitoring for unauthorized personnel, connections, devices, and software is performed
Attackers and accidental insiders introduce risk through channels that look invisible if you are onl...
Vulnerability scans are performed
Unpatched and misconfigured systems are the most common entry points attackers exploit. Vulnerabilit...
Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events
Monitoring is the nervous system of your security posture: without it, attacks can persist for month...