COI Report – Part VII Page 324 of 425

941. Accordingly, the CERT should identify events that serve as a sign or signal of an attack (e.g. failed logins, deletion of logs, communication to unusual IP addresses, etc.) and that could provide contextual information about an incident, and establish processes for recording, aggregating, and making sense of such data points. The crucial point is that individual events and pieces of evidence must be meticulously recorded and aggregated in a single place, so that responders can readily look at the cumulative mass of evidence and determine whether an attack is taking place. This is best accomplished by establishing a single, consolidated ASOC.

41.5 An Advanced Security Operation Centre or Cyber Defence Centre should be established to improve the ability to detect and respond to intrusions

942. The traditional prevention-dominant approach to cybersecurity, which focuses on defending the perimeter, has failed to prevent intrusions. The reality is that no network is impenetrable. Prevention remains crucial, and organisations cannot lose sight of it as the primary goal. However, a new proactive approach to security is needed to enhance the capability to detect threats that will inevitably slip through the perimeter defences.

41.5.1 Importance of a proactive defence strategy

943. It is therefore critical to move to a detection-oriented strategy to defend against cyber attacks. It is not possible to control when a security incident happens, whereas it is possible to control one's response to the incident. The strategy must be one of prioritising efforts that enhance visibility, allow early detection and enable a proactive response through monitoring, analytics and prompt detection. The best defence is a good offence: responding early and aggressively can deter attackers from penetrating further into the network and realising their ultimate objectives.
Vivek gave the example of a bank that had been breached and successfully responded aggressively
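Paragraph 941 describes the mechanism an ASOC is meant to provide: individual signals (failed logins, log deletion, connections to unusual addresses) are recorded as discrete pieces of evidence, aggregated in one place per host, and weighed together so a responder sees the cumulative picture rather than isolated events. The following Python example, added here and not taken from the COI Report or from any SingHealth or IHiS system, sketches that pipeline over constructed syslog-style lines. The weights, thresholds, internal network range and allow-listed external address are assumptions chosen for illustration.

```python
"""Record attack indicators from log lines, aggregate them per host, and
score the cumulative evidence (added example; weights and ranges assumed)."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed scoring: a single indicator alone stays below the alert threshold,
# but several different kinds of evidence on one host tip it over.
WEIGHTS = {"failed_login_burst": 2, "log_deletion": 4, "unusual_outbound": 3}
ALERT_THRESHOLD = 5
FAILED_LOGIN_BURST = 5  # failures from one source on one host before it counts
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed corporate range
KNOWN_EXTERNAL = {ipaddress.ip_address("203.0.113.10")}  # assumed allow-listed

# Constructed sample lines (not real logs): "<timestamp> <host> <message>"
SAMPLE_LOGS = """\
2018-06-27T10:01:02 ws-17 sshd: Failed password for admin from 10.0.5.9
2018-06-27T10:01:03 ws-17 sshd: Failed password for admin from 10.0.5.9
2018-06-27T10:01:04 ws-17 sshd: Failed password for admin from 10.0.5.9
2018-06-27T10:01:05 ws-17 sshd: Failed password for admin from 10.0.5.9
2018-06-27T10:01:06 ws-17 sshd: Failed password for admin from 10.0.5.9
2018-06-27T10:03:20 ws-17 audit: log cleared: Security
2018-06-27T10:04:11 ws-17 fw: outbound connect to 198.51.100.77:443
2018-06-27T11:15:00 db-02 sshd: Failed password for ops from 10.0.7.3
2018-06-27T11:30:00 db-02 fw: outbound connect to 203.0.113.10:443
2018-06-27T11:31:00 db-02 fw: outbound connect to 198.51.100.5:8443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")
FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+)")
LOG_CLEAR_RE = re.compile(r"log cleared|wevtutil cl|rm .*/var/log", re.IGNORECASE)
OUTBOUND_RE = re.compile(r"outbound connect to (\S+):(\d+)")


@dataclass(frozen=True)
class Indicator:
    ts: str
    host: str
    kind: str
    detail: str


def extract_indicators(log_text: str) -> list[Indicator]:
    """Recording step: turn raw lines into discrete, attributable indicators."""
    indicators = []
    failed = defaultdict(list)  # (host, source) -> timestamps of failures
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.groups()
        if fm := FAILED_RE.search(msg):
            failed[(host, fm.group(2))].append(ts)
        elif LOG_CLEAR_RE.search(msg):
            indicators.append(Indicator(ts, host, "log_deletion", msg))
        elif om := OUTBOUND_RE.search(msg):
            dst = ipaddress.ip_address(om.group(1))
            # Only destinations outside the corporate range and not allow-listed
            # count as "unusual"; everything else is normal traffic.
            if dst not in INTERNAL_NET and dst not in KNOWN_EXTERNAL:
                indicators.append(Indicator(ts, host, "unusual_outbound", str(dst)))
    # A burst of failures is evidence; a single failed login is routine noise.
    for (host, src), times in failed.items():
        if len(times) >= FAILED_LOGIN_BURST:
            indicators.append(Indicator(times[-1], host, "failed_login_burst",
                                        f"{len(times)} failures from {src}"))
    return sorted(indicators, key=lambda i: i.ts)


def aggregate_by_host(indicators: list[Indicator]) -> dict:
    """Aggregation step: collect all evidence per host and score it together."""
    per_host = defaultdict(list)
    for ind in indicators:
        per_host[ind.host].append(ind)
    report = {}
    for host, inds in per_host.items():
        kinds = {i.kind for i in inds}  # distinct kinds of evidence, not raw counts
        score = sum(WEIGHTS[k] for k in kinds)
        report[host] = {"score": score, "kinds": sorted(kinds),
                        "alert": score >= ALERT_THRESHOLD, "timeline": inds}
    return report


def analyse(log_text: str) -> dict:
    return aggregate_by_host(extract_indicators(log_text))


if __name__ == "__main__":
    for host, r in analyse(SAMPLE_LOGS).items():
        print(f"{host}: {'ALERT' if r['alert'] else 'ok'} score={r['score']} kinds={r['kinds']}")
        for i in r["timeline"]:
            print(f"    {i.ts} {i.kind}: {i.detail}")
```

On the constructed input, ws-17 accumulates three different kinds of evidence (a burst of failed logins, a cleared Security log, and an outbound connection to an unrecognised address) and crosses the threshold, while db-02 shows only one unusual outbound connection and stays below it. None of the ws-17 events would look decisive on its own; the point of aggregating them in one place, as paragraph 941 argues, is that the combination does.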