Detection

Centrally select and install malware detection and repair programs and update them regularly for preventive or regular scanning of computers and media.

Programs should check at least the following:

• files received over the network or storage media are scanned for malware before use
• email attachments and downloaded files are scanned for malware before use
• websites are scanned for malware

The development of system logs must keep pace with the development of the system and enable, for example, the necessary resolution of incidents. In connection with the data system list, we describe for which systems we are responsible for the implementation of the logging. For these systems, we document:

• which data is saved on the log
• how long log data is retained

The organization has defined a process for addressing identified technical vulnerabilities.

Some vulnerabilities can be fixed directly, but vulnerabilities that have a significant impact should also be documented as security incidents. Once a vulnerability with significant impacts has been identified:

• risks related to the vulnerability and the necessary actions are identified (e.g. patching the system or other management tasks)
• necessary actions are scheduled
• all actions taken are documented

Organization must describe the baseline of normal behaviour for the use of network and data systems, which is used as a starting point for identifying anomalies.

When defining the baseline, the following must be taken into account:

• monitoring the use of data systems during both normal and peak times
• usual times of use, places of use and frequency of use for each user and user group

Monitoring systems must be configured against the baseline to identify anomalous behavior such as:

• unplanned termination of systems or processes
• traffic related to malware or malicious IP addresses or domains
• known attack characteristics (e.g. denial of service or buffer overflow)
• unusual system use (e.g. keystroke logging)
• bottlenecks and overloads (e.g. network queues, latency levels)
• unauthorized access (actual or attempted) to systems or data
• unauthorized scanning of data systems and networks
• successful and failed attempts to access protected resources (e.g. DNS servers, web portals and file systems)
• unusual user and system behavior

The organization must be aware of the logs that accrue from the use of different data systems, whether generating the logs is the responsibility of the organization or the system provider. Logs record user actions as well as anomalies, errors, and security incidents.

The adequacy of log should be reviewed regularly. If necessary, log should be usable to determine the root causes for system incidents.

Often, security tools provide a way to set alert policies when something potentially dangerous happens in an organization's environment. For example, Microsoft 365 has built-in alert policies to alert you to abuse of administrator privileges, malware, potential internal and external risks, and data security risks.

The organization must identify security-related events in data systems and the environments in which they operate. To respond to changes related to these events, alarm policies must be created.

Alarm policies need to be actively monitored and modified based on experience.

Security systems (e.g. firewall, malware protection) often have the ability to record a log of events. At regular intervals, make sure that a comprehensive log is accumulated and try to identify suspicious activity. The log is also useful in investigating disturbances or violations.

Data reporting providers need to have a system to check the completeness, correctness and to identify omissions and other errors in trade report data. The report needs to be re-requested if there are any errors in the data.

The organisation must devote sufficient resources for monitoring user activity, anomalies in the ICT-environment, and cyber attacks.

By monitoring organisation should recognize anomalies and incidents from the baseline operations.

System logs often contain a wealth of information, much of which is irrelevant to security monitoring. In order to identify events relevant to security monitoring, consideration should be given to automatically copying appropriate message types to another log or to using appropriate utilities or audit tools to review and resolve files.