Agrās brīdināšanas sensori

Organization should use tools that support both manual and automated searches, including criteria-based searches. The tool should be able to automatically collate data from different sources to more easily determine whether an incident is genuine, as well as its scope and nature.

These operations and processes can be implemented with SIEM (Security information and event management). SIEM solutions use analytics tools, technology and algorithms (e.g., newer SIEM solutions employ applied machine learning) to help detect unknown threats and abnormalities in the security-relevant data. Also SIEM solutions allow organizations to modify already existing (which usually come pre-configured) and add criteria-based alerts to match known threats. These things will help detect threats earlier.

Often, security tools provide a way to set alert policies when something potentially dangerous happens in an organization's environment. For example, Microsoft 365 has built-in alert policies to alert you to abuse of administrator privileges, malware, potential internal and external risks, and data security risks.

The organization must identify security-related events in data systems and the environments in which they operate. To respond to changes related to these events, alarm policies must be created.

Alarm policies need to be actively monitored and modified based on experience.

Examples of traffic filtering and monitoring systems are firewalls, routers, intrusion detection or prevention systems (IDS / IPS) and network devices / servers / applications with similar functionalities.

To ensure the functionality of filtering and monitoring:

• An owner has been appointed for the systems, who takes care of the proper operation of the system throughout the life cycle of the data processing environment
• It is the responsibility of the system owner to add, change, and delete settings for systems that filter or control traffic
• Documentation of the network and associated filtering and control systems is maintained throughout its lifecycle as an integral part of the change and settings management process
• The settings and desired operation of the systems are checked periodically during the operation and maintenance of the data processing environment and in the event of exceptional situations

Organization's data systems and network must be monitored to detect abnormal use. When anomalities are detected, the organization must take the necessary measures to assess the possibility of security incident.

The monitoring should utilize tools that enable real-time or regular monitoring, taking into account the organization's requirements. Monitoring practices should be able to manage large amounts of data, adapt to changing threat environment, and send alerts immediately when necessary.

Inclusion of the following sources in the monitoring system should be considered:

• outbound and inbound network and data system traffic

  li>

• access to critical data systems, servers, network devices and the monitoring system itself
• critical system and network configuration files
• logs from security tools (e.g. antivirus, IDS, IPS, network filters, firewalls)

Organization must also establish procedures for identifying and correcting "false positive" results, including tuning monitoring software for more accurate anomaly detection.