The NIST CSF Detect Function: Possible cybersecurity attacks and compromises are found and analyzed.
Source: NIST CSF 2.0
The goals of the Detect Function of the NIST Cybersecurity Framework (CSF) are:
- Continuous monitoring of networks, physical environments, personnel and technology activity, external service providers, and computing assets for potentially adverse events.
- Analysis of those events so that their scope and impact are understood, context such as threat intelligence is applied, and incidents are declared when defined criteria are met.
The NIST CSF Detect Function gives guidelines for organizations to promptly identify cybersecurity events and abnormalities in their networks and systems. This Function highlights how crucial it is to have real-time monitoring, logging, and alerting systems in place in order to spot and analyze possible security issues or breaches.
Network traffic analysis, intrusion detection systems (IDSs), and SIEM solutions are just a few examples of the many tools and methods that help with detection. By utilizing the guidelines found in the Detect Function, your organization can improve its capacity to identify and address cybersecurity challenges, reducing the possible impact on business operations and data integrity.
The Detect Function has two Categories:
Function | Categories | Category Identifiers |
Detect (DE) | Continuous Monitoring | DE.CM |
Detect (DE) | Adverse Event Analysis | DE.AE |
Each Category has multiple Subcategories.
1. Continuous Monitoring (DE.CM)
Continuous Monitoring (DE.CM) is a critical Category that focuses on the ongoing surveillance of systems, networks, and data to detect cybersecurity incidents and abnormalities.
It entails the ongoing gathering, examination, and correlation of security-related data from a variety of sources, such as user activity, system logs, and network traffic.
DE.CM highlights the significance of utilizing automated tools and technology to improve the organization's cybersecurity posture and to expedite monitoring operations.
The Subcategories of DE.CM are:
- DE.CM-01: Networks and network services are monitored to find potentially adverse events.
These actionable steps can help you comply with this Subcategory:
- Monitor network traffic and activity to spot unusual behavior.
- Obtain real-time insights into your IT environments through network and device monitoring, which enables you to spot malware infections, unauthorized access attempts, and other security events.
- Deploy strong monitoring tools, such as IDSs, network traffic analysis (NTA) solutions, and log management systems, to gather and analyze pertinent data.
- Set explicit thresholds and monitoring criteria to differentiate between normal and abnormal network activity. A single static threshold applied to every host tends to either miss quiet outliers or flood the alert queue with legitimately busy systems; per-host baselines, adaptive ("smart") thresholds, and UEBA can reduce false positive rates and mean time to detect (MTTD).
ManageEngine Log360 is a unified SIEM solution with exceptional log management capabilities. Log360 allows you to gain insights into your security incidents by monitoring and collecting extensive audit data from servers, firewalls, applications, and endpoints.
Figure 1: Logs are collected from various network sources to a unified SIEM solution for detailed network monitoring.
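As an added example (not code from this page, from NIST, or from the Log360 product), the following Python compares the two thresholding approaches just described: one fixed limit for every host versus a threshold derived from each host's own baseline. The host addresses, hourly byte counts and the 500 MB static limit are constructed sample values.

```python
import statistics

# Constructed sample data (hypothetical hosts and values, not from any real network):
# outbound megabytes per hour observed for each host over seven baseline days,
# and the value observed in the current hour.
BASELINE_MB = {
    "10.0.0.5": [120, 135, 110, 140, 125, 130, 118],    # ordinary web server
    "10.0.0.9": [40, 38, 45, 42, 39, 41, 44],           # workstation
    "10.0.0.12": [900, 950, 870, 920, 990, 880, 910],   # backup server, legitimately busy
}
CURRENT_MB = {"10.0.0.5": 130, "10.0.0.9": 410, "10.0.0.12": 960}

STATIC_THRESHOLD_MB = 500   # one fixed limit for every host (hypothetical value)


def static_alerts(current, threshold=STATIC_THRESHOLD_MB):
    """Fixed threshold: every host is judged against the same number."""
    return sorted(host for host, mb in current.items() if mb > threshold)


def baseline_threshold(samples, k=3.0, min_margin=10.0):
    """Per-host threshold: mean of the baseline plus k standard deviations.

    min_margin stops a host whose baseline is almost constant (sd close to 0)
    from alerting on trivial jitter.
    """
    mean = statistics.fmean(samples)
    sd = statistics.pstdev(samples)
    return mean + max(k * sd, min_margin)


def baseline_alerts(baseline, current, k=3.0, min_margin=10.0):
    """Return {host: (observed, threshold)} for hosts above their own threshold.

    Hosts with no baseline are skipped here because no 'normal' is known yet;
    in practice they should be reported separately as new devices.
    """
    alerts = {}
    for host, mb in current.items():
        if host not in baseline:
            continue
        limit = baseline_threshold(baseline[host], k, min_margin)
        if mb > limit:
            alerts[host] = (mb, round(limit, 1))
    return alerts


if __name__ == "__main__":
    print("static threshold alerts:", static_alerts(CURRENT_MB))
    print("baseline threshold alerts:", baseline_alerts(BASELINE_MB, CURRENT_MB))
```

With these inputs the static limit fires only on the backup server (a false positive) and misses the workstation that jumped from roughly 40 MB to 410 MB, while the per-host baseline flags only the workstation. The baseline window, `k`, and `min_margin` are the tuning knobs a practitioner adjusts per environment.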
- DE.CM-02: The physical environment is monitored to find potentially adverse events.
This Subcategory helps ensure the safety of your organization's physical environment.
These actionable steps can help you comply with this Subcategory:
- Implement surveillance and detection systems such as cameras, sensors, and alarms to observe critical areas within your facility.
- Monitor the physical environment to identify unauthorized access attempts, environmental hazards, or physical breaches that could compromise security.
- Install environmental monitoring systems, such as temperature and humidity sensors, to detect conditions that might threaten the integrity of IT equipment, like overheating or water leaks.
- Conduct regular audits and reviews of surveillance data to ensure that monitoring systems are functioning correctly.
- Integrate physical monitoring with cybersecurity measures to enable a holistic approach to security.
- Train staff to respond effectively to alerts generated by physical monitoring systems.
- DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events.
This Subcategory emphasizes the importance of monitoring user behavior and technology interactions within an organization.
These actionable steps can help you comply with this Subcategory:
- Track and analyze activities of employees, such as login attempts, file accesses, and the use of sensitive systems, to detect any suspicious behavior.
- Implement tools such as SIEM solutions, user and entity behavior analytics (UEBA), and intrusion detection systems (IDSs) to gather and analyze relevant data in real time.
- Correlate various activities across the network and flag any patterns that deviate from the norm.
Log360's advanced attack detection capabilities allow your team to correlate suspicious events throughout your network with the event log correlation engine, identify insider threats through machine learning enabled UEBA, and more.
- DE.CM-06: External service provider activities and services are monitored to find potentially adverse events.
Service providers, such as contractors, vendors, and cloud service providers, need to be monitored to spot any security lapses that might compromise your cybersecurity.
These actionable steps can help you comply with this Subcategory:
- Proactively monitor your external service providers' activity to identify anything unusual or suspicious that may point to data breaches, unauthorized access, or other security concerns.
- Verify that providers meet their contractual obligations, SLAs, and applicable data protection and cybersecurity regulations.
- Deploy strong controls and security measures, such as encryption, data loss prevention (DLP) programs, and access restrictions, to improve your overall cybersecurity resilience and minimize the risk posed by external service providers.
Log360's advanced threat detection capabilities allow your team to collect and analyze logs from various sources in your environment, including third-party software, external services, end-user devices, and get insights in the form of graphs and intuitive reports that help spot security threats.
- DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
Following this Subcategory helps you gain information about new threats and attack trends and identifies places in need of improved security measures.
These actionable steps can help you comply with this Subcategory:
- Continually monitor computer hardware, software, runtime environments, and the data that goes along with them.
- Track system configurations, program versions, and patch levels to ensure computer hardware and software are up to date and secure against known vulnerabilities.
- Track any unauthorized modifications or strange activity in runtime environments, including virtual machines and containers.
- Deploy logging and monitoring systems to efficiently record security events and abnormalities.
Log360's advanced threat detection capabilities help your team gain insights into your security incidents by monitoring and collecting extensive audit data from servers, firewalls, runtime environments, applications, and endpoints.
2. Adverse Event Analysis (DE.AE)
The NIST CSF Detect Function includes the Adverse Event Analysis (DE.AE) Category, which is responsible for spotting and evaluating suspicious activity and adverse occurrences that could point to a cybersecurity problem.
In order to find abnormalities, indicators of compromise (IOCs), and possible security breaches, it entails the ongoing monitoring and analysis of security logs, network traffic, and system activity.
DE.AE uses a variety of methods, including anomaly detection, correlation of security events, and log analysis, to find behavioral anomalies that might be indicators of a security issue. Early threat identification, incident response, and strengthening your organization's overall cybersecurity posture are all made possible by DE.AE.
The Subcategories of DE.AE are:
- DE.AE-02: Potentially adverse events are analyzed to better understand associated activities.
This Subcategory highlights the significance of analyzing potentially adverse events to understand the activity behind them.
These actionable steps can help you comply with this Subcategory:
- Establish policies and procedures for the timely and efficient analysis of potentially adverse events.
- Utilize log analysis tools, threat intelligence feeds, and SIEM systems to correlate and contextualize security events.
- Detect patterns, trends, and IOCs to spot persistent or new cybersecurity risks.
- Document and record the results of adverse event analysis. This makes cooperation and communication between various stakeholders inside your organization easier.
Log360's advanced threat detection capabilities help your team collect and analyze event logs from the endpoints, servers, network devices, and firewalls in your environment to spot security threats. Analyze and correlate logs with visual dashboards to discover security incidents, attacks, and suspicious or malicious user behavior.
- DE.AE-03: Information is correlated from multiple sources.
By cross-referencing data from many sources, including system logs, network logs, security alerts, and threat intelligence feeds, your enterprise can get a profound understanding of possible risks and spot trends or deviations that can point to malevolent actions.
These actionable steps can help you comply with this Subcategory:
- Differentiate between typical behavior and anomalous activity using effective correlation rules that make use of information from across the network.
- Implement threat detection platforms or sophisticated SIEM systems that can ingest, correlate, and analyze massive amounts of heterogeneous data in real time.
Log360's advanced threat detection features assist your team in gathering and examining event logs from the endpoints, servers, network devices, and firewalls in your environment. Log360 allows your team to analyze and correlate with visual dashboards in order to identify security issues, attacks, and potentially harmful or suspicious user activity.
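The two rules below, written as an added example that is not part of this page nor of Log360's correlation engine, show the DE.CM-03 and DE.AE-03 steps together: first a single-source rule over sshd-style authentication logs (several failed logins followed by a success for the same host, user and source), then a cross-source rule that checks whether the freshly logged-in host opened an outbound connection back to the attacker or to an unexpected port. The log formats, hostnames, addresses, the hostname-to-IP inventory and the time windows are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical hosts, users and addresses, not real data).
AUTH_LOG = """\
2024-05-01T10:00:01Z web01 sshd[2201]: Failed password for admin from 203.0.113.7 port 51122 ssh2
2024-05-01T10:00:04Z web01 sshd[2203]: Failed password for admin from 203.0.113.7 port 51124 ssh2
2024-05-01T10:00:07Z web01 sshd[2205]: Failed password for admin from 203.0.113.7 port 51126 ssh2
2024-05-01T10:00:10Z web01 sshd[2207]: Failed password for admin from 203.0.113.7 port 51128 ssh2
2024-05-01T10:00:13Z web01 sshd[2209]: Failed password for admin from 203.0.113.7 port 51130 ssh2
2024-05-01T10:00:20Z web01 sshd[2215]: Accepted password for admin from 203.0.113.7 port 51150 ssh2
2024-05-01T10:03:00Z web02 sshd[3100]: Failed password for bob from 198.51.100.4 port 40000 ssh2
2024-05-01T10:03:05Z web02 sshd[3101]: Accepted password for bob from 198.51.100.4 port 40001 ssh2
"""
FIREWALL_LOG = """\
2024-05-01T10:01:30Z fw01 ALLOW src=10.0.0.21 dst=203.0.113.7 dport=4444 proto=tcp
2024-05-01T10:04:00Z fw01 ALLOW src=10.0.0.22 dst=93.184.216.34 dport=443 proto=tcp
"""
# Hypothetical asset inventory mapping hostnames to their IP addresses.
HOST_IP = {"web01": "10.0.0.21", "web02": "10.0.0.22"}

AUTH_RE = re.compile(
    r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+")
FW_RE = re.compile(r"^(\S+) (\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)")


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_auth(text):
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            t, host, result, user, src = m.groups()
            events.append({"time": parse_ts(t), "host": host, "result": result,
                           "user": user, "src": src})
    return sorted(events, key=lambda e: e["time"])


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = FW_RE.match(line)
        if m:
            t, _device, action, src, dst, dport = m.groups()
            events.append({"time": parse_ts(t), "action": action, "src": src,
                           "dst": dst, "dport": int(dport)})
    return sorted(events, key=lambda e: e["time"])


def brute_force_successes(auth_events, window=timedelta(seconds=60), min_failures=5):
    """DE.CM-03 rule: a successful login preceded by at least min_failures
    failures for the same host/user/source within `window`."""
    findings = []
    for i, ev in enumerate(auth_events):
        if ev["result"] != "Accepted":
            continue
        key = (ev["host"], ev["user"], ev["src"])
        failures = [e for e in auth_events[:i]
                    if e["result"] == "Failed"
                    and (e["host"], e["user"], e["src"]) == key
                    and ev["time"] - e["time"] <= window]
        if len(failures) >= min_failures:
            findings.append({"rule": "brute_force_then_success", "host": ev["host"],
                             "user": ev["user"], "src": ev["src"], "time": ev["time"],
                             "failed_attempts": len(failures)})
    return findings


def correlate_with_firewall(findings, fw_events, host_ip,
                            window=timedelta(minutes=5),
                            expected_ports=frozenset({22, 53, 80, 443})):
    """DE.AE-03 rule: after a suspicious login, did the same host open an outbound
    connection back to the attacker, or to an unusual port, within `window`?"""
    for f in findings:
        f["callback"] = None
        ip = host_ip.get(f["host"])
        for fw in fw_events:
            in_window = f["time"] <= fw["time"] <= f["time"] + window
            suspicious = fw["dst"] == f["src"] or fw["dport"] not in expected_ports
            if fw["src"] == ip and in_window and suspicious:
                f["callback"] = fw
                break
        f["severity"] = "high" if f["callback"] else "medium"
    return findings


def correlate(auth_text, fw_text, host_ip=HOST_IP):
    return correlate_with_firewall(brute_force_successes(parse_auth(auth_text)),
                                   parse_firewall(fw_text), host_ip)


if __name__ == "__main__":
    for f in correlate(AUTH_LOG, FIREWALL_LOG):
        print(f["severity"], f["rule"], f["host"], f["user"], f["src"],
              "callback:", f["callback"])
```

On the sample data only the web01 login is flagged (five failures in under a minute, then success), and the firewall record of web01 connecting back to the same external address on port 4444 raises it to high severity; the single failed attempt on web02 never reaches the threshold. Note that the second rule needs the inventory to translate hostnames in one source into addresses in the other, which is the usual practical obstacle to cross-source correlation.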
- DE.AE-04: The estimated impact and scope of adverse events are understood.
This Subcategory emphasizes the importance of understanding the potential consequences of cybersecurity incidents, including their impact on business operations, data integrity, and overall organizational security posture.
These actionable steps can help you comply with this Subcategory:
- Estimate the scope of an adverse event, such as a data breach or ransomware attack, by including factors such as the systems, data, and users affected.
- Assess potential financial losses, legal liabilities, regulatory implications, and reputational damage.
- Formulate a targeted incident response strategy using the gained insights, ensuring that critical assets are protected and recovery efforts are streamlined.
- DE.AE-06: Information on adverse events is provided to authorized staff and tools.
These actionable steps can help you comply with this Subcategory:
- Notify the parties involved in an incident and provide the vital information they need to enable efficient identification, analysis, and action.
- Disclose information about incidents to authorized staff members—such as cybersecurity analysts, incident responders, and pertinent stakeholders.
- Set up authorized tools, such as threat intelligence platforms, incident response orchestration tools, and SIEM solutions, to receive and process information about incidents instantly.
Log360 includes extensive SOAR capabilities that allow your team to gain meaningful security context from collected log data, identify security events quickly, and streamline incident management by integrating with external ticketing tools. This automated ticketing process can alert the authorized and responsible staff members and reduce your team's mean time to respond (MTTR).
- DE.AE-07: Cyber threat intelligence and other contextual information are integrated into the analysis.
This Subcategory stresses the importance of incorporating contextual data and cyber threat intelligence (CTI) into the analytical process to improve your organization's capacity to identify and neutralize threats.
This actionable step can help you comply with this Subcategory:
- Obtain insights about new threats, adversary strategies, and IOCs that are pertinent to your environment by using CTI. Information sharing and analysis centers (ISACs), commercial threat feeds, open-source intelligence (OSINT), and internal sources, including historical data and security incident reports, are some examples of CTI sources.
Log360's advanced threat intelligence capabilities leverage STIX/TAXII format threat feeds to discover malicious IPs, domains, and URLs. Log360's threat intelligence platform is enriched continually with contextual threat feeds and gives full visibility into security threats to your business. With the solution's advanced threat analytics, you can gain insights into threat sources, including malicious IPs, domains, and URLs that are trying to establish connections to your network, the types of threats, such as phishing or malware attacks, and the recommended course of remediation. Log360 associates a reputation score with each malicious source to help make threat triage more efficient.
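To make the CTI integration concrete, here is an added example (not code from this page, from NIST, or from Log360's threat intelligence platform) that loads a small STIX 2.1-style bundle, indexes the indicators' observables, matches them against proxy, DNS and firewall log lines, and orders the hits by the indicator's confidence value so that triage starts with the most reliable source. The bundle contents, indicator IDs, addresses, domains and log lines are constructed; only simple equality comparisons on `ipv4-addr`, `domain-name` and `url` are handled, and fetching the feed over TAXII is left out.

```python
import json
import re
from urllib.parse import urlparse

# Constructed STIX 2.1-style bundle. Indicator IDs, names and values are hypothetical;
# this is not a real threat feed. `confidence` (0-100) serves as the reputation score.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--0f1e2d3c-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--0f1e2d3c-0000-4000-8000-000000000002",
         "name": "C2 server", "pattern_type": "stix", "confidence": 90,
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "indicator", "id": "indicator--0f1e2d3c-0000-4000-8000-000000000003",
         "name": "credential phishing domain", "pattern_type": "stix", "confidence": 60,
         "pattern": "[domain-name:value = 'login-verify.example']"},
        {"type": "indicator", "id": "indicator--0f1e2d3c-0000-4000-8000-000000000004",
         "name": "malware staging URL", "pattern_type": "stix", "confidence": 75,
         "pattern": "[url:value = 'http://cdn-update.example/update.bin']"},
        {"type": "indicator", "id": "indicator--0f1e2d3c-0000-4000-8000-000000000005",
         "name": "scanner range", "pattern_type": "stix", "confidence": 40,
         "pattern": "[ipv4-addr:value = '198.51.100.4' OR ipv4-addr:value = '198.51.100.5']"},
        {"type": "identity", "id": "identity--0f1e2d3c-0000-4000-8000-000000000006",
         "name": "Example ISAC"},
    ],
})

# Constructed log lines from three sources (proxy, DNS, firewall); hypothetical data.
LOG_LINES = [
    "2024-05-01T10:05:00Z proxy01 10.0.0.21 GET http://cdn-update.example/update.bin 200",
    "2024-05-01T10:06:00Z dns01 10.0.0.22 query login-verify.example A",
    "2024-05-01T10:07:00Z fw01 ALLOW src=10.0.0.21 dst=203.0.113.7 dport=4444",
    "2024-05-01T10:08:00Z proxy01 10.0.0.23 GET https://www.example.org/ 200",
    "2024-05-01T10:09:00Z fw01 DENY src=198.51.100.5 dst=10.0.0.1 dport=22",
]

# Only simple equality comparisons on these STIX Cyber-observable types are supported;
# any other part of a pattern is ignored.
COMPARISON_RE = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']*)'")


def load_indicators(bundle_json):
    """Index (observable type, value) -> indicator for every supported comparison."""
    index = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for obs_type, value in COMPARISON_RE.findall(obj["pattern"]):
            key = (obs_type, value if obs_type == "url" else value.lower())
            index[key] = {"id": obj["id"], "name": obj["name"],
                          "confidence": obj.get("confidence", 0)}
    return index


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_observables(line):
    """Pull candidate IPs, domains and URLs out of a raw log line.
    Extraction is deliberately broad; values that are not IOCs simply never match."""
    found = set()
    for url in URL_RE.findall(line):
        found.add(("url", url))
        host = urlparse(url).hostname
        if host:
            found.add(("domain-name", host.lower()))
    for ip in IP_RE.findall(line):
        found.add(("ipv4-addr", ip))
    for dom in DOMAIN_RE.findall(line):
        found.add(("domain-name", dom.lower()))
    return found


def match_logs(lines, index):
    """Return IOC hits ordered for triage: highest confidence first."""
    hits = []
    for line in lines:
        for key in extract_observables(line):
            if key in index:
                ind = index[key]
                hits.append({"observable": key[1], "type": key[0],
                             "indicator": ind["name"], "confidence": ind["confidence"],
                             "line": line})
    return sorted(hits, key=lambda h: h["confidence"], reverse=True)


if __name__ == "__main__":
    for h in match_logs(LOG_LINES, load_indicators(STIX_BUNDLE)):
        print(h["confidence"], h["type"], h["observable"], "->", h["indicator"])
```

Four of the five constructed lines match an indicator; the benign proxy request to www.example.org does not. Sorting by confidence puts the C2 connection ahead of the low-confidence scanner hit, which is the triage ordering a reputation score is meant to give. A production matcher would also record which feed supplied the indicator and its `valid_until`, so stale IOCs can be aged out.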
- DE.AE-08: Incidents are declared when adverse events meet the defined incident criteria.
This actionable step can help you comply with this Subcategory:
- Set clear and precise criteria for declaring an incident that take into account the event's impact, severity, and potential risk to your company. Declaring an incident acts as the trigger for the appropriate response, including containment, investigation, and mitigation. It also makes it easier to coordinate and communicate with the appropriate parties, including management, internal teams, and outside organizations such as law enforcement or regulatory bodies.
Log360 includes advanced SOAR capabilities that enable your team to accelerate threat mitigation through real-time alert notifications and automated incident response workflows. Log360 automates responses to threats at every stage with prebuilt workflows and automatic ticket assignment that alerts incident response teams to take action. Log360's real-time alerting system will notify you instantly when any security threat is detected in the organization's network. It includes over 1,000 predefined alert criteria that address a wide range of cybersecurity use cases. With Log360, you can build workflows to disable compromised user accounts, add inbound and outbound firewall rules, terminate processes running on affected devices, and more.
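The following added example (not code from this page, from NIST, or from Log360) ties DE.AE-04 and DE.AE-08 together: related adverse events are grouped by the external source they share, the scope of each group is estimated from an asset inventory (hosts, users, highest asset criticality, whether regulated data is in reach), and written incident criteria are applied to decide whether to declare. The inventory, the events, the criticality scale and the three criteria are all constructed assumptions that an organization would replace with its own.

```python
from collections import defaultdict

# Constructed asset inventory (hypothetical): business criticality 1-5 and whether the
# host stores regulated (e.g. personal or payment) data.
ASSETS = {
    "web01": {"criticality": 2, "regulated_data": False},
    "db01": {"criticality": 5, "regulated_data": True},
    "ws-042": {"criticality": 1, "regulated_data": False},
    "ws-057": {"criticality": 1, "regulated_data": False},
}

# Constructed adverse events, as they might come out of correlation rules or IOC
# matching; `confidence` is 0-100 and `src` is the external address they share.
EVENTS = [
    {"id": "e1", "host": "ws-042", "user": "alice", "category": "malware",
     "confidence": 60, "src": "203.0.113.7"},
    {"id": "e2", "host": "ws-057", "user": "bob", "category": "malware",
     "confidence": 65, "src": "203.0.113.7"},
    {"id": "e3", "host": "web01", "user": "admin", "category": "credential_compromise",
     "confidence": 90, "src": "198.51.100.4"},
    {"id": "e4", "host": "db01", "user": "svc_backup", "category": "data_access",
     "confidence": 70, "src": "198.51.100.4"},
]

# Hypothetical incident criteria. Meeting any one of them declares an incident.
INCIDENT_CRITERIA = {
    "min_hosts": 3,          # blast radius: this many hosts tied to one source
    "min_criticality": 5,    # any crown-jewel asset involved
    "min_confidence": 85,    # any single high-confidence detection
}


def estimate_scope(events, assets):
    """DE.AE-04: summarise which systems, users and data a set of related events touch."""
    hosts = sorted({e["host"] for e in events})
    return {
        "hosts": hosts,
        "users": sorted({e["user"] for e in events}),
        "categories": sorted({e["category"] for e in events}),
        "max_confidence": max(e["confidence"] for e in events),
        "max_criticality": max(assets.get(h, {}).get("criticality", 0) for h in hosts),
        "regulated_data": any(assets.get(h, {}).get("regulated_data", False) for h in hosts),
        # Hosts missing from the inventory are a scope-estimation gap worth surfacing.
        "unknown_hosts": [h for h in hosts if h not in assets],
    }


def group_by_source(events):
    groups = defaultdict(list)
    for e in events:
        groups[e["src"]].append(e)
    return groups


def evaluate(events, assets, criteria):
    """DE.AE-08: apply the declaration criteria to each group of related events."""
    results = []
    for src, group in group_by_source(events).items():
        scope = estimate_scope(group, assets)
        reasons = []
        if len(scope["hosts"]) >= criteria["min_hosts"]:
            reasons.append(f"{len(scope['hosts'])} hosts affected")
        if scope["max_criticality"] >= criteria["min_criticality"]:
            reasons.append(f"asset criticality {scope['max_criticality']}")
        if scope["max_confidence"] >= criteria["min_confidence"]:
            reasons.append(f"detection confidence {scope['max_confidence']}")
        results.append({
            "source": src,
            "scope": scope,
            "declare": bool(reasons),
            "reasons": reasons,
            # Regulated data in scope does not declare by itself here; it flags the
            # regulatory review that the impact assessment must cover.
            "regulatory_review": scope["regulated_data"],
        })
    return results


if __name__ == "__main__":
    for r in evaluate(EVENTS, ASSETS, INCIDENT_CRITERIA):
        status = "INCIDENT" if r["declare"] else "monitor"
        print(status, r["source"], r["scope"]["hosts"], r["reasons"])
```

With the sample data the two workstation malware alerts from 203.0.113.7 stay below every threshold and remain adverse events under observation, while the 198.51.100.4 group is declared on two grounds (a criticality-5 asset and a 90-confidence credential compromise) and is additionally marked for regulatory review because db01 holds regulated data. Keeping the criteria in data rather than scattered through code is what makes them reviewable by management and auditors.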