NIST CSF Series #16: Detect – Detection Processes

CSF Framework - Detect: Detection Processes

Function:   Detect (DE)
Category:  Detection Processes (DP)

“Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.” 

DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability.

In developing detection capabilities, the assessment team and their roles and responsibilities need to be defined.    This should include appropriate training and testing for the team members to assure they are able to perform the assigned roles.

Audit Considerations

Auditors may obtain a copy of processes and procedures for monitoring anomalous events and determine if the processes and procedures assign key responsibilities to individuals and/or positions.

Applicable CIS Critical Controls:

CIS Control 19 –  Incident Response and Management

Assigning jobs titles and duties for handing detected incidents as well as defining management personnel who support processes by acting in key decision-making roles, are critical pieces of detection and incident response. 

DE.DP-2:  Detection activities comply with all applicable requirements.

Detection processes are sometimes defined in federal, state, and local laws and regulations.  It is important that detection capabilities align with any pertinent and defined requirements to satisfy compliance requirements.

Audit Considerations

Auditors may examine laws and regulations that the organization falls under and determine if the organization is performing audits/testing that ensure their detection activities comply with these requirements.

DE.DP-3:  Detection processes are tested.

To confirm effectiveness of detection processes, the organization should perform routine incident response tests and test detection controls to ensure they are operating as intended.  This could include using the EICAR test malware to verify anti-malware effectiveness as well as doing table-top exercises for incident response.   Testing results should be documented and failures in the process or tool should be addressed immediately.

Audit Considerations

Auditors may obtain a copy of the organization’s schedule for incident response testing, the results of such testing, and documented process and procedures requiring tests of controls such as anti-malware and intrusion detection systems.

Applicable CIS Critical Controls:

CIS Control 19 –  Incident Response and Management

Conducting periodic incident scenario sessions for personnel associated with the incident handling team ensures they understand current threats and vulnerabilities as well as their responsibilities in supporting an incident response.

CIS Control 20 –  Penetration Tests and Red Team Exercises

Conducting penetration tests or red team exercises allows for “real world” tests against detection and response capabilities.   Testing organizational readiness to identify and stop attacks or respond quickly and effectively are critical parts of a security program.

DE.DP-4:  Event detection information is communicated to appropriate parties.

Communicating detected security events to appropriate personnel so that the effective action can be taken to remediate or mitigate the threat is essential.  Multiple channels of communication should be established, if possible.  If e-mail systems are compromised, using that medium to communicate detected security events is problematic.

Additionally, detection events need to be reported to the appropriate parties either through incident reports or part of a regularly scheduled meeting where this information is included as a regular agenda item.

Audit Considerations

Auditors may look through meeting minutes where anomalous activity is reported or obtain copies of documented response to incidents.

Malware defenses must be able to operate in this dynamic environment that, today, goes beyond traditional file-based detection and mitigation capabilities.  Centralized infrastructure that provides real time alerting and ability to push updates is an essential component. 

DE.DP-5:  Detection processes are continuously improved.

With threats evolving constantly, detection process must also continuously improve to be effective.   This can be included as part of an overall security plan to review and update detection capabilities and processes.   The “current” and “target” profiles may be an appropriate place to detail areas of continuous improvement related to detection.

Post-incident meetings, also called “lesson learned” sessions are an important step in incident response and one that is often overlooked.   Reviewing the response to an incident uncovers areas where improvements can be made.   Turning these “lessons learned” sessions into actionable tasks to improve detection and response capabilities should be a standard practice.

Audit Considerations

Auditors may look for incident response documents and determine if there has been follow-up and analysis of failed or missing controls.  They will look to see if action items were taken to detect and/or prevent similar incidents in the future.