SEC09-02 Logging and Analyzing Security Incidents
Pre-incident forensics capabilities must be in place to support security incident investigation. Attacks and abnormal behaviors must be logged and analyzed. Security controls must be deployed at key network nodes, such as the border between the internal and external networks and the nodes housing ELB load balancers, to detect, restrict, or block cyber attacks. Technical measures must be taken to continuously monitor and analyze collected security logs to identify and analyze cyber attacks, especially emerging cyber attacks, and abnormal behaviors.
- Risk level
High
- Key strategies
- Build pre-incident forensics capabilities to support security incident investigation. Log and analyze attacks and abnormal behaviors. Security controls must be deployed at key network nodes to detect, restrict, or block cyber attacks. Technical measures must be taken to continuously monitor and analyze collected security logs to identify and analyze cyber attacks, especially emerging cyber attacks, and abnormal behaviors.
- Analyze attack chains and trace attack sources based on security events. This covers every stage of the attack path: initial access, execution, persistence, privilege escalation, defense evasion, credential access, information discovery, lateral movement, data collection, command and control, data theft, and impact and damage.
- Build online, nearline, and offline anomaly behavior analysis models on a platform that integrates stream and batch processing. These models can operate on the identity, network, application, data, O&M, and host defense layers. Ad hoc real-time analysis of security events can also be implemented, with results automatically aggregated into interactive dashboards and customizable reports.
- Related cloud services and tools
- SecMaster
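The attack-chain analysis described under Key strategies, as an added example that is not part of this page or of SecMaster: constructed security events are grouped by source address, each event type is mapped to one of the attack-chain stages listed above, and a source whose events span several distinct stages within a time window is reported together with its earliest event, the starting point for tracing the attack source. The event type names and log format are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical detector event types mapped to the attack-chain stages named
# in the text; the event type names are constructed for this example.
STAGE_OF = {
    "login_brute_force": "credential access",
    "login_success_new_geo": "initial access",
    "suspicious_process": "execution",
    "cron_modified": "persistence",
    "ssh_lateral": "lateral movement",
    "large_outbound": "data theft",
    "waf_block": "initial access",
}

def parse(line):
    """Parse a constructed 'ISO_TIME SRC_IP EVENT_TYPE' log line."""
    ts, src, etype = line.split()
    return datetime.fromisoformat(ts), src, etype

def build_chains(lines, window=timedelta(hours=1), min_stages=3):
    """Group events by source, keep those within `window` of that source's
    first event, and report sources spanning >= min_stages distinct stages."""
    by_src = defaultdict(list)
    for line in lines:
        ts, src, etype = parse(line)
        if etype in STAGE_OF:                # unmapped event types are ignored
            by_src[src].append((ts, STAGE_OF[etype]))
    chains = {}
    for src, events in by_src.items():
        events.sort()
        start = events[0][0]                 # where source tracing begins
        stages = []
        for ts, stage in events:
            if ts - start <= window and stage not in stages:
                stages.append(stage)         # first-seen order of stages
        if len(stages) >= min_stages:
            chains[src] = {"start": start.isoformat(), "stages": stages}
    return chains

# Constructed sample events, not real telemetry.
SAMPLE = [
    "2024-05-01T10:00:00 203.0.113.7 login_brute_force",
    "2024-05-01T10:02:30 203.0.113.7 login_success_new_geo",
    "2024-05-01T10:05:00 203.0.113.7 suspicious_process",
    "2024-05-01T10:06:10 203.0.113.7 cron_modified",
    "2024-05-01T12:40:00 203.0.113.7 large_outbound",  # outside the 1 h window
    "2024-05-01T11:30:00 198.51.100.9 waf_block",      # single stage only
    "2024-05-01T11:31:00 198.51.100.9 waf_block",
]
```

Running `build_chains(SAMPLE)` reports only 203.0.113.7, whose four stages within the hour form a chain, while the repeated WAF blocks from 198.51.100.9 stay a single-stage event.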