NCSC Controls User Guide - Investigations
Investigations assist in gathering detailed information about security events, and they can also provide baseline information about an environment and the processes and activities within it. CAF investigations can be part of a change control process: they identify potential configuration changes, help determine whether those changes were appropriate, and assess the implications for your security posture. Investigations can also draw on defined user lists to examine suspicious or potentially malicious activity surrounding specific accounts in the environment. Custom investigations can be configured to supplement those included in this module.
Log Requirements
The CCF: Vulnerability Detected Inv and the other investigations related to potential malicious activity draw on all log sources in your environment, but they specifically require logs from security systems such as anti-malware systems, security enforcing devices, and vulnerability detection systems. Without those sources the investigations run, but return little of value.
Once investigations are configured correctly, IT and security operations can use them to analyze possible security events and to evaluate and continuously improve the overall compliance and cyber security program. Further, changes within data storage, security, and production environments must follow change control procedures so that business continuity is maintained and security controls are not negatively affected.
Sample Knowledge Base Content
| Investigation Name | Investigation ID |
|---|---|
| CCF: Compromises Detected Inv | 690 |
| CCF: Config/Policy Change Inv | 675 |
| CCF: Malware Detected Inv | 677 |
| CCF: Patch Activity Inv | 678 |
| CCF: Signature Activity Inv | 681 |
| CCF: Social Media Inv | 695 |
| CCF: Suspicious Users Inv | 685 |
| CCF: Use of Non-Encrypted Protocols Inv | 686 |
| CCF: Vulnerability Detected Inv | 684 |
Recommended Actions
Use investigations to pull additional details from log sources related to events of interest, monitor potentially malicious activity, help reduce the mean time to detection (MTTD), and learn about vulnerabilities or exposure points within the environment. IT Security Operations and Management can use these investigations as a learning mechanism and as a means to gather vulnerability data, implement controls, and reduce the risk of exposure.
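To make concrete what an investigation such as CCF: Use of Non-Encrypted Protocols Inv or CCF: Suspicious Users Inv actually does over log data, the following is an added, self-contained example, not LogRhythm's or NCSC's own investigation logic. It runs two simplified queries over a handful of constructed, normalised events: one flags connections to well-known cleartext services, the other pulls activity for accounts on a defined user list, and a pivot then gathers everything a host of interest did across all log sources. The field names, the port-to-protocol mapping, and the sample records are all assumptions made for the illustration.

```python
"""Added example of investigation-style queries over normalised log events.
Not product code; field names, ports and sample data are assumptions."""
from collections import Counter

# Assumed mapping of well-known destination ports to cleartext services.
CLEARTEXT_PORTS = {
    21: "ftp", 23: "telnet", 69: "tftp", 80: "http",
    110: "pop3", 143: "imap", 389: "ldap",
}

# Constructed sample events (not real log data) in a normalised shape.
SAMPLE_EVENTS = [
    {"source": "firewall", "src_ip": "10.1.2.15", "dst_ip": "10.1.9.4",
     "dst_port": 23, "action": "allow", "user": None},
    {"source": "firewall", "src_ip": "10.1.2.15", "dst_ip": "203.0.113.8",
     "dst_port": 443, "action": "allow", "user": None},
    {"source": "firewall", "src_ip": "10.1.2.77", "dst_ip": "10.1.9.4",
     "dst_port": 21, "action": "deny", "user": None},
    {"source": "firewall", "src_ip": "10.1.2.30", "dst_ip": "10.1.9.10",
     "dst_port": 80, "action": "allow", "user": None},
    {"source": "auth", "src_ip": "10.1.2.15", "host": "fileserver01",
     "action": "logon_failure", "user": "svc_backup"},
    {"source": "auth", "src_ip": "10.1.2.15", "host": "fileserver01",
     "action": "logon_success", "user": "svc_backup"},
    {"source": "auth", "src_ip": "10.1.2.44", "host": "dc01",
     "action": "logon_success", "user": "j.smith"},
    {"source": "auth", "src_ip": "10.1.2.15", "host": "dc01",
     "action": "logon_success", "user": "contractor_tmp"},
]


def cleartext_protocol_events(events, ports=CLEARTEXT_PORTS):
    """Return events whose destination port is a known cleartext service,
    with the protocol name attached. Denied connections are kept on purpose:
    a blocked attempt still shows a client configured to use the protocol."""
    hits = []
    for event in events:
        name = ports.get(event.get("dst_port"))
        if name:
            hits.append({**event, "protocol": name})
    return hits


def user_activity(events, watch_users):
    """Return events generated by accounts on a defined user list
    (for example service or contractor accounts)."""
    watch = set(watch_users)
    return [e for e in events if e.get("user") in watch]


def count_by_source_ip(events):
    """Count hits per source IP so a single host responsible for many
    findings stands out in the results."""
    return Counter(e["src_ip"] for e in events)


def pivot_on_host(events, src_ip):
    """Pivot: pull every event from one host of interest across all log
    sources, which is how an investigation widens from a single finding."""
    return [e for e in events if e.get("src_ip") == src_ip]


if __name__ == "__main__":
    hits = cleartext_protocol_events(SAMPLE_EVENTS)
    for h in hits:
        print(f"cleartext {h['protocol']:6} {h['src_ip']} -> {h['dst_ip']} ({h['action']})")
    print("per host:", dict(count_by_source_ip(hits)))
    for e in user_activity(SAMPLE_EVENTS, ["svc_backup", "contractor_tmp"]):
        print(f"watched user {e['user']} {e['action']} on {e['host']} from {e['src_ip']}")
    print("pivot 10.1.2.15:", len(pivot_on_host(SAMPLE_EVENTS, "10.1.2.15")), "events")
```

The pivot is the step that matters in practice: the telnet connection from 10.1.2.15 on its own is a policy finding, but pulling that host's authentication events alongside it (a failed and then successful service-account logon, plus a contractor account) is what turns a single hit into something worth escalating.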
On the change control side, the goal is to support IT and security operations in ensuring adherence to change control procedures. Assessing patch and signature management confirms that security controls are being kept up to date, which supports business continuity and builds a stronger security posture for the organization.