Principle: C1 Security Monitoring
The organisation monitors the security status of the networks and systems supporting its essential functions in order to detect potential security problems and to track the ongoing effectiveness of protective security measures.
This means implementing an effective monitoring strategy so that actual or attempted security breaches are discovered and that there are appropriate processes in place to respond. Any monitoring solution should evolve with the department’s business and technology changes, as well as with changes in the threat it faces.
Policy
The following requirements are placed on government departments:
- Government Organisations shall meet the CAF requirements of the relevant Government Profile under this principle.
Guidance
- Good logging practices provide the ability to understand, trace and react to system and security events. Within the NCSC’s 10 Steps to Cyber Security, the Logging and monitoring step will assist your organisation in defining a logging strategy. It promotes the identification of logging objectives which are tailored to the threat profile of your environment. These objectives will inform how logs are used to generate insights into your security posture and how they can be used to detect and respond to incidents.
- Once a logging strategy has been identified, the NCSC’s Logging for security purposes guidance provides granular information on selecting specific log types, building a log storage architecture and defining a log retention process. Within the NCSC Device Security guidance, Logging and protective monitoring contains methods for device logging on multiple operating systems, including mobile devices.
- Your logging infrastructure should be used to detect abnormal activity on your network. Within the NCSC secure design principles, Make compromise detection easier discusses how monitoring specific data sources such as communication flows, network load, and storage and compute performance can help detect specific types of attack. Designing simple communications between components will assist you in detecting when components attempt to communicate in ways which are not part of your design.
- Digital services that are attractive to cyber criminals for the purposes of fraud should implement transactional monitoring techniques from the outset to detect suspicious activity.
- Collected logs should be compared against indicators of compromise (IOCs) from threat intelligence sources to detect known threats. Threat intelligence can be collected from open discussion forums, trusted relationships, paid-for contracts with threat intelligence companies or even generated internally. The Digital, Data and Technology Profession’s Cyber Threat Intelligence in Government guide provides an end-to-end walkthrough of how government organisations should plan, build and manage their cyber threat intelligence capabilities. It will assist your organisation in defining a threat intelligence strategy, but also provides granular guidance on undertaking steps through the threat intelligence lifecycle.
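The two detection approaches described above (flagging communications that are not part of the system’s design, and matching collected logs against threat intelligence indicators) can be combined in a single pass over connection logs. The following is an added example, not code from the NCSC or any government guidance; the component names, IP addresses, domain names, log format and indicators are all constructed for illustration.

```python
"""Added example: a small detection pass over constructed connection logs.

Two checks from the guidance above are applied to each record:
  1. is the (source, destination, port) flow part of the designed
     communications map?  If not, raise an "unexpected_flow" alert.
  2. does the destination IP or TLS SNI match a threat intelligence
     indicator of compromise?  If so, raise an "ioc_ip"/"ioc_domain" alert.
Lines that cannot be parsed are surfaced too, since a logging pipeline that
silently drops records is itself a monitoring gap.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: this is the designed communications map taken from the
# system's architecture documentation (source host, destination host, port).
ALLOWED_FLOWS = {
    ("web-01", "app-01", 8443),
    ("app-01", "db-01", 5432),
    ("app-01", "proxy-01", 3128),
}

# Constructed indicators of compromise, as a threat intelligence feed or an
# internal CTI team might supply them (documentation-range addresses only).
IOC_IPS = {ipaddress.ip_address("203.0.113.45")}
IOC_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
IOC_DOMAINS = {"update-check.example.net"}

# Constructed log format: timestamp, source host, destination host or IP,
# destination port and an optional TLS SNI seen by a forward proxy.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r"(?: sni=(?P<sni>\S+))?$"
)

# Constructed sample log lines covering each detection case.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=web-01 dst=app-01 dport=8443",
    "2024-05-01T10:00:02Z src=app-01 dst=db-01 dport=5432",
    "2024-05-01T10:00:03Z src=db-01 dst=web-01 dport=22",
    "2024-05-01T10:00:04Z src=app-01 dst=proxy-01 dport=3128 sni=update-check.example.net",
    "2024-05-01T10:00:05Z src=web-01 dst=203.0.113.45 dport=443",
    "2024-05-01T10:00:06Z src=app-01 dst=198.51.100.77 dport=80",
    "corrupted record that the collector could not format",
]


@dataclass(frozen=True)
class Alert:
    kind: str   # unexpected_flow | ioc_ip | ioc_domain | unparsed
    line: str   # the raw log line that triggered the alert


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_ioc_ip(value):
    """True if value is an IP address that matches an IOC address or network."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False  # a hostname, not an IP
    return ip in IOC_IPS or any(ip in net for net in IOC_NETWORKS)


def is_ioc_domain(name):
    """True if name is an IOC domain or a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


def analyse(lines, allowed=ALLOWED_FLOWS):
    """Run both checks over every line and return the resulting alerts."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse(line)
        if rec is None:
            alerts.append(Alert("unparsed", line))
            continue
        flow = (rec["src"], rec["dst"], int(rec["dport"]))
        if flow not in allowed:
            alerts.append(Alert("unexpected_flow", line))
        if is_ioc_ip(rec["dst"]):
            alerts.append(Alert("ioc_ip", line))
        if rec["sni"] and is_ioc_domain(rec["sni"]):
            alerts.append(Alert("ioc_domain", line))
    return alerts


def summarise(alerts):
    """Count alerts by kind, which is what a dashboard or SOC triage queue would show."""
    return dict(Counter(a.kind for a in alerts))


if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(f"{a.kind:16} {a.line}")
    print(summarise(analyse(SAMPLE_LOG)))
```

The design-map check and the IOC check are deliberately independent: a connection to an IOC address from a host that is not even supposed to talk outbound produces two alerts, which is useful context for triage. In a real deployment the allowed-flow set and IOC lists would be loaded from configuration and a threat intelligence feed rather than embedded, and the IOC lists would need regular refresh so that stale indicators do not generate noise.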
Available tools
- The Cyber Security Information Sharing Partnership (CiSP) is a joint industry and government digital service to allow UK organisations to share cyber threat information in a secure and confidential environment.
Enhanced profile guidance
- In order to perform a protective monitoring function, your organisation may establish a Security Operations Centre (SOC). This can involve full-time staff who work with threat intelligence to identify, investigate and triage security events, as well as managers who understand your organisation, can assess the significance of security events and can integrate seamlessly with the incident management function. Building a Security Operations Centre helps to set out the steps for designing a SOC operating model which is centred around your requirements, so that it is proportionate, feasible and continually evolving. It then sets out threat modelling, detection and alerting approaches which can be integrated with your incident management and threat intelligence functions.
Further information
- Protective Monitoring for UK government ICT Systems (GPG 13) is archived guidance from the NCSC’s predecessor, Communications-Electronics Security Group (CESG). It should not be used for designing or operating a system, however it is referenced here in the instance that your organisation maintains a legacy contract which includes GPG 13 as a core security requirement.
Further guidance and information can be found on the NCSC’s CAF Guidance webpage.