Detective Security Controls

Organizations implement technical, administrative, and physical controls to maintain an adequate security posture. These controls can be preventive, detective, corrective, or compensatory in nature. In one of our previous posts, we discussed how preventive controls are highly effective and inexpensive. As the name suggests, preventive controls seek to stop various types of cyberattacks from occurring. If preventive controls fail, detective controls help an organization identify security incidents. Corrective controls then support recovery after a security incident has occurred. In this article, we take a detailed look at detective security controls and their examples.

If you learn that adversaries have obtained the data you are protecting, whether customer, proprietary, or other sensitive information, you should contact LIFARS immediately. When dealing with data breaches, time is of the essence, and the initial 24 hours after discovery are critical. LIFARS handles data breaches with military precision, finds and eliminates the root cause, and performs detailed forensics to discover all compromised information.

What are Detective Security Controls?

Detective controls include security measures implemented by an organization to detect unauthorized activity, or a broader security incident, and send alerts to the responsible individuals. Detective security controls function not only while such activity is in progress, but also after it has occurred. Examples of detective security controls include a door alarm that activates when a door is opened without authorization (physical control), an intrusion detection system (IDS) (technical control), and the discovery of excess access rights during an internal audit (administrative control).

Many organizations have set up a dedicated security operations center (SOC). A SOC team often has dedicated members for continuous monitoring of the organization’s IT infrastructure. It is well accepted that a security team cannot be expected to review logs manually on a regular basis. To overcome this, organizations purchase a Security Information and Event Management (SIEM) solution. A SIEM helps security teams by analyzing log data in real time for swift detection of security incidents. Modern SIEM solutions rely on advanced analytical capabilities and machine learning algorithms, along with threat intelligence feeds and contextual information about threats and vulnerabilities.

Examples of Detective Controls

  • Physical security controls: Many physical security controls around an organization’s IT assets are detective in nature, for example CCTV surveillance, motion detection, door alarms, and fire/smoke alarms. These measures are often considered part of conventional building security, but they are integral to the protection of IT assets. Incorporating them into information security practices helps an organization adopt a layered approach.
  • Intrusion detection systems (IDS): An IDS is generally deployed together with an intrusion prevention system (IPS). An intrusion detection system continuously monitors computer systems for policy violations and malicious activity, and as soon as it detects either, it can alert the system administrator. An advanced IDS may also record information about security incidents and help security teams retrieve details such as the IP address and MAC address of the attack source.
  • Anti-virus/anti-malware tools: An anti-virus tool is generally installed on every system in an organizational network. As standard practice, it provides regular scanning along with real-time alerts and updates. While traditional tools rely heavily on virus signatures, an ideal anti-virus tool also uses behavior detection to discover viruses, worms, ransomware, trojan horses, and other malicious files. A dedicated policy may support the organization-wide implementation of an anti-virus tool.
  • Logging and monitoring using tools such as SIEM: Computer systems, networks, and applications generate a massive volume of log data every day, and this volume keeps increasing as an organization grows. At the same time, attackers continuously launch sophisticated attacks that may go undetected by single-point security devices. Filtering through the logs of each device manually is a tedious task for security teams. As discussed earlier, a SIEM solution comes to their rescue by detecting incidents in real time and supporting mitigation measures without delay.
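To make the SIEM correlation described in the SOC paragraph and in the logging bullet above concrete, here is a minimal detection rule written for this article (an added example, not code from any SIEM product): it parses constructed sshd-style log lines, keeps a sliding window of failed logins per source IP, raises an alert when a threshold is reached, and escalates if a successful login from the same source follows while those failures are still recent. The log format, addresses, thresholds and severity labels are all assumptions for the example.

```python
# Added example: a minimal SIEM-style correlation rule over sshd log lines
# (constructed data; thresholds and severities are assumptions for illustration).
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (fictional host, RFC 5737 test addresses).
SAMPLE_LOG = """\
2024-03-01T10:00:01 host sshd[1]: Failed password for admin from 203.0.113.5 port 5001 ssh2
2024-03-01T10:00:03 host sshd[1]: Failed password for admin from 203.0.113.5 port 5002 ssh2
2024-03-01T10:00:05 host sshd[1]: Accepted publickey for alice from 198.51.100.7 port 6001 ssh2
2024-03-01T10:00:07 host sshd[1]: Failed password for root from 203.0.113.5 port 5003 ssh2
2024-03-01T10:00:09 host sshd[1]: Failed password for admin from 203.0.113.5 port 5004 ssh2
2024-03-01T10:00:11 host sshd[1]: Failed password for admin from 203.0.113.5 port 5005 ssh2
2024-03-01T10:00:20 host sshd[1]: Accepted password for admin from 203.0.113.5 port 5006 ssh2
2024-03-01T10:30:00 host sshd[1]: Failed password for bob from 198.51.100.7 port 6002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) \S+ for "
    r"(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse(line):
    # Return ts/result/user/ip for a login event, or None for lines the rule ignores.
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev

def correlate(log_text, threshold=5, window=60):
    """Return (severity, ip, message) alerts in the order they fire."""
    failures = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerted, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts, q = ev["ip"], ev["ts"], failures[ev["ip"]]
        while q and (ts - q[0]).total_seconds() > window:  # slide the window forward
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in alerted:  # alert once per source
                alerted.add(ip)
                alerts.append(("medium", ip, f"{len(q)} failed logins within {window}s"))
        elif q and ip in alerted:  # success while brute-force failures are still recent
            alerts.append(("high", ip, f"successful login as {ev['user']} after brute-force pattern"))
    return alerts
```

On the sample data the rule fires a medium alert on the fifth failure from 203.0.113.5 and a high alert on the subsequent successful login, while the single failure from 198.51.100.7 stays below the threshold.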

Ending Notes

If you are a cybersecurity professional, you already know of multiple instances where organizations were unable to detect a data breach for months. Detective controls play a crucial role when attackers bypass your organization’s defenses and preventive controls have failed. Efficient detective controls equip your security team with adequate resources to detect security incidents with negligible delay and initiate the incident response process. Did you know that LIFARS can help with remote incident response by deploying our highly skilled response team to your local enterprise environment? Request a FREE consultation from LIFARS here.