Cybersecurity event detection activities are adjusted based on identified risks and the organisation’s threat profile (THREAT-2e)
Context and Guidance: Event detection depends largely on how broadly the organisation understands the range of events that can affect it. One useful source for expanding the organisation’s event awareness is the set of risks that have been identified and are being addressed in the organisation’s risk management process (see RISK-2a). Alerts should be developed to function as early warning indicators for each such risk or threat. To adjust event detection activities based on the organisation’s threat profile, organisations should review the targeted assets, objectives, and attack methods that threat actors may employ, and tune alerting accordingly. For example, if threat reporting indicates that adversaries are targeting certain SCADA systems, existing alerts could be modified to trigger on anomalies that match aspects of that adversarial activity.
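The following is an added illustration, not text or tooling from the maturity model itself, of the two adjustments the guidance describes: deriving an early-warning alert from each entry in a risk register, and re-prioritising existing detection rules whose tags match the organisation’s threat profile (targeted assets and attack methods). The rule engine, the rule attributes (threshold, severity, tags), the risk register entries, the threat profile and the sample events are all constructed for this example and are assumptions, not part of any real product or of the model.

```python
"""Tune event detection to a risk register and a threat profile.

Added example for THREAT-2e (not part of the maturity model): a toy rule engine
that (1) creates one early-warning alert per registered risk, the RISK-2a input,
and (2) makes existing rules that cover targeted assets or known attack methods
fire sooner and at higher severity. Every identifier below is an assumption.
"""
from dataclasses import dataclass, replace

SEVERITY_ORDER = ["low", "medium", "high"]


@dataclass
class Rule:
    rule_id: str
    description: str
    field_name: str      # event attribute the rule inspects
    match: str           # value that counts as a hit
    tags: frozenset      # asset classes / attack methods this rule covers
    threshold: int = 5   # hits per window before the rule fires
    severity: str = "low"


@dataclass
class ThreatProfile:
    targeted_assets: frozenset   # e.g. {"scada"}
    attack_methods: frozenset    # e.g. {"credential-stuffing"}


@dataclass
class Risk:
    risk_id: str
    description: str
    indicator_field: str   # observable that acts as the early-warning indicator
    indicator_value: str
    tags: frozenset


def raise_severity(level: str) -> str:
    """Step severity up one notch, capped at the top of SEVERITY_ORDER."""
    i = SEVERITY_ORDER.index(level)
    return SEVERITY_ORDER[min(i + 1, len(SEVERITY_ORDER) - 1)]


def early_warning_rules(risks):
    """One alert per registered risk: a single matching event is enough to warn."""
    return [Rule(rule_id=f"EW-{r.risk_id}",
                 description=f"Early warning for {r.description}",
                 field_name=r.indicator_field, match=r.indicator_value,
                 tags=r.tags, threshold=1, severity="medium") for r in risks]


def adjust_rules(rules, profile):
    """Rules touching targeted assets or known attack methods fire sooner and louder."""
    relevant = profile.targeted_assets | profile.attack_methods
    adjusted = []
    for rule in rules:
        if rule.tags & relevant:
            adjusted.append(replace(rule, threshold=max(1, rule.threshold // 2),
                                    severity=raise_severity(rule.severity)))
        else:
            adjusted.append(rule)   # not in the threat profile: leave as configured
    return adjusted


def tune_detection(rules, risks, profile):
    """Apply both adjustments described in the practice guidance."""
    return adjust_rules(list(rules) + early_warning_rules(risks), profile)


def evaluate(rules, events):
    """Count hits per rule over one window; return {rule_id: severity} for rules that fire."""
    fired = {}
    for rule in rules:
        hits = sum(1 for e in events if e.get(rule.field_name) == rule.match)
        if hits >= rule.threshold:
            fired[rule.rule_id] = rule.severity
    return fired


# Constructed baseline rules, risk register, threat profile and events (all hypothetical).
BASE_RULES = [
    Rule("R1", "Unexpected write to PLC register", "action", "plc_write",
         frozenset({"scada"}), threshold=4),
    Rule("R2", "Failed VPN logins", "action", "vpn_auth_fail",
         frozenset({"remote-access", "credential-stuffing"}), threshold=10),
    Rule("R3", "Printer firmware update", "action", "printer_fw",
         frozenset({"office-it"}), threshold=3),
]
RISKS = [Risk("RK-07", "unauthorised engineering workstation access",
              "action", "eng_ws_login_offhours", frozenset({"scada"}))]
PROFILE = ThreatProfile(targeted_assets=frozenset({"scada"}),
                        attack_methods=frozenset({"credential-stuffing"}))
SAMPLE_EVENTS = (
    [{"action": "plc_write", "host": "plc-03"}] * 2
    + [{"action": "vpn_auth_fail", "host": "vpn-gw"}] * 5
    + [{"action": "eng_ws_login_offhours", "host": "eng-ws-1"}]
    + [{"action": "printer_fw", "host": "prn-2"}]
)


def untuned_alerts():
    """Baseline thresholds: none of the sample activity reaches them."""
    return evaluate(BASE_RULES, SAMPLE_EVENTS)


def tuned_alerts():
    """After tuning: SCADA and credential-stuffing rules fire, plus the risk's early warning."""
    return evaluate(tune_detection(BASE_RULES, RISKS, PROFILE), SAMPLE_EVENTS)


if __name__ == "__main__":
    print("before tuning:", untuned_alerts())
    print("after tuning: ", tuned_alerts())
```

The point of the comparison is that the same window of events is silent under the baseline configuration but produces three alerts once thresholds and severities reflect the threat profile and the risk register; the printer rule, which is outside the profile, is deliberately left untouched so that tuning narrows attention rather than raising noise everywhere.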
Related Practices
• Dependency: Implementing this practice depends upon prior implementation of THREAT-2e.
• Input From: Implementing RISK-2a provides input that may be useful for implementing this practice.