A capability is established and maintained to aggregate, correlate, and analyse the outputs of cybersecurity monitoring activities and provide a near-real-time understanding of the cybersecurity state of the function.
Context and Guidance: Aggregation of monitoring data typically involves the use of advanced monitoring tools, such as security information and event management (SIEM) systems, to aggregate system logs and network data to enable a more holistic analysis of the environment. While not a requirement for implementation of this practice, organisations may consider aggregation of monitoring data from across functions. Similar to aggregation within a function, sharing and analysis of monitoring data across functions within an organisation provides more comprehensive awareness of the organisation’s operational state and cybersecurity state. This may require implementation of methods to summarise or otherwise simplify the information presented to those reviewing aggregated audit logs (e.g., report reduction).
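The following is an added example, not part of the C2M2 text: a small Python pipeline that shows the three steps the guidance names (aggregate logs from two functions into one stream, correlate them in near real time over a sliding window, and reduce the result to a summary for reviewers). The log lines, the "IT" and "OT" function labels, the field names and the correlation rule are all constructed for illustration and are not prescribed by the model.

```python
"""Aggregate, correlate and summarise monitoring output from two functions.

Added example; the log formats, function labels (IT/OT) and the
correlation rule below are constructed assumptions, not C2M2 guidance.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample records: host auth logs from the IT function and
# firewall logs from the OT function.
IT_SYSLOG = [
    "2024-05-01T10:00:01Z it-host-a sshd: Failed password for admin from 10.0.0.5",
    "2024-05-01T10:00:03Z it-host-a sshd: Failed password for admin from 10.0.0.5",
    "2024-05-01T10:00:04Z it-host-a sshd: Failed password for admin from 10.0.0.5",
    "2024-05-01T10:00:09Z it-host-b sshd: Accepted password for ops from 10.0.0.7",
]
OT_NETLOG = [
    "2024-05-01T10:00:06Z ot-fw DENY src=10.0.0.5 dst=10.1.1.9 dport=502",
    "2024-05-01T10:00:07Z ot-fw ALLOW src=10.0.0.7 dst=10.1.1.9 dport=502",
]

SYSLOG_RE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
NETLOG_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def normalise_syslog(line, function="IT"):
    """Map an auth log line onto the common event schema (None if unparsable)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts, host, result, user, src = m.groups()
    return {"ts": parse_ts(ts), "function": function, "source": host,
            "category": "auth_fail" if result == "Failed" else "auth_ok",
            "actor": src, "detail": f"user={user}"}


def normalise_netlog(line, function="OT"):
    """Map a firewall log line onto the same schema so both can be correlated."""
    m = NETLOG_RE.match(line)
    if not m:
        return None
    ts, device, action, src, dst, dport = m.groups()
    return {"ts": parse_ts(ts), "function": function, "source": device,
            "category": "net_deny" if action == "DENY" else "net_allow",
            "actor": src, "detail": f"dst={dst}:{dport}"}


def aggregate(*streams):
    """Merge normalised events from every function into one time-ordered stream."""
    events = [e for stream in streams for e in stream if e is not None]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=timedelta(seconds=30), fail_threshold=3):
    """Sliding-window rule: raise one alert per actor that produces at least
    `fail_threshold` auth failures and a network deny, spanning more than one
    function, inside `window`. Events are consumed in order, as a SIEM would."""
    recent = defaultdict(deque)  # actor -> events still inside the window
    fired, alerts = set(), []
    for e in events:
        q = recent[e["actor"]]
        q.append(e)
        while q and e["ts"] - q[0]["ts"] > window:
            q.popleft()
        fails = [x for x in q if x["category"] == "auth_fail"]
        denies = [x for x in q if x["category"] == "net_deny"]
        functions = sorted({x["function"] for x in fails + denies})
        if (len(fails) >= fail_threshold and denies and len(functions) > 1
                and e["actor"] not in fired):
            fired.add(e["actor"])
            alerts.append({"actor": e["actor"], "functions": functions,
                           "first_seen": q[0]["ts"], "last_seen": e["ts"],
                           "auth_failures": len(fails), "denies": len(denies)})
    return alerts


def summarise(events):
    """Report reduction: collapse the raw stream to counts per function/category."""
    return Counter((e["function"], e["category"]) for e in events)


def run_pipeline():
    events = aggregate([normalise_syslog(l) for l in IT_SYSLOG],
                       [normalise_netlog(l) for l in OT_NETLOG])
    return events, correlate(events), summarise(events)


if __name__ == "__main__":
    events, alerts, summary = run_pipeline()
    print(f"{len(events)} events, {len(alerts)} alert(s)")
    for a in alerts:
        print(a)
    for (function, category), n in sorted(summary.items()):
        print(f"{function:3} {category:10} {n}")
```

The two parsers are the "aggregation" step: both sources are pushed into one schema keyed by timestamp and actor. The correlation rule fires only once per actor and only when the evidence spans more than one function, which is the cross-function awareness the guidance describes; the summary is the reduced view a reviewer would look at instead of the raw records.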
Related Practices
• Progression: This practice is part of multiple practice progressions. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity.
• The practices in the first progression include: SITUATION-3b, SITUATION-3f.
• The practices in the second progression include: SITUATION-3c, SITUATION-3e, SITUATION-3f.