FIDP-10

Is intrusion monitoring performed internally or by a third-party service?

Explanation

This question is asking about your organization's approach to intrusion monitoring: specifically, whether you handle this security function internally with your own staff and tools, outsource it to a third-party security provider, or use some combination of both.

Intrusion monitoring refers to the continuous surveillance of your network and systems to detect unauthorized access attempts, suspicious activity, or security breaches. This includes technologies such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) that analyze network traffic and system logs to identify potential security incidents.

The question is important in a security assessment because:

1. It confirms whether you have intrusion monitoring in place at all (a basic security control).
2. It reveals your security operations maturity and resourcing model.
3. It helps the assessor understand who is responsible for monitoring and responding to security events.
4. It provides insight into your incident detection capabilities.

When answering, clearly state your approach (internal, external, or hybrid) and provide specific details about the implementation: the tools used, monitoring coverage (which systems and networks are monitored), the staffing model (24x7 or business hours), and basic response procedures. Be honest about your current capabilities while highlighting the strengths of your chosen approach.

Guidance

In addition to stating your intrusion monitoring strategy, provide a brief summary of its implementation.

Example Responses

Example Response 1

Our intrusion monitoring is performed internally by our Security Operations Center (SOC) team. We have implemented a layered approach using Palo Alto Networks firewalls with threat prevention capabilities at network boundaries, CrowdStrike EDR on all endpoints, and Splunk SIEM for log aggregation and correlation. Our SOC team operates on a 24x7 basis with analysts monitoring alerts in real time. We have documented playbooks for common attack scenarios, and our SOC team conducts regular threat hunting exercises to proactively identify potential compromises. All critical alerts are investigated within 30 minutes, and we maintain a 15-minute SLA for responding to confirmed incidents.

Example Response 2

We utilize a hybrid approach to intrusion monitoring. We maintain an internal security team that handles day-to-day security operations during business hours (8am-6pm ET), including alert triage and initial incident response. For after-hours coverage and specialized threat hunting, we contract with Mandiant's Managed Defense service. Our technical implementation includes Cisco Firepower IPS at network boundaries, Microsoft Defender for Endpoint on all workstations and servers, and Microsoft Sentinel as our SIEM platform. The Mandiant team has access to our Sentinel instance and provides 24x7 monitoring coverage when our internal team is offline. This hybrid model gives us the benefit of dedicated internal resources who understand our environment, supplemented by specialized expertise and round-the-clock coverage from our third-party provider.

Example Response 3

We currently do not have a formal intrusion monitoring program in place. Our IT team receives alerts from our firewall when known malicious IP addresses attempt to connect, but we do not have dedicated security personnel monitoring for intrusions. We rely on standard antivirus software on endpoints and conduct manual system checks when issues are reported by users. We recognize this is a gap in our security posture and are evaluating options to implement a more robust intrusion monitoring capability in the next fiscal year, including potentially engaging a Managed Security Service Provider (MSSP) for 24x7 monitoring services.
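To make concrete what the Explanation means by IDS/SIEM tooling that "analyzes network traffic and system logs to identify potential security incidents", and what an investigation target such as the 30 minutes quoted in Example Response 1 looks like in practice, here is an added illustration. It is not part of the original page and is not the code of any product named above. It runs two simple detection rules over constructed firewall-style log lines (a burst of denied connections from one source, and any traffic from a blocklisted source) and then checks whether each alert was acknowledged within the investigation target. The log format, the thresholds, the blocklist and the IP addresses (documentation ranges) are all assumptions made for this example.

```python
"""Toy intrusion-monitoring pipeline (added illustration, not from the page).

Two detection rules run over constructed firewall-style log lines, then each
alert is checked against an investigation target (30 minutes, as in Example
Response 1). The log format, thresholds, blocklist and IP addresses are all
assumptions made for this example; the IPs are from documentation ranges.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format): timestamp action src dst dst_port
SAMPLE_LOGS = """\
2024-05-01T09:00:01 DENY 198.51.100.7 10.0.0.5 22
2024-05-01T09:00:03 DENY 198.51.100.7 10.0.0.5 22
2024-05-01T09:00:05 DENY 198.51.100.7 10.0.0.5 22
2024-05-01T09:00:07 DENY 198.51.100.7 10.0.0.5 22
2024-05-01T09:00:09 DENY 198.51.100.7 10.0.0.5 22
2024-05-01T09:05:00 ALLOW 203.0.113.9 10.0.0.8 443
2024-05-01T09:10:00 ALLOW 192.0.2.44 10.0.0.8 443
2024-05-01T10:00:00 DENY 203.0.113.9 10.0.0.5 3389
"""

# Constructed blocklist standing in for a threat-intelligence feed.
BLOCKLIST = {"192.0.2.44"}

# Detection tuning (assumed values): N denied connections inside the window.
DENY_THRESHOLD = 5
WINDOW = timedelta(seconds=60)
INVESTIGATION_TARGET = timedelta(minutes=30)


@dataclass
class LogEvent:
    ts: datetime
    action: str
    src: str
    dst: str
    port: int


@dataclass
class Alert:
    rule: str
    src: str
    first_seen: datetime
    severity: str


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


def parse_line(line: str) -> LogEvent:
    ts, action, src, dst, port = line.split()
    return LogEvent(parse_ts(ts), action, src, dst, int(port))


def detect(lines) -> list[Alert]:
    """Apply both rules to events in arrival order and return the alerts raised."""
    alerts: list[Alert] = []
    recent_denies: dict[str, deque] = defaultdict(deque)  # src -> DENY timestamps in window
    burst_fired: set[str] = set()  # one burst alert per source, to avoid alert storms
    for line in lines:
        if not line.strip():
            continue
        ev = parse_line(line)
        # Rule 1: any traffic from a blocklisted source is a high-severity alert,
        # even if the firewall allowed it (the ALLOW is what makes it interesting).
        if ev.src in BLOCKLIST:
            alerts.append(Alert("blocklist-hit", ev.src, ev.ts, "high"))
        # Rule 2: a burst of denied connections from one source within WINDOW.
        if ev.action == "DENY":
            window = recent_denies[ev.src]
            window.append(ev.ts)
            while window and ev.ts - window[0] > WINDOW:
                window.popleft()  # drop events that have aged out of the window
            if len(window) >= DENY_THRESHOLD and ev.src not in burst_fired:
                burst_fired.add(ev.src)
                alerts.append(Alert("deny-burst", ev.src, window[0], "medium"))
    return alerts


def investigation_status(alert: Alert, acknowledged_at: datetime) -> tuple[bool, float]:
    """Return (target_met, minutes_elapsed) from first sighting to analyst acknowledgement."""
    elapsed = acknowledged_at - alert.first_seen
    return elapsed <= INVESTIGATION_TARGET, elapsed.total_seconds() / 60


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        # Constructed acknowledgement time: 19 minutes after each alert's first event.
        met, minutes = investigation_status(alert, alert.first_seen + timedelta(minutes=19))
        print(f"{alert.rule:14} {alert.src:14} {alert.severity:6} "
              f"ack after {minutes:.0f} min -> {'within target' if met else 'MISSED target'}")
```

Two design points carry over to real deployments: the sliding window is evaluated per source so one noisy host cannot mask another, and a source fires the burst rule only once until it is cleared, because an alert storm is itself a way to miss the 30-minute target. A real SIEM rule would add the same suppression and would source the blocklist from a maintained feed rather than a literal set.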

Context

Tab: Infrastructure
Category: Firewalls, IDS, IPS, and Networking

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub