Framework Category

Adverse Event Analysis

Adverse Event Analysis focuses on understanding and assessing abnormal activities by analyzing events against a baseline of expected behavior.

It involves correlating data from multiple sources, evaluating impact and scope, integrating threat intelligence, and determining when events qualify as incidents based on defined thresholds.

Implementation Questions

DE.AE-02

Potentially adverse events are analyzed to better understand associated activities

Does your organization use SIEM or similar tools to continuously monitor log events for malicious and suspicious activity?

Continuous monitoring of log events is essential for detecting security incidents in real-time. A Security Information and Event Management (SIEM) solution aggregates logs from various systems, correlates events, and alerts security teams to potential threats based on predefined rules or anomaly detection. This enables organizations to identify and respond to security incidents before they escalate into major breaches.

Does your organization integrate current cyber threat intelligence feeds into your log analysis and monitoring tools?

Integrating threat intelligence into log analysis tools enhances detection capabilities by providing context about known malicious indicators, attack patterns, and threat actor behaviors. This allows security teams to prioritize alerts based on real-world threat data and identify sophisticated attacks that might otherwise go undetected.

Does your organization conduct regular manual reviews of log events for systems that cannot be adequately monitored through automated means?

Some technologies or systems may generate logs that are difficult to parse or interpret automatically, requiring human review to identify anomalies or security incidents. Examples include specialized equipment, legacy systems, or applications with unique logging formats that automated SIEM tools cannot effectively process.

Does your organization utilize log analysis tools to generate actionable reports from log data?

Log analysis tools help organizations identify security incidents, system anomalies, and compliance issues by processing large volumes of log data into meaningful reports. These tools can detect patterns indicating potential security breaches, performance issues, or unusual user behaviors that might otherwise go unnoticed in raw logs.

DE.AE-06

Information on adverse events is provided to authorized staff and tools

Does your organization utilize cybersecurity software that generates alerts which are monitored and actioned by your security operations center (SOC) or incident response team?

This question assesses active security monitoring: whether your organization runs cybersecurity software that generates alerts, and whether your SOC or incident response team actually monitors and acts on them. Effective security monitoring requires both the technical capability to detect suspicious activity and the operational processes to review and respond to the resulting alerts.

Do incident responders and authorized personnel have 24/7 access to log analysis findings?

This question assesses around-the-clock visibility: whether incident responders and other authorized staff can reach log analysis findings at any hour, every day, rather than only during business hours.

Does your organization automatically generate and assign tickets in your ticketing system when specific security alerts are triggered?

Automatic ticket creation ensures that security alerts are promptly addressed by creating accountability through assignment and providing a trackable workflow. This practice helps prevent alerts from being overlooked during high-volume incidents and establishes a documented response history for each security event. The automation reduces response time and human error in the triage process.

Does your organization have a documented process for manually creating and assigning tickets in your ticketing system when technical staff discover potential security incidents or indicators of compromise?

This question assesses incident ticketing: whether you have a documented process for manually creating and assigning tickets when technical staff spot potential security incidents or indicators of compromise that no automated rule has flagged.
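As an added illustration (not code from the page or from ResponseHub) of the pipeline the DE.AE-02 and DE.AE-06 questions describe: parse a few constructed log lines, compare destinations against a behavioral baseline, enrich matches with a constructed threat-intelligence feed, and turn each alert into an assigned, trackable ticket. The log format, indicator values, baseline, ticket id scheme and assignee roles are all assumptions made for the example.

```python
import re

# Constructed sample log lines (not real data), one proxy-style record per line.
SAMPLE_LOGS = [
    "2024-05-01T09:00:01Z host=ws-17 user=alice dst=10.0.5.20 action=ALLOW",
    "2024-05-01T09:00:04Z host=ws-17 user=alice dst=10.0.5.21 action=ALLOW",
    "2024-05-01T09:01:10Z host=ws-22 user=bob dst=198.51.100.7 action=ALLOW",
    "2024-05-01T09:01:12Z host=ws-22 user=bob dst=10.0.5.20 action=ALLOW",
    "2024-05-01T09:02:00Z host=ws-09 user=carol dst=10.0.5.20 action=ALLOW",
    "2024-05-01T09:02:03Z host=ws-09 user=carol dst=203.0.113.9 action=ALLOW",
]
# Constructed threat-intelligence feed (assumption): indicator -> context to attach to the alert.
THREAT_INTEL = {"198.51.100.7": "known C2 infrastructure (feed: example-ti, confidence: high)"}
# Baseline of expected destinations (assumption: learned from a prior observation window).
BASELINE_DST = {"10.0.5.20", "10.0.5.21"}

LOG_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) action=(?P<action>\S+)"
)

def parse(line):
    """Return the record's fields as a dict, or None for a line that does not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def analyze(lines, intel, baseline):
    """DE.AE-02: threat-intel hits are 'high'; off-baseline destinations with no TI context are 'medium'."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparseable lines are skipped here; in practice route them to manual review
        dst = ev["dst"]
        if dst in intel:
            alerts.append({**ev, "severity": "high", "reason": f"threat intel match: {intel[dst]}"})
        elif dst not in baseline:
            alerts.append({**ev, "severity": "medium", "reason": "destination not in behavioral baseline"})
    return alerts

def create_tickets(alerts, assignee_by_severity):
    """DE.AE-06: each alert becomes an assigned, trackable ticket (in-memory stand-in for a ticketing API)."""
    tickets = []
    for n, alert in enumerate(alerts, start=1):
        tickets.append({
            "id": f"SEC-{n:04d}",  # constructed id scheme
            "assignee": assignee_by_severity[alert["severity"]],
            "summary": f"[{alert['severity'].upper()}] {alert['user']}@{alert['host']} -> {alert['dst']}: {alert['reason']}",
        })
    return tickets
```

Running `create_tickets(analyze(SAMPLE_LOGS, THREAT_INTEL, BASELINE_DST), {"high": "soc-tier2", "medium": "soc-tier1"})` yields two tickets: a high-severity one for the threat-intel match and a medium one for the off-baseline destination, each already assigned to a queue.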

DE.AE-07

Cyber threat intelligence and other contextual information are integrated into the analysis

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub