chapter eight

8 Continuous threat detection

This chapter covers

  • Implementation of a continuous monitoring system
  • Using open-source solutions for continuous threat detection
  • The six steps in the ISCM process
  • Introduction to the alert threshold lifecycle assessment systems
  • Defining a strategy for continuous monitoring

The ability to detect and respond to threats in real time is a critical component of cybersecurity. Continuous threat detection is a proactive measure for safeguarding an organization’s data and assets against cyber threats. From phishing campaigns to ransomware, organizations face a steady stream of attacks, and the longer one goes unnoticed, the more damage it can do.

This chapter discusses continuous threat detection in detail, offering a guide on how to implement monitoring systems. We will explore the use of open-source tools such as Wazuh (https://www.wazuh.com) to enhance detection capabilities so that subtle anomalies, not only obvious attacks, are identified and addressed. By understanding and applying the right metrics, cybersecurity professionals can evaluate how effective their threat detection systems actually are and make more informed decisions about where to strengthen their defenses.
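The metrics introduced later in this chapter (section 8.5.1: FRR, FAR, and EER) are easier to reason about with a concrete calculation. The following is an added example, not code from the book or from Wazuh, that sweeps an alert threshold over constructed detector scores and locates the equal error rate. It assumes the conventions stated in its docstring (score-based detector, alert when score is at or above the threshold, FAR as missed malicious events, FRR as benign events raised as alerts); the page itself does not define them, so treat those as the example's assumptions.

```python
"""Computing FRR, FAR and EER for a score-based detector over constructed data.

Assumed conventions (not defined on this page): a detector emits a numeric
suspicion score per event and raises an alert when the score is >= the alert
threshold. FAR (false acceptance rate) is the fraction of malicious events
accepted as benign, i.e. missed detections; FRR (false rejection rate) is the
fraction of benign events rejected as threats, i.e. false alarms. EER is the
rate at the threshold where FAR and FRR are (closest to) equal.
"""
from typing import Sequence, Tuple

# Constructed sample scores for illustration, not captured from a real system.
BENIGN_SCORES = [0.05, 0.10, 0.12, 0.20, 0.25, 0.30, 0.35, 0.42, 0.55, 0.70]
MALICIOUS_SCORES = [0.40, 0.52, 0.60, 0.65, 0.72, 0.80, 0.85, 0.90, 0.95, 0.98]


def far_frr(benign: Sequence[float], malicious: Sequence[float],
            threshold: float) -> Tuple[float, float]:
    """Return (FAR, FRR) for a given alert threshold."""
    if not benign or not malicious:
        raise ValueError("need at least one benign and one malicious score")
    # Malicious events scoring below the threshold are accepted (missed).
    far = sum(1 for s in malicious if s < threshold) / len(malicious)
    # Benign events scoring at or above the threshold are rejected (false alarms).
    frr = sum(1 for s in benign if s >= threshold) / len(benign)
    return far, frr


def equal_error_rate(benign: Sequence[float],
                     malicious: Sequence[float]) -> Tuple[float, float]:
    """Sweep candidate thresholds and return (eer, threshold).

    Candidates are every observed score plus one value above the maximum, so
    each distinct decision boundary is tried exactly once. When FAR and FRR do
    not cross exactly, the midpoint at the closest threshold is reported.
    """
    candidates = sorted(set(benign) | set(malicious))
    candidates.append(candidates[-1] + 1e-9)
    best = None  # (gap, eer, threshold)
    for t in candidates:
        far, frr = far_frr(benign, malicious, t)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, (far + frr) / 2, t)
    return best[1], best[2]


if __name__ == "__main__":
    for t in (0.3, 0.5, 0.55, 0.7):
        far, frr = far_frr(BENIGN_SCORES, MALICIOUS_SCORES, t)
        print(f"threshold={t:.2f}  FAR={far:.2f}  FRR={frr:.2f}")
    eer, t = equal_error_rate(BENIGN_SCORES, MALICIOUS_SCORES)
    print(f"EER={eer:.2f} at threshold {t:.2f}")
```

Lowering the threshold trades FAR for FRR: more attacks are caught, but more benign activity is raised as alerts for analysts to triage. The EER is a single-number comparison point between detectors, not a recommended operating threshold; in practice the threshold is chosen from the cost of a missed attack versus the cost of an analyst chasing a false alarm.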

8.1 Implementing continuous threat monitoring systems

8.1.1 Define strategy

8.1.2 Respond to findings

8.2 Open-source alternative to continuous threat detection

8.2.1 Establish architecture

8.2.2 Implement and collect

8.2.3 Analyze and report

8.3 Continuous monitoring metrics

8.3.1 Continuous monitoring metrics exercise

8.4 Understanding ATLAS

8.4.1 Methodology of ATLAS

8.4.2 Review and update

8.4.3 ATLAS benefits

8.5 Determining valid threat detections

8.5.1 FRR, FAR, and EER metrics

8.5.2 FRR, FAR, and EER exercise

8.6 Adverse event analysis

8.6.1 Adverse event analysis metrics

8.6.2 Adverse event analysis metrics exercise

8.7 Summary