chapter eight

8 Continuous threat detection

This chapter covers

Implementation of a continuous monitoring system
Using open-source solutions for continuous threat detection
The ISCM process
Alert threshold lifecycle assessment systems
Strategies for continuous monitoring

The ability to detect and respond to threats in real time is critical to cybersecurity. Continuous threat detection is a proactive measure for safeguarding an organization’s data and assets against cyber threats. Phishing attacks and ransomware continuously threaten the cyber landscape. If not detected and addressed promptly, these threats can have severe implications.

This chapter discusses the details of continuous threat detection and offers a guide on how to implement monitoring systems. We will explore using open-source tools like Wazuh (https://www.wazuh.com) to enhance detection capabilities, ensuring that even the most subtle anomalies are identified and addressed. By understanding and applying the right metrics, cybersecurity professionals can better evaluate the effectiveness of their threat detection systems and make better, more informed decisions to bolster their defenses.

8.1 Implementing continuous threat monitoring systems

8.1.1 Define strategy

8.1.2 Respond to findings

8.2 Opensource alternative to continuous threat detection

8.3 Continuous monitoring metrics

8.3.1 Continuous monitoring metrics exercise

8.4 Understanding ATLAS

8.4.1 Methodology of ATLAS

8.4.2 Review and update

8.4.3 ATLAS Benefits

8.5 Determining valid threat detections

8.5.1 FRR, FAR, and EER metrics

8.5.2 FRR, FAR, and ERR exercise

8.6 Adverse event analysis

8.6.1 Adverse event analysis metrics

8.6.2 Adverse event analysis metrics exercise

8.7 Alternatives to ATLAS and Wazuh

8.8 Summary