Hello and welcome to the session in which we will look at the US cybersecurity framework, and specifically at one of the five core functions: the detect function. Why? Because in the prior sessions we looked at the cybersecurity framework overall, then at the identify function and the protect function. Now it's time to look at the detect function. This is the big picture: we already completed the identify function and covered its six categories and subcategories; we looked at the protect function and covered its six categories and many subcategories; and in this session we're going to look at the detect function, which covers three categories. Remember, overall we have five core functions, 23 categories, 108 subcategories, and many references. We already covered this part and this part; now we're going to cover the detect function. Before we proceed any further, I have a public announcement about my company, farhatlectures.com.

Farhat Accounting Lectures is a supplemental educational tool that is going to help you with your CPA exam preparation as well as your accounting courses. My CPA material is aligned with your CPA review course, such as Becker, Roger, Wiley, Gleim, and Miles; my accounting courses are aligned with your accounting courses, broken down by chapter and topic. My resources consist of lectures, multiple choice questions, true/false questions, as well as exercises. Go ahead and start your free trial today: no obligation, no credit card required.

But let's take a look at what we are looking for, the overall idea of the detect function. We are looking for anomalies; we're looking for suspicious activities. First we identified our assets, the assets that we need to protect, and we installed protection. Now the individual who is trying to hack us is inside. How are we going to detect this? What are we going to do? Well, we're going to look for anomalies and suspicious activities. Why? Because the earlier you can detect those activities, the faster you can respond, so timely discovery using the proper tools is important, and this is what the detect function emphasizes. Simply put, detect is like an alarm system: you are raising the alarm now that someone is inside the system, and you want to continuously monitor for indicators of compromise. If someone is penetrating your system, you want to be on the lookout; you are hunting and being proactive. This is what the detect function is. It has three categories: anomalies and events, security continuous monitoring, and detection processes.

Starting with anomalies and events: what are anomalies and events? The objective of this category is to identify unusual activities or occurrences that might indicate a potential cybersecurity event. It might indicate that someone is trying to invade your system, place a virus, place malware, and so on and so forth. It helps the organization detect and analyze anomalies and events in their information systems by monitoring the network, user behavior, and system logs. How do you do that? Through the subcategories. One of the subcategories is establishing a baseline for network operations and expected data flows. What does that mean? Let's take a look at this figure here and let's assume this is your website traffic. Notice your website traffic is approximately a little bit less than 12,000, say 10,000. Suddenly your network traffic drops; this is an anomaly. You want to know why: is someone blocking users? Are you being hacked? Are some of the pages down? What's going on? By looking at this it alerted you, because you know what your website traffic should be, and now you find an anomaly. Are you monitoring this? Okay.

Another subcategory is that detected events are analyzed to understand attacks and the methods used; use user behavior or suspicious activity. For example, you know most users are logged in between 8 a.m. and, I don't know, 10 p.m. Let's assume that's the case; that's the user behavior. Let's assume you suddenly find heavy activity from 3 a.m. to 5 a.m. That is unusual activity, because that's not your user behavior; this is a.m. Well, guess what: are you looking at this? Are you analyzing those events or suspicious activities?

Event data is aggregated and correlated from multiple sources and sensors. So you're not looking, for example, only at web traffic: you're looking at web traffic, you are also monitoring the number of purchases being made on your website, how many people are logging out and trying to log in several times. You are looking at multiple sources; you don't look at one event, you look at several events all at the same time to make sense of them. You want to immediately assess the impact of events: the impact of events is determined. Now what would happen? You want to say, okay, my traffic went down; what does that mean? What could happen? What's the impact of the event on me? And you want to have incident alert thresholds: at what point do I declare an emergency? We are under attack; let's go ahead and respond, because the next step is responding. So in the detect function you have to determine this threshold, because the next thing after detecting is responding.

Another category of the detect function is security continuous monitoring, and, as the name suggests, it's continuous monitoring. This category emphasizes the importance of ongoing monitoring of organizational systems and assets, including hardware, software, and information; you want to monitor people as well. Continuous monitoring helps the organization maintain an up-to-date understanding of its cybersecurity position and detect any vulnerabilities before they are exploited, so you want to keep watching what's going on. Okay, so one: you want to monitor your network for potential cybersecurity events. You want physical monitoring: the physical environment is being monitored; you may want to have a security guard. Why? Because if somebody is physically inside the building, then they have access to physical data, and once they have access to physical data it might give them access to logical data. So personnel activity is monitored to detect any potential security event: if an individual should not be in that building or in that office, why are they there? You want to monitor this. Malicious code is detected: keep scanning your system for any such code. Also, mobile code is detected; you know, if you have mobile services, mobile apps, you want to keep monitoring those apps to see if anything is embedded in that code. Also, external service provider activity is monitored. Remember, one of the categories under identify is third-party supply chain; supply chains are third parties, external service providers. You also want to monitor those, what's going on, to detect any potential cybersecurity events. So it's inside your company as well as that supply chain, third parties that have access to or are involved in your system. You want to monitor for unauthorized personnel, connections, devices, and software; you want to monitor this continuously, and those are all subcategories. Now how would you do that? It all depends on the software you have and the personnel you have, so we don't go into any specificity here; all we're looking for is the overall security framework. And also scan for any vulnerabilities: for example, I have Norton and I scan my system every 24 to 48 hours. Why? Because I want to see if there's anything inside the system. You just keep scanning; that's all. It's automated: for example, at 3 a.m. the whole system is scanned.

Now the third category of the detect function is detection processes. What are we looking at here? This category focuses on ensuring that the detection processes and procedures (here we are looking at procedures) are maintained and tested regularly. You have to have some sort of policy on how to respond to an incident. This includes an incident response plan and communication protocols: who are you going to talk to? Are you going to talk to the engineers, the software or cybersecurity people, the legal department? And coordinate this with external organizations if legally you are required to do so. Some subcategories here would include defining the roles and responsibilities of this detection process: who's responsible for what in case something happens. Detection activities comply with all applicable policies, laws, and regulations: do you have those applicable laws and regulations, especially in the health and banking industries, well defined, and are we complying with them? Also, event detection information is communicated to appropriate parties when needed. For example, do I need to report this event to my legal department or not? Do I need to report this event to the state regulatory agency, to the SEC, and so on and so forth? Do I have detection processes that are tested, maintained, and continuously improved on a regular basis? I have to: one, two, and three. Do I keep updating those, making sure they are tested, maintained, and continuously improved, keeping up with laws and different threats? That is the detect function and its three categories, and they have many subcategories.

Now, after I detect an event, what do I do next? I am going to respond, and in the next session we will look at how you respond: what the various categories and subcategories under respond are, and what you should do. Now go to Farhat Lectures and look at the additional resources, the MCQs; whether you are studying for your CPA or CMA exam or any other professional certification, invest in yourself, invest in your career. Good luck and stay safe.
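The anomalies-and-events category described in the lecture (a baseline of expected traffic, analysis of detected events such as a traffic drop or heavy 3 a.m. activity, aggregation and correlation across several sources, and an incident alert threshold that hands off to respond) as working detection logic. This is an added example written for this page, not code from the lecture, from Farhat Lectures or from NIST; the log line format, the IP addresses, the traffic numbers, the z-score and severity values and the incident threshold are all constructed, illustrative assumptions.

```python
"""Added example (not from the lecture): baseline, anomaly, correlation and
alert-threshold logic for the 'anomalies and events' category, run over
constructed sample data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# 1. Baseline of expected traffic. Constructed sample: seven days of hourly
# request counts, ~10,000/hour during 08:00-21:59 and ~500/hour otherwise,
# with deterministic +/-200 jitter so the baseline has a spread.
def constructed_baseline_samples():
    samples = []
    for day in range(7):
        for hour in range(24):
            base = 10_000 if 8 <= hour <= 21 else 500
            jitter = (day * 37 + hour * 11) % 400 - 200
            samples.append((hour, base + jitter))
    return samples

def build_baseline(samples):
    """samples: (hour_of_day, request_count) pairs -> {hour: (mean, stdev)}.
    One expectation per hour is what lets 3 a.m. traffic be judged against
    3 a.m. history rather than against the daily average."""
    by_hour = defaultdict(list)
    for hour, count in samples:
        by_hour[hour].append(count)
    return {h: (mean(v), pstdev(v)) for h, v in by_hour.items()}

# 2. Compare today's observations against the baseline.
def detect_traffic_anomalies(baseline, observed, z_threshold=3.0):
    """observed: (hour, count) pairs. Flags any hour more than z_threshold
    standard deviations from its baseline mean. A drop (pages down, users
    blocked) and a spike at 3 a.m. are both anomalies; the direction is kept
    so the analyst can assess impact."""
    events = []
    for hour, count in observed:
        mu, sigma = baseline[hour]
        sigma = max(sigma, 0.05 * mu)  # noise floor for very stable hours
        z = (count - mu) / sigma
        if abs(z) >= z_threshold:
            events.append({"source": "web", "hour": hour, "observed": count,
                           "expected": round(mu), "z": round(z, 1),
                           "kind": "drop" if z < 0 else "spike", "severity": 2})
    return events

# 3. A second sensor: the authentication log. Constructed lines in a
# hypothetical format; the regex matches that format only.
AUTH_LINE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")
CONSTRUCTED_AUTH_LOG = """\
2024-05-01T03:10:02Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T03:10:09Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T03:10:17Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T03:10:26Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T03:10:35Z ip=203.0.113.5 user=alice result=FAIL
2024-05-01T03:12:40Z ip=203.0.113.5 user=alice result=OK
2024-05-01T09:15:00Z ip=198.51.100.7 user=bob result=FAIL
2024-05-01T09:15:30Z ip=198.51.100.7 user=bob result=OK
"""

def detect_auth_anomalies(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Aggregates single failed logins per source IP and raises one event when
    max_failures failures inside `window` are followed by a success: many weak
    signals become one strong one (credential guessing that worked)."""
    failures, events = defaultdict(list), []
    for line in log_text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        recent = [t for t in failures[m["ip"]] if ts - t <= window]
        if m["result"] == "FAIL":
            failures[m["ip"]] = recent + [ts]
        elif len(recent) >= max_failures:
            events.append({"source": "auth", "hour": ts.hour, "ip": m["ip"],
                           "user": m["user"], "failures_before_success": len(recent),
                           "kind": "brute_force_success", "severity": 3})
            failures[m["ip"]] = []
        else:
            failures[m["ip"]] = recent
    return events

# 4. Correlate across sources, then apply the incident alert threshold.
def correlate(web_events, auth_events):
    """An auth event in an hour that also shows a traffic anomaly is escalated:
    two independent sensors agreeing is worth more than either alone."""
    anomalous_hours = {e["hour"] for e in web_events}
    for e in auth_events:
        if e["hour"] in anomalous_hours:
            e["severity"] += 2
            e["correlated_with"] = "web"
    return web_events + auth_events

def triage(events, incident_threshold=4):
    """Total severity at or above the threshold is the point where detect hands
    off to respond; below it the events stay analyst work items."""
    score = sum(e["severity"] for e in events)
    return {"score": score, "incident": score >= incident_threshold, "events": events}

def run_detection(observed_today=((3, 4000), (10, 10100), (14, 2000), (20, 9900))):
    """Constructed 'today': a 3 a.m. spike, a 2 p.m. drop, two normal hours."""
    baseline = build_baseline(constructed_baseline_samples())
    web = detect_traffic_anomalies(baseline, observed_today)
    auth = detect_auth_anomalies(CONSTRUCTED_AUTH_LOG)
    return triage(correlate(web, auth))

if __name__ == "__main__":
    result = run_detection()
    for e in result["events"]:
        print(e)
    print("declare incident:", result["incident"], "score:", result["score"])
```

The per-hour baseline is the piece most worth copying: a single daily average would hide the 3 a.m. spike entirely, because 4,000 requests is far below the business-hour norm. The severity numbers and the threshold of 4 are placeholders; in practice the threshold is whatever point the organization decides justifies paging the response team.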