The guidance recognises that the controller may undertake a ‘short period’ of investigation in order to establish whether or not a breach has in fact occurred. During this period, the controller may not be regarded as ‘aware’. However, it is clear that this investigation should begin as soon as possible. If good quality incident detection technologies are in place, it should commence from the exact moment that the detection technologies deliver an alert.
Detecting Incidents
How can you detect potential incidents in real time, and what tools can you use? Organisations need tools that monitor all forms of logs in real time and scan for all manner of vulnerabilities. Monitoring the network and incorporating threat intelligence feeds makes it more manageable and faster to detect potential security incidents.
Depending on the criticality of the systems involved, monitoring can range from a system administrator looking through system event logs, to a small monitoring centre inside the organisation, up to contracting a dedicated security operations centre for network monitoring. For example, Smarttech247 runs a dedicated security operations centre that uses IBM QRadar SIEM to monitor our customers' networks; this also incorporates artificial intelligence in the form of IBM Watson for cybersecurity.
By using a dedicated security operations centre, organisations can leave network monitoring and incident handling to dedicated security professionals. However, whatever method an organisation opts for, there has to be some form of network monitoring. After detection, it is important to carefully and correctly identify what kind of incident has occurred, and which subnets and hosts (as the case may be) it has occurred in. Has there been a loss of data or confidential information? Are critical assets involved? How much impact has it had on the network?
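The triage questions above, worked through as an added example that is not code from the original post or from Smarttech247: a small Python routine matches constructed firewall log lines against a constructed threat-intelligence indicator set, then reports the affected hosts and /24 subnets, which of them are critical assets, which show a possible data loss (a large outbound transfer), and the time of the first alert, which the guidance treats as the moment the controller becomes aware. All indicator, host and asset values are hypothetical.

```python
import ipaddress
from datetime import datetime

# Constructed threat-intelligence feed: destination indicators a SIEM would import (hypothetical)
THREAT_INTEL = {"203.0.113.45", "198.51.100.7"}

# Constructed asset inventory: hosts the organisation considers critical (hypothetical)
CRITICAL_ASSETS = {"10.0.2.10": "customer-db", "10.0.1.5": "file-server"}

# Constructed firewall log lines: timestamp, source host, destination, bytes sent out
SAMPLE_LOGS = """\
2024-05-01T08:00:01 src=10.0.1.22 dst=93.184.216.34 bytes_out=1200
2024-05-01T08:02:14 src=10.0.2.10 dst=203.0.113.45 bytes_out=524288000
2024-05-01T08:03:09 src=10.0.1.5 dst=203.0.113.45 bytes_out=2048
2024-05-01T08:05:40 src=10.0.3.7 dst=198.51.100.7 bytes_out=900
"""

def parse_line(line):
    """Split one 'ts key=value ...' log line into a dict."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": datetime.fromisoformat(ts), "src": kv["src"],
            "dst": kv["dst"], "bytes_out": int(kv["bytes_out"])}

def triage(log_text, intel=THREAT_INTEL, critical=CRITICAL_ASSETS,
           exfil_threshold=100 * 1024 * 1024):
    """Match log lines against the threat-intel feed and answer the post-detection
    questions: which hosts and subnets, which critical assets, possible data loss,
    and the moment of awareness (the first alert). Returns None when nothing matches."""
    alerts = [e for e in map(parse_line, log_text.splitlines()) if e["dst"] in intel]
    if not alerts:
        return None
    hosts = sorted({a["src"] for a in alerts})
    # Summarise affected hosts by their /24 subnet (assumed subnet size)
    subnets = sorted({str(ipaddress.ip_network(f"{h}/24", strict=False)) for h in hosts})
    return {
        "aware_at": min(a["ts"] for a in alerts).isoformat(),
        "hosts": hosts,
        "subnets": subnets,
        "critical_assets": {h: critical[h] for h in hosts if h in critical},
        "possible_data_loss": [a["src"] for a in alerts if a["bytes_out"] >= exfil_threshold],
        "indicators_hit": sorted({a["dst"] for a in alerts}),
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOGS))
```

The `aware_at` value is what a breach-notification record would hold as the start of the investigation period discussed above.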