Threat Monitoring and Detection

‘Investigating unreliable alerts wastes two-thirds of staff time while actual breaches go undetected an average of 146 days. You must be on constant lookout for security threats lurking in your network traffic – managed detection and response gives you actionable insight when it counts.’ Gartner's 2018 Intrusion Detection and Prevention Systems Magic Quadrant

Borderpoint is a continuous protective threat monitoring and detection capability designed and implemented by CSA to identify and detect cyber threats in real time so that customers can be notified of new potential vulnerabilities and attacks and advised on appropriate remedies.

The Borderpoint service is delivered by experienced Cyber Analysts who monitor the Security Information and Event Monitoring (SIEM) system located at the CSA Security Intelligence and Operations Centre (SIOC). The SIEM system is an analytical tool designed to monitor activity across a client’s network and to flag suspicious activity for further investigation by Cyber Analysts.

The SIOC monitors activity and cross references that activity against the CSA Threat Intelligence Database and a bespoke security rule set which trigger alerts when activity is identified as potentially suspicious. Rules are continually added to create those triggers based on on-going research and intelligence. Different rules can be added / removed for specific clients if required.

The on-boarding process involves a Borderpoint agent being installed on each end point device to be monitored, the Borderpoint agent sends the log files in real time to the SIEM system for analysis. The Borderpoint agent can be installed on any PC, Mac or Server regardless of location (Onsite, Offsite or in the Cloud). The Borderpoint agent is light weight and will not downgrade the performance of the device it is installed on.

Borderpoint monitors end points inside and outside of the office network, some SIEM services only monitor devices inside the network so when a laptop leaves a site Borderpoint still has it covered whereas other SIEM services do not.

An individual activity may not trigger an alert, but we may identify a sequence of activities as suspicious. CSA analysts are constantly updating the SIEM rules after analysis of the latest threat intelligence to counter the latest threats.

Analysts monitoring alerts are often trying to identify false positives where a triggered alert can be either stood down as a false alarm or escalated as a verified threat to the customer. The CSA SIOC team use technology, experience and up to date threat intelligence to sift through the mass of available data to identify only real threats which would be impossible for a normal IT team to achieve. The main benefit to the customer of the CSA Borderpoint service is that the IT team can focus on dealing with real threats or breaches rather than trying and often failing to identify threats in the first place. Gartner backs this up by stating that actual breaches go undetected for an average of 146 days.

Triggered alerts are classified on a scale from P1 to P4 based on the level of threat severity, where P1 is the highest level of threat and P4 the lowest. Customer notifications are either immediate in the case of a severe threat or added to the monthly report in the case of a minor threat / observation. Analysts can advise customers, or their named IT support contact, on how to neutralise or mitigate identified threats and can help with incident reports and forensic investigations.

Log files captured as part of the Borderpoint service are stored by CSA for 90 days. This means that if a hacker has deleted the log files during an attack (often the case) they can still be accessed by CSA and given to the customer. The customer will therefore know the extent of the attack and be able to check all the areas compromised to make sure the hacker hasn’t left anything behind.

Borderpoint monitors end points inside and outside of the office network, some SIEM services only monitor devices inside the network so when a laptop leaves a site BP still has it covered  whereas other SIEM services do not.

Monitoring is one of the 10 steps to cyber security as published by the National Cyber Security Centre (NCSC).

“System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.”