Cybersecurity pillar · Module 4 of 6

Detection and response

Prevention is important, but assume you’ll be breached. What matters is: Can you detect it? How fast? And can you respond effectively?


Detecting bad things

You need visibility into what’s happening across your environment:

  • Logging. Record what happens. Who logged in? What files were accessed? What network connections were made? You can’t investigate what you didn’t record.
  • Monitoring. Watch for anomalies. Someone logging in at 3am from a new country? Mass file downloads? Unusual network traffic? Alert on the weird stuff.
  • SIEM (Security Information and Event Management). Collects logs from everywhere, correlates them, and alerts on patterns. The central nervous system of security operations.
  • EDR (Endpoint Detection and Response). Deep visibility into what’s happening on each device. Can spot and stop attacks that antivirus misses.
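The monitoring and SIEM points above can be shown as a small correlation rule set. The following is an added example written for this module, not code from the page or from any SIEM product; it assumes a constructed JSON event format (fields ts, type, user, country, file), treats 00:00-05:59 UTC as off-hours, and builds each user's "known countries" baseline from their earlier logins in the same stream.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): one JSON record per line, as an
# identity provider and a file server might forward them to a SIEM.
SAMPLE_LOG = """
{"ts": "2024-03-04T09:12:00Z", "type": "login", "user": "alice", "country": "GB"}
{"ts": "2024-03-05T11:00:00Z", "type": "login", "user": "bob", "country": "GB"}
{"ts": "2024-03-06T03:14:00Z", "type": "login", "user": "alice", "country": "RO"}
{"ts": "2024-03-06T03:20:00Z", "type": "download", "user": "alice", "file": "f1.xlsx"}
{"ts": "2024-03-06T03:21:00Z", "type": "download", "user": "alice", "file": "f2.xlsx"}
{"ts": "2024-03-06T03:22:00Z", "type": "download", "user": "alice", "file": "f3.xlsx"}
{"ts": "2024-03-06T03:23:00Z", "type": "download", "user": "alice", "file": "f4.xlsx"}
"""

OFF_HOURS = range(0, 6)                   # 00:00-05:59 UTC (assumed policy)
DOWNLOAD_LIMIT = 3                        # more than this many downloads...
DOWNLOAD_WINDOW = timedelta(minutes=10)   # ...inside this window is a burst

def parse_events(text):
    """One JSON event per line -> list of dicts with a datetime 'ts', sorted."""
    events = []
    for line in filter(str.strip, text.splitlines()):
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])

def detect(events):
    """Return (rule, user, severity, ts) tuples: new-country logins and download bursts."""
    alerts = []
    seen = defaultdict(set)       # user -> countries of earlier logins (baseline)
    recent = defaultdict(deque)   # user -> download timestamps inside the window
    for ev in events:
        user = ev["user"]
        if ev["type"] == "login":
            # A user's first login only establishes the baseline; later logins
            # from an unseen country alert, rated high if they are also off-hours.
            if seen[user] and ev["country"] not in seen[user]:
                sev = "high" if ev["ts"].hour in OFF_HOURS else "medium"
                alerts.append(("new_country_login", user, sev, ev["ts"]))
            seen[user].add(ev["country"])
        elif ev["type"] == "download":
            q = recent[user]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > DOWNLOAD_WINDOW:   # drop events outside window
                q.popleft()
            if len(q) == DOWNLOAD_LIMIT + 1:           # fire once as limit is crossed
                alerts.append(("mass_download", user, "high", ev["ts"]))
    return alerts
```

Running detect(parse_events(SAMPLE_LOG)) yields one high-severity new-country alert for alice's 03:14 login and one mass-download alert at 03:23; bob's single login produces nothing because it only sets his baseline.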

When something goes wrong: incident response

The response phases

  • Preparation: Plans, tools, trained people ready to go
  • Detection: Identifying that something bad is happening
  • Containment: Stop it from spreading
  • Eradication: Remove the threat completely
  • Recovery: Restore normal operations safely
  • Lessons learned: What do we do better next time?

Key principles

  • Have a plan before you need it
  • Know who does what (roles and responsibilities)
  • Preserve evidence (you might need it legally)
  • Communicate clearly (stakeholders need updates)
  • Document everything (for the post-mortem)
  • Practice! Tabletop exercises reveal gaps

⏱️ The time factor

The average time to detect a breach is 204 days (IBM). The average time to contain it is 73 days. Attackers have nearly a year to operate. Speed matters enormously. Organisations that detect and contain quickly suffer far less damage.

Free resources to go deeper