SP-025: Advanced Monitoring and Detection

OpenSecurityArchitecture (OSA) distills the know-how of the security architecture community and provides readily usable patterns for your application. This is a free framework, developed and owned by the community.

Release: 08.02 | Authors: Vinylwasp | Updated: 2025-07-05


When to Use

You should apply this pattern if you believe your organisation is a likely target of the sophisticated, blended attacks characteristic of Advanced Persistent Threats.

When NOT to Use

You should not attempt to implement all elements of this pattern unless your organisation has high operational maturity with respect to change and configuration management. Key detective controls in this pattern are dependent on accurate configuration management data.

Typical Challenges

This pattern leverages many common controls; however, it requires a considerable increase in operational maturity to reach each of the target control objectives outlined in the CSIS Critical Controls for Effective Cyber Defense.

Threat Resistance

This pattern can assist in limiting the spread and impact of an advanced breach through early detection and response.

Assumptions

This pattern assumes that primary defensive layers have failed, and a malicious attacker has entered the environment and established an initial foothold.

Mapped Controls (33)

AC: 5, AT: 1, AU: 4, CA: 1, CM: 5, CP: 1, IR: 3, RA: 4, SA: 4, SC: 1, SI: 4
  • AC-02 Account Management
  • AC-04 Information Flow Enforcement
  • AC-17 Remote Access
  • AC-18 Wireless Access Restrictions
  • AC-20 Use Of External Information Systems
  • AT-01 Security Awareness And Training Policy And Procedures
  • AU-01 Audit And Accountability Policy And Procedures
  • AU-02 Auditable Events
  • AU-06 Audit Monitoring, Analysis, And Reporting
  • AU-09 Protection Of Audit Information
  • CA-02 Security Assessments
  • CM-01 Configuration Management Policy And Procedures
  • CM-02 Baseline Configuration
  • CM-03 Configuration Change Control
  • CM-05 Access Restrictions For Change
  • CM-06 Configuration Settings
  • CP-10 Information System Recovery And Reconstitution
  • IR-01 Incident Response Policy And Procedures
  • IR-03 Incident Response Testing And Exercises
  • IR-05 Incident Monitoring
  • RA-01 Risk Assessment Policy And Procedures
  • RA-02 Security Categorization
  • RA-03 Risk Assessment
  • RA-05 Vulnerability Scanning
  • SA-03 Life Cycle Support
  • SA-06 Software Usage Restrictions
  • SA-07 User Installed Software
  • SA-08 Security Engineering Principles
  • SC-07 Boundary Protection
  • SI-03 Malicious Code Protection
  • SI-04 Information System Monitoring Tools And Techniques
  • SI-06 Security Functionality Verification
  • SI-07 Software And Information Integrity