📖 What is Detective Control?
A Detective Control is a security measure designed to identify and alert the organization when a security event or policy violation has occurred. Common examples include intrusion detection systems (IDS), log monitoring, and security audits.
"Detective controls do not stop the attack; they only tell you that an attack is happening or has already happened. They are the 'alarm system' of security."
📚 Certification: Certified Information Security Manager (CISM)
🔑 What are the Key Concepts of Detective Control?
- Post-Event Identification: These controls operate after a threat has bypassed preventive measures, focusing on discovering the breach or policy violation as quickly as possible.
- Alerting and Notification: The primary objective is to generate an alert or report, enabling the incident response team to initiate corrective actions immediately.
- Defense in Depth Integration: Detective controls provide critical visibility, ensuring that if preventive controls fail, the organization is not blind to the ongoing attack.
- Audit and Reconciliation: Periodic reviews, such as financial reconciliations or system log audits, serve as detective controls to find anomalies that real-time tools might miss.
- Monitoring Effectiveness: In CISM, the value of detective controls is often measured by the Mean Time to Detect (MTTD); the shorter the MTTD, the smaller the potential business impact.
🎯 How does Detective Control appear on the CISM Exam?
You may be asked to identify the most appropriate control for a scenario where a company needs to discover unauthorized changes to critical system configuration files after they occur.
A scenario might describe a security failure where an attacker remained in the network for months undetected; you must identify the lack of detective controls as the primary weakness.
Expect questions requiring you to distinguish between an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS) based on whether the goal is alerting or blocking.
❓ Frequently Asked Questions
Why implement detective controls if they cannot stop an active attack?
Preventive controls are never 100% effective. Detective controls provide the necessary visibility to identify breaches, limit the duration of the attack, and provide forensic evidence to improve future prevention.
How do detective controls differ from corrective controls in the CISM framework?
Detective controls identify that a problem exists (the alarm), while corrective controls are the specific actions taken to fix the problem and restore the system to a secure state.