GRC · 5 min read

NIST CSF 2.0 Series: The Detect Function (Part 5)

The average breach goes undetected for months. Here's how to build detection capabilities that find threats before they cause damage.

This is Part 5 of our series on NIST CSF 2.0. Part 4 covered the Protect function and implementing security controls.

The Detect function focuses on finding security events and anomalies—ideally before they cause significant damage. Industry data consistently shows that dwell time (the gap between initial compromise and detection) is a critical factor in breach severity. Organizations that detect quickly contain damage; those that don't discover breaches until months later face far worse outcomes.

Why Detection Matters

Protection controls reduce risk but can't eliminate it. Attackers adapt. Zero-day vulnerabilities exist. Insiders bypass controls. Detection provides the visibility to catch what prevention misses.

Minimizing damage. Earlier detection means faster containment. Attackers who are discovered in hours cause less damage than those who operate for months.

Preventing lateral movement. Detection can catch attackers before they move from initial access to critical systems.

Meeting compliance requirements. Regulations like GDPR and HIPAA require timely detection and notification of breaches.

Enabling response. You can't respond to what you don't know about. Detection enables the Response function.

Key Detection Capabilities

Security Information and Event Management (SIEM)

SIEM platforms aggregate and analyze log data from across the environment:

What they do:

  • Collect logs from systems, applications, and security tools
  • Correlate events to identify patterns
  • Generate alerts on suspicious activity
  • Enable investigation and forensics

Common platforms: Splunk, Microsoft Sentinel, Sumo Logic, Elastic Security

Key considerations:

  • Log coverage—are you collecting the right data?
  • Alert tuning—too many false positives lead to alert fatigue
  • Retention—how long do you keep data for investigation?
  • Staffing—who reviews alerts and investigates?

Endpoint Detection and Response (EDR)

EDR tools monitor endpoint activity for signs of compromise:

What they do:

  • Real-time monitoring of endpoint behavior
  • Detection of malware and suspicious activity
  • Investigation capabilities for affected endpoints
  • Remote containment and response actions

Common platforms: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint, Carbon Black

Key considerations:

  • Coverage—are all endpoints protected?
  • Behavioral detection—signature-based detection misses novel threats
  • Response capabilities—can you remotely isolate compromised systems?

Network Detection and Response (NDR)

NDR solutions analyze network traffic for anomalies:

What they do:

  • Monitor network flows and packet data
  • Detect lateral movement and data exfiltration
  • Identify communication with malicious infrastructure
  • Provide visibility into encrypted traffic (in some cases)

Key considerations:

  • Coverage of network segments
  • East-west traffic visibility (not just perimeter)
  • Integration with other detection tools

User and Entity Behavior Analytics (UEBA)

UEBA uses machine learning to establish behavioral baselines and detect anomalies:

What they do:

  • Learn normal behavior patterns for users and systems
  • Detect deviations that might indicate compromise
  • Identify insider threats and compromised accounts
  • Risk-score entities based on behavior

Key considerations:

  • Baseline period and accuracy
  • False positive rates
  • Integration with identity and access management

Threat Intelligence

External threat data that informs detection:

What it provides:

  • Indicators of compromise (IOCs) from known attacks
  • Tactics, techniques, and procedures (TTPs) of threat actors
  • Early warning of emerging threats
  • Context for alert investigation

Sources: Commercial threat intelligence platforms, open-source feeds, industry ISACs

Building a Detection Program

Define What to Monitor

Not everything can be monitored with equal depth. Prioritize based on:

  • Critical assets identified in the Identify function
  • Common attack paths relevant to your environment
  • Regulatory and compliance requirements
  • Available resources and capabilities

Establish Baselines

Detection of anomalies requires understanding normal:

  • Network traffic patterns
  • User behavior patterns
  • System activity patterns
  • Authentication patterns

Baselines should be established before looking for deviations.

Tune for Signal, Not Noise

The biggest challenge in detection is alert fatigue. Too many false positives lead to:

  • Analysts ignoring alerts
  • Real threats getting lost
  • Burnout and turnover

Invest time in tuning detection rules to reduce noise while maintaining coverage.
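To make the "baseline first, then look for deviations" and "tune for signal" points concrete, here is a small added example (not code from the post) that builds a per-user baseline of failed logins from constructed authentication logs, scores a new day against it, and shows how the alert threshold is the tuning knob. The log format, the user names and the counts are all assumptions made for the illustration.

```python
"""Baseline, then deviation, over constructed authentication logs (added example, not
from the post). Assumed log format: "<date> <time> <user> <result>", result in {ok, fail}."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed five-day baseline window: failed logins per user per day.
DAYS = [f"2024-01-0{d}" for d in range(1, 6)]
BASELINE_FAILS = {"alice": [2, 2, 2, 2, 2], "bob": [2, 4, 6, 4, 4]}
BASELINE_LOGS = [f"{day} 09:{i:02d}:00 {user} fail"
                 for user, per_day in BASELINE_FAILS.items()
                 for day, n in zip(DAYS, per_day) for i in range(n)]
BASELINE_LOGS += [f"{day} 08:00:00 alice ok" for day in DAYS]  # successes are logged too, not counted

# Constructed day to score: alice slightly up, bob far up, carol has no history at all.
SCORED_LOGS = ([f"2024-01-06 10:{i:02d}:00 alice fail" for i in range(3)]
               + [f"2024-01-06 10:{i:02d}:00 bob fail" for i in range(9)]
               + [f"2024-01-06 10:{i:02d}:00 carol fail" for i in range(2)])

def daily_failures(lines):
    """Count failed logins per (user, day)."""
    counts = defaultdict(int)
    for line in lines:
        day, _time, user, result = line.split()
        if result == "fail":
            counts[(user, day)] += 1
    return counts

def build_baseline(lines):
    """Per-user (mean, population stdev) of daily failures; zero-failure days count as zero."""
    counts = daily_failures(lines)
    days = sorted({line.split()[0] for line in lines})
    users = {line.split()[2] for line in lines}
    series = {u: [counts.get((u, d), 0) for d in days] for u in users}
    return {u: (mean(s), pstdev(s)) for u, s in series.items()}

def score(baseline, lines, min_sigma=1.0):
    """Deviation from baseline in standard deviations, for one day of logs. min_sigma floors a
    flat baseline so a +1 change does not divide by zero; users with no baseline get None."""
    scores = {}
    for (user, _day), n in daily_failures(lines).items():
        if user not in baseline:
            scores[user] = None  # unseen entity: baseline it first rather than alert on it
            continue
        mu, sigma = baseline[user]
        scores[user] = (n - mu) / max(sigma, min_sigma)
    return scores

def alerts(scores, threshold):
    """The tuning knob: raising the threshold trades missed detections for fewer false positives."""
    return sorted(u for u, z in scores.items() if z is not None and z >= threshold)
```

At a threshold of 3 standard deviations only bob alerts; at 1 standard deviation alice's one extra failure alerts as well, which is the false-positive trade-off the section describes.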

Enable Investigation

Detection is only valuable if alerts can be investigated:

  • Preserve logs with adequate retention
  • Document investigation procedures
  • Train analysts on investigation techniques
  • Integrate detection tools for correlated visibility

Test Detection Capabilities

Validate that detection actually works:

  • Purple team exercises testing specific detection scenarios
  • Red team assessments simulating real attacks
  • Tabletop exercises for detection and response procedures

The Human Element

Technology enables detection, but humans make it effective:

Security analysts review alerts, investigate anomalies, and determine whether activity is malicious.

Threat hunters proactively search for signs of compromise that automated detection might miss.

Incident responders take action when threats are confirmed.

Automated detection without human follow-through provides limited value. Organizations need both technology and people.

Common Detection Failures

Log gaps. Critical systems not sending logs to SIEM. Attackers operate in blind spots.

Alert fatigue. So many false positives that analysts miss real threats.

Insufficient retention. Logs deleted before investigations complete.

No response process. Alerts generated but nobody responds.

Over-reliance on automation. Assuming tools catch everything. Novel attacks require human hunting.

Getting Started

For organizations building or improving detection capabilities:

  1. Ensure log coverage. Critical systems and security tools should feed into centralized logging.

  2. Implement endpoint detection. EDR provides essential visibility into endpoint activity.

  3. Tune relentlessly. Reduce false positives to make real alerts actionable.

  4. Staff appropriately. Someone needs to review and respond to alerts.

  5. Test regularly. Validate that detection actually catches threats.
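The "log gaps" failure above and step 1 here both come down to one question: is every critical asset actually sending logs? Below is an added example (not code from the post) of the check a detection team can run against its asset inventory and the SIEM's last-seen times. The inventory, hostnames, timestamps and silence tolerances are constructed for the illustration; the short-name normalisation reflects the common mismatch between inventory FQDNs and the names a SIEM records.

```python
"""Log-coverage gap check: which critical assets have gone silent in the SIEM?
Added example, not from the post; all inputs below are constructed."""
from datetime import datetime, timedelta, timezone

# Constructed inventory (what the Identify function produces): host, tier, and how long
# the host may go quiet before that counts as a gap. Tolerances are per-tier assumptions.
INVENTORY = [
    {"host": "dc01.corp.example", "tier": "critical", "max_silence": timedelta(minutes=15)},
    {"host": "db01.corp.example", "tier": "critical", "max_silence": timedelta(minutes=15)},
    {"host": "web01.corp.example", "tier": "high", "max_silence": timedelta(hours=1)},
    {"host": "kiosk07.corp.example", "tier": "low", "max_silence": timedelta(days=1)},
]

# Constructed SIEM view: last event received per log source, named as the SIEM names it.
LAST_SEEN = {
    "DC01": datetime(2024, 1, 6, 11, 58, tzinfo=timezone.utc),
    "web01.corp.example": datetime(2024, 1, 6, 9, 30, tzinfo=timezone.utc),
    "kiosk07.corp.example": datetime(2024, 1, 5, 20, 0, tzinfo=timezone.utc),
}
NOW = datetime(2024, 1, 6, 12, 0, tzinfo=timezone.utc)

TIER_ORDER = {"critical": 0, "high": 1, "low": 2}

def normalize(host):
    """SIEMs often record a short NetBIOS-style name while inventories hold the FQDN;
    compare lowercased short names so a naming mismatch is not reported as a gap."""
    return host.split(".")[0].lower()

def coverage_gaps(inventory, last_seen, now):
    """Return (host, tier, reason) for assets never seen or silent beyond their tolerance,
    most critical first, so the worst blind spots are at the top of the list."""
    seen = {normalize(h): t for h, t in last_seen.items()}
    gaps = []
    for asset in inventory:
        t = seen.get(normalize(asset["host"]))
        if t is None:
            gaps.append((asset["host"], asset["tier"], "never seen"))
        elif now - t > asset["max_silence"]:
            gaps.append((asset["host"], asset["tier"], f"silent for {now - t}"))
    return sorted(gaps, key=lambda g: TIER_ORDER[g[1]])
```

Run on a schedule and alerted on like any other detection, this turns a silent log source into something an analyst sees the same day rather than after an incident.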

Next in the Series

Part 6 covers the Respond function—taking action when security events are detected.


Need help building detection capabilities or evaluating your security monitoring? Our security assessments include detection gap analysis and recommendations. Let's talk.

Jonathan Carpenter
Founder, Anchor Cyber Security