Applied Collection Framework: A Risk-Driven Approach to Cybersecurity Monitoring | Muneeb Imran Shaikh

Muneeb Imran Shaikh, Senior Information Security Consultant
Information Security | Cyber Threat Intelligence Specialist | Governance, Risk Management Specialist
Edited by: Andrew Leniart
This article was initially published by ISACA, by the same author. The link to the original publication is given below.

Cyber Security or Network Security Monitoring is required of organizations by the regulations and laws prevalent in their respective countries or regions. The purpose of Network Security Monitoring is to establish and maintain a command and control center that monitors the security hygiene of the entire organizational IT infrastructure and acts upon any anomalous observations.

Network Security Monitoring comprises three distinct phases: Collection, Detection, and Analysis.

1. COLLECTION – Identification of the network entities from which logs, traffic data, and session data are collected.

2. DETECTION – Examination of the collected events and logs to generate alerts.

3. ANALYSIS – Interpretation and investigation of those alerts by human analysts.

However, security analysts are often unable to fully understand the data on which they are expected to perform their analysis, and consequently cannot differentiate anomalous behavior from normal behavior.

This problem primarily stems from two major factors:

1. Lack of understanding of the threats to the organization.

2. Inadequate planning of the Collection and Detection phases.


I conducted a webinar on the challenges that impair Security Operations teams and discussed how the lack of a structured approach to Collection and Detection planning can limit the efficacy of Cyber Security Operations.

One common myth about security monitoring is that the more data you collect, the wider your horizon becomes. In truth, an overabundance of data (particularly inconsequential data) is detrimental. It carries operational costs in the form of alert fatigue for security analysts, the IT resources required to process the data, and the retention or restoration of that data to guard against disaster.

These problems can be dealt with effectively by adopting the Applied Collection Framework (ACF). Its high-level steps are: identify the threats to the organization's mission, assess the associated risks, review the architecture to identify candidate data sources, and refine those sources by cost and benefit. Each step is described below.

Inspired by Applied Network Security Monitoring, by Chris Sanders and Jason Smith



To enable security analysts to perform effective and efficient Network Security Monitoring, it is critical to adopt a threat-centric approach. A threat-centric approach keeps the team abreast of potential methods of attack, the motivations of threat actors and cybercriminals, and which actors and criminals target the organization's industry vertical and region.

Adopting a threat-centric approach begins with understanding the mission, objectives, and goals of the organization. This is followed by identifying the assets (tangible or intangible) that are critical to attaining the business mission. Once the mission and the associated assets are identified, the threats to those assets must be identified and defined. It is critical that all of this planning by information security personnel is done in close coordination with security leadership.


Risk assessment follows the threat identification phase: the risks associated with each identified threat are identified and assessed. Remember that these threats concern the confidentiality, integrity, and availability of the assets tied to the organization's mission, goals, or objectives. It is therefore important that the risk scenarios associated with the threats are identified, assessed, and assigned risk levels.

Based on the risk levels determined, the organization decides where and how to implement Network Security Monitoring.


Once the risks are qualified, review the network architecture and the placement of IT assets within it. The purpose is to identify the paths the data traverses across the network to serve its objective, and the personnel who have access to the IT assets.

This process yields a broad, coarse-grained list of network- and host-based sources from which you may need to collect logs, traffic data, session data, and so on.



I mentioned at the beginning that an overabundance of data has an operational cost and can create further technical risks. This phase requires you to refine the coarse-grained list of data sources and identify the specific sources, logs, packet data, etc. that will provide the most value in performing Network Security Monitoring.

This phase involves assessing the storage, processing, and management needs of the data gathered from disparate sources, along with the collection frequency. It also involves the human resources required to maintain the IT assets and to perform Network Security Monitoring.
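As an added illustration (not code from the article or from Sanders and Smith's book), the following Python walks the ACF steps above on a constructed threat register: it scores each threat to a mission-critical asset by impact and probability, sums the risk that each candidate data feed would help evidence, and then narrows focus by greedily selecting feeds with the best risk-per-gigabyte of daily ingest until a storage budget is spent. It also reports the threats left with no collecting feed, which is the residual risk to take back to leadership. All assets, threats, scores, feed names and volumes are assumptions made up for this example.

```python
"""Worked example of the Applied Collection Framework steps:
define threats -> assess risk -> identify data feeds -> narrow focus.
Added illustration only; every asset, threat, score and volume below
is constructed, not taken from the article or from any real network."""
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    asset: str          # mission-critical asset the threat targets
    impact: int         # 1..5, business impact if realised (C/I/A of the asset)
    probability: int    # 1..5, likelihood given current controls
    feeds: tuple        # candidate data sources that would evidence the threat

    @property
    def risk(self) -> int:
        """Simple qualitative risk level: impact x probability (max 25)."""
        return self.impact * self.probability


# Constructed threat register for a fictional payments service.
THREATS = [
    Threat("Credential theft against payment API", "payment-api", 5, 4,
           ("api-gateway-logs", "auth-server-logs")),
    Threat("Data exfiltration from customer DB", "customer-db", 5, 3,
           ("db-audit-logs", "egress-netflow", "full-pcap-dmz")),
    Threat("Ransomware on internal file shares", "file-shares", 4, 3,
           ("endpoint-edr", "smb-server-logs")),
    Threat("Defacement of marketing site", "www", 2, 3,
           ("web-server-logs",)),
]

# Constructed: daily ingest volume per feed in GB, used as the collection cost.
FEED_COST_GB = {
    "api-gateway-logs": 20, "auth-server-logs": 5, "db-audit-logs": 15,
    "egress-netflow": 10, "full-pcap-dmz": 400, "endpoint-edr": 60,
    "smb-server-logs": 8, "web-server-logs": 25,
}


def rank_threats(threats):
    """Risk assessment step: order threats from highest to lowest risk level."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def feed_value(threats):
    """Identify-data-feeds step: total risk each feed would help detect.
    A feed that evidences several threats accumulates their risk."""
    value = {}
    for t in threats:
        for f in t.feeds:
            value[f] = value.get(f, 0) + t.risk
    return value


def narrow_focus(threats, cost, budget_gb):
    """Narrow-focus step: greedy cost/benefit selection.
    Feeds are taken in descending order of risk covered per GB/day,
    skipping any feed that no longer fits the remaining budget."""
    value = feed_value(threats)
    ranked = sorted(value, key=lambda f: value[f] / cost[f], reverse=True)
    chosen, spent = [], 0
    for f in ranked:
        if spent + cost[f] <= budget_gb:
            chosen.append(f)
            spent += cost[f]
    return chosen, spent


def uncovered_threats(threats, chosen):
    """Residual risk: threats for which none of their feeds is collected."""
    return [t.name for t in threats if not set(t.feeds) & set(chosen)]


if __name__ == "__main__":
    for t in rank_threats(THREATS):
        print(f"risk {t.risk:>2}  {t.name} ({t.asset})")
    chosen, spent = narrow_focus(THREATS, FEED_COST_GB, budget_gb=60)
    print("collect:", chosen, f"({spent} GB/day)")
    print("not covered:", uncovered_threats(THREATS, chosen))
```

With a 60 GB/day budget the cheap, high-value authentication, NetFlow, SMB, API gateway and database audit feeds are selected, the 400 GB/day full packet capture is rejected because NetFlow already evidences the same exfiltration threat at a fraction of the cost, and the low-risk defacement threat is reported as uncovered so leadership can accept the residual risk or raise the budget.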


The Applied Collection Framework enables a risk-based approach to Network Security Monitoring by identifying threats, qualifying risks, and performing a cost/benefit analysis. It lets security leadership justify collection needs and investments by tying them to the business mission and the threats to that mission.

Remember that Network Security Monitoring is a cyclical process: existing collection sources must be reassessed periodically to improve the effectiveness and efficiency of Network Security Monitoring.

References: Sanders, C. and Smith, J., Applied Network Security Monitoring: Collection, Detection, and Analysis. Syngress, 2013.


Comments (1)

Dear Shaikh, thanks for the article. I would like to add the following for your kind consideration.
The 1st step is understanding the business services provided by the organisation and their relationship to IT applications.
The 2nd step is to do the risk assessment. There are 3 activities, which include identifying threats relevant to the business, that is, threat agents, their motivation, capabilities and channels to reach the IT assets. The 2nd activity is identifying the vulnerabilities within the IT ecosystem, that is, applications and infrastructure. By analysing the threats and vulnerabilities, one can determine the likelihood. The 3rd activity is the assessment of potential impact if the threat successfully exploits the vulnerability. One can refer to the business impact analysis.
Then, to mitigate the risk, one will deploy preventive, detective and recovery controls.
At this point one will decide which sources to collect events from.

Then continue to implement the detective controls and monitor them.

