Defense & Operations
Detective Controls
Also known as: Detection controls, Monitoring controls
Definition
Security measures designed to identify and alert on malicious activity, policy violations, or anomalies after they have occurred in an environment, so that responders can investigate and act.
Examples
- A SIEM rule that fires when a service account logs in interactively for the first time.
- EDR alerting on suspicious PowerShell execution spawned as a child process of a Word document.
Related terms
Preventive Controls
Controls designed to stop a security event from occurring in the first place by removing the opportunity or capability to act.
Corrective Controls
Security measures that act after an incident to limit damage, eradicate threats, and restore systems to a known-good state.
Compensating Controls
Compensating Controls — definition coming soon.
SIEM
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
EDR (Endpoint Detection and Response)
An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
Mean Time to Detect (MTTD)
Mean Time to Detect (MTTD) — definition coming soon.