All information systems within the jurisdiction of the business.
Understand network architecture and data flow.
Understand all third-party applications and cloud services.
Policy on overseas travel
Periods of high activity
Network - e.g. backup schedules can look like a ransomware signature.
Must have knowledge of the organisation to be able to understand context and to triage and report effectively.
Aim for 24/7/365 monitoring.
Interface with IT operations for remediation
Be aware of changes: interface with the CAB (change advisory board) to avoid false positives, and continually review the baseline.
NIDS and HIDS to be used together (the NIDS monitoring the internal network interface).
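The two points above about backup schedules resembling a ransomware signature and about using CAB-approved changes to avoid false positives can be shown together in a small mass-file-modification detector. This is an added example and not part of the original notes: it counts file-write events per host, process and five-minute bucket, and suppresses only those bursts that fall inside a CAB-approved window for that host and process. The hostnames (fs01, ws07), process names (backup-agent, unknown-tool, winword), paths, threshold and the sample events are all constructed for the example.

```python
"""Added example: mass-file-modification detector with CAB-approved change windows.
Not from the original notes. All hosts, processes, paths and events are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta


@dataclass(frozen=True)
class FileEvent:
    """One file-write event as a HIDS/EDR agent might report it (constructed shape)."""
    ts: datetime
    host: str
    process: str
    path: str


@dataclass(frozen=True)
class ChangeWindow:
    """A CAB-approved maintenance/backup window for one host and one process.
    A window covers a single day span from start (inclusive) to end (exclusive)."""
    host: str
    process: str
    start: time
    end: time


def covered_by_window(event, windows):
    """True if the event's host/process pair is inside an approved window.
    Both host and process must match: the backup agent running at an unexpected
    time is still worth an alert, which is the point of tying suppression to the CAB schedule."""
    t = event.ts.time()
    return any(
        w.host == event.host and w.process == event.process and w.start <= t < w.end
        for w in windows
    )


def bucket_start(ts, minutes):
    """Floor a timestamp to the start of its fixed-size bucket."""
    floored = ts.minute - (ts.minute % minutes)
    return ts.replace(minute=floored, second=0, microsecond=0)


def mass_modification_alerts(events, windows, threshold=40, bucket_minutes=5):
    """Return (host, process, bucket_start, count) for every burst of file writes
    that reaches the threshold and is not explained by an approved change window."""
    counts = defaultdict(int)
    for ev in events:
        if covered_by_window(ev, windows):
            continue  # scheduled, approved activity: do not count it toward the burst
        counts[(ev.host, ev.process, bucket_start(ev.ts, bucket_minutes))] += 1
    return sorted(
        (host, proc, start, n)
        for (host, proc, start), n in counts.items()
        if n >= threshold
    )


def make_burst(host, process, start, n, seconds_apart=2):
    """Construct n file-write events from one process, a few seconds apart."""
    return [
        FileEvent(start + timedelta(seconds=i * seconds_apart), host, process,
                  f"/data/share/file{i}.docx")
        for i in range(n)
    ]


# Constructed CAB record: the nightly backup on fs01 is approved between 01:00 and 03:00.
WINDOWS = [ChangeWindow("fs01", "backup-agent", time(1, 0), time(3, 0))]

# Constructed sample telemetry for one day.
SAMPLE_EVENTS = (
    make_burst("fs01", "backup-agent", datetime(2024, 5, 6, 2, 0), 60)     # approved nightly backup
    + make_burst("fs01", "backup-agent", datetime(2024, 5, 6, 14, 0), 60)  # same agent, outside its window
    + make_burst("ws07", "unknown-tool", datetime(2024, 5, 6, 14, 10), 60) # unapproved burst on a workstation
    + make_burst("ws07", "winword", datetime(2024, 5, 6, 9, 0), 3)         # ordinary user activity
)


if __name__ == "__main__":
    for host, proc, start, n in mass_modification_alerts(SAMPLE_EVENTS, WINDOWS):
        print(f"ALERT {host} {proc} {start:%H:%M} {n} writes in 5 min")
```

Run as-is, the approved 02:00 backup is silent, while the same backup agent at 14:00 and the unknown tool on ws07 both alert; with an empty window list the nightly backup would alert too, which is exactly the false positive the CAB feed is meant to remove. In a real deployment the window list would be generated from the change-management system and reviewed as part of the baseline review rather than hand-maintained.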