Let’s face it. Getting your monitoring capabilities to a level where you can confidently detect and respond to cyber threats is no small task.
If your organisation is aligning with the NCSC’s Cyber Assessment Framework (CAF), you’re probably familiar with C1.a – Monitoring Coverage.
(That’s ‘objective C’, ‘principle 1’ and ‘contributing outcome a’ for those who really know their stuff.)
This contributing outcome is all about ensuring that your organisation has robust, comprehensive and reliable monitoring in place to detect potential security incidents.
For many organisations, monitoring is one of the trickiest areas to get right. Whether it’s because of limited resources, fragmented tools or an incomplete understanding of what needs to be monitored, it’s easy to fall short.
But that’s where Managed Extended Detection and Response (XDR) services can make all the difference.
I’m going to break down what it means to achieve monitoring coverage under C1.a, why it matters and how a managed XDR service like CloudGuard’s can help you move from ‘not achieved’ to the gold standard of ‘achieved.’
By the end, you’ll have a clear understanding of what steps to take and why investing in Managed XDR could be the game-changer your organisation needs.
What does C1.a – Monitoring Coverage mean?
The CAF defines C1.a as the need for monitoring coverage that is comprehensive enough to reliably detect security incidents affecting your essential functions.
This means putting systems and processes in place to collect, analyse and act on data from across your organisation.
But what exactly does that look like?
You can learn more about how the CAF is structured here.
Now, let’s look at the three achievement levels and their ‘Indicators of Good Practice’ (IGPs) in a bit more detail.
Not achieved
If your organisation is in the ‘not achieved’ category for C1.a, you’ve got some work to do.
Here’s what this looks like:
- No data collection: Security and operational data about your essential functions aren’t being collected at all. Without data, there’s no way to detect threats or understand what’s happening in your environment.
- No IoC detection: Indicators of Compromise (IoCs)—such as malicious command and control signatures—aren’t being identified. This leaves you unable to detect threats that could already be active within your network.
- No user monitoring: There’s no ability to audit user activities or detect suspicious behaviour related to your essential functions.
- No network traffic monitoring: You’re not capturing traffic at your network boundary, even at a basic level (e.g., IP connections).
In short, you’re operating without visibility, which makes it impossible to respond to potential security incidents effectively.
Partially achieved
Moving to ‘partially achieved’ status means you’ve made some progress, but you’re not quite where you need to be.
Here’s what this looks like:
- Partial data collection: You’re collecting some security and operational data but the coverage is inconsistent or incomplete.
- Basic IoC detection: You can detect IoCs but the process may not be reliable or comprehensive.
- Limited user monitoring: You’re monitoring user activity but only for a narrow set of behaviours or policy violations.
- Basic network traffic monitoring: You’ve started monitoring traffic at your network boundary but the coverage isn’t extensive.
At this stage, you’ve got the foundation in place, but you need to expand and deepen your capabilities to reach full compliance with C1.a.
Achieved
To reach ‘achieved’ status, your organisation needs to have robust and proactive monitoring in place.
Here’s what that looks like:
- Informed monitoring: Your monitoring is guided by a clear understanding of your networks, common attack methods, and the specific threats that could disrupt your essential functions.
- Detailed data collection: You’re gathering data that’s granular enough to reliably detect incidents and policy violations.
- Comprehensive IoC detection: Detecting IoCs is straightforward, reliable, and effective.
- Extensive user monitoring: You’re monitoring user activity comprehensively, with clear policies and tools to identify undesirable behaviours.
- Complete coverage: Your monitoring includes host-based monitoring, network gateways, and integration of new systems as they come online.
This is where you want to be—your monitoring capabilities are proactive, resilient, and capable of responding to evolving threats.
Why does monitoring coverage matter?
Reaching the ‘achieved’ level for C1.a isn’t just about ticking a box. It’s about ensuring that your organisation can detect and respond to threats before they escalate into full-blown incidents.
Without adequate monitoring, threats can go unnoticed for weeks, months or even years. This puts your essential functions at risk.
Good monitoring also supports other aspects of your cybersecurity strategy.
For example, it provides the visibility you need to conduct thorough investigations, improve your response processes, and continuously enhance your security posture.
How Managed XDR can take you from ‘not achieved’ to ‘achieved’
So, how can a Managed XDR service help?
I’m going to break it down step by step.
1. Comprehensive data collection
One of the biggest barriers to achieving C1.a is the lack of comprehensive data collection.
Managed XDR services solve this problem by aggregating data from a wide range of sources, including endpoints, network traffic, cloud platforms and user activity.
With Managed XDR, you’re not just collecting data. You’re centralising it in a way that makes it easier to analyse and act on.
This gives you the foundation you need to detect threats reliably.
2. Advanced IoC detection
Managed XDR platforms come equipped with advanced tools for detecting Indicators of Compromise (IoCs).
Using AI, machine learning and up-to-date threat intelligence, these services can identify malicious activities like command and control traffic, ransomware or phishing attempts.
This aligns perfectly with the CAF’s requirements for ‘achieved’ status, where IoC detection is both reliable and proactive.
3. Robust user activity monitoring
User activity monitoring is critical for detecting insider threats, policy violations and other risks.
Managed XDR services often include behavioural analytics that can flag unusual or suspicious user actions.
This helps you move beyond basic monitoring to a more comprehensive approach, covering an agreed list of undesirable behaviours and potential policy breaches.
4. Network traffic visibility
Monitoring network traffic is another area where Managed XDR shines.
These services can capture and analyse traffic crossing your network boundary, as well as activity within your network.
For ‘achieved’ status, you need both host-based monitoring and gateway-level visibility.
Managed XDR provides this level of coverage, ensuring that you’re not missing any critical data points.
5. Proactive integration and scalability
Reaching ‘achieved’ status requires you to consider new systems and data sources as part of your monitoring strategy.
Managed XDR services are inherently scalable, allowing you to integrate new technologies and adapt to changing requirements.
This ensures that your monitoring remains comprehensive and effective over time, even as your organisation evolves.
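As an added illustration (not code from the original post or from CloudGuard) of two checks the IGPs above describe, the snippet below runs basic IoC detection over IP-level boundary connection records (steps 2 and 4) and lists inventory hosts that never appear in monitoring data, the ‘complete coverage’ indicator and step 5. The inventory, log lines and IoC addresses are all constructed placeholders using documentation-range IPs, not real indicators.

```python
# Added example, not from the original post or CloudGuard. Every host, log line
# and IoC address below is a constructed placeholder (documentation-range IPs).

# Constructed asset inventory: every host that should appear in monitoring data.
INVENTORY = {"web-01", "db-01", "hr-laptop-07", "new-api-02"}

# Constructed boundary-gateway log at the IP-connection level (the 'basic'
# network traffic monitoring described in C1.a).
BOUNDARY_LOG = """\
2024-05-01T10:00:01Z src=10.0.1.15 dst=203.0.113.9 dport=443 host=web-01
2024-05-01T10:00:07Z src=10.0.2.40 dst=198.51.100.77 dport=8443 host=hr-laptop-07
2024-05-01T10:00:09Z src=10.0.1.20 dst=192.0.2.44 dport=53 host=db-01
"""

# Constructed placeholder IoC list standing in for a threat-intelligence feed.
IOC_C2_ADDRESSES = {"198.51.100.77", "192.0.2.44"}


def parse_line(line):
    """Turn 'ts key=value ...' into a dict; the timestamp is stored under 'ts'."""
    parts = line.split()
    record = dict(kv.split("=", 1) for kv in parts[1:])
    record["ts"] = parts[0]
    return record


def detect_c2(log_text, iocs):
    """Basic IoC detection: boundary connections whose destination is a known
    command-and-control address. Returns (timestamp, host, destination) tuples."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record["dst"] in iocs:
            hits.append((record["ts"], record["host"], record["dst"]))
    return hits


def coverage_gaps(log_text, inventory):
    """Inventory hosts with no records at all, e.g. new systems brought online
    but never integrated into monitoring."""
    seen = {parse_line(line)["host"] for line in log_text.splitlines()}
    return sorted(inventory - seen)


if __name__ == "__main__":
    for ts, host, dst in detect_c2(BOUNDARY_LOG, IOC_C2_ADDRESSES):
        print(f"{ts} IoC hit: {host} -> {dst}")
    print("hosts missing from monitoring:", coverage_gaps(BOUNDARY_LOG, INVENTORY))
```

In a real deployment the IoC set would come from your threat-intelligence feed and the inventory from your asset register, so the gap list doubles as a check that newly onboarded systems are actually sending data.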
Beyond the technology
While Managed XDR can give you the tools you need, it’s important to remember that reaching ‘achieved’ status for C1.a isn’t just about technology.
Here are a few additional considerations:
- Make sure your monitoring strategy aligns with your organisation’s overall risk management approach.
- Customise the XDR solution to focus on your essential functions and business priorities.
- Ensure your team is equipped to interpret alerts, respond effectively and maximise the value of the XDR platform.
Final thoughts
Reaching ‘achieved’ status for C1.a is about more than just compliance. It’s about building a monitoring strategy that protects your organisation’s most critical functions.
A Managed XDR service like CloudGuard PROTECT can play a key role in helping you get there. It can do this by addressing gaps in your data collection, IoC detection, user activity monitoring and network traffic visibility.
The journey from ‘not achieved’ to ‘achieved’ isn’t always easy, but with the right tools, support and mindset, it’s absolutely within your reach.
If you’re ready to take the next step, a Managed XDR service could be the partner you need to make it happen.
Remember, cybersecurity is a continuous process, not a one-off project. By investing in the right capabilities today, you’re setting your organisation up for long-term success and resilience.