Organisations wanting greater visibility of what is happening on their network, and to protect themselves, often install an Intrusion Detection System (IDS) or Intrusion Protection System (IPS). An IDS or IPS monitors the network for suspicious or malicious acts by anyone on the inside, making harmful activity easier to spot.

The NCSC has also produced a guide for organisations to develop their own monitoring and logging procedures for potential network compromise. More information about this and advice on which logs to generate, what to monitor and indicators of compromise can be found on the NCSC website.

While monitoring who is on the inside can be beneficial to any organisation, especially larger ones, how do you check who is trying to get into your network?

If you wanted to protect your business premises from intruders and vandals, you could securely lock your doors and windows, employ a guard, install CCTV and put up warning signs.

All of these come at a cost, and that cost is weighed against the potential harm that could be suffered. Undoubtedly secure locks on doors and windows are the first step, and putting up signs is the cheapest; it is a balancing act of risk versus cost.

In the cyber world how do you secure your gateway to the world and the internet?

Installing a firewall is the equivalent of locking the doors and windows; what else can you do? One answer is to have the equivalent of guards or CCTV to help you monitor what is attacking you, and almost all commercial firewalls include logging capability.

Typically a firewall will log all the traffic that hits it. Sorting through these logs to pick out the real threats from the background of suspicious activity is time consuming, and the entries are not easily understood without context.

The type of suspicious activity that is useful to know about is the network traffic the firewall blocked or believes to be unwanted. This includes activity where a source is scanning for vulnerable ports or making repeated attempts to gain access to an organisation’s systems using known attack methods.

One solution that does this, and is available free to all organisations, is Police CyberAlarm.

Police CyberAlarm acts as a CCTV camera, monitoring and recording the suspicious traffic that hits your firewall: who tried to get in, how many times they tried and exactly which doors (or firewall ports) they attacked.
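A small illustration of the kind of summary described above, added here as an example and not Police CyberAlarm's own code: it reads constructed firewall deny-log lines (an invented syslog-style format) and reports, per source address, how many times it was blocked, which ports it targeted, when, and whether the pattern looks like a port scan or repeated attempts on one service.

```python
import re
from collections import defaultdict

# Constructed firewall log sample (syslog-style, invented for this example;
# real firewalls use their own formats, so LINE_RE would need adjusting).
SAMPLE_LOG = """\
2024-03-01T10:00:01 fw1 DENY TCP 203.0.113.5:51000 -> 198.51.100.10:22
2024-03-01T10:00:02 fw1 DENY TCP 203.0.113.5:51001 -> 198.51.100.10:23
2024-03-01T10:00:03 fw1 DENY TCP 203.0.113.5:51002 -> 198.51.100.10:80
2024-03-01T10:00:04 fw1 DENY TCP 203.0.113.5:51003 -> 198.51.100.10:443
2024-03-01T10:00:05 fw1 DENY TCP 203.0.113.5:51004 -> 198.51.100.10:3389
2024-03-01T10:01:00 fw1 DENY TCP 192.0.2.77:40000 -> 198.51.100.10:22
2024-03-01T10:01:05 fw1 DENY TCP 192.0.2.77:40001 -> 198.51.100.10:22
2024-03-01T10:01:10 fw1 DENY TCP 192.0.2.77:40002 -> 198.51.100.10:22
2024-03-01T10:02:00 fw1 ALLOW TCP 198.51.100.20:52000 -> 192.0.2.200:443
2024-03-01T10:03:00 fw1 DENY UDP 192.0.2.9:5000 -> 198.51.100.10:161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<action>DENY|ALLOW) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def summarise_denies(log_text, scan_ports=5, repeat_hits=3):
    """Per source IP of blocked traffic: how many attempts, which destination
    ports, when, and whether it looks like a port scan (many distinct ports)
    or repeated attempts against a single service (one port, many hits)."""
    per_src = defaultdict(lambda: {"attempts": 0, "ports": set(),
                                   "first_seen": None, "last_seen": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["action"] != "DENY":
            continue  # ignore lines we cannot parse and permitted traffic
        s = per_src[m["src"]]
        s["attempts"] += 1
        s["ports"].add(int(m["dport"]))
        s["first_seen"] = s["first_seen"] or m["ts"]
        s["last_seen"] = m["ts"]
    report = {}
    for src, s in per_src.items():
        flags = []
        if len(s["ports"]) >= scan_ports:
            flags.append("port-scan")
        if len(s["ports"]) == 1 and s["attempts"] >= repeat_hits:
            flags.append("repeated-attempts")
        report[src] = {**s, "ports": sorted(s["ports"]), "flags": flags}
    return report
```

The thresholds (`scan_ports`, `repeat_hits`) are arbitrary starting points; on a real gateway they should be tuned to the normal background level of blocked traffic, and the flagged addresses are candidates for blocklisting, not proof of intent.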

This data is used to create regular reports for Police CyberAlarm member organisations on the potential malicious activity seen by their Firewall or internet gateway. Members can then use this reported intelligence to update their defences to better protect themselves from cyber threats by updating blacklists and other security measures to include new IP addresses and other relevant information.

Also, by sharing this suspicious data with the Police for analysis at local and national level, it can be used to help identify trends and emerging threats and to warn other Police CyberAlarm members of emerging and potential threats.

The data collected only includes metadata (logs) from internet-facing gateways and devices such as external firewalls and does not contain the content of the traffic. Police CyberAlarm is designed to protect members’ personal data, trade secrets and intellectual property.

What else can organisations do to protect themselves?

Another free service available to organisations is the new Early Warning service from the National Cyber Security Centre (NCSC). It is open to all UK organisations that hold a static IP address or domain name.

It is designed to help organisations defend against cyber-attacks by providing timely notifications about possible incidents and security issues.

The free service automatically filters millions of events from trusted threat intelligence sources to produce specialised alerts for organisations, so they can investigate malicious activity and take the necessary steps to protect themselves.

Organisations receive alerts such as:

Incident Notifications – Activity that suggests an active compromise of your system.
For example: A host on your network has most likely been infected with a strain of malware.

Network Abuse Events – Indicators a network asset is associated with malicious activity.
For example: A client on your network has been detected scanning the internet.

Vulnerability and Open Port Alerts – Vulnerable services or applications exposed.

Both of these services are available to organisations free of charge. In combination they can add security to any network and help law enforcement identify and pursue cyber criminals.
