Known Detection Gaps
Purpose
This page documents known limitations in detection and monitoring capabilities within the Scheol Security Lab.
The objective is to:
- identify where visibility is missing or insufficient
- highlight risks that are not reliably detectable
- support prioritisation of monitoring improvements
- maintain a realistic view of detection maturity
This page reflects the actual detection capability, not the intended target state.
Detection Gap Definition
A detection gap exists when:
- a relevant risk scenario is not observable
- a control operates without producing usable signals
- logs or telemetry are missing, incomplete or not centralized
- detection exists but is not validated or unreliable
Detection gaps are expected in a transitional environment and must be:
- explicitly identified
- linked to risks and controls
- progressively reduced
Current Detection Context
At the current stage:
- logging is still mostly local to each system (VPS and other hosts)
- some signals are available via CrowdSec and system logs
- no centralized SIEM is fully operational yet
- detection is limited and mostly reactive
This directly impacts the ability to detect:
- misconfiguration exploitation (R-001)
- application compromise (R-002)
- administrative misuse or compromise (R-003)
Identified Detection Gaps
DG-001 - No Centralized Log Collection
Description: Logs are generated on multiple systems but are not centralized.
Impact
- No global visibility across Heaven and Hell
- Difficult correlation between events
- Delayed or missed detection of multi-step attacks
Related Risks
- R-001 - Reverse proxy misconfiguration exposing internal services
- R-002 - Web application compromise leading to data exposure
- R-003 - Compromise of credentials leading to administrative access
Status: In Progress (Wazuh planned)
DG-002 - Limited Visibility on Reverse Proxy Behavior
Description: Reverse proxy logs exist but are not actively monitored or analyzed.
Impact
- Misconfigurations or abnormal access patterns may go unnoticed
- Reduced ability to detect probing or exploitation attempts
Related Risks
- R-001 - Reverse proxy misconfiguration exposing internal services
- R-002 - Web application compromise leading to data exposure
Status: In Progress
DG-003 - No Detection Validation for SSH / Admin Access
Description: Brute-force or suspicious SSH activity may be logged, but detection effectiveness is not formally validated.
Impact
- Uncertainty on actual detection capability
- Possible false negatives (attacks not detected)
Related Risks
- R-003 - Compromise of credentials leading to administrative access
Status: Planned (to be validated via verification scenarios)
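Added example, not the lab's own detection rules or telemetry: a minimal validation harness in Python that runs two hypothetical rules (a reverse-proxy probing/exposure rule for DG-002 and an SSH brute-force rule for DG-003) over constructed sample log lines and reports, per verification scenario, whether the rule fired. The log lines, IP addresses, thresholds (five 404s, five failures within 60 seconds) and the list of internal path prefixes are all assumptions made for the example. The last scenario is deliberately spaced wider than the rule's window so the harness surfaces a false negative, which is the kind of result DG-003 says is currently unknown.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry for the example (not real lab logs).
# Reverse-proxy access log in nginx "combined"-style format.
PROXY_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 512
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "GET /admin/ HTTP/1.1" 404 153
198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "GET /internal/metrics HTTP/1.1" 200 2048
192.0.2.20 - - [10/Mar/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""
# sshd entries as written by syslog on the VPS (constructed).
SSH_LOG = """\
Mar 10 10:05:01 vps sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
Mar 10 10:05:03 vps sshd[1202]: Failed password for invalid user admin from 198.51.100.7 port 51236 ssh2
Mar 10 10:05:05 vps sshd[1203]: Failed password for root from 198.51.100.7 port 51240 ssh2
Mar 10 10:05:07 vps sshd[1204]: Failed password for root from 198.51.100.7 port 51244 ssh2
Mar 10 10:05:09 vps sshd[1205]: Failed password for root from 198.51.100.7 port 51250 ssh2
Mar 10 10:10:00 vps sshd[1300]: Failed password for root from 203.0.113.77 port 40000 ssh2
Mar 10 10:20:00 vps sshd[1301]: Failed password for root from 203.0.113.77 port 40001 ssh2
Mar 10 10:30:00 vps sshd[1302]: Failed password for root from 203.0.113.77 port 40002 ssh2
Mar 10 10:40:00 vps sshd[1303]: Failed password for root from 203.0.113.77 port 40003 ssh2
Mar 10 10:50:00 vps sshd[1304]: Failed password for root from 203.0.113.77 port 40004 ssh2
Mar 10 11:00:00 vps sshd[1305]: Accepted password for root from 203.0.113.77 port 40005 ssh2
"""

PROXY_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\S+) port"
)
# Paths that must never answer 2xx through the public proxy (assumed list).
INTERNAL_PREFIXES = ("/internal/", "/admin/", "/.git/", "/.env")


def proxy_probe_rule(lines, max_404=5):
    """DG-002 rule. Per source IP, fire on >= max_404 'not found' responses
    (enumeration) or on any 2xx for an internal path (misconfiguration, R-001).
    Returns {ip: reason}."""
    not_found = defaultdict(int)
    alerts = {}
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        ip, path, status = m["ip"], m["path"], int(m["status"])
        if status == 404:
            not_found[ip] += 1
            if not_found[ip] >= max_404:
                alerts[ip] = "probing"
        elif 200 <= status < 300 and path.startswith(INTERNAL_PREFIXES):
            alerts[ip] = f"internal path exposed: {path}"
    return alerts


def ssh_bruteforce_rule(lines, threshold=5, window=timedelta(seconds=60)):
    """DG-003 rule. Per source IP, fire when >= threshold failed passwords fall
    within a sliding window. Attempts spaced wider than the window never
    accumulate, so a slow attacker is a false negative by construction.
    Returns the set of alerting IPs."""
    recent = defaultdict(list)
    alerts = set()
    for line in lines:
        m = SSH_FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog carries no year
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop attempts that fell out of the window
            q.pop(0)
        if len(q) >= threshold:
            alerts.add(m["ip"])
    return alerts


def run_verification():
    """Verification scenarios: each states which source the rule must flag.
    Returns the per-scenario 'detected' / 'MISSED' result."""
    proxy_alerts = proxy_probe_rule(PROXY_LOG.splitlines())
    ssh_alerts = ssh_bruteforce_rule(SSH_LOG.splitlines())
    scenarios = [
        ("fast path probing through the reverse proxy", "203.0.113.5" in proxy_alerts),
        ("internal service reachable through the proxy", "198.51.100.9" in proxy_alerts),
        ("fast SSH password brute force", "198.51.100.7" in ssh_alerts),
        ("slow SSH guessing, one attempt every 10 min", "203.0.113.77" in ssh_alerts),
    ]
    return {name: ("detected" if hit else "MISSED") for name, hit in scenarios}


if __name__ == "__main__":
    for name, result in run_verification().items():
        print(f"{result:>8}  {name}")
```

The Accepted password line that follows the slow failures is deliberately left uncovered by both rules: a successful login preceded by failures is a further scenario the DG-003 validation should list explicitly as a known false negative rather than leave implicit, and the same harness shape can be pointed at the real CrowdSec or Wazuh output once centralization exists.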
DG-004 - Limited Visibility on Administrative Actions
Description: Administrative actions are not centrally logged or traced.
Impact
- No clear audit trail for privileged operations
- Difficult investigation in case of compromise
Related Risks
- R-003 - Compromise of credentials leading to administrative access
Status: Planned (bastion + centralized logging)
DG-005 - No Detection Use-Cases for Application Layer
Description: No defined detection logic for abnormal behavior on exposed applications (e.g. Dolibarr).
Impact
- Application compromise may go undetected
- No alerting on suspicious usage patterns
Related Risks
- R-002 - Web application compromise leading to data exposure
Status: Planned
Gap Prioritisation
Detection gaps are prioritised based on:
- risk criticality (R-001 to R-003)
- exposure level (public vs internal)
- impact on detection capability
- feasibility of implementation
Current priority:
- Centralized logging (DG-001)
- Administrative visibility (DG-004)
- Detection validation (DG-003)
- Application-level detection (DG-005)
Relationship with Other Sections
Detection gaps are directly linked to:
- Risk Register → defines what should be detectable
- Control Framework → defines expected monitoring controls
- Verification Scenarios → used to validate detection capability
- Residual Gaps → broader view of remaining security weaknesses
This page focuses specifically on detection capability, not overall control coverage.
Current Maturity
Detection capability is currently limited but understood.
Established
- basic logging on exposed systems
- partial visibility on SSH and web activity
- initial awareness of detection gaps
In Progress
- log centralization (Wazuh)
- definition of detection use-cases
- validation via verification scenarios
Planned / Next Phase
- centralized SIEM with correlation
- validated detection rules
- improved coverage of admin and application activity
- continuous detection gap tracking
Detection improvement is a key enabler for overall security maturity.