Tactical Advice

A Cheat Sheet on Security Monitoring in the Enterprise

Take these steps to ensure that monitoring is effective and meeting business needs.
A Cheat Sheet on Security Monitoring in the Enterprise

Let’s face facts. Monitoring is one of the most boring tasks facing IT professionals, and security monitoring is about the least interesting component of a chore that many are trying to avoid. However, this mundane work is critical to the success of an organization’s information security program. It is the bread and butter for keeping tabs on a computing environment and provides the early warning capability needed to protect the network against attacks.

Building and maintaining a security monitoring program does not have to be a thankless or burdensome task. There are some simple steps to ensure that monitoring efforts are both effective and serve the needs of an organization.

Basic Components of a Monitoring Program

Whether you’re starting a new program from the ground up or trying to revitalize an existing effort, consider the three R’s of security monitoring: rationale, requirements and responsibilities. Effective programs pay attention to each of these areas.

First, you should have a clearly defined rationale for the investment of time and money you are proposing. Without a well-stated purpose, others might accuse your program of implementing “security for security’s sake.” There are three main reasons that organizations invest in monitoring:

  • To protect against external and internal security threats: A well-run security monitoring program will provide an early warning when an attack is under way and also alert you to potentially successful attacks.
  • To comply with legal and regulatory requirements: In many industries, laws or regulations require some degree of security monitoring. Organizations that process credit card transactions are quite familiar with this need, as dictated by Requirement 10 of the Payment Card Industry Data Security Standard: “Track and monitor all access to network resources and cardholder data.”
  • To integrate with existing enterprise monitoring efforts: Many organizations have (or are in the process of developing) robust monitoring programs designed to keep tabs on IT across the enterprise. Security monitoring can play an important role in warning about events unrelated to security.

Once you’ve determined why you’re conducting security monitoring, carefully assess the requirements for your security monitoring program based upon that rationale. For example, if you’re seeking to proactively detect and react to threats, you may need to create a 24x7 response program capable of reacting to breaches in the middle of the night. If you’re building a compliance-driven program, specific laws and regulations might dictate the type of monitoring you must engage in. When building requirements, consider the following questions:

  • What elements of the infrastructure should be monitored?
  • What types of security events should the monitoring program detect?
  • What is the acceptable response time for a detected security event?
  • What is the response procedure for different types of alerts?
  • What are the measures of success for the monitoring program?
  • Are there any elements of the program that lend themselves to outsourcing?

Finally, it is important to have clear statements of responsibility for the security monitoring program. Many different groups within a company are commonly engaged in these efforts, including some or all of the following:

  • Information security staff
  • Network engineers
  • System administrators
  • Desktop support technicians
  • Operations staff
  • Help desk personnel
  • Management

If you are unable to clearly articulate the responsibilities of each group and communicate them to staff, it is highly unlikely that your program will function effectively. For example, the operations staff might perform the initial triage of security alerts, contacting other technicians for level 2 support as needed.

Monitoring Scope

When you’re ready to start building your program, you’ll need to take the high-level requirements identified earlier and translate them to specific technical needs. These needs will lead to the specific elements of your computing environment that must be included in the scope of your security monitoring.

Nearly every security monitoring program begins by including security-specific infrastructure elements. This includes your malware management system, firewalls, intrusion prevention systems and other security devices. These components are dedicated to providing security services in the IT environment and contribute rich streams of information to security monitors.

You’ll likely want to expand your program beyond devices dedicated to security and also include other elements of your IT environment. One of the most common places to expand the scope is further into networking equipment. Routers and switches can often provide important information to security investigators, including network flow information that can help identify unusual traffic streams and reconstruct the flows of data in the aftermath of a security breach.

Servers and workstations also contain important log information that can identify attempted and successful security breaches. They can also be one of the only sources of information useful in detecting an insider attack waged by someone with the permission to bypass the security controls that normally isolate systems from external attackers. It’s important to carefully select the data you want to capture and collect from these systems as they are capable of quickly generating copious amounts of data that may overwhelm your monitoring efforts.

Maintaining the Program

Building an effective program is only the first step toward security monitoring, which requires ongoing care and feeding if it is to continue providing value to an organization. Simply capturing data is not helpful if nobody is monitoring it and taking action when suspicious activity occurs.

One of the most important ways to maintain an effective program is to automate as much of the monitoring as possible. Security Information and Event Management (SIEM) systems and other centralized logging tools play an important role in this automation by allowing organizations to centrally define alerts and responses for common security events. As you continue to monitor your network, pay attention to both the real security events and false alarms that require analyst attention. For those that recur regularly, try to automate the workflow to reduce the ongoing burden of monitoring.

By clearly defining the rationale, requirements and responsibilities for your security monitoring program, you can make valuable contributions to the security of your enterprise for years to come.

Sign up for our e-newsletter

About the Author

Mike Chapple

Mike Chapple is an IT professional and assistant professor of computer applications at the University of Notre Dame. He is a frequent contributor to BizTech magazine, SearchSecurity and About.com as well as the author of over a dozen books including the CISSP Study Guide, Information Security Illuminated and SQL Server 2008 for Dummies.

Security

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
Tools to Maintain Mobile Sec... |
Far-flung devices pose serious challenges, but a variety of technologies can help protect...

Storage

The New Backup Utility Proce... |
Just getting used to the Windows 8 workflow? Prepare for a change.
How to Perform Traditional W... |
With previous versions going unused, Microsoft radically reimagined the backup utility in...
5 Easy Ways to Build a Bette... |
While large enterprises have the resources of an entire IT department behind them, these...

Infrastructure Optimization

Why Cloud Security Is More E... |
Cloud protection services enable companies to keep up with security threats while...
Ensure Uptime Is in Your Dat... |
Power and cooling solutions support disaster recovery and create cost savings and...
The Value of Converged Infra... |
Improvements in security, management and efficiency are just a few of the benefits CI can...

Networking

Securing the Internet of Thi... |
As excitement around the connected-device future grows, technology vendors seek ways to...
How to Maximize WAN Bandwidt... |
Understand six common problems that plague wide area networks — and how to address them.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Mobile & Wireless

Now that Office for iPad Is... |
After waiting awhile for Microsoft’s productivity suite to arrive, professionals who use...
Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
Linksys Makes a Comeback in... |
The networking vendor introduced several new Smart Switch products at Interop this week.

Hardware & Software

Visualization Can Help Busin... |
Companies need to put their data in formats that make it consumable anytime, anywhere.
The Tools That Power Busines... |
Ever-evolving analytic software can greatly improve financial institutions’ decision-...
XP-iration Date: Today Is th... |
It’s officially lights out for Windows XP as an operating system. Here’s how the world is...