Let’s face facts. Monitoring is one of the most boring tasks facing IT professionals, and security monitoring is about the least interesting component of a chore that many are trying to avoid. However, this mundane work is critical to the success of an organization’s information security program. It is the bread and butter for keeping tabs on a computing environment and provides the early warning capability needed to protect the network against attacks.
Building and maintaining a security monitoring program does not have to be a thankless or burdensome task. There are some simple steps to ensure that monitoring efforts are both effective and serve the needs of an organization.
Whether you’re starting a new program from the ground up or trying to revitalize an existing effort, consider the three R’s of security monitoring: rationale, requirements and responsibilities. Effective programs pay attention to each of these areas.
First, you should have a clearly defined rationale for the investment of time and money you are proposing. Without a well-stated purpose, others might accuse your program of implementing “security for security’s sake.” There are three main reasons that organizations invest in monitoring:
Once you’ve determined why you’re conducting security monitoring, carefully assess the requirements for your security monitoring program based upon that rationale. For example, if you’re seeking to proactively detect and react to threats, you may need to create a 24x7 response program capable of reacting to breaches in the middle of the night. If you’re building a compliance-driven program, specific laws and regulations might dictate the type of monitoring you must engage in. When building requirements, consider the following questions:
Finally, it is important to have clear statements of responsibility for the security monitoring program. Many different groups within a company are commonly engaged in these efforts, including some or all of the following:
If you are unable to clearly articulate the responsibilities of each group and communicate them to staff, it is highly unlikely that your program will function effectively. For example, the operations staff might perform the initial triage of security alerts, contacting other technicians for level 2 support as needed.
When you’re ready to start building your program, you’ll need to take the high-level requirements identified earlier and translate them to specific technical needs. These needs will lead to the specific elements of your computing environment that must be included in the scope of your security monitoring.
Nearly every security monitoring program begins by including security-specific infrastructure elements. This includes your malware management system, firewalls, intrusion prevention systems and other security devices. These components are dedicated to providing security services in the IT environment and contribute rich streams of information to security monitors.
You’ll likely want to expand your program beyond devices dedicated to security and also include other elements of your IT environment. One of the most common places to expand the scope is further into networking equipment. Routers and switches can often provide important information to security investigators, including network flow information that can help identify unusual traffic streams and reconstruct the flows of data in the aftermath of a security breach.
Servers and workstations also contain important log information that can identify attempted and successful security breaches. They can also be one of the only sources of information useful in detecting an insider attack waged by someone with the permission to bypass the security controls that normally isolate systems from external attackers. It’s important to carefully select the data you want to capture and collect from these systems as they are capable of quickly generating copious amounts of data that may overwhelm your monitoring efforts.
Building an effective program is only the first step toward security monitoring, which requires ongoing care and feeding if it is to continue providing value to an organization. Simply capturing data is not helpful if nobody is monitoring it and taking action when suspicious activity occurs.
One of the most important ways to maintain an effective program is to automate as much of the monitoring as possible. Security Information and Event Management (SIEM) systems and other centralized logging tools play an important role in this automation by allowing organizations to centrally define alerts and responses for common security events. As you continue to monitor your network, pay attention to both the real security events and false alarms that require analyst attention. For those that recur regularly, try to automate the workflow to reduce the ongoing burden of monitoring.
By clearly defining the rationale, requirements and responsibilities for your security monitoring program, you can make valuable contributions to the security of your enterprise for years to come.