Security monitoring is vital to the health of today’s “always on” organizations. Without effective monitoring, you’re just flying blind and giving threats a hall pass. But, where do you start? What if you don’t have the budget to build a monitoring capability the size of a death star, much less an army of storm troopers to staff its operations?
The 451 Group: a global syndicated research, data, advisory, certification, and professional services firm providing thought leadership and direct business value to the emergent digital infrastructure industry.
My story about doing IDS monitoring and not having the faintest clue what it was…
What is monitoring all about? Why do we do it, and what is it meant to achieve? Is the purpose just to bore sysadmins to death?
Most importantly, define what the objective of monitoring is. Without a goal you can't score: too many organizations rush out to buy a SIEM-type product, get all their logs nicely correlated, and still have little or no idea what they're supposed to do with it all.
So let's break it down. From a business perspective, decide what is important: what are the assets of most concern?
Is it your sales data in Salesforce? Is it your secret recipe? (Quote about selling more beer.) Once you have that information, you are very well placed to know where to deploy monitoring controls and exactly what you're looking out for.
This is where a lot of companies may turn around and say they don't have the budget to deploy expensive and extensive tools and products. That may be true, but there are plenty of things you can do to get decent monitoring with nothing more than a chewing gum wrapper, a pair of tweezers and some creativity. First off, most products already have auditing and monitoring capabilities built in. If you know what your assets are, you know which logs to probe and what an unexpected entry in them would look like.
Story of our password vault which was envelopes and signed / taped to give a poor-mans tamper evidence seal.
Honeypots, traps, etc.: creating dummy users in Salesforce, planting dummy secret documents on the network. Nobody has a legitimate reason to touch them, so any access at all is worth a look.
Engaging your user population: if you see something, say something. A lot of things have been spotted by humans, e.g. the app is slow to respond, the servers are rebooting themselves, etc.
Start with logging switched off, then turn on, one by one, the sources you are interested in or think you'll need. Use your knowledge of common attack methods to filter out the noise. Regularly review what you are collecting and ask why you're collecting it.
Get familiar with your logs and what they look like, and get your business familiar with how things should look, so that both of you can spot when they don't.
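To make the last few points concrete (probing the logs of the assets you care about, honeytokens, filtering noise with knowledge of common attack methods, and knowing what normal looks like), here is an added example in Python. It is not from the talk or from any product. The log format, the canary names `svc_backup_old` and `/shares/finance/Q4_acquisition_targets.xlsx`, the `monitor_probe` noise account and the five-failures-in-two-minutes threshold are all assumptions made for the example, and the sample log is constructed, not a real capture.

```python
"""Poor man's log monitor: honeytoken alerts plus one attack-pattern rule over auth logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Honeytokens (hypothetical names): a dummy account nobody should ever use and a dummy
# "secret" document nobody should ever open. Any touch is an alert, by definition.
CANARY_USERS = {"svc_backup_old"}
CANARY_FILES = {"/shares/finance/Q4_acquisition_targets.xlsx"}

# Known noise, decided up front rather than discovered by drowning in it: here the
# monitoring host's own health-check logins (assumed for the example).
NOISE_PATTERNS = [re.compile(r"\buser=monitor_probe\b")]

# Common attack method: password guessing. Five failures from one source inside two minutes.
FAILED_LOGIN_THRESHOLD = 5
FAILED_LOGIN_WINDOW = timedelta(minutes=2)

# Constructed log format for the example: "<ISO timestamp> <EVENT> user=<u> src=<ip> [path=<p>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<event>[A-Z_]+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: path=(?P<path>\S+))?$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so the caller can flag it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def analyse(lines):
    """Run the rules over an iterable of log lines; return (rule, src, detail) alerts in order."""
    alerts = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures still inside the window
    for raw in lines:
        if any(p.search(raw) for p in NOISE_PATTERNS):
            continue  # suppress known noise before anything else
        ev = parse_line(raw)
        if ev is None:
            # Lines you can't parse are worth knowing about: formats change and attackers
            # sometimes inject junk, so surface them instead of silently dropping them.
            alerts.append(("UNPARSED", "-", raw))
            continue
        if ev["user"] in CANARY_USERS:
            alerts.append(("CANARY_USER", ev["src"], ev["user"]))
        if ev["path"] in CANARY_FILES:
            alerts.append(("CANARY_FILE", ev["src"], f'{ev["user"]} read {ev["path"]}'))
        if ev["event"] == "LOGIN_FAIL":
            q = recent_failures[ev["src"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > FAILED_LOGIN_WINDOW:
                q.popleft()  # forget failures that have aged out of the window
            if len(q) == FAILED_LOGIN_THRESHOLD:  # fire when the threshold is crossed, not on every further failure
                alerts.append(("BRUTE_FORCE", ev["src"], f"{len(q)} failures in {FAILED_LOGIN_WINDOW}"))
    return alerts


# Constructed sample input for the example, not a real capture.
SAMPLE_LOG = """\
2024-03-04T09:00:01 LOGIN_OK user=alice src=10.0.0.12
2024-03-04T09:00:05 LOGIN_OK user=monitor_probe src=10.0.0.2
2024-03-04T09:01:10 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-04T09:01:20 LOGIN_FAIL user=bob src=203.0.113.7
2024-03-04T09:01:30 LOGIN_FAIL user=admin src=203.0.113.7
2024-03-04T09:01:45 LOGIN_FAIL user=root src=203.0.113.7
2024-03-04T09:02:00 LOGIN_FAIL user=svc_backup_old src=203.0.113.7
2024-03-04T09:05:00 LOGIN_OK user=monitor_probe src=10.0.0.2
2024-03-04T09:07:12 FILE_READ user=carol src=10.0.0.33 path=/shares/finance/Q4_acquisition_targets.xlsx
2024-03-04T09:08:00 LOGIN_FAIL user=alice src=10.0.0.12
garbage line the parser does not understand
""".splitlines()

if __name__ == "__main__":
    for rule, src, detail in analyse(SAMPLE_LOG):
        print(f"{rule:12} {src:15} {detail}")
```

On the sample above this produces four alerts: the attacker at 203.0.113.7 trips the canary account and, on the same line, crosses the brute-force threshold; carol opening the planted document trips the canary file; and the unparseable line is reported rather than dropped. Alice's single failed login and the monitoring account's logins produce nothing, which is the "know what normal looks like" part: the noise list and the threshold encode what you have already decided is uninteresting, and both should be reviewed regularly along with the rest of your monitoring.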
Once you’ve found an event of interest, what are you going to do next? This is where you need a process in place to report to the relevant people in a consistent manner. Consistency is king. Share information widely so the whole organization can benefit from it: maybe there’s something finance can do, or the person who looks after the mail server can do, to help stop these things happening again.
Then it needs to be responded to. This delves a little into incident response, but someone has to respond, and a good process agreed upon in advance helps stop rash decisions being made in the heat of the moment. What you also need is a way to monitor and validate that a response has had the desired effect and fixed the underlying issue, while not introducing anything else undesirable.
Log files are the evidence locker of what’s really going on in your network, so it’s vital that organizations continuously monitor and analyze this data because you can’t control what you can’t see!
Log data is generated throughout the IT infrastructure -- web server logs, operating system logs, application logs, firewall logs, and more. Without the proper tools and processes in place, IT professionals can quickly become buried by the sheer volume. And, the critical information residing in those logs may never come to light.
IT pros face more and more pressure to detect and mitigate threats in real time or near real time. Unfortunately, organizations of all sizes and industries face the same problem: a large amount of data has to be collected, sorted, and analyzed before they can derive actionable security intelligence and truly assess their security posture.
Today’s security management can be overwhelming. The fact is IT pros need an easier way to address an ever-evolving threat landscape without neglecting the multitude of other daily IT responsibilities:
- Automated log collection from anywhere data is generated within the IT infrastructure: network devices, security devices, applications, databases, virtual machines, cloud, and more
- Device log consolidation; a centralized location to store device logs
- 24/7 security monitoring for suspicious or malicious activities
- Real-time, in-memory event correlation to instantly view a security breach; correlating logs across disparate devices, providing a big-picture view of network activity; nearly 700 built-in correlation rules for visibility right out of the box
- Built-in active responses to instantly and automatically take action to remediate a threat, such as blocking an IP, killing a process, or logging off a user
- Advanced, easy-to-use search interface with drag-and-drop simplicity, data visualization, and drill-down details for fast and effective forensic analysis
- Over 300 pre-packaged, “audit-proven” security and compliance templates including PCI, HIPAA, SOX, GLBA and many more; out-of-the-box rules and reporting for virtually all of the major regulated industries
- USB-Defender® technology protects sensitive data with real-time monitoring, device detection, notification, and the ability to block usage