Back to Cybersecurity Basics – Part 7: Security Monitoring
Cyber attacks come in all shapes and sizes. From internal threat actors to state-sponsored attacks on government, security is now seen as one of the biggest threats to business. In fact, in the recently released World Economic Global Risks Report, cyber attacks were in the top 5 risks to global stability alongside natural disasters, extreme weather, data fraud and failure to address climate change, so you can see it’s a pretty big deal!
Sadly, as we saw with last year’s WannaCry outbreak, no longer are cyber attacks only causing a financial burden to consumers and businesses but there is now a very real threat to life. Whilst there were no reports of any deaths being directly linked to WannaCry, the cancelling of operations and hospital appointments should serve as a warning at the very least.
Due to the explosion in the number of attacks and the potential severity of them, organisations must not only focus on preventing attacks at the gateway but also constantly monitor the network for stealthy attacks that have managed to creep through their defences.
The average time a threat lays dormant on the network, watching and waiting to launch, is now over 200 days which means the race is on to find and disable these before they become an issue. This is something that as an industry we need to work to reduce. Work is underway to do this and as we see more organisations move from a reactive approach to cybersecurity to threat hunting, this number should decrease.
Network Security Monitoring is the collection, analysis and escalation of potential intrusion warnings or network traffic anomalies. Of course, this becomes more difficult the larger the organisation is because of the number of logs that need to be analysed and the amount of malware that is entering the network.
Cisco’s Enterprise strategy group conducted research into how Cybersecurity professionals view security monitoring and this was one of their toughest challenges.
Seventy-two percent of companies we interviewed said network security monitoring is more difficult today than it was two years ago. Some of this can be attributed to an increase in malware volume – 34 percent said that – and 28 percent pointed to an overall increase in network traffic.
Cisco Enterprise Strategy Group
There are of course other challenges for security professionals including, gaining comprehensive visibility, communication and process issues between cybersecurity and network operations, and collecting the right data at the right time.
It’s not enough to simply jump in blindly and start monitoring the network for threats. You need to firstly ensure that you have developed a monitoring strategy that is right for your business, addressing the biggest risks to the organisation. Previous incidents can be used to define what your priorities should be.
When developing your monitoring strategy there are several things to consider.
Monitor as much as possible.
When building your monitoring strategy it’s important to make sure that even if you have specific priorities you ensure that you are monitoring as many necessary systems and networks as possible. This can be more challenging than it seems, especially in a larger network.
Gaining comprehensive visibility was mentioned as a specific challenge, with 31 percent of organisations indicating they had one or several network blind spots. While they monitor network traffic, there are areas of the network or particular workloads that they can’t see or don’t see very well. That makes it hard to get an end-to-end view of network security.
Cisco Enterprise Strategy Group
Monitor Network Traffic
As mentioned in the quote above, monitoring of network traffic should also be considered to identify suspicious activity such as unusually large data transfers and who, when and where network traffic is coming from or going to. Any unusual activity should generate alerts to relevant parties and these logs/alerts should be investigated to understand the cause and used to build cases.
Monitor User Behaviour
As well as monitoring Network Traffic, user behaviour should also be monitored. This should be used to uncover deliberate malicious and accidental misuse of data and systems. Working to a state of least privilege will help, however, user monitoring should still be used in conjunction as privileged users can still have their account details compromised by hackers or reach a ‘tipping point’ where they decide to use their privileged position to steal data or sabotage systems.
Central Management
Another consideration to make when developing a monitoring strategy is how will your analysts analyse the security logs? It will be beneficial for you to set-up a centralised point to analyse the data. Due to the number of logs involved, having the capability to centrally manage this information will streamline security operations meaning that more time will be spent on uncovering and responding to potential security risks.
Continuous Improvement
Once you have your monitoring strategy in place, it’s important to remember to continually improve your monitoring capability. Learn from past security incidents and fine tune your capability to only pull data from priority systems. Caution should always be taken when pulling data from too many unnecessary sources because this increases the chance that real security incidents will be missed.
Its something that we at ITB have been talking about for a long time, it’s not if but when your network will be compromised. This is becoming truer as time moves on, so developing a monitoring strategy and being proactive rather than reactive in the face of threats is becoming imperative.