8/18/2016 11:00 AM | Jason Sachowski | Commentary
5 Strategies For Enhancing Targeted Security Monitoring

These examples will help you improve early incident detection results.

Crime scenes -- in both the physical and digital sense -- exist where investigators must work quickly to gather and process evidence before it is no longer available or has been modified. In both cases, investigators set up a large perimeter around the crime scene and work to narrow it down by establishing credible, evidence-based conclusions.

In the digital realm, the most common collection of security incident and event information occurs in sources where large volumes of data can be gathered in support of investigations.  However, this large volume of data can easily lead to "analysis paralysis," making it more difficult to find the proverbial needle in the haystack.

Here are five ways to enhance your security monitoring capabilities to detect potential threats in a more effective and timely manner.

1. Define (un)acceptable activity
Organizations must define what they consider acceptable and unacceptable activity within the scope of their business environment, through specific policy and standards documents. Monitoring and alerting on these activities is only possible once they have been explicitly defined.

Generally, acceptable activity is any activity within the boundaries stated in the organization's governance documentation, such as a Business Code of Conduct. Unacceptable activity is anything outside the confines of what the organization has defined as acceptable (e.g. policy violations, breach of confidentiality).

2. Follow criticality-based deployments
Collecting large volumes of security information and events can become overwhelming when it comes time to perform an investigation. While the idea of "casting the net wide" ensures that a broad scope of evidence will be readily available, targeted capabilities ensure that high-value and high-risk assets (e.g. employees, systems, networks) are being proactively monitored.

Determining the criticality of assets requires organizations to validate the security properties of each asset, including, for example, confidentiality, integrity, availability, authorization, authentication and non-repudiation. Through a formal risk assessment and threat modeling exercise, organizations can then prioritize their targeted monitoring capabilities based on the criticality of their assets.

3. Utilize analytical techniques
Approaches to security monitoring depend on factors such as the type of security control used or the functionality provided by supporting technologies. But the foundation of security monitoring is the premise that unacceptable activity is visibly different from acceptable activity and can be detected because of that difference.

Combining different analytical techniques, such as anomaly detection and pattern matching, to monitor for both acceptable and unacceptable activity improves proactive detection and helps identify security events before they intensify.

4. Go for the best technology for the job
Business requirements are the primary driver for the use of any security monitoring technology. While this should be common knowledge, security monitoring is often overshadowed by exploiting the capabilities of a technology rather than focusing on the business need for using it.

At the end of the day, there are a wide range of technology solutions that offer varying levels of functionality specific to security monitoring. Aside from analytical techniques, when selecting a solution best-suited for your organization, it is important to consider factors such as:

  • Lower Total Cost of Ownership (TCO)
  • Increased customizations to fit business requirements
  • Minimal compromises on technology components
  • Compatibility with other technologies and interface exchanges

5. Conduct assurance exercises
The continued value proposition of targeted security monitoring requires an organization to maintain its accuracy in identifying acceptable and unacceptable activity. Similar to how we conduct audits against our information systems, regular assessments must be done to ensure that detection mechanisms (e.g. analytical techniques, signatures) are still applicable and that the list of critical assets is still current.

While the frequency of these assurance exercises will be specific to each organization, the approach must be consistent in that the administrative, physical, and technical aspects of security monitoring are measured equally. Following this methodology will ensure that the overall implementation of targeted security monitoring remains effective and efficient throughout its continued operation.
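Pulling strategies 1, 2, 3 and 5 together in code: the example below is added here and is not from the article or the author's book. Unacceptable activity is defined as named rules (strategy 1), alerts are ranked by a constructed asset criticality table (strategy 2), pattern matching and a simple failed-login anomaly threshold run side by side (strategy 3), and an assurance check replays known-bad samples to find rules that have gone silent (strategy 5). The log format, rule names, host names and thresholds are all assumptions made for the example.

```python
import re
from collections import Counter
# Strategy 1: unacceptable activity defined explicitly, as named patterns.
# Rule names and the log format are constructed for this example.
UNACCEPTABLE_PATTERNS = {
    "policy_violation_usb": re.compile(r"action=usb_mount"),
    "confidentiality_breach": re.compile(r"action=export_file .*dst=external"),
}
# Strategy 2: criticality from a (constructed) risk assessment; unknown hosts get 1.
ASSET_CRITICALITY = {"hr-db": 3, "fileserver": 2, "kiosk": 1}
# Strategy 3 (anomaly): more than this many failed logins per host/user is anomalous.
FAILED_LOGIN_BASELINE = 3
LOG_RE = re.compile(r"host=(\S+) user=(\S+) action=(\S+) result=(\S+)")

def detect(lines):
    """Return alerts as (criticality, rule, host, user), highest criticality first."""
    alerts, failures = [], Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrecognised event; a real pipeline would count these too
        host, user, action, result = m.groups()
        crit = ASSET_CRITICALITY.get(host, 1)
        # Strategy 3 (pattern matching): signature-style rules for defined activity.
        for rule, pattern in UNACCEPTABLE_PATTERNS.items():
            if pattern.search(line):
                alerts.append((crit, rule, host, user))
        # Strategy 3 (anomaly detection): alert once when the baseline is exceeded.
        if action == "login" and result == "failure":
            failures[(host, user)] += 1
            if failures[(host, user)] == FAILED_LOGIN_BASELINE + 1:
                alerts.append((crit, "anomalous_failed_logins", host, user))
    alerts.sort(key=lambda a: a[0], reverse=True)
    return alerts

# Constructed sample log lines, not real telemetry.
SAMPLE_LINES = [
    "t=1 host=hr-db user=alice action=login result=failure",
    "t=2 host=hr-db user=alice action=login result=failure",
    "t=3 host=hr-db user=alice action=login result=failure",
    "t=4 host=hr-db user=alice action=login result=failure",
    "t=5 host=kiosk user=guest action=usb_mount result=success",
    "t=6 host=fileserver user=bob action=export_file result=success dst=external",
]

def assurance_check(lines, expected_rules):
    """Strategy 5: replay known-bad samples and report rules that no longer fire."""
    fired = {rule for _, rule, _, _ in detect(lines)}
    return sorted(set(expected_rules) - fired)
```

Running `detect(SAMPLE_LINES)` yields three alerts ordered hr-db, fileserver, kiosk; `assurance_check` returns the names of any defined rules that produced no alert on the replayed samples.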

Before organizations implement any form of security monitoring, it is important that they understand the scope of what they need to monitor and how they will go about achieving their monitoring goals. Once established, using any combination of analytical techniques to monitor acceptable and unacceptable behaviour will improve detection capabilities to identify events and/or incidents before they intensify.

This article was sourced in part from the book by Jason Sachowski, titled “Implementing Digital Forensic Readiness: From Reactive To Proactive Process,” available now at the Elsevier Store and other international retailers.

Jason is an Information Security professional with over 10 years of experience. He is currently the Director of Security Forensics & Civil Investigations within the Scotiabank group. Throughout his career at Scotiabank, he has been responsible for digital investigations, ...