For a long time, SIEM solutions and Security Monitoring were synonyms in the world of Security Operations. Today it is understood that there are limitations to this thought process and there is a real need for security teams to focus on other areas as well to have trust in the monitoring that is being carried out.
Monitoring Beyond Compliance
Even today, many organizations establish a SOC primarily to cater to the needs of compliance. If that is all we need to achieve, then having a SIEM solution and building some basic building blocks for SOC monitoring will suffice. However, as the saying goes, “As you sow, so shall you reap,” and the benefits will be very limited. In this compliance-first approach, the primary focus is on receiving alert notifications and sending them to the right teams for investigation. It also involves producing reports to support the teams in basic analysis and retaining those reports to justify future audits. In addition, with this approach, devices are identified for monitoring first, and use cases are then built around whatever log sources happen to be integrated.
To achieve a true security objective, the focus should be on going beyond compliance: it is absolutely important to have clear, risk-based use case modeling designed and implemented around business risks. Since the focus is on monitoring these business risks, log source integration should be driven by the risks and by the needs of the use cases, not the other way around. The focus should also shift clearly away from merely receiving all of the alerts and towards having a good mechanism to quickly triage the alerts, investigate them, and work only on the qualified incidents. This shift in focus also means a shift away from the usual KPIs of time to notify of an alert or time to send a report. The new KPI would instead focus on the number of potential incidents investigated.
A Monitoring Paradigm Shift: The Inside Out Challenge and Big Data
The earlier trend of finding holes in the perimeter to attack guarded targets led monitoring to watch what was happening at the perimeter and on any publicly exposed devices and applications. Most attacks originated from outside, and hence the idea of watching the gates made a lot of sense. It also made economic sense to look at just the exposed targets rather than trying to monitor everything in the organization’s infrastructure. In other words, watching the outside made sense; however, today there is a huge paradigm shift where the attack itself happens from the inside and only the weapon is delivered from outside. This is what I call the “Inside Out challenge.” In a sense, the inside has become what was previously the outside, and every attacker is now working on both delivering the weapon and attacking from the inside.
Addressing this inside-out challenge is not easy with the traditional model of using the SIEM and integrating every possible device. The infrastructure, in terms of both hardware and software licensing costs, is prohibitive for most organizations. The highly skilled staff needed to run that infrastructure and deliver the output are not easy to find in the market, and the cost of retaining such people is a completely different story. One way to approach this is to use good platforms built on Big Data Analytics. Instead of receiving everything in real time, which has its own challenges, it is worth running analysis every day over historical data, picking out the anomalies, and then investigating them. Given that the statistics say APTs need to stay in the network for a long time before they cause considerable damage, big data analytics can help surface the presence of such threats much earlier. Apart from having a big data analytics platform, it is necessary to have a way to convert the successful methods skilled analysts use to identify anomalies into good models that can then be applied repeatedly. This practice of creating models is essential for the success of the program.
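As an added illustration of the daily batch approach described above (this is example code written for this page, not something from the original article), the script below turns an analyst heuristic, “a host sending far more than its own normal,” into a reusable per-entity model fitted on historical daily aggregates and then scores a single day against it. The host names, the daily outbound volumes and the threshold are all constructed for the example.

```python
"""Daily batch anomaly scoring over historical log summaries.

Added example for this page. Assumes a daily aggregate feed of
outbound bytes per host; the data below is constructed inline.
"""
from statistics import median

# Constructed sample: outbound MB per host over seven historical days.
# "ws-17" is normally quiet, then jumps on the scored day.
HISTORY = {
    "ws-03": [120, 131, 118, 125, 140, 122, 128],
    "ws-17": [80, 85, 79, 90, 84, 88, 82],
    "db-01": [900, 950, 920, 980, 940, 910, 960],
}
TODAY = {"ws-03": 135, "ws-17": 410, "db-01": 955}


def mad_model(history, k=1.4826):
    """Codify the analyst's heuristic as a reusable model: for each
    entity keep its median and its scaled median absolute deviation.
    The result is plain data, so it can be stored and re-run daily."""
    model = {}
    for entity, values in history.items():
        med = median(values)
        mad = median(abs(v - med) for v in values) * k
        model[entity] = {"median": med, "mad": mad}
    return model


def score(model, today, threshold=5.0, min_mad=1.0):
    """Return (anomalies, unseen). An anomaly is an entity whose value
    sits more than `threshold` robust deviations above its own baseline.
    Entities with no baseline are reported separately: 'never seen
    before' is a finding for triage, not something to silently skip."""
    anomalies, unseen = [], []
    for entity, value in today.items():
        params = model.get(entity)
        if params is None:
            unseen.append(entity)
            continue
        # Floor the spread so a perfectly flat history cannot divide by zero.
        spread = max(params["mad"], min_mad)
        z = (value - params["median"]) / spread
        if z > threshold:
            anomalies.append((entity, round(z, 1)))
    return anomalies, unseen


if __name__ == "__main__":
    found, new = score(mad_model(HISTORY), TODAY)
    print("anomalies:", found, "unseen:", new)
```

The output feeds the triage queue rather than a real-time alert stream; the model itself is just the dictionary returned by `mad_model`, which is what makes the method repeatable across days and analysts.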
Breach Investigation – A More Effective Security Audit
The traditional information security management system audit focuses heavily on controls and on their enforcement. It also comes with frequent audit programs, such as internal and external audits, to ensure the controls are in place and working.
However, the need of the hour goes beyond these audits, and running a Breach Investigation Audit can help. Like every other audit, it requires a program to regularly check whether the organization is exposed to a breach and to identify whether something is happening or has already happened. The program needs to be run regularly by specialists and should complement the organization’s established monitoring program. It will probably not be long before regulations require such audits to take place.
With the huge challenges organizations face with regard to cyber security, I believe the above-mentioned aspects are some of the new essentials for security monitoring.