This is the first in a series of articles that will introduce some of the foundational information security concepts that are integral to the work that we do at Cadency. This post is an introduction to security monitoring for a someone who is new to Information Security and will be as non-technical as is possible.
Security monitoring is the process of generating security events based on data gathered from your IT environment. That is really it: you gather data, apply some intelligence and generate an event if you have identified something of interest. That security event in turn drives an action and we will explore what actions can be taken in a future post.
The first step is to identify where you should gather this data from. The good news is that there is already a wealth of data available; it exists in the operating system, application and device logs of your current systems. Often these logs are being gathered by developers and system administrators but it is likely that they are not being kept in a central place.
Here we will distinguish our data source into two types:
System Data: Existing data being generated in operating system logs, application logs, network device and firewall logs. The syslog protocol is a great example of this. If you have any Linux hosts in your environment then both the OS and the applications will be logging to local syslog. This applies equally to a windows environment, the servers and clients generate event logs by default. And if you are running in a cloud service (such as AWS or the Google Cloud Platform) there is also an abundance of native logging that can be collected.
Sensor Data: Generated by sensors installed to monitor your environment - sensors are also known as ‘instruments’ or instrumenting your network. They can be placed in your network listening to traffic (e.g. network intrusion detection system) or running on your endpoints (e.g. host intrusion detection). Adding sensors will give you visibility into networks and systems to answer a specific question about what is occurring. If this aspect of security engineering is new to you, it’s a really interesting topic and deserving of a dedicated post which will follow this one.
After the data sources have been identified and collection has begun, you can process this incoming stream for security events. A security event is an occurrence of something of interest that requires an action. As a definition that can sound quite unspecific but the ‘something of interest’ is different for every company. There will be similarities in that there is a set of universally bad events, things that should never happen and all companies should be able to detect if they have occurred. Examples include: access to sensitive data; suspicious login attempts and privilege escalation; unauthorised changes to your environment and active malware ‘beacons’.
After you have your foundation then maturing your security monitoring capability depends on your operations, the type of environment you have and more specifically what is important to you. For example someone who is running a publicly available web shop will have a different focus than a closed Enterprise network. Or someone running a very fluid deployment model across multiple cloud providers will have different concerns than a traditional stack running in a physical data center.
Finally let’s address why you would want to have security monitoring. It gives you two key capabilities: the ability to detect threats in near real time and the ability to respond after a successful attack. Analysing your data for security events means you can be alerted if something ‘bad’ is happening and act accordingly. When you are first exposed to this it can seem like you have found the perfect solution to protecting yourself but the reality is detection is in no way perfect. You will never be able to get ahead of every new type of attack or a creative highly skilled attacker. This is where the second response capability becomes very powerful, by gathering and storing this security data you now have a historical record which can be searched if a problem is discovered. Security monitoring gives you visibility into the attack, you can see what systems have been impacted and essentially what the fallout out is.
The phrase “security is process” is frequently used within the Information security profession (often as an attempt to address the common perception that buying a particular security appliance will make you secure). Security monitoring is in a lot of ways that process. It doesn’t replace the basic foundations (such as patch cycles, server hardening, user authentication and general good hygiene), it is the next step to start raising the bar. Monitoring a process you mature with a feedback loop, learning from your data. You can progress from collecting basic security events to automating actions on those events (such as gathering more contextual data or ‘enrichment’ or even an automated response), to then using this data to proactively ‘hunt’.
Security monitoring is at the core of what Cadency was founded to do, it is something we believe in and our mission is to deliver a monitoring service that any company can use. If you want to know more then please get in touch via email or start a conversation on twitter. In the next few posts we will follow up on some of the topics we introduced here.
Originally published on the Cadency blog