Monitoring is a key cybersecurity competency

Technology has accelerated the pace of almost everything we do.  The same is true for the speed of cyber attacks.  Technology has decreased the time it takes for a small, localized cybersecurity event to balloon into a serious security incident.  A single compromised password or one wrong click can ignite like wildfire to quickly engulf your organization.

The impact of such a cyber attack can be felt throughout the organization and extend to its customers or partners.   The repercussions, including reputational damage, have been severe.  Larger companies have seen stock prices drop while some smaller companies cease to exist after such incidents.

Modern cyberattacks

Some attacks slow business to a crawl while others are designed to corrupt decision-making by subverting data integrity.  In other cases, cybercriminals may take control of company resources to launch attacks against others.  The majority of attacks are designed to steal sensitive corporate or customer information or to divert or extort money from the company.

It is important to note that the modern cyberattack typically transpires over several phases.  An attacker may use phishing emails or malware to gain initial access.  Once access is gained, these criminals use it to reach further into organizational systems until they can accomplish their objectives.  This may require hopping from system to system.  For example, the cybercriminal may need to compromise a file server and a database to obtain customer records, and then they may compromise a web server to exfiltrate the data.  Response teams can still prevent the breach if they can stop the attacker before they gain access to each of the required resources.  This, of course, requires enterprise-wide security monitoring and threat intelligence.

Cybersecurity monitoring and threat intelligence

The core of cybersecurity monitoring and threat intelligence lies in the Security Information and Event Management (SIEM) system.  Computer systems store logs of the activity that occurs on them.  These logs may only persist for a short amount of time and systems can be configured to log more or less information.  SIEM systems collect log information from servers, network devices, endpoints, and other systems and then correlate and analyze this information together.  Not only does this preserve critical log information for investigation, but it also provides a more complete picture of the activity across the enterprise.

SIEM systems are powerful, but they need to be managed correctly to detect security events effectively.  Teams will usually deploy agents to the devices that will be managed.  Some devices, such as switches or firewalls, may need to send their logs to another device for initial collection, and then the SIEM pulls from this device.  All the events are then normalized so that different event labels meaning the same thing from multiple vendors are all given the same label within the system.  Device timestamps may differ when data is collected, so their time offset is recorded so that log timestamps are made internally consistent within the SIEM.

Next, a team of cybersecurity professionals reviews the events in the system.  This often occurs in a security operations center where events and dashboards display threat intelligence in real time.  Automation is used to identify possible threats and then human intelligence is leveraged to screen out false positives or dig deeper into potential issues.

Cybersecurity monitoring can appear overwhelming, so many companies outsource the process to a trusted provider.  Outsourcing allows them to avoid costly software licensing as well as employing and managing the monitoring team.  Either way, you do it, cybersecurity monitoring remains a vital part of detecting and responding to today’s cyber threats.  It also is required by some of the most prevalent regulations.

Compliance requirements

Cybersecurity is an evolving space.  What once seemed bleeding edge becomes the expected minimum standard in just a few years.  Today, HIPAA, PCI, and GDPR each require some level of cybersecurity monitoring to be compliant.  These compliance bodies expect companies to be actively monitoring for potential data or privacy incidents to stop attacks before they result in a breach.  However, if a breach occurs, monitoring systems are utilized to quickly investigate the incident and determine the scope and impact so that patients or customers can take action to protect or change their information before they suffer greater damages.

Effective detection predicates effective response

The modern enterprise is a complex mix of diverse technologies.  Attackers only need to find one hole to get in, but companies need to stay vigilant against threats across the enterprise.  With the exception of ransomware, most cybercriminals will not tell you when they have breached your network so it is up to you to detect intrusions to stop cybercriminals before they can accomplish their objectives.  Cybersecurity monitoring is the key to obtaining the necessary threat intelligence to mount an effective defense.  Ensure that cybersecurity monitoring is a part of your organization’s security strategy.

About The Author

Eric Vanderburg

Eric Vanderburg is an author, thought leader, and consultant. He serves as the Vice President of Cybersecurity at TCDI and Vice Chairman of the board at TechMin. He is best known for his insight on cybersecurity, privacy, data protection, and storage. Eric is a continual learner who has earned over 40 technology and security certifications. He has a strong desire to share technology insights with the community. Eric is the author of several books and he frequently writes articles for magazines, journals, and other publications.

Leave a Reply