Analytics // Security Monitoring
1/3/2014
08:21 AM
50%
50%

5 Monitoring Initiatives For 2014

To get better visibility into the business and potential threats inside their networks, companies should collect more data, use context, and invest more in their employees' expertise

Security information and event management systems (SIEMs) became much more common in 2013, while more companies talked about using massive data sets to fuel better visibility into the potential threats inside their networks.

Yet effective security monitoring has a long way to go. To better secure their networks and improve visibility into the threats on their systems in 2014, companies first need good communication between business executives and information-security managers. While 90 percent of managers surveyed by network security and management firm SolarWinds thought security was under control, only 30 percent of the actual IT practitioners believe that security is well-established, according to the firm.

A good place to start is for information-technology leaders to ask themselves and their business counterparts what more they want to know about their networks, systems, and employees. Without the right questions, monitoring for threats will be hard, says Dave Bianco, Hunt Team manager for incident-response firm Mandiant, which was acquired by FireEye this week.

"It pays for companies to take a step back and look at what they are doing," Bianco says. "I can look at things that I'm really worried about because of my business, or things that might be interesting to those who are attacking me -- not only figure out what you might be able to detect, but figure out what you have to detect them with."

To start the conversation, here are five initiatives that security-monitoring experts say should be undertaken this year.

1. Catalog the sources in your network
Companies first have to know what they have to work with. A business looking at improving its visibility into its network and the threats in the network should first find out what data sources are available, Mandiant's Bianco says.

Companies should not only collect the logs from Web servers, firewalls, and intrusion-detection systems, but other systems that may not initially be considered sources of intrusion information, he says. One example: the authentication logs for all the systems in the environment, he says.

"Make sure that you are logging the data from these systems correctly and sending it to a central place where you can get access to it," Bianco says. "That way you can turn all those independent log sources into new detection platforms."

2. Monitor users, not just devices
Many companies continue to attribute activities to Internet addresses -- that is, devices -- on their networks, rather than dealiasing the user behind those actions, says Patrick Hubbard, head geek for SolarWinds. Yet adding context to the actions being taken on the network is important, he says.

"With more and more Internet-connected devices on the network, the number of humans on the network relative to the number of devices on the network is beginning to decrease, so it is not as easy to have strong authentication from the device," Hubbard says.

[Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events. See 5 Signs Of Trouble In Your Network.]

Businesses should make an effort this year to attribute actions to specific employees and users by combining authentication information and other sources with network logs.

"You want to look at users not just as logons, but within the context of the identity breadcrumbs they are leaving behind on the network," he says.

3. Use more math
By collecting more data and knowing the questions to ask, companies should find themselves with a lot more information on what is happening in their networks. IT security teams can ask questions of the data and discover incidents that may have otherwise been hidden. However, companies should also allow the data to speak for itself -- and to do that, they need math, says Joe Goldberg, senior manager of security and compliance product marketing for data-analytics firm Splunk.

By using statistical analysis, companies can determine the outliers in a big data set. If the average employee downloads 10 files from a SharePoint server in a day, then someone downloading 50 files may be an advanced threat actor harvesting data from the company's server, he says.

"Use statistics and math on the sea of data that you've collected to figure out what is abnormal and what is odd," Goldberg says.

4. Find out more about attackers
Once companies have the data and the capability to analyze it, they need to know what types of threats may be targeting their company, Mandiant's Bianco says.

Companies need to know the adversaries that might be targeting their businesses or industries. Focused threat intelligence can provide that as well as what techniques are common for those adversaries, Bianco says. Whether an attacker uses spearphishing, SQL injection, or malware to attack a business' systems makes a difference for how a company detects the threats, he says.

"You need to know all these things that influence the catalog that a company creates of detection scenarios and how they are going to detect those threats," he says.

5. Invest more in your people
While security practitioners continue to be in high demand, companies should do everything they can to find the necessary expertise and develop that expertise with training, Splunk's Goldberg says.

"You are going to need security practitioners to not only deploy these systems and collect the data, but also to sit behind the desk and monitor and fine-tune them," he says. "You want skilled people who know you environment well, and you cannot always outsource that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.