Analytics // Security Monitoring
1/3/2014
08:21 AM
50%
50%

5 Monitoring Initiatives For 2014

To get better visibility into the business and potential threats inside their networks, companies should collect more data, use context, and invest more in their employees' expertise

Security information and event management systems (SIEMs) became much more common in 2013, while more companies talked about using massive data sets to fuel better visibility into the potential threats inside their networks.

Yet effective security monitoring has a long way to go. To better secure their networks and improve visibility into the threats on their systems in 2014, companies first need good communication between business executives and information-security managers. While 90 percent of managers surveyed by network security and management firm SolarWinds thought security was under control, only 30 percent of the actual IT practitioners believe that security is well-established, according to the firm.

A good place to start is for information-technology leaders to ask themselves and their business counterparts what more they want to know about their networks, systems, and employees. Without the right questions, monitoring for threats will be hard, says Dave Bianco, Hunt Team manager for incident-response firm Mandiant, which was acquired by FireEye this week.

"It pays for companies to take a step back and look at what they are doing," Bianco says. "I can look at things that I'm really worried about because of my business, or things that might be interesting to those who are attacking me -- not only figure out what you might be able to detect, but figure out what you have to detect them with."

To start the conversation, here are five initiatives that security-monitoring experts say should be undertaken this year.

1. Catalog the sources in your network
Companies first have to know what they have to work with. A business looking at improving its visibility into its network and the threats in the network should first find out what data sources are available, Mandiant's Bianco says.

Companies should not only collect the logs from Web servers, firewalls, and intrusion-detection systems, but other systems that may not initially be considered sources of intrusion information, he says. One example: the authentication logs for all the systems in the environment, he says.

"Make sure that you are logging the data from these systems correctly and sending it to a central place where you can get access to it," Bianco says. "That way you can turn all those independent log sources into new detection platforms."

2. Monitor users, not just devices
Many companies continue to attribute activities to Internet addresses -- that is, devices -- on their networks, rather than dealiasing the user behind those actions, says Patrick Hubbard, head geek for SolarWinds. Yet adding context to the actions being taken on the network is important, he says.

"With more and more Internet-connected devices on the network, the number of humans on the network relative to the number of devices on the network is beginning to decrease, so it is not as easy to have strong authentication from the device," Hubbard says.

[Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events. See 5 Signs Of Trouble In Your Network.]

Businesses should make an effort this year to attribute actions to specific employees and users by combining authentication information and other sources with network logs.

"You want to look at users not just as logons, but within the context of the identity breadcrumbs they are leaving behind on the network," he says.

3. Use more math
By collecting more data and knowing the questions to ask, companies should find themselves with a lot more information on what is happening in their networks. IT security teams can ask questions of the data and discover incidents that may have otherwise been hidden. However, companies should also allow the data to speak for itself -- and to do that, they need math, says Joe Goldberg, senior manager of security and compliance product marketing for data-analytics firm Splunk.

By using statistical analysis, companies can determine the outliers in a big data set. If the average employee downloads 10 files from a SharePoint server in a day, then someone downloading 50 files may be an advanced threat actor harvesting data from the company's server, he says.

"Use statistics and math on the sea of data that you've collected to figure out what is abnormal and what is odd," Goldberg says.

4. Find out more about attackers
Once companies have the data and the capability to analyze it, they need to know what types of threats may be targeting their company, Mandiant's Bianco says.

Companies need to know the adversaries that might be targeting their businesses or industries. Focused threat intelligence can provide that as well as what techniques are common for those adversaries, Bianco says. Whether an attacker uses spearphishing, SQL injection, or malware to attack a business' systems makes a difference for how a company detects the threats, he says.

"You need to know all these things that influence the catalog that a company creates of detection scenarios and how they are going to detect those threats," he says.

5. Invest more in your people
While security practitioners continue to be in high demand, companies should do everything they can to find the necessary expertise and develop that expertise with training, Splunk's Goldberg says.

"You are going to need security practitioners to not only deploy these systems and collect the data, but also to sit behind the desk and monitor and fine-tune them," he says. "You want skilled people who know you environment well, and you cannot always outsource that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7178
Published: 2014-11-28
Enalean Tuleap before 7.5.99.6 allows remote attackers to execute arbitrary commands via the User-Agent header, which is provided to the passthru PHP function.

CVE-2014-7850
Published: 2014-11-28
Cross-site scripting (XSS) vulnerability in the Web UI in FreeIPA 4.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via vectors related to breadcrumb navigation.

CVE-2014-8423
Published: 2014-11-28
Unspecified vulnerability in the management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to execute arbitrary commands via unknown vectors.

CVE-2014-8424
Published: 2014-11-28
ARRIS VAP2500 before FW08.41 does not properly validate passwords, which allows remote attackers to bypass authentication.

CVE-2014-8425
Published: 2014-11-28
The management portal in ARRIS VAP2500 before FW08.41 allows remote attackers to obtain credentials by reading the configuration files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?