1/3/2014
08:21 AM

5 Monitoring Initiatives For 2014

To get better visibility into the business and potential threats inside their networks, companies should collect more data, use context, and invest more in their employees' expertise

Security information and event management systems (SIEMs) became much more common in 2013, while more companies talked about using massive data sets to fuel better visibility into the potential threats inside their networks.

Yet effective security monitoring has a long way to go. To better secure their networks and improve visibility into the threats on their systems in 2014, companies first need good communication between business executives and information-security managers. While 90 percent of managers surveyed by network security and management firm SolarWinds thought security was under control, only 30 percent of the actual IT practitioners believe that security is well-established, according to the firm.

A good place to start is for information-technology leaders to ask themselves and their business counterparts what more they want to know about their networks, systems, and employees. Without the right questions, monitoring for threats will be hard, says Dave Bianco, Hunt Team manager for incident-response firm Mandiant, which was acquired by FireEye this week.

"It pays for companies to take a step back and look at what they are doing," Bianco says. "I can look at things that I'm really worried about because of my business, or things that might be interesting to those who are attacking me -- not only figure out what you might be able to detect, but figure out what you have to detect them with."

To start the conversation, here are five initiatives that security-monitoring experts say should be undertaken this year.

1. Catalog the sources in your network
Companies first have to know what they have to work with. A business looking at improving its visibility into its network and the threats in the network should first find out what data sources are available, Mandiant's Bianco says.

Companies should not only collect the logs from Web servers, firewalls, and intrusion-detection systems, but other systems that may not initially be considered sources of intrusion information, he says. One example: the authentication logs for all the systems in the environment, he says.

"Make sure that you are logging the data from these systems correctly and sending it to a central place where you can get access to it," Bianco says. "That way you can turn all those independent log sources into new detection platforms."

2. Monitor users, not just devices
Many companies continue to attribute activities to Internet addresses -- that is, devices -- on their networks, rather than resolving which user was behind those actions, says Patrick Hubbard, head geek for SolarWinds. Yet adding that context to the actions being taken on the network is important, he says.

"With more and more Internet-connected devices on the network, the number of humans on the network relative to the number of devices on the network is beginning to decrease, so it is not as easy to have strong authentication from the device," Hubbard says.

[Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events. See 5 Signs Of Trouble In Your Network.]

Businesses should make an effort this year to attribute actions to specific employees and users by combining authentication information and other sources with network logs.

"You want to look at users not just as logons, but within the context of the identity breadcrumbs they are leaving behind on the network," he says.
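As an added illustration of the attribution Hubbard describes (example code, not from the article or SolarWinds), the script below joins constructed authentication events with constructed proxy log lines so that each request is tied to the user who held the source IP at that moment; the log formats, user names and addresses are all assumed.

```python
from datetime import datetime

# Constructed sample data (not from the article): logon/logoff events from a
# central authentication log and proxy requests keyed only by source IP.
AUTH_LOG = [
    "2014-01-03T08:00:00 LOGON  alice 10.0.0.5",
    "2014-01-03T08:05:00 LOGON  bob   10.0.0.9",
    "2014-01-03T12:00:00 LOGOFF alice 10.0.0.5",
    "2014-01-03T12:30:00 LOGON  carol 10.0.0.5",   # same IP reused by another user
]
PROXY_LOG = [
    "2014-01-03T09:15:00 10.0.0.5 GET http://example.com/report.xlsx",
    "2014-01-03T12:45:00 10.0.0.5 GET http://example.com/payroll.xlsx",
    "2014-01-03T10:00:00 10.0.0.9 GET http://example.com/index.html",
    "2014-01-03T07:00:00 10.0.0.7 GET http://example.com/unknown",
]

def parse_sessions(auth_lines):
    """Turn logon/logoff events into (user, ip, start, end) sessions.
    A session still open at the end of the log runs to datetime.max."""
    sessions, open_sessions = [], {}
    for line in auth_lines:
        ts, event, user, ip = line.split()
        t = datetime.fromisoformat(ts)
        if event == "LOGON":
            # A new logon on the same IP implicitly closes the previous session.
            if ip in open_sessions:
                prev_user, prev_start = open_sessions.pop(ip)
                sessions.append((prev_user, ip, prev_start, t))
            open_sessions[ip] = (user, t)
        elif event == "LOGOFF" and ip in open_sessions and open_sessions[ip][0] == user:
            start = open_sessions.pop(ip)[1]
            sessions.append((user, ip, start, t))
    for ip, (user, start) in open_sessions.items():
        sessions.append((user, ip, start, datetime.max))
    return sessions

def attribute(proxy_lines, sessions):
    """Map each proxy line to the user who held its source IP at that time;
    requests with no matching session are left UNATTRIBUTED for follow-up."""
    result = []
    for line in proxy_lines:
        ts, ip, _method, url = line.split()
        t = datetime.fromisoformat(ts)
        user = next((u for u, sip, s, e in sessions if sip == ip and s <= t < e),
                    "UNATTRIBUTED")
        result.append((user, ip, url))
    return result

if __name__ == "__main__":
    for row in attribute(PROXY_LOG, parse_sessions(AUTH_LOG)):
        print(row)
```

Note that the 12:45 request on 10.0.0.5 lands on carol, not alice, which is exactly the case that device-only attribution gets wrong.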

3. Use more math
By collecting more data and knowing the questions to ask, companies should find themselves with a lot more information on what is happening in their networks. IT security teams can ask questions of the data and discover incidents that may have otherwise been hidden. However, companies should also allow the data to speak for itself -- and to do that, they need math, says Joe Goldberg, senior manager of security and compliance product marketing for data-analytics firm Splunk.

By using statistical analysis, companies can determine the outliers in a big data set. If the average employee downloads 10 files from a SharePoint server in a day, then someone downloading 50 files may be an advanced threat actor harvesting data from the company's server, he says.

"Use statistics and math on the sea of data that you've collected to figure out what is abnormal and what is odd," Goldberg says.
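The SharePoint scenario Goldberg gives, worked through as an added example (not code from the article or Splunk): per-user daily download counts are computed from a constructed access log, then scored two ways. The plain mean/stdev z-score is shown alongside a median/MAD score because a single heavy downloader inflates the standard deviation enough to hide itself; the log format and user names are assumed.

```python
import statistics
from collections import Counter

# Constructed sample SharePoint access log (not from the article): one line per
# download, "timestamp user file". Four users near the ~10/day average the
# article mentions and one ("mallory") pulling 50 files in a day.
DOWNLOAD_LOG = (
    [f"2014-01-03T09:{i:02d}:00 alice /docs/a{i}.docx" for i in range(9)]
    + [f"2014-01-03T10:{i:02d}:00 bob /docs/b{i}.docx" for i in range(11)]
    + [f"2014-01-03T11:{i:02d}:00 carol /docs/c{i}.docx" for i in range(10)]
    + [f"2014-01-03T13:{i:02d}:00 dave /docs/d{i}.docx" for i in range(12)]
    + [f"2014-01-03T14:{i:02d}:00 mallory /docs/m{i}.docx" for i in range(50)]
)

def daily_counts(lines):
    """Group download lines into {day: {user: count}}."""
    counts = Counter()
    for line in lines:
        ts, user, _path = line.split()
        counts[(ts[:10], user)] += 1
    by_day = {}
    for (day, user), n in counts.items():
        by_day.setdefault(day, {})[user] = n
    return by_day

def zscore_outliers(by_day, threshold=3.0):
    """Plain z-score |x - mean| / stdev. The outlier drags the mean up and
    inflates the stdev, so it can mask itself below a 3-sigma cutoff."""
    flagged = {}
    for day, users in by_day.items():
        vals = list(users.values())
        mean, sd = statistics.mean(vals), statistics.pstdev(vals)
        for user, n in users.items():
            if sd and abs(n - mean) / sd > threshold:
                flagged[(day, user)] = n
    return flagged

def robust_outliers(by_day, threshold=3.5):
    """Modified z-score |x - median| / (1.4826 * MAD); median and MAD are not
    pulled toward the outlier, so the heavy downloader stands out."""
    flagged = {}
    for day, users in by_day.items():
        vals = list(users.values())
        med = statistics.median(vals)
        mad = statistics.median([abs(v - med) for v in vals]) or 1.0  # guard zero MAD
        for user, n in users.items():
            if abs(n - med) / (1.4826 * mad) > threshold:
                flagged[(day, user)] = n
    return flagged

if __name__ == "__main__":
    data = daily_counts(DOWNLOAD_LOG)
    print("z-score   :", zscore_outliers(data))   # empty: mallory masks herself
    print("median/MAD:", robust_outliers(data))   # flags mallory with 50 downloads
```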

4. Find out more about attackers
Once companies have the data and the capability to analyze it, they need to know what types of threats may be targeting their company, Mandiant's Bianco says.

Companies need to know the adversaries that might be targeting their businesses or industries. Focused threat intelligence can provide that as well as what techniques are common for those adversaries, Bianco says. Whether an attacker uses spearphishing, SQL injection, or malware to attack a business' systems makes a difference for how a company detects the threats, he says.

"You need to know all these things that influence the catalog that a company creates of detection scenarios and how they are going to detect those threats," he says.

5. Invest more in your people
While security practitioners continue to be in high demand, companies should do everything they can to find the necessary expertise and develop that expertise with training, Splunk's Goldberg says.

"You are going to need security practitioners to not only deploy these systems and collect the data, but also to sit behind the desk and monitor and fine-tune them," he says. "You want skilled people who know your environment well, and you cannot always outsource that."

Robert Lemos is a veteran technology journalist of more than 16 years and a former research engineer, writing articles that have appeared in Business Week, CIO Magazine, CNET News.com, Computing Japan, CSO Magazine, Dark Reading, eWEEK, InfoWorld, MIT's Technology Review, ...
