Security Monitoring

4/14/2012
12:33 AM

Is Monitoring The New Must-Have Of Security?

With attacks regularly getting past the perimeter, detecting anomalies early is increasingly important. Companies should go beyond compliance, experts say.

Conventional wisdom in the security industry is that companies should expect that attackers will get into their networks, if they haven't already done so. While technologies and processes to prevent attacks are necessary, early detection of anomalies is increasingly important.

That puts security monitoring and information management technologies front and center. Companies have to sift through a growing amount of information to detect attacks, and that information comes from an increasing number of devices.

"The importance of monitoring has gone up because the number of sources that you need to monitor has gone up," says Matt Ulery, director of product management at NetIQ. "Name a company whose network is less heterogeneous than it was two years ago. It's crazy."

A major part of the current crop of security information and event monitoring (SIEM) tools is putting security events in context -- correlating disparate alerts and warnings to determine whether the activity is a technology problem, an insider mistake, or an actual attack. Good SIEM products reduce the complex network landscape and alert CISOs to anomalies that could be attacks, says Michael Callahan, vice president of worldwide product and solution marketing for Hewlett-Packard's enterprise security products group.

"Because we have more security events occurring, you have more information being generated. You need a way to sift through all of that and find the real nuggets [to] find what is important," Callahan says.
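The correlation Callahan describes, reduced to working code: an added example, not code from the article or from any vendor it names. It reads constructed VPN-gateway and file-server log lines (already normalised to one "timestamp source key=value" schema, an assumption) and decides per user whether the activity is noise, worth a look, or the sequence that matters: repeated failed logins, a success, then a large read, all inside one time window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from two sources, already normalised to "ts source k=v ...".
VPN_LOG = [
    "2012-04-13T23:50:01 vpn user=alice src=203.0.113.7 result=FAIL",
    "2012-04-13T23:50:09 vpn user=alice src=203.0.113.7 result=FAIL",
    "2012-04-13T23:50:17 vpn user=alice src=203.0.113.7 result=FAIL",
    "2012-04-13T23:50:40 vpn user=alice src=203.0.113.7 result=OK",
    "2012-04-14T00:02:00 vpn user=bob src=198.51.100.5 result=FAIL",
    "2012-04-14T00:05:00 vpn user=bob src=198.51.100.5 result=OK",
]
FILE_LOG = [
    "2012-04-14T00:05:30 fileserver user=alice action=READ bytes=734003200",
    "2012-04-14T00:06:00 fileserver user=bob action=READ bytes=20480",
]

def parse(line):
    """Turn one normalised log line into a dict with a datetime 'ts' and a 'source'."""
    ts, source, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    event["source"] = source
    return event

def correlate(lines, window=timedelta(minutes=30), fail_threshold=3,
              bytes_threshold=100 * 1024 * 1024):
    """Return {user: 'attack' | 'suspicious' | 'benign'} from correlated events."""
    by_user = defaultdict(list)
    for event in sorted(map(parse, lines), key=lambda e: e["ts"]):
        by_user[event["user"]].append(event)
    verdicts = {}
    for user, events in by_user.items():
        fails = [e["ts"] for e in events if e.get("result") == "FAIL"]
        # First successful login preceded by >= fail_threshold failures within the window.
        bruteforce_ok = next((e["ts"] for e in events if e.get("result") == "OK"
                              and sum(e["ts"] - window <= t <= e["ts"] for t in fails)
                              >= fail_threshold), None)
        big_reads = [e["ts"] for e in events
                     if e["source"] == "fileserver" and int(e.get("bytes", 0)) >= bytes_threshold]
        if bruteforce_ok and any(bruteforce_ok <= t <= bruteforce_ok + window for t in big_reads):
            verdicts[user] = "attack"       # credential guessing followed by bulk access
        elif bruteforce_ok or big_reads:
            verdicts[user] = "suspicious"   # one signal alone: worth a look, not an incident
        else:
            verdicts[user] = "benign"
    return verdicts
```

Running `correlate(VPN_LOG + FILE_LOG)` flags alice as an attack and bob as benign; bob's single failed login is exactly the kind of event that is noise on its own and an alert only in context.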

The need for a clearer view of what is happening on corporate networks has led companies to speed their adoption of SIEM tools. About 22 percent of companies have deployed or are currently deploying a monitoring system, while another 21 percent plan to deploy one in the next 12 to 24 months, according to analyst firm Gartner.

Determining how to prioritize monitoring solutions as part of an overall security program is difficult, security experts say. The average company spends about 6 percent of its information-technology budget on security, according to Gartner. For a small company, the budget may buy antivirus and a firewall, while a large company may have its own security operations center.

[When a company starts to worry about losing data to attack, it could be time to create a simple SOC. See Do You Need A Security Operations Center?] 

More important than the exact amount spent is that, to keep up with the threats, companies need to adapt their defenses just as quickly, says Lawrence Pingree, research director with Gartner. Companies can, for example, relegate commodity security products to a managed security service provider to save budget that can then be spent on newer technologies.

"If you stagnate on your security controls, you are likely to get breached," Pingree says.

Unfortunately, rather than choose a monitoring solution to give them better visibility into the security of their networks, most companies adopt a solution to satisfy compliance requirements. The reason: Security professionals find it much easier to budget monitoring costs as part of complying with regulations than trying to argue for better network awareness, NetIQ's Ulery says.

"Most security professionals don't know how to have that conversation about minimizing risk," he says. "It's far easier to throw [the cost] under compliance."

Yet companies need to go beyond just complying with regulations and improve their overall security, Gartner's Pingree says. Many firms store the logs from their various hardware appliances, as required, but that does little to prevent an attack. Less than half of companies set their security information systems to fully block traffic or behavior that violates policy, he says.

"If you want threat prevention, you have to go into preventative mode on these products," Pingree says.

In the end, unless companies go beyond compliance, they are opening themselves up to attack, HP's Callahan says.

"Just being compliant does not mean you are secure," he says. "You have to take a more focused approach on the monitoring side."

Comments
JCharles, User Rank: Apprentice, 1/23/2013 | 5:11:27 PM
re: Is Monitoring The New Must-Have Of Security?
Cost-effective SIEM tools like Secnology allow organizations to not only do compliance but also threat management at their own pace.
macker490, User Rank: Ninja, 4/15/2012 | 12:39:49 PM
re: Is Monitoring The New Must-Have Of Security?
There is a single common thread to computer hacking and that is getting malware into the victim's system. Once this has been done the victim is said to be "pwned": controlled by the attacker.

The defense then has to be directed at preventing unauthorized software updates. User Account Control (UAC) addresses this but a more complete solution is in system lock-down, e.g. "AppLocker".

But this does not go far enough: it addresses only prevention. A security response must also address detection and response.

The recent hack at Alta East described by Brian Krebs (see https://krebsonsecurity.com/20...) contained this critical note:

"Weeden said Alta East's internal IT guys scanned her machine with six different antivirus tools, but the scans turned up no evidence of infection. It wasn't until the company hired an outside forensics expert who removed the hard drive and examined it in an isolated environment that the expert found the ZeuS infection."

Detection requires a Software Audit.

A Software Audit must be done using a separate machine as described here, although a read-only bootable DVD could be used.
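The kind of software audit the comment calls for, run from a separate analysis machine against a mounted suspect drive, as an added example that is not the commenter's code: hash every file on the drive, diff the result against a known-good manifest, and report what was added, changed or removed. The clean-versus-compromised scenario in `demo()` is constructed; the path names and file contents are made up.

```python
import hashlib
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under root (the mounted suspect drive) to its hash."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                manifest[rel] = sha256_file(full)
            except OSError as err:
                manifest[rel] = "UNREADABLE:%s" % err.errno   # unreadable is a finding too
    return manifest

def audit(baseline, observed):
    """Diff a known-good manifest against the suspect drive's manifest."""
    return {
        "added": sorted(set(observed) - set(baseline)),
        "removed": sorted(set(baseline) - set(observed)),
        "modified": sorted(p for p in baseline if p in observed and baseline[p] != observed[p]),
    }

def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)

def demo():
    """Constructed scenario: a clean image and the same image after a compromise."""
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        for root in (clean, suspect):
            _write(root, "Windows/System32/ntdll.dll", b"ntdll build 1")
            _write(root, "Windows/Logs/av.log", b"scan clean")
        _write(suspect, "Windows/System32/ntdll.dll", b"ntdll build 1, patched")  # modified
        _write(suspect, "Windows/Temp/svc_update.exe", b"unknown binary")         # added
        os.remove(os.path.join(suspect, "Windows/Logs/av.log"))                  # removed
        return audit(build_manifest(clean), build_manifest(suspect))
```

In practice the baseline manifest comes from a trusted image or vendor hashes, and the suspect drive is mounted read-only so the audit itself cannot alter the evidence.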
