4/14/2012 12:33 AM

Is Monitoring The New Must-Have Of Security?

With attacks regularly getting past the perimeter, detecting anomalies early is increasingly important. Companies should go beyond compliance, experts say

Conventional wisdom in the security industry is that companies should expect that attackers will get into their networks, if they haven't already done so. While technologies and processes to prevent attacks are necessary, early detection of anomalies is increasingly important.

That puts security monitoring and information management technologies front and center. Companies have to sift through a growing amount of information to detect attacks, and that information comes from an increasing number of devices.

"The importance of monitoring has gone up because the number of sources that you need to monitor has gone up," says Matt Ulery, director of product management at NetIQ. "Name a company whose network is less heterogeneous than it was two years ago. It's crazy."

A major part of the current crop of security information and event management (SIEM) tools is putting security events in context -- correlating disparate alerts and warnings to determine whether the activity is a technology problem, an insider mistake, or an actual attack. Good SIEM products reduce the complex network landscape and alert CISOs to anomalies that could be attacks, says Michael Callahan, vice president of worldwide product and solution marketing for Hewlett-Packard's enterprise security products group.

"Because we have more security events occurring, you have more information being generated. You need a way to sift through all of that and find the real nuggets [to] find what is important," Callahan says.
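As an added illustration of the correlation Callahan describes (example code written for this page, not from the article, HP or NetIQ): a toy Python rule that joins VPN gateway and firewall events for one user inside a time window, so that isolated login failures stay quiet and only the combined pattern surfaces as an alert. The log format and every value in it are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (VPN gateway + firewall); not real data.
SAMPLE_LOGS = """\
2012-04-13T22:01:05 vpn auth_fail user=alice src=203.0.113.7
2012-04-13T22:01:09 vpn auth_fail user=alice src=203.0.113.7
2012-04-13T22:01:14 vpn auth_fail user=alice src=203.0.113.7
2012-04-13T22:01:20 vpn auth_ok   user=alice src=203.0.113.7
2012-04-13T22:03:40 fw  outbound  user=alice src=10.0.0.5 dst=198.51.100.9 dport=443
2012-04-13T22:30:00 vpn auth_fail user=bob   src=192.0.2.44
2012-04-13T22:30:30 vpn auth_ok   user=bob   src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")

def parse(text):
    """Turn 'timestamp source action k=v ...' lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real SIEM would count these
        ts, source, action, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source,
                       "action": action, **fields})
    return events

def correlate(events, min_fails=3, window=timedelta(minutes=5)):
    """Rule: >= min_fails VPN failures then a success from the same source
    within `window`; an outbound firewall flow afterwards raises severity."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        for ok in (e for e in evs if e["source"] == "vpn" and e["action"] == "auth_ok"):
            fails = [e for e in evs if e["source"] == "vpn" and e["action"] == "auth_fail"
                     and e["src"] == ok["src"] and ok["ts"] - window <= e["ts"] <= ok["ts"]]
            if len(fails) < min_fails:
                continue  # below threshold: bob's single typo never alerts
            egress = [e for e in evs if e["source"] == "fw" and e["action"] == "outbound"
                      and ok["ts"] <= e["ts"] <= ok["ts"] + window]
            severity = "high" if egress else "medium"
            alerts.append((user, severity,
                           f"{len(fails)} failed logins then success from {ok['src']}"))
    return alerts
```

Running `correlate(parse(SAMPLE_LOGS))` yields one high-severity alert for alice and nothing for bob, which is the "find the real nuggets" effect the quote describes: seven raw events, one item worth an analyst's time.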

The need for a clearer view of what is happening on corporate networks has led companies to speed their adoption of SIEM tools. About 22 percent of companies have deployed or are currently deploying a monitoring system, while another 21 percent plan to deploy one in the next 12 to 24 months, according to analyst firm Gartner.

Determining how to prioritize monitoring solutions as part of an overall security program is difficult, security experts say. The average company spends about 6 percent of its information-technology budget on security, according to Gartner. For a small company, the budget may buy antivirus and a firewall, while a large company may have its own security operations center.

[When a company starts to worry about losing data to attack, it could be time to create a simple SOC. See Do You Need A Security Operations Center?] 

More important than the exact amount spent is that, to keep up with the threats, companies need to adapt their defenses just as quickly, says Lawrence Pingree, research director with Gartner. Companies can, for example, relegate commodity security products to a managed security service provider to save budget that can then be spent on newer technologies.

"If you stagnate on your security controls, you are likely to get breached," Pingree says.

Unfortunately, rather than choose a monitoring solution to give them better visibility into the security of their networks, most companies adopt a solution to satisfy compliance requirements. The reason: Security professionals find it much easier to budget monitoring costs as part of complying with regulations than trying to argue for better network awareness, NetIQ's Ulery says.

"Most security professionals don't know how to have that conversation about minimizing risk," he says. "It's far easier to throw [the cost] under compliance."

Yet companies need to go beyond just complying with regulations and improve their overall security, Gartner's Pingree says. Many firms store the logs from their various hardware appliances, as required, but that does little to prevent an attack. Less than half of companies set their security information systems to fully block traffic or behavior that violates policy, he says.

"If you want threat prevention, you have to go into preventative mode on these products," Pingree says.

In the end, unless companies go beyond compliance, they are opening themselves up to attack, HP's Callahan says.

"Just being compliant does not mean you are secure," he says. "You have to take a more focused approach on the monitoring side."

JCharles,
User Rank: Apprentice
1/23/2013 | 5:11:27 PM
re: Is Monitoring The New Must-Have Of Security?
Cost-effective SIEM tools like Secnology allow organizations to not only do compliance but also threat management at their own pace.
macker490,
User Rank: Ninja
4/15/2012 | 12:39:49 PM
re: Is Monitoring The New Must-Have Of Security?
There is a single common thread to computer hacking and that is getting malware into the victim's system. Once this has been done the victim is said to be "pwned": controlled by the attacker.

The defense then has to be directed at preventing unauthorized software updates. User Account Control (UAC) addresses this but a more complete solution is in system lock-down, e.g. "AppLocker".

But this does not go far enough: it addresses only prevention. A security response must also address detection and response.

The recent hack at Alta East described by Brian Krebs (see https://krebsonsecurity.com/20...) contained this critical note:

Weeden said Alta East's internal IT guys scanned her machine with six different antivirus tools, but the scans turned up no evidence of infection. It wasn't until the company hired an outside forensics expert who removed the hard drive and examined it in an isolated environment that the expert found the ZeuS infection.

Detection requires a Software Audit.

A Software Audit must be done using a separate machine as described here, although a read-only bootable DVD could be used.
