Security Monitoring

4/14/2012 12:33 AM

Is Monitoring The New Must-Have Of Security?

With attacks regularly getting past the perimeter, detecting anomalies early is increasingly important. Companies should go beyond compliance, experts say

Conventional wisdom in the security industry is that companies should expect that attackers will get into their networks, if they haven't already done so. While technologies and processes to prevent attacks are necessary, early detection of anomalies is increasingly important.

That puts security monitoring and information management technologies front and center. Companies have to sift through a growing amount of information to detect attacks, and that information comes from an increasing number of devices.

"The importance of monitoring has gone up because the number of sources that you need to monitor has gone up," says Matt Ulery, director of product management at NetIQ. "Name a company whose network is less heterogenous than it was two years ago. It's crazy."

A major part of the current crop of security information and event monitoring (SIEM) tools is putting security events in context -- correlating disparate alerts and warnings to determine whether the activity is a technology problem, an insider mistake, or an actual attack. Good SIEM products reduce the complex network landscape and alert CISOs to anomalies that could be attacks, says Michael Callahan, vice president of worldwide product and solution marketing for Hewlett-Packard's enterprise security products group.

"Because we have more security events occurring, you have more information being generated. You need a way to sift through all of that and find the real nuggets [to] find what is important," Callahan says.

The need for a clearer view of what is happening on corporate networks has led companies to speed their adoption of SIEM tools. About 22 percent of companies have deployed or are currently deploying a monitoring system, while another 21 percent plan to deploy one in the next 12 to 24 months, according to analyst firm Gartner.
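The correlation step described above (pulling events from several sources together and deciding whether they look like a technology problem, a user mistake or an attack) is easier to see in code than in prose. The following is an added example written for this page; it is not from the article or from any SIEM vendor's product. The log lines, the two source names ("auth" for a host SSH log, "vpn" for a VPN gateway), the ten-minute window and the failure threshold are all constructed assumptions for the example, and the "svc-" naming rule for service accounts is a stand-in for whatever asset inventory a real deployment would consult.

```python
"""Toy event correlation across two log sources, in the spirit of the
context-building the article describes. Example code added to this page;
it is not from the article or any vendor product. The log lines below are
constructed for the example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "auth" is a host SSH log, "vpn" is a VPN gateway log.
SAMPLE_LOGS = [
    # many failures from one external address, then a success on a different source
    "2012-04-14T00:01:05 auth sshd: Failed password for admin from 203.0.113.7",
    "2012-04-14T00:01:09 auth sshd: Failed password for admin from 203.0.113.7",
    "2012-04-14T00:01:14 auth sshd: Failed password for admin from 203.0.113.7",
    "2012-04-14T00:01:20 auth sshd: Failed password for root from 203.0.113.7",
    "2012-04-14T00:03:20 vpn gateway: Accepted login for admin from 203.0.113.7",
    # a service account failing once an hour and never succeeding: looks like a stale credential
    "2012-04-14T00:00:00 auth sshd: Failed password for svc-backup from 10.0.0.12",
    "2012-04-14T01:00:00 auth sshd: Failed password for svc-backup from 10.0.0.12",
    "2012-04-14T02:00:00 auth sshd: Failed password for svc-backup from 10.0.0.12",
    "2012-04-14T03:00:00 auth sshd: Failed password for svc-backup from 10.0.0.12",
    # one typo followed by a success: ordinary user behaviour
    "2012-04-14T00:10:00 auth sshd: Failed password for alice from 10.0.0.33",
    "2012-04-14T00:10:30 auth sshd: Accepted password for alice from 10.0.0.33",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+) \S+: (?P<outcome>Failed|Accepted) "
    r"(?:password|login) for (?P<user>\S+) from (?P<ip>[\d.]+)$"
)

WINDOW = timedelta(minutes=10)   # how far back failures count toward a later success (assumed)
FAIL_THRESHOLD = 3               # failures needed before the pattern counts as an anomaly (assumed)


def parse_events(lines):
    """Normalise raw lines from both sources into one event schema."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:          # unknown format: a real pipeline would count and report these
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def _alert(ip, kind, severity, evidence):
    """Summarise the evidence behind one alert so an analyst can check it quickly."""
    return {
        "ip": ip,
        "kind": kind,
        "severity": severity,
        "failures": sum(1 for e in evidence if e["outcome"] == "Failed"),
        "sources": sorted({e["source"] for e in evidence}),
        "users": sorted({e["user"] for e in evidence}),
        "first_seen": min(e["ts"] for e in evidence).isoformat(),
        "last_seen": max(e["ts"] for e in evidence).isoformat(),
    }


def correlate(events, window=WINDOW, threshold=FAIL_THRESHOLD):
    """Group events by source IP and decide what the pattern most likely is."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["outcome"] == "Failed"]
        successes = [e for e in evs if e["outcome"] == "Accepted"]

        # Pattern 1: a burst of failures followed by a success, possibly seen on a
        # different source than the failures. This is the one worth escalating.
        attack = None
        for ok in successes:
            recent = [f for f in failures if ok["ts"] - window <= f["ts"] <= ok["ts"]]
            if len(recent) >= threshold:
                attack = recent + [ok]
                break
        if attack:
            alerts.append(_alert(ip, "credential_attack", "high", attack))
            continue

        # Pattern 2: repeated failures and never a success.
        if successes or len(failures) < threshold:
            continue  # a few typos, or nothing at all: not an anomaly
        users = {f["user"] for f in failures}
        if all(u.startswith("svc-") for u in users):
            # only service accounts involved: more likely a stale credential than an intruder
            alerts.append(_alert(ip, "probable_misconfiguration", "low", failures))
        else:
            alerts.append(_alert(ip, "brute_force_no_success", "medium", failures))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOGS)):
        print(alert)
```

Run on the constructed lines, the script raises one high-severity alert for 203.0.113.7 (four failures on the host log, then a success on the VPN gateway, which neither source would flag on its own), one low-severity "probable misconfiguration" for the service account on 10.0.0.12, and nothing for alice's single typo. The point is the triage, not the rules: the same raw events land in three different queues depending on context.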

Determining how to prioritize monitoring solutions as part of an overall security program is difficult, security experts say. The average company spends about 6 percent of its information-technology budget on security, according to Gartner. For a small company, the budget may buy antivirus and a firewall, while a large company may have its own security operations center.

[When a company starts to worry about losing data to attack, it could be time to create a simple SOC. See Do You Need A Security Operations Center?] 

More important than the exact amount spent is that, to keep up with the threats, companies need to adapt their defenses just as quickly, says Lawrence Pingree, research director with Gartner. Companies can, for example, relegate commodity security products to a managed security service provider to save budget that can then be spent on newer technologies.

"If you stagnate on your security controls, you are likely to get breached," Pingree says.

Unfortunately, rather than choose a monitoring solution to give them better visibility into the security of their networks, most companies adopt a solution to satisfy compliance requirements. The reason: Security professionals find it much easier to budget monitoring costs as part of complying with regulations than trying to argue for better network awareness, NetIQ's Ulery says.

"Most security professionals don't know how to have that conversation about minimizing risk," he says. "It's far easier to throw [the cost] under compliance."

Yet companies need to go beyond just complying with regulations and improve their overall security, Gartner's Pingree says. Many firms store the logs from their various hardware appliances, as required, but that does little to prevent an attack. Less than half of companies set their security information systems to fully block traffic or behavior that violates policy, he says.

"If you want threat prevention, you have to go into preventative mode on these products," Pingree says.

In the end, unless companies go beyond compliance, they are opening themselves up to attack, HP's Callahan says.

"Just being compliant does not mean you are secure," he says. "You have to take a more focused approach on the monitoring side."

Comments
JCharles, User Rank: Apprentice
1/23/2013 | 5:11:27 PM
re: Is Monitoring The New Must-Have Of Security?
Cost effective SIEM tools like Secnology allow organizations to not only do compliance but also threat management at their own pace.
macker490, User Rank: Ninja
4/15/2012 | 12:39:49 PM
re: Is Monitoring The New Must-Have Of Security?
There is a single common thread to computer hacking and that is getting malware into the victim's system. Once this has been done the victim is said to be "pwned": controlled by the attacker.

The defense then has to be directed at preventing unauthorized software updates. User Account Control (UAC) addresses this but a more complete solution is in system lock-down, e.g. "AppLocker".

But this does not go far enough: it addresses only prevention. A security response must also address detection and response.

The recent hack at Alta East described by Brian Krebs (see https://krebsonsecurity.com/20...) contained this critical note:

Weeden said Alta East's internal IT guys scanned her machine with six different antivirus tools, but the scans turned up no evidence of infection. It wasn't until the company hired an outside forensics expert who removed the hard drive and examined it in an isolated environment that the expert found the ZeuS infection.

Detection requires a Software Audit.

A Software Audit must be done using a separate machine as described here, although a read-only bootable DVD could be used.
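The software audit the comment above calls for, done from a separate machine rather than from the possibly compromised host, comes down to hashing every file on the suspect volume and comparing against a known-good baseline kept elsewhere. The following is an added example, not code from the commenter, the article, or any forensics product. It assumes the suspect filesystem is mounted read-only at the path passed to hash_tree() and that the baseline file lives off the audited system; the demo() function builds a small constructed directory tree so the whole thing runs offline.

```python
"""File-integrity audit of a mounted volume from a separate machine.
Example code added to this page; not from the comment, the article or any
product. Assumes the suspect filesystem is mounted read-only at the path
given to hash_tree(); demo() uses a constructed temporary tree instead."""
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of one file, streamed so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Symlinks are skipped so a link pointing outside the volume cannot pull
    foreign content into the inventory."""
    root = Path(root)
    inventory = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            inventory[p.relative_to(root).as_posix()] = hash_file(p)
    return inventory


def save_baseline(inventory, path):
    """Store the known-good inventory. Keep this file off the audited system."""
    Path(path).write_text(json.dumps(inventory, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Report what changed since the baseline: added, removed and modified files."""
    base_paths, cur_paths = set(baseline), set(current)
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": sorted(p for p in base_paths & cur_paths
                           if baseline[p] != current[p]),
    }


def demo():
    """Baseline a constructed tree, change it, and audit the result offline."""
    with tempfile.TemporaryDirectory() as volume, tempfile.TemporaryDirectory() as store:
        root = Path(volume)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")

        # The baseline is written to a second directory, standing in for the
        # separate audit machine the comment recommends.
        baseline_path = Path(store) / "baseline.json"
        save_baseline(hash_tree(root), baseline_path)

        # Constructed changes an audit should surface: one binary altered,
        # one unexpected file added, one config file removed.
        (root / "bin" / "ls").write_bytes(b"altered ls binary")
        (root / "bin" / "unexpected").write_bytes(b"file not in baseline")
        (root / "etc" / "hosts").unlink()

        return compare(load_baseline(baseline_path), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Two points the comment's scenario turns on are visible here: the hashes are computed by the auditing machine's own code, so malware on the suspect host cannot lie about them the way it can to an on-box antivirus scan, and the baseline is only as trustworthy as the moment it was taken, so it should be captured right after a clean build and stored where the audited system cannot reach it.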

WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-7907
PUBLISHED: 2018-09-26
Some Huawei products Agassi-L09 AGS-L09C100B257CUSTC100D001, AGS-L09C170B253CUSTC170D001, AGS-L09C199B251CUSTC199D001, AGS-L09C229B003CUSTC229D001, Agassi-W09 AGS-W09C100B257CUSTC100D001, AGS-W09C128B252CUSTC128D001, AGS-W09C170B252CUSTC170D001, AGS-W09C229B251CUSTC229D001, AGS-W09C331B003CUSTC331D0...
CVE-2018-3972
PUBLISHED: 2018-09-26
An exploitable code execution vulnerability exists in the Levin deserialization functionality of the Epee library, as used in Monero 'Lithium Luna' (v0.12.2.0-master-ffab6700) and other cryptocurrencies. A specially crafted network packet can cause a logic flaw, resulting in code execution. An attac...
CVE-2018-17538
PUBLISHED: 2018-09-26
Axon (formerly TASER International) Evidence Sync 3.15.89 is vulnerable to process injection.
CVE-2018-11763
PUBLISHED: 2018-09-25
In Apache HTTP Server 2.4.17 to 2.4.34, by sending continuous, large SETTINGS frames a client can occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.
CVE-2018-14634
PUBLISHED: 2018-09-25
An integer overflow flaw was found in the Linux kernel's create_elf_tables() function. An unprivileged local user with access to SUID (or otherwise privileged) binary could use this flaw to escalate their privileges on the system. Kernel versions 2.6.x, 3.10.x and 4.14.x are believed to be vulnerabl...