Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Analytics //

Security Monitoring

5 Monitoring Initiatives For 2014

To get better visibility into the business and potential threats inside their networks, companies should collect more data, use context, and invest more in their employees' expertise

Security information and event management systems (SIEMs) became much more common in 2013, while more companies talked about using massive data sets to fuel better visibility into the potential threats inside their networks.

Yet effective security monitoring has a long way to go. To better secure their networks and improve visibility into the threats on their systems in 2014, companies first need good communication between business executives and information-security managers. While 90 percent of managers surveyed by network security and management firm SolarWinds thought security was under control, only 30 percent of the actual IT practitioners believe that security is well-established, according to the firm.

A good place to start is for information-technology leaders to ask themselves and their business counterparts what more they want to know about their networks, systems, and employees. Without the right questions, monitoring for threats will be hard, says Dave Bianco, Hunt Team manager for incident-response firm Mandiant, which was acquired by FireEye this week.

"It pays for companies to take a step back and look at what they are doing," Bianco says. "I can look at things that I'm really worried about because of my business, or things that might be interesting to those who are attacking me -- not only figure out what you might be able to detect, but figure out what you have to detect them with."

To start the conversation, here are five initiatives that security-monitoring experts say should be undertaken this year.

1. Catalog the sources in your network
Companies first have to know what they have to work with. A business looking at improving its visibility into its network and the threats in the network should first find out what data sources are available, Mandiant's Bianco says.

Companies should not only collect the logs from Web servers, firewalls, and intrusion-detection systems, but other systems that may not initially be considered sources of intrusion information, he says. One example: the authentication logs for all the systems in the environment, he says.

"Make sure that you are logging the data from these systems correctly and sending it to a central place where you can get access to it," Bianco says. "That way you can turn all those independent log sources into new detection platforms."

2. Monitor users, not just devices
Many companies continue to attribute activities to Internet addresses -- that is, devices -- on their networks, rather than dealiasing the user behind those actions, says Patrick Hubbard, head geek for SolarWinds. Yet adding context to the actions being taken on the network is important, he says.

"With more and more Internet-connected devices on the network, the number of humans on the network relative to the number of devices on the network is beginning to decrease, so it is not as easy to have strong authentication from the device," Hubbard says.

[Companies analyzing the voluminous data produced by information systems should make sure to check user access and configuration changes, among other log events. See 5 Signs Of Trouble In Your Network.]

Businesses should make an effort this year to attribute actions to specific employees and users by combining authentication information and other sources with network logs.

"You want to look at users not just as logons, but within the context of the identity breadcrumbs they are leaving behind on the network," he says.

3. Use more math
By collecting more data and knowing the questions to ask, companies should find themselves with a lot more information on what is happening in their networks. IT security teams can ask questions of the data and discover incidents that may have otherwise been hidden. However, companies should also allow the data to speak for itself -- and to do that, they need math, says Joe Goldberg, senior manager of security and compliance product marketing for data-analytics firm Splunk.

By using statistical analysis, companies can determine the outliers in a big data set. If the average employee downloads 10 files from a SharePoint server in a day, then someone downloading 50 files may be an advanced threat actor harvesting data from the company's server, he says.

"Use statistics and math on the sea of data that you've collected to figure out what is abnormal and what is odd," Goldberg says.

4. Find out more about attackers
Once companies have the data and the capability to analyze it, they need to know what types of threats may be targeting their company, Mandiant's Bianco says.

Companies need to know the adversaries that might be targeting their businesses or industries. Focused threat intelligence can provide that as well as what techniques are common for those adversaries, Bianco says. Whether an attacker uses spearphishing, SQL injection, or malware to attack a business' systems makes a difference for how a company detects the threats, he says.

"You need to know all these things that influence the catalog that a company creates of detection scenarios and how they are going to detect those threats," he says.

5. Invest more in your people
While security practitioners continue to be in high demand, companies should do everything they can to find the necessary expertise and develop that expertise with training, Splunk's Goldberg says.

"You are going to need security practitioners to not only deploy these systems and collect the data, but also to sit behind the desk and monitor and fine-tune them," he says. "You want skilled people who know you environment well, and you cannot always outsource that."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/21/2020
Cybersecurity Bounces Back, but Talent Still Absent
Simone Petrella, Chief Executive Officer, CyberVista,  9/16/2020
Meet the Computer Scientist Who Helped Push for Paper Ballots
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/16/2020
Register for Dark Reading Newsletters
White Papers
Latest Comment: Exactly
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-21
IBM WebSphere Application Server Liberty through running oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client. IBM X-Force ID: 184650.
PUBLISHED: 2020-09-21
IBM Aspera Web Application 1.9.14 PL1 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 188055.
PUBLISHED: 2020-09-21
IBM Business Automation Content Analyzer on Cloud 1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the i...
PUBLISHED: 2020-09-21
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted HTTP/2 request with invalid characters. IBM X-Force ID: 184438.
PUBLISHED: 2020-09-21
IBM DataPower Gateway 2018.4.1.0 through 2018.4.1.12 could allow a remote attacker to cause a denial of service by sending a specially crafted a JSON request with invalid characters. IBM X-Force ID: 184439.