Risk

10/3/2019
02:00 PM
Aaron Sierra
Commentary
Common Pitfalls of Security Monitoring

We need technology, but we can't forget the importance of humans working methodically to make it effective.

No matter how much we invest in defense and how many new solutions hit the market every year, we still face an onslaught of highly successful cyberattacks. Hackers are savvy and persistent, and our failure to keep pace is leading to a problem projected to eclipse $3 billion in losses, according to 2018 data.

Particularly as the cyber arms race has ratcheted up over the years, I have seen a fixation on technology and consistently poor investment in people and process to operate it. We absolutely need the technology, but we can't forget or overstate the importance of humans working methodically to make it effective, especially for security monitoring.

I have long seen organizations of all kinds fail to approach security monitoring with the same discipline and rigor they afford to other business programs. For cyber defenses to be effective, we must begin to view and manage security monitoring as an essential business service.

Here are the common pitfalls I see, and how to overcome them.

Inadequate Resourcing
When a business function is regarded as critical, it is resourced with the time and talent it requires. Could a security breach render your organization helpless? If you answered yes, security monitoring is more than just a "nice-to-have."

I routinely see organizations task folks with security monitoring duties while still expecting them to drive other IT initiatives and work on a myriad of unrelated issues. This best-effort approach lacks the experience, training, focus, and proper staffing necessary to run an effective monitoring program. Tasking even your most skilled generalist with security monitoring is the equivalent of asking a sales rep to take over an entire marketing function. They may have dabbled, but they need expertise, a team, and ample time to do it right.

Your monitoring analysts need to know what they're looking for and looking at. It's a tough role to fill, and analyst burnout is a thing. That makes developing this team one of the more difficult challenges for a security leader. However, taking the time to recruit and retain good analysts will pay dividends in threat detection and ultimately business risk reduction. Moreover, as team members begin to perform a deeper analysis of environment activity, they will likely arm you with valuable insights about the implementation and efficacy of your broader security infrastructure investments and overall program.  

Failure to Identify and Drive Toward Outcomes
There's an assumption that security analysts inherently know what constitutes an "incident" and how to find it, and to some extent this is true. But if the organization hasn't defined and prioritized the kinds of incidents that might cripple or cost the business, there's a good chance that important events will never even cross the analysts' radar.

Consider a business with an e-commerce presence. Should the security monitoring program be extended to the applications and infrastructure delivering that service? Let's assume it should. Does the monitoring program look for traditional network-based attacks? Application-level attacks? Insider activity? Account takeovers? Compliance-impacting events? You see where this is going.

Each one of these monitoring use cases is supported by special telemetry and processes, and some may warrant special service-level agreements. Without careful planning and prioritization, it's quite likely that the monitoring team doesn't even have visibility into some of these events, let alone the ability to deliver consistent outcomes the business requires.

Make sure your monitoring program has clearly defined and prioritized service deliverables, then be sure to establish the telemetry and processes necessary to fulfill these essential business objectives.

Forgetting the Basics
We invest in security infrastructure with the hope of becoming less penetrable or better equipped to detect and respond to those events that warrant our attention. Unfortunately, many businesses make major technology purchases, then fail to get those technologies fully integrated into the environment and the business operations they serve.

Take firewalls, for instance — a basic, decades-old technology that is synonymous with network security. They remain a table-stakes infrastructure investment in every organization with a modicum of cybersecurity concern. At the same time, firewall management practices are straight from the Wild West in many, many organizations.

Time and time again, I have encountered organizations, even enterprise environments, that have no semblance of configuration standards, porous rule sets, and unenabled features. In many of these organizations, each firewall configuration looks like a complete one-off. In the rush to next-gen devices, many implementation efforts were declared complete immediately after performing a like-for-like migration of outdated Cisco Adaptive Security Appliance policies.

What does this have to do with monitoring? Everything.

Firewalls are just one example of monitoring telemetry. When telemetry is not implemented correctly, consistently, and completely, your monitoring effort will have visibility gaps. When these gaps are the result of inconsistent implementations, they may go undetected for some time, all the while leaving you with a false sense of security. Your telemetry (all that security technology you've invested in), where it's placed, how it's configured, and how it's managed is critical to your monitoring program success.  
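The visibility-gap problem described above can be checked mechanically. The following is an added example, not code from the article or its author: it takes a constructed inventory of expected telemetry sources, the features actually enabled on each device (as a config audit would report them), and the last event time the SIEM received from each, and flags sources that have gone silent or were migrated without the features the monitoring program depends on. All device names, feature names and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed inventory: what the monitoring program expects from each source.
# "max_silence" is the longest gap in events that is normal for that source;
# "required" lists the config features monitoring depends on.
EXPECTED_SOURCES = {
    "fw-hq-01":     {"max_silence": timedelta(minutes=5),
                     "required": {"syslog_to_siem", "threat_prevention", "ntp"}},
    "fw-branch-07": {"max_silence": timedelta(minutes=5),
                     "required": {"syslog_to_siem", "threat_prevention", "ntp"}},
    "web-app-01":   {"max_silence": timedelta(minutes=15),
                     "required": {"access_log", "waf_log"}},
}

# Constructed: features actually enabled, as pulled from a config audit.
ACTUAL_CONFIG = {
    "fw-hq-01":     {"syslog_to_siem", "threat_prevention", "ntp"},
    "fw-branch-07": {"threat_prevention"},   # like-for-like migration; logging never re-enabled
    "web-app-01":   {"access_log", "waf_log"},
}

# Constructed: last event timestamp the SIEM received from each source.
# web-app-01 is absent: it is in the inventory but has never sent anything.
LAST_SEEN = {
    "fw-hq-01":     datetime(2019, 10, 3, 13, 58),
    "fw-branch-07": datetime(2019, 10, 3, 9, 15),
}

def find_gaps(now, expected=EXPECTED_SOURCES, actual=ACTUAL_CONFIG, last_seen=LAST_SEEN):
    """Return {source: [problems]} for every source with a telemetry gap."""
    gaps = {}
    for name, spec in expected.items():
        problems = []
        seen = last_seen.get(name)
        if seen is None:
            problems.append("never reported")          # inventory says it exists, SIEM has nothing
        elif now - seen > spec["max_silence"]:
            problems.append(f"silent for {now - seen}")  # was reporting, then stopped
        missing = spec["required"] - actual.get(name, set())
        if missing:
            problems.append("missing: " + ", ".join(sorted(missing)))  # config drift
        if problems:
            gaps[name] = problems
    return gaps

if __name__ == "__main__":
    for source, problems in find_gaps(datetime(2019, 10, 3, 14, 0)).items():
        print(source, "->", "; ".join(problems))
```

Run against a real inventory, a report like this turns an undetected gap into a ticket: a branch firewall that stopped forwarding logs months ago shows up the same day.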

Conclusion
People, process, technology: We all know how important these are, yet we often lose sight of that fact. Hopefully, these insights help you to maintain the balanced view required to monitor your environment effectively.


Aaron Sierra, Sr. Security Architect at Alagen cybersecurity services firm, is a passionate cybersecurity leader and consultant with nearly two decades of developing, leading, and advising diverse security programs. Leveraging this deep experience, Aaron advises security ...