
Risk

10/3/2019
02:00 PM
Aaron Sierra
Commentary

Common Pitfalls of Security Monitoring

We need technology, but we can't forget the importance of humans working methodically to make it effective.

No matter how much we invest in defense and how many new solutions hit the market every year, we still face an onslaught of highly successful cyberattacks. Hackers are savvy and persistent, and our failure to keep pace is leading to a problem projected to eclipse $3 billion in losses, according to 2018 data.

Particularly as the cyber arms race has ratcheted up over the years, I have seen a fixation on technology and consistently poor investment in people and process to operate it. We absolutely need the technology, but we can't forget or overstate the importance of humans working methodically to make it effective, especially for security monitoring.

I have long seen organizations of all kinds fail to approach security monitoring with the same discipline and rigor they afford to other business programs. For cyber defenses to be effective, we must begin to view and manage security monitoring as an essential business service.

Here are the common pitfalls I see, and how to overcome them.

Inadequate Resourcing
When a business function is regarded as critical, it is resourced with the time and talent it requires. Could a security breach render your organization helpless? If you answered yes, security monitoring is more than just a "nice-to-have."

I routinely see organizations task folks with security monitoring duties while still expecting them to drive other IT initiatives and work on a myriad of unrelated issues. This best-effort approach lacks the experience, training, focus, and proper staffing necessary to run an effective monitoring program. Tasking even your most skilled generalist with security monitoring is the equivalent of asking a sales rep to take over an entire marketing function. They may have dabbled, but they need expertise, a team, and ample time to do it right.

Your monitoring analysts need to know what they're looking for and looking at. It's a tough role to fill, and analyst burnout is a thing. That makes developing this team one of the more difficult challenges for a security leader. However, taking the time to recruit and retain good analysts will pay dividends in threat detection and ultimately business risk reduction. Moreover, as team members begin to perform a deeper analysis of environment activity, they will likely arm you with valuable insights about the implementation and efficacy of your broader security infrastructure investments and overall program.  

Failure to Identify and Drive Toward Outcomes
There's an assumption that security analysts inherently know what constitutes an "incident" and how to find it, and to some extent this is true. But if the organization hasn't defined and prioritized the kinds of incidents that might cripple or cost the business, there's a good chance that important events will never even cross the analysts' radar.

Consider a business with an e-commerce presence. Should the security monitoring program be extended to the applications and infrastructure delivering that service? Let's assume it should. Does the monitoring program look for traditional network-based attacks? Application-level attacks? Insider activity? Account takeovers? Compliance-impacting events? You see where this is going.

Each one of these monitoring use cases is supported by special telemetry and processes, and some may warrant special service-level agreements. Without careful planning and prioritization, it's quite likely that the monitoring team doesn't even have visibility into some of these events, let alone the ability to deliver consistent outcomes the business requires.

Make sure your monitoring program has clearly defined and prioritized service deliverables, then be sure to establish the telemetry and processes necessary to fulfill these essential business objectives.

Forgetting the Basics
We invest in security infrastructure with the hope of becoming less penetrable or better equipped to detect and respond to those events that warrant our attention. Unfortunately, many businesses make major technology purchases, then fail to get those technologies fully integrated into the environment and the business operations they serve.

Take firewalls, for instance — a basic, decades-old technology that is synonymous with network security. They remain a table-stakes infrastructure investment in every organization with a modicum of cybersecurity concern. At the same time, firewall management practices are straight from the Wild West in many, many organizations.

Time and time again, I have encountered organizations, even enterprise environments, that have no semblance of configuration standards, that run porous rule sets, and that leave available features unenabled. In many of these organizations, each firewall configuration looks like a complete one-off. In the rush to next-gen devices, many implementation efforts were declared complete immediately after performing a like-for-like migration of outdated Cisco Adaptive Security Appliance policies.

What does this have to do with monitoring? Everything.

Firewalls are just one example of monitoring telemetry. When telemetry is not implemented correctly, consistently, and completely, your monitoring effort will have visibility gaps. When these gaps are the result of inconsistent implementations, they may go undetected for some time, all the while leaving you with a false sense of security. Your telemetry (all that security technology you've invested in), where it's placed, how it's configured, and how it's managed is critical to your monitoring program success.  
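To make these gaps visible rather than assumed, here is an added example (not from the article or its author) that checks a firewall inventory against a configuration standard and against what the SIEM has actually received; the standard, the inventory, the host names and the events are all constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2019, 10, 3, 14, 0, tzinfo=UTC)  # constructed "current" time

# Hypothetical configuration standard every firewall is expected to meet.
STANDARD = {"log_denies": True, "syslog_target": "siem.example.internal",
            "default_policy": "deny"}

# Constructed inventory: device -> the settings actually found on it.
INVENTORY = {
    "fw-dc1-edge":  {"log_denies": True,  "syslog_target": "siem.example.internal", "default_policy": "deny"},
    "fw-dc2-edge":  {"log_denies": False, "syslog_target": "siem.example.internal", "default_policy": "deny"},
    "fw-branch-07": {"log_denies": True,  "syslog_target": "legacy-collector",      "default_policy": "allow"},
    "fw-ecom-dmz":  {"log_denies": True,  "syslog_target": "siem.example.internal", "default_policy": "deny"},
}

# Constructed SIEM event samples: (reporting device, event time).
EVENTS = [
    ("fw-dc1-edge",  datetime(2019, 10, 3, 13, 55, tzinfo=UTC)),
    ("fw-ecom-dmz",  datetime(2019, 10, 3, 13, 50, tzinfo=UTC)),
    ("fw-branch-07", datetime(2019, 10, 1, 9, 12, tzinfo=UTC)),   # stale for two days
    ("fw-lab-test",  datetime(2019, 10, 3, 13, 58, tzinfo=UTC)),  # never inventoried
]

def config_drift(inventory, standard):
    """Map each non-conforming device to {setting: (expected, actual)}."""
    drift = {}
    for dev, cfg in inventory.items():
        bad = {k: (v, cfg.get(k)) for k, v in standard.items() if cfg.get(k) != v}
        if bad:
            drift[dev] = bad
    return drift

def silent_sources(inventory, events, now=NOW, max_silence=timedelta(hours=1)):
    """Inventoried devices with no event newer than now - max_silence: a visibility gap."""
    last_seen = {}
    for dev, ts in events:
        last_seen[dev] = max(ts, last_seen.get(dev, ts))
    cutoff = now - max_silence
    return sorted(d for d in inventory if d not in last_seen or last_seen[d] < cutoff)

def unknown_sources(inventory, events):
    """Devices sending logs that the inventory does not know about: an inventory gap."""
    return sorted({dev for dev, _ in events} - set(inventory))

if __name__ == "__main__":
    print("config drift:", config_drift(INVENTORY, STANDARD))
    print("silent:", silent_sources(INVENTORY, EVENTS))
    print("unknown:", unknown_sources(INVENTORY, EVENTS))
```

Run on a schedule, a device that appears in the drift report or the silent list is exactly the inconsistent implementation that otherwise goes undetected.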

Conclusion
People, process, technology: We all know how important these are, yet we often lose sight of that fact. Hopefully, these insights help you to maintain the balanced view required to monitor your environment effectively.


Aaron Sierra, Sr. Security Architect at Alagen cybersecurity services firm, is a passionate cybersecurity leader and consultant with nearly two decades of developing, leading, and advising diverse security programs. Leveraging this deep experience, Aaron advises security ...