informa
News

Is Monitoring The New Must-Have Of Security?

With attacks regularly getting past the perimeter, detecting anomalies early is increasingly important. Companies should go beyond compliance, experts say
Conventional wisdom in the security industry is that companies should expect that attackers will get into their networks, if they haven't already done so. While technologies and processes to prevent attacks are necessary, early detection of anomalies is increasingly important.

That puts security monitoring and information management technologies front and center. Companies have to sift through a growing amount of information to detect attacks, and that information comes from an increasing number of devices.

"The importance of monitoring has gone up because the number of sources that you need to monitor has gone up," says Matt Ulery, director of product management at NetIQ. "Name a company whose network is less heterogenous than it was two years ago. It's crazy."

A major part of the current crop of security information and event monitoring (SIEM) tools is putting security events in context -- correlating disparate alerts and warnings to determine whether the activity is a technology problem, an insider mistake, or an actual attack. Good SIEM products reduce the complex network landscape and alert CISOs to anomalies that could be attacks, says Michael Callahan, vice president of worldwide product and solution marketing for Hewlett-Packard's enterprise security products group.

"Because we have more security events occurring, you have more information being generated. You need a way to sift through all of that and find the real nuggets [to] find what is important," Callahan says.

The need for a clearer view of what is happening on corporate networks has led companies to speed their adoption of SIEM tools. About 22 percent of companies have deployed or are currently deploying a monitoring system, while another 21 percent plan to deploy one in the next 12 to 24 months, according to analyst firm Gartner.

Determining how to prioritize monitoring solutions as part of an overall security program is difficult, security experts say. The average company spends about 6 percent of its information-technology budget on security, according to Gartner. For a small company, the budget may buy antivirus and a firewall, while a large company may have its own security operations center.

[When a company starts to worry about losing data to attack, it could be time to create a simple SOC. See Do You Need A Security Operations Center?] 

More important than the exact amount spent is that, to keep up with the threats, companies need to adapt their defenses just as quickly, says Lawrence Pingree, research director with Gartner. Companies can, for example, relegate commodity security products to a managed security service provider to save budget that can then be spent on newer technologies.

"If you stagnate on your security controls, you are likely to get breached," Pingree says.

Unfortunately, rather than choose a monitoring solution to give them better visibility into the security of their networks, most companies adopt a solution to satisfy compliance requirements. The reason: Security professionals find it much easier to budget monitoring costs as part of complying with regulations than trying to argue for better network awareness, NetIQ's Ulery says.

"Most security professionals don't know how to have that conversation about minimizing risk," he says. "It's far easier to throw [the cost] under compliance."

Yet companies need to go beyond just complying with regulations and improve their overall security, Gartner's Pingree says. Many firms store the logs from their various hardware appliances, as required, but that does little to prevent an attack. Less than half of companies set their security information systems to fully block traffic or behavior that violates policy, he says.

"If you want threat prevention, you have to go into preventative mode on these products," Pingree says.

In the end, unless companies go beyond compliance, they are opening themselves up to attack, HP's Callahan says.

"Just being compliant does not mean you are secure," he says. "You have to take a more focused approach on the monitoring side."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Recommended Reading: