Securing the Digital World

Operationalizing Monitoring and Response

Feb 17, 2016 | by RSA |

There are constant attacks against every network, and security practitioners need to be prepared to defend their organization's assets. However, while many organizations have technology to detect at least some of these threats, they do not have the resources to effectively follow up or act on what they may find.

Over the past few years, the industry has seen several large breaches in which organizations have fallen victim to this predicament. In the past, many security groups did not get funding for the technology needed to mitigate or detect threats, nor were they concerned with incident response. However, as attacks and breaches have become more visible and more public, organizations are attempting to limit their chances of becoming victims. In response, many organizations have created teams focused on detection of attacks, and allocated budgets to purchase security technologies that support this mission.

This is a positive for many organizations, since they would not have had the sponsorship to request these new security budget items a few years ago. However, a new predicament comes with the territory: These systems need a dedicated team that manages and monitors the system after it has been created and implemented in order to make them effective. When building security monitoring into an enterprise, the following considerations should be taken into account after the tools have been installed:

Tool Awareness and Placement

It is rare that a security team puts in a tool without consulting other groups that may be affected by its presence. Other teams need to understand how these systems work so that when an incident occurs, the organization can expedite a response. For example, a malware outbreak might include desktop teams, phishing attacks might involve mail teams, and application attacks might involve development teams. Other divisions are extensions of the security team during an incident, so they should be treated as such.

Keeping an Eye Out at All Times

If security monitoring technology is in place, the output needs to be perpetually reviewed and monitored; otherwise, attacks that are detected can still be successful. If an information security team is going to configure an alert in a system for attack notification but does not have a team member reviewing the alerts, the defense posture of the organization is degraded. Many times, organizations become preoccupied with compliance and put these systems in solely to pass audits. There is a large risk associated with having untuned and unmonitored security technologies within an organization, as they may provide a false sense of protection.

Filling Gaps with Third Party Assistance

If a security team has the budget but not the head count to monitor systems, a logical plan of action would be to have a third party assist. There are many managed security service providers (MSSPs) that can help with vigilance. These MSSPs serve as an extension of an internal security team and can provide expertise as well as cover the gaps in timing when the organization is unable to monitor its systems.

In summary, monitoring is only fully effective if the output is acted upon. Adopters of this essential technology must have a plan to act on the results to ensure effective protection of the organization's critical assets.