Why Security Monitoring?
Security monitoring is the automated process of collecting and analyzing indicators of potential security threats, then triaging these threats for appropriate action.
Security monitoring, sometimes referred to as “security information monitoring (SIM)” or “security event monitoring (SEM),” involves collecting and analyzing information to detect suspicious behaviour or unauthorized system changes on your network, defining which types of behaviour should trigger alerts and taking action on alerts as needed.
Different aspects of Security Monitoring.
The Key Aspects of security monitoring to consider, are:
- Business traffic crossing a boundary
- Activity at a boundary
- Internal workstation, server or device
- Internal network activity
- Network connections
- Session activity by user & workstation
- Alerting on events
- Accurate time in logs
- Data backup status
Security Operations Center (SOC)
The Security Operations Center is a collection of tools, processes and human factors that centralize event monitoring, collect, analyze and manage events, and provide the ability to integrate and coordinate between different tools and technologies.
Integrated and comprehensive security monitoring, in addition to providing the best response to threats, will enable managers to more accurately analyze the security situation and its degree of risk. This process will ultimately lead to improved methods, policies and security solutions and, in general, a significant improvement in security.
The Security Orchestration, Automation and Response (SOAR), formally defined by Gartner as Security Automation and Orchestration (SAO), product space has grown exponentially in recent years as an increasing number of enterprises, security operations centres and managed security service providers have looked to new and innovative solutions to address several pervasive problems.
Gartner, which refers to the products as Security Orchestration, Automation and Response (SOAR) solutions, reported that less than 1 per cent of businesses with more than five IT security professionals was using SOAR tools at the end of 2017. But the firm has forecasted that, by 2020, 15 per cent of those organizations will be using the tools.
SOAR vs SIEM
Like many new product categories, SOAR was born from problems without solutions (or perhaps more accurately, problems which had grown beyond the point that they could be adequately solved with existing solutions). To more accurately define the product category, it is crucial to first understand what problems drove its creation. There are five key problems the SOAR market space has evolved to address. Increased workload combined with budget constraints and competition for skilled analysts means that organizations are being forced to do more with less.
SOAR solutions are different than SIEM solutions. While SIEM systems aggregate log data from a variety of sources and provide real-time alerts, SOAR integrates a broader range of internal and external applications. However, most SOAR solutions are deployed alongside SIEM systems. Also, Gartner noted that many SIEMs are beginning to add SOAR capabilities, so it is possible the two categories of tools may eventually merge into one.
What can Terminus System do for you?
We help you to:
- Authorize traffic exchanges and conform to security policy. Transport of malicious content and other forms of attack by manipulation of business traffic are detected and alerted.
- Detect suspect activity indicative of the actions of an attacker attempting to breach the system boundary or other deviation from normal business behaviour.
- Detect changes to devise status and configuration from accidental or deliberate acts by a user, or by malware.
- Detect suspicious activity that may indicate attacks by internal users or external attackers who have penetrated the internal network.
- Prevent unauthorized connections to the network made by remote access, VPN, wireless or any other transient means of network connection.
- Detect unauthorized activity and access that is suspicious or violates security policy requirements.
- Be able to respond to security incidents in a time frame appropriate to the perceived criticality of the incident.
- Be able to correlate event data collected from disparate sources.
- Be able to recover from an event that compromises the integrity or availability of information assets.
- Collect details of imports and exports executed by internal users.
- Track cross-boundary information exchange operations.
- Collect information on the use of any externally visible interfaces.
- Collect information and alerts from content checking and quarantine services.
- Collect information from firewalls and other network devices for traffic and traffic-trend
- Collect information from an Intrusion Detection Service (IDS) at the boundary with any un-trusted network.
- Record changes to device configuration.
- Record indications that could be attributed to accidental or malicious activity Record indications of unauthorized actions in tightly controlled environments such as the attachment of USB storage devices.
- Collect information relating to access to any business critical file areas.
- Monitor critical internal boundaries and resources within internal networks. Possible candidates for heightened internal
Possible candidates for heightened internal monitoring include:
- Core electronic messaging infrastructure
- Sensitive databases Project servers and file stores with restricted access requirements
- Monitor network access points that are open to connection attempts by anyone
- Monitor mobile users and remote working solutions.
- Monitor restrictive environments in which the attachment of modems and wireless access points are prohibited.
- Monitor network ports of the wired network environment.
- Monitor user activity and sensitive data access to ensure they can be made accountable for their actions.
- Monitor workstation connectivity connected peripherals and data ports.
- Profile normal user activity to enable detection of abnormal behaviour.
- Tightly control and monitor administration and service accounts.
- Ensure events classed as critical are notified in as close to real-time as is achievable.
- Ensure automation and filtering is sufficient to bring events to the attention of the right people using the right mechanism.
- Establish the correct level of monitoring for the organization, ranging from simple monitoring to integrated solutions using enterprise level centralized security.
- Consider combining functions such as security and network management, taking into account maintaining segregation requirements.
- Implement secondary alerting channels (e.g. SNMP, email, SMS, etc.) using in-hours or
- Provide a master clock system component which is synchronized to an atomic clock
- Update device clocks from the master clock using the Network Time Protocol (NTP)
- Record time in logs in a consistent format – Universal Co-ordinated Time (UTC) is recommended
- Provide a process to check and update device clocks on a regular basis (eg weekly)
- Define the error margin for time accuracy according to business requirements
- Provide manual maintenance for devices that do not support clock synchronization
- Provide support for local time on human interfaces
- Provide a process to correct clock drift on mobile devices upon reconnection
- Provide an audit trail of backup and recovery to enable identification of the last known good state of the information assets.
- Alert storage failure events.