Security Monitoring is the catch-all name for the process of detecting threats and managing security incidents. It’s generally broken into two phases:
In this article, let's take a look at what security monitoring means and how it forms the foundation for your cybersecurity posture.
Security monitoring is essential for many reasons and they all have to do with the evolving security landscape your organization faces every day. The cost of a data breach averages $9.44 million: no small change. The most important assets in your organization — user data, intellectual property and trade secrets — are frequent targets of attacks by malicious actions, including hacktivists, financially motivated cybercriminals and state-sponsored threat actors.
Even worse? These threats can originate from within the network itself, by a rogue internal user or a hacker who is able to successfully compromise login credentials and network access.
The initial stages of the cyber-attack kill chain involve actions such as login attempts, data transfer and server access requests that may indeed be legitimate — but they remain Indicators of Attack (IoA). Vulnerabilities within the network means that a cyberattack can remain under the radar, continuing to exfiltrate data to an external command and control center by employing tactics such as:
The good news is that network endpoints and nodes generate large volumes of information in real-time. The logging data contains metadata pertaining to user requests, TCP/IP protocols, error codes, and other information about the endpoint, systems, events, incidents and the wider network.
This data presents an unprecedented opportunity to discover patterns of anomalous behavior and gain insight on potential attempts to infiltrate the network — and that brings us to security monitoring.
The principles behind security monitoring are simple: The technology continuously monitors the real-time health of the network by…
Remediation actions are often automated, but can also include manual work, as determined by security analysts in charge of this sort of monitoring.
(Power your SOC with full visibility and security monitoring from Splunk.)
Now to the challenging bits… This all sounds good, in theory. But there are of course challenges with it.
Enterprise IT networks are huge, generating vast volumes of logging data in real-time. That means you’ll need a robust mechanism to capture all the log data. To use this log data for security monitoring and analytics applications, you’ll need to know that it’s quality data.
Log analysis requires an efficient and highly scalable data platform that can ingest multi-modal and multi-structured data from multiple sources, and then preprocess it on-demand based on third-party analytics tooling specification. Such a data platform is typically built as a data lake.
Not convinced all this is needed? An inefficient log analysis and data pipeline can also bottleneck the security monitoring process. And in doing so, it reverses the benefits:
Security monitoring can become expensive quite fast. Though cloud-based storage is inexpensive, the sheer volume of data storage and analytics requests means that cloud-based storage and analytics solutions can scale up to whatever size you need — but this can result in a high Total Cost of Ownership.
Triaging the security risk insights from monitoring and analytics with appropriate control actions is challenging, and often a tradeoff between risk management and flexibility:
These sorts of network access requests are not common, predicted or within the acceptable margins of the risk threshold. That means your SIEM tool may trigger an immediate isolation of the affected network resources, cutting off legitimate users from the network.
On the other hand, offering too much flexibility before triggering a security control action means that the SIEM tools would ignore anomalous traffic patterns and small-scale but costly network infringements until it detects a large-scale DDoS attack.
(See the must-have features of any modern SIEM.)
One way to handle this tradeoff is to optimize your security metrics performance against realized business objectives of cybersecurity.
This extends the role of monitoring network logs and traffic data and incorporates metrics and KPIs that directly impact operational and business outcomes.
Consider evaluating the Mean-Time metrics (aka failure metrics) such as MTTR, MTBF, MTTA and MTBF. These metrics are intended to achieve service dependability and availability goals. In this context, these metrics are also a direct function of incident management, which depends on network resilience against cyber-attacks, traffic anomalies, data transfer and network access patterns.
Network and security logs, when analyzed, can therefore directly contribute to improving your Mean-Time metrics, which in turn improves business continuity and cybersecurity resilience.
Security monitoring performance also depends significantly on the placement of sensors, or selecting network nodes of interest when it comes to analyzing the network for unauthorized activities. The idea here is to optimally tradeoff between efficiency and coverage: Selecting many endpoints can enhance the security monitoring coverage — but at the cost of efficiency.
Conversely, an efficient security monitoring application is only useful if it encompasses all critical network and data assets.
Interested in learning more about Splunk Enterprise Security, our very own SIEM? We’ve got you covered! Take a guided tour now or talk to your account manager.
See an error or have a suggestion? Please let us know by emailing [email protected].
This posting does not necessarily represent Splunk's position, strategies or opinion.
The Splunk platform removes the barriers between data and action, empowering observability, IT and security teams to ensure their organizations are secure, resilient and innovative.
Founded in 2003, Splunk is a global company — with over 7,500 employees, Splunkers have received over 1,020 patents to date and availability in 21 regions around the world — and offers an open, extensible data platform that supports shared data across any environment so that all teams in an organization can get end-to-end visibility, with context, for every interaction and business process. Build a strong data foundation with Splunk.