5 Monitoring Initiatives For 2014

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.darkreading.com/monitoring/5-monitoring-initiatives-for-2014/240165105

Security information and event management systems (SIEMs) became much more
common in 2013, while more companies talked about using massive data sets
to fuel better visibility into the potential threats inside their networks.

Yet effective security monitoring has a long way to go. To better secure
their networks and improve visibility into the threats on their systems in
2014, companies first need good communication between business executives
and information-security managers. While 90 percent of managers surveyed by
network security and management firm SolarWinds thought security was under
control, only 30 percent of the actual IT practitioners believe that
security is well-established, according to the firm.

A good place to start is for information-technology leaders to ask
themselves and their business counterparts what more they want to know
about their networks, systems, and employees. Without the right questions,
monitoring for threats will be hard, says Dave Bianco, Hunt Team manager
for incident-response firm Mandiant, which was acquired by FireEye this
week.

"It pays for companies to take a step back and look at what they are
doing," Bianco says. "I can look at things that I'm really worried about
because of my business, or things that might be interesting to those who
are attacking me -- not only figure out what you might be able to detect,
but figure out what you have to detect them with."

To start the conversation, here are five initiatives that
security-monitoring experts say should be undertaken this year.

1. Catalog the sources in your network
Companies first have to know what they have to work with. A business
looking at improving its visibility into its network and the threats in the
network should first find out what data sources are available, Mandiant's
Bianco says.

Companies should not only collect the logs from Web servers, firewalls, and
intrusion-detection systems, but other systems that may not initially be
considered sources of intrusion information, he says. One example: the
authentication logs for all the systems in the environment, he says.

"Make sure that you are logging the data from these systems correctly and
sending it to a central place where you can get access to it," Bianco says.
"That way you can turn all those independent log sources into new detection
platforms."

2. Monitor users, not just devices
Many companies continue to attribute activities to Internet addresses --
that is, devices -- on their networks, rather than dealiasing the user
behind those actions, says Patrick Hubbard, head geek for SolarWinds. Yet
adding context to the actions being taken on the network is important, he
says.

"With more and more Internet-connected devices on the network, the number
of humans on the network relative to the number of devices on the network
is beginning to decrease, so it is not as easy to have strong
authentication from the device," Hubbard says.

[Companies analyzing the voluminous data produced by information systems
should make sure to check user access and configuration changes, among
other log events. See5 Signs Of Trouble In Your Network.]

Businesses should make an effort this year to attribute actions to specific
employees and users by combining authentication information and other
sources with network logs.

"You want to look at users not just as logons, but within the context of
the identity breadcrumbs they are leaving behind on the network," he says.

3. Use more math
By collecting more data and knowing the questions to ask, companies should
find themselves with a lot more information on what is happening in their
networks. IT security teams can ask questions of the data and discover
incidents that may have otherwise been hidden. However, companies should
also allow the data to speak for itself -- and to do that, they need math,
says Joe Goldberg, senior manager of security and compliance product
marketing for data-analytics firm Splunk.

By using statistical analysis, companies can determine the outliers in a
big data set. If the average employee downloads 10 files from a SharePoint
server in a day, then someone downloading 50 files may be an advanced
threat actor harvesting data from the company's server, he says.

"Use statistics and math on the sea of data that you've collected to figure
out what is abnormal and what is odd," Goldberg says.

4. Find out more about attackers
Once companies have the data and the capability to analyze it, they need to
know what types of threats may be targeting their company, Mandiant's
Bianco says.

Companies need to know the adversaries that might be targeting their
businesses or industries. Focused threat intelligence can provide that as
well as what techniques are common for those adversaries, Bianco says.
Whether an attacker uses spearphishing, SQL injection, or malware to attack
a business' systems makes a difference for how a company detects the
threats, he says.

"You need to know all these things that influence the catalog that a
company creates of detection scenarios and how they are going to detect
those threats," he says.

5. Invest more in your people
While security practitioners continue to be in high demand, companies
should do everything they can to find the necessary expertise and develop
that expertise with training, Splunk's Goldberg says.

"You are going to need security practitioners to not only deploy these
systems and collect the data, but also to sit behind the desk and monitor
and fine-tune them," he says. "You want skilled people who know you
environment well, and you cannot always outsource that."

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.