Security Monitoring

What is security monitoring?



"Security monitoring" is the monitoring of devices (mostly security devices) for security-related activities or events. Recall the "monitoring" analogy I gave earlier: in security monitoring, the monitoring tool (such as a SIEM) is the "monitor", the devices being monitored are the "students", and the security analyst is the "teacher".

Security analysts use security monitoring tools to keep continuous, 24x7 vigilance over the security infrastructure and critical information assets, analyzing and correlating security logs and alerts in real time to identify cyber intrusions.

It is very important to understand that security monitoring tools (like SIEMs) only detect security incidents (or cyber attacks); they cannot prevent or block the intrusion. One version of this philosophy is that security breaches are inevitable. As new threats become more advanced and intelligent, it has become impossible to make an organization's security layer impenetrable and avoid breaches altogether. So the trend is for organizations to focus more on rapid detection, followed by quickly identifying and mitigating the threat.

Suppose an attacker succeeds in installing a backdoor on an organization's system in order to steal sensitive data. The attacker's mission still fails if the defenders detect the backdoor creation in time, take proper action to remove the backdoor, and finally block the attacker's IP address at the firewall.

Need to add: [One proper attack scenario and how a SIEM helps mitigate the security risk just by detecting, to convince the reader properly]

Hence detection of the intrusion and a proper security response (action) by the defenders (the security team), before the attacker achieves the final goal (such as stealing sensitive data after creating the backdoor), can defeat the attacker. So detecting an attack can also be highly valuable.

You can see from the diagram below that the security risk rate increases once a zero-day vulnerability is detected and becomes publicly known. So time is the major factor here. As soon as an incident is detected, proper action should be taken: the system should be patched (if a patch is available), temporarily disconnected from the network, or handled by some other action. So in security monitoring we try to identify vulnerability exploit attempts, security policy violations, suspicious activity, etc. at the right time, so that proper action can be taken before the attacker finishes the final mission.




Prevention by discrete security devices (such as firewalls, IDS/IPS, DLPs and endpoint antivirus), deployed at various security perimeters and layers, fails against APTs (Advanced Persistent Threats). This is where a SIEM comes into the picture to fill the gap, by correlating the events generated by the various security devices (firewall, IDS/IPS, endpoint devices, etc.) deployed in your network.
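To make the correlation idea concrete, here is a small added example (not from this post, nor from any SIEM product) of the kind of rule a SIEM runs over events from three different devices. The log format and the sample lines are constructed for the example: an IDS alert, an endpoint "new service" event and an allowed outbound firewall connection from the same host within a short window are treated together as the backdoor scenario described above, while a lone IDS alert or firewall entry is not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three device types (format is invented for this example):
# "<ISO timestamp> <source> host=<ip> <key=value ...>"
SAMPLE_LOGS = """\
2024-05-01T10:00:05 ids host=10.0.0.7 sig=malicious_download severity=medium
2024-05-01T10:01:10 endpoint host=10.0.0.7 event=new_service name=updsvc
2024-05-01T10:03:40 firewall host=10.0.0.7 action=allow dst=203.0.113.9 dport=4444
2024-05-01T11:30:00 firewall host=10.0.0.22 action=allow dst=198.51.100.3 dport=443
2024-05-01T11:31:00 ids host=10.0.0.22 sig=port_scan severity=low
"""

LINE_RE = re.compile(r"^(\S+) (\S+) host=(\S+) (.*)$")

def parse_events(text):
    """Turn raw lines into dicts with a parsed timestamp and key=value fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than crash the pipeline
        ts, source, host, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": datetime.fromisoformat(ts), "source": source, "host": host, **fields})
    return events

def correlate(events, window=timedelta(minutes=10)):
    """Flag a host when an IDS alert is followed, within `window`, by a new
    endpoint service and an allowed outbound firewall connection from that host."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for anchor in evs:
            if anchor["source"] != "ids":
                continue
            later = [e for e in evs if anchor["ts"] <= e["ts"] <= anchor["ts"] + window]
            new_service = any(e["source"] == "endpoint" and e.get("event") == "new_service" for e in later)
            outbound = any(e["source"] == "firewall" and e.get("action") == "allow" for e in later)
            if new_service and outbound:
                incidents.append({"host": host, "first_seen": anchor["ts"], "events": len(later)})
                break  # one incident per host is enough for the analyst
    return incidents
```

Running `correlate(parse_events(SAMPLE_LOGS))` raises one incident for 10.0.0.7 and none for 10.0.0.22, whose firewall and IDS entries never line up into the full chain.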

We will discuss the SIEM in detail later.

References:

Book: THE PRACTICE OF NETWORK SECURITY MONITORING by Richard Bejtlich.

http://www.secureworks.com/it_security_services/security_monitoring/

http://www.networkworld.com/article/2172882/network-security/is-rapid-detection-the-new-prevention-.html

http://security.hsr.ch/lectures/Internet_Security_1/01b-HackingCycle.pdf
