Most companies are exposed to security threats, both small and large, fairly frequently. Having automated, continuous security monitoring ensures you can detect these threats quickly and respond in kind. Whether it be a hacker, malware, careless employees, outdated operating systems or third-party service providers, exposure is inevitable — but negative consequences are avoidable.
If we consider the omnipresent (and almost inevitable) nature of security risks, it is easy to see why automated security monitoring — and the quick response time that comes with it — is a necessity for swiftly detecting and responding to threats.
Let’s dive into some of the specifics under the larger “security monitoring” umbrella.
Types of Security Monitoring
As you may have noticed from our first two articles in this Modern Monitoring series (Application Monitoring and Infrastructure Monitoring), the monitoring industry is both broad and deep, with many competitors offering countless types of services. Even within the silo of security, there is much to consider: for instance, what is it that you are aiming to protect your systems from? Is it people? Threats? Viruses? Other attacks? With so many variations, it helps to break these tools down into smaller categories.
Endpoint Security Monitoring
Sometimes known as endpoint protection, endpoint security refers to “the approach of protecting a business network when accessed by remote devices like smartphones, laptops, tablets or other wireless devices,” otherwise known as “endpoints.” Tools in this space monitor the status, activities, software, performance, authorization, and authentication of the various endpoints. IT professionals increasingly recognise the need to put endpoint security monitoring in place. A recent McAfee study found that among organizations “that have been breached in the past year, 35% are increasing security and audit requirements and 26% are increasing spending on threat intelligence technologies, 26% on prevention technologies, and 22% on incident response programs.”
The need for endpoint monitoring makes perfect sense if you take a moment to think about how mobile our world has become in recent years: most business professionals have (at the very least) a mobile phone and work laptop, meaning that enterprises already have two devices per employee that could contain sensitive data and need protection. (It is important to note that endpoint security can often be confused with other network security tools such as antivirus and firewall, but they are in fact different.)
File Integrity Monitoring
There are countless paths bad actors can use to exploit vulnerabilities (and cause extensive damage) across your IT assets, and one of the major ones runs through your critical files. As you may know, most IT systems that store and process information use file-based architectures, where every piece of the infrastructure — from the core operating system to logs — is stored in files. If an attacker is able to compromise any of these critical files, the enterprise is looking at a full-blown IT disaster.
This is where File Integrity Monitoring (FIM) comes in. FIM notifies your IT team whenever suspicious activity takes place on critical files, so that you can fix the issue and close off the weakness that was exploited before it can be used again.
In reality, most enterprises really do need some form of FIM in place. With the increasing sophistication, frequency, and diversity of modern threats, it is only a matter of time before your organisation is compromised.
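To make the FIM idea concrete, here is a small added example (not code from the article or from any FIM product) that hashes a set of critical files into a baseline, re-scans later, and reports what was added, modified or removed. The monitored tree, its files and the "tampering" are all constructed inside a temporary directory so the script runs offline; real deployments would persist the baseline somewhere the monitored host cannot rewrite it.

```python
"""File integrity monitoring in miniature: hash a set of critical files into a
baseline, then re-scan and report what was added, modified or removed.
Added example for this article, not any vendor's product. The monitored
directory, its files and the tampering are constructed in a temp directory."""
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files stay off the heap."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root):
    """Map every regular file under root (relative path) to its content hash and mode bits."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            mode = os.stat(full).st_mode & 0o777
            state[rel] = (hash_file(full), mode)
    return state


def diff_snapshots(baseline, current):
    """Compare a stored baseline with a fresh scan and classify each change.
    A permission change counts as a modification even if the content hash is unchanged."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Build a constructed 'critical files' tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "etc")
        os.makedirs(etc)
        with open(os.path.join(etc, "passwd"), "w") as fh:
            fh.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(os.path.join(etc, "sshd_config"), "w") as fh:
            fh.write("PermitRootLogin no\n")
        baseline = snapshot(root)

        # Constructed changes a monitor should catch: a hardening setting weakened,
        # an unexpected file appearing, and a critical file disappearing.
        with open(os.path.join(etc, "sshd_config"), "a") as fh:
            fh.write("PermitRootLogin yes\n")
        with open(os.path.join(etc, "unexpected.conf"), "w") as fh:
            fh.write("not part of the baseline\n")
        os.remove(os.path.join(etc, "passwd"))

        return diff_snapshots(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for path in paths:
            print(f"ALERT {kind}: {path}")
```

Running it prints one alert per change. In practice the baseline would be signed or stored off-host, and the scan would be scheduled or driven by filesystem notifications rather than run once.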
Security Log Monitoring
As we discussed in our piece on application monitoring, logs are records of events relevant to a specific system. They are produced automatically when something notable happens, and each entry carries a timestamp. In a security context, logs are used to track security-related information on a computer system.
When it comes to security, simply collecting and storing information, events, and alerts is clearly not sufficient to protect your systems from threats. Security log monitoring lets you fight attacks effectively by continuously tracking every element of your infrastructure, looking for patterns, comparing current activity with historical data, and more. Having all of this information means your team is better equipped not only to handle security threats when they come up, but to prevent future ones from happening in the first place.
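The "looking for patterns" part is easiest to see with code. The following added example (not from the article or any log monitoring product) parses constructed OpenSSH-style auth log lines and keeps a sliding window of failed logins per source address, alerting when one source exceeds a threshold inside the window. The threshold, window length and log lines are all assumptions made for the example.

```python
"""Security log monitoring over constructed sshd-style auth log lines: parse each
entry, keep a sliding window of failed logins per source address, and raise an
alert when a source exceeds a threshold inside the window. Added example for this
article; the log lines, threshold and window are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the shape of an OpenSSH auth log (year omitted, as syslog does).
SAMPLE_LOG = """\
Mar  3 10:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 10:00:03 bastion sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 50123 ssh2
Mar  3 10:00:04 bastion sshd[2103]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 10:00:06 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50125 ssh2
Mar  3 10:00:07 bastion sshd[2105]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 10:00:09 bastion sshd[2106]: Accepted publickey for deploy from 198.51.100.20 port 40001 ssh2
Mar  3 10:15:00 bastion sshd[2107]: Failed password for alice from 198.51.100.21 port 40002 ssh2
Mar  3 10:40:00 bastion sshd[2108]: Failed password for alice from 198.51.100.21 port 40003 ssh2
Mar  3 11:05:00 bastion sshd[2109]: Failed password for alice from 198.51.100.21 port 40004 ssh2
Mar  3 11:30:00 bastion sshd[2110]: Failed password for alice from 198.51.100.21 port 40005 ssh2
Mar  3 11:55:00 bastion sshd[2111]: Failed password for alice from 198.51.100.21 port 40006 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one raw log line into a dict, or None if it is not an auth event we track.
    Syslog lines carry no year, so the caller supplies one (assumption for the example)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m.group("host"), "outcome": m.group("outcome"),
            "user": m.group("user"), "src": m.group("src")}


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Alert once per source whose failed logins reach `threshold` within `window`.

    Each source keeps a deque of failure timestamps; entries older than the window
    are evicted before counting, so slow, spread-out failures never accumulate."""
    failures = defaultdict(deque)
    alerted = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["outcome"] != "Failed":
            continue
        q = failures[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({"src": ev["src"], "count": len(q), "first": q[0], "last": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT brute force from {a['src']}: {a['count']} failures "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

On the sample data only 203.0.113.7 is flagged: five failures in six seconds. The five failures from 198.51.100.21 are spread over two hours and never share a one-minute window, which is exactly the case a naive "count failures per IP" query would get wrong.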
SIEM and SOAR
As the security marketplace continues to grow, acronyms can end up being used interchangeably by mistake: for example, security information and event management (SIEM) and security orchestration, automation, and response (SOAR) are often confused for one another. Although each one has capabilities that complement the other, they are not the same.
SIEM software products are actually the combination of two fields that were traditionally separate: security information management (SIM) and security event management (SEM). When combined into one, SIEM is “the process of identifying, monitoring, recording and analyzing security events or incidents within a real-time IT environment.” Tripwire sums up its functions like this:
- It provides centralized security event management.
- It provides correlation and normalization for context and alerting.
- It provides reporting on all ingested data.
- It can take in data from virtually any vendor or in-house applications.
Simple enough, right? So, what is SOAR and how are they different?
Like SIEM, SOAR is designed so that security teams can manage and respond to a flood of alarms quickly and with agility. However, SOAR goes one step further by “combining comprehensive data gathering, case management, standardization, workflow and analytics to provide organizations the ability to implement sophisticated defense-in-depth capabilities.”
Essentially, SOAR unites all the aspects of an organisation’s security toolset (e.g. tools, systems, applications) and then enables the SecOps team to automate their workflows for incident response.
Both SIEM and SOAR exist separately, but there are many benefits to using them in conjunction. By increasing efficiency and efficacy across the board, using both is sure to make the lives of your entire security team much better. SIEM solutions collect meaningful data but tend to produce a high volume of alerts; SOAR enables your SecOps team to handle the alert load more efficiently, leaving them more free time for other skills-based tasks.
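The division of labour described above (SIEM normalizes and correlates, SOAR automates the response) can be sketched in a few dozen lines. This added example is not code from the article or from any SIEM or SOAR vendor: it takes events from two constructed vendor formats (a firewall emitting JSON and a VPN concentrator emitting key=value pairs), normalizes them into one schema, runs a correlation rule across both sources, and hands each correlated alert to a constructed playbook that decides the response steps. The formats, the rule and the playbook steps are all assumptions.

```python
"""SIEM and SOAR in miniature: normalize events from two constructed vendor formats
into one schema, correlate across them, then run a playbook on each alert.
Added example for this article, not any product's internals; formats, rule and
playbook are assumptions."""
import json
from datetime import datetime

# Vendor A (constructed): a firewall that emits JSON, one object per line.
FIREWALL_EVENTS = [
    '{"time":"2024-03-03T09:58:10Z","src":"203.0.113.7","dst":"10.0.0.5","dport":22,"action":"deny"}',
    '{"time":"2024-03-03T09:58:12Z","src":"203.0.113.7","dst":"10.0.0.5","dport":3389,"action":"deny"}',
    '{"time":"2024-03-03T09:58:15Z","src":"203.0.113.7","dst":"10.0.0.5","dport":443,"action":"allow"}',
    '{"time":"2024-03-03T10:02:00Z","src":"198.51.100.20","dst":"10.0.0.5","dport":443,"action":"allow"}',
]

# Vendor B (constructed): a VPN concentrator emitting key=value pairs.
VPN_EVENTS = [
    "ts=2024-03-03T09:59:30Z user=jsmith client_ip=203.0.113.7 event=login result=failure",
    "ts=2024-03-03T10:00:05Z user=jsmith client_ip=203.0.113.7 event=login result=success",
    "ts=2024-03-03T10:03:00Z user=deploy client_ip=198.51.100.20 event=login result=success",
]


def normalize_firewall(line):
    """Map the firewall's JSON fields onto the common schema."""
    raw = json.loads(line)
    return {"ts": datetime.strptime(raw["time"], "%Y-%m-%dT%H:%M:%SZ"),
            "vendor": "firewall", "src_ip": raw["src"], "user": None,
            "category": "network",
            "outcome": "blocked" if raw["action"] == "deny" else "allowed",
            "detail": f"dst={raw['dst']}:{raw['dport']}"}


def normalize_vpn(line):
    """Map the VPN concentrator's key=value pairs onto the common schema."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return {"ts": datetime.strptime(kv["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "vendor": "vpn", "src_ip": kv["client_ip"], "user": kv["user"],
            "category": "authentication",
            "outcome": "success" if kv["result"] == "success" else "failure",
            "detail": kv["event"]}


def ingest():
    """Normalize every source and merge into one time-ordered stream."""
    events = [normalize_firewall(line) for line in FIREWALL_EVENTS]
    events += [normalize_vpn(line) for line in VPN_EVENTS]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, min_blocks=2):
    """Rule: an address the firewall blocked at least `min_blocks` times that later
    authenticates successfully. The alert carries both sides as context."""
    blocks, alerts = {}, []
    for ev in events:
        if ev["category"] == "network" and ev["outcome"] == "blocked":
            blocks.setdefault(ev["src_ip"], []).append(ev)
        elif ev["category"] == "authentication" and ev["outcome"] == "success":
            prior = blocks.get(ev["src_ip"], [])
            if len(prior) >= min_blocks:
                alerts.append({"src_ip": ev["src_ip"], "user": ev["user"],
                               "blocked_attempts": len(prior), "login_at": ev["ts"]})
    return alerts


def playbook(alert):
    """SOAR-style automation (constructed): the response steps for one correlated alert."""
    steps = ["open incident ticket", f"notify owner of account {alert['user']}"]
    if alert["blocked_attempts"] >= 2:
        steps.append(f"add {alert['src_ip']} to perimeter blocklist pending analyst review")
    steps.append(f"force re-authentication with MFA for {alert['user']}")
    return steps


if __name__ == "__main__":
    for a in correlate(ingest()):
        print(f"ALERT {a['src_ip']} blocked {a['blocked_attempts']}x by firewall, "
              f"then logged in as {a['user']} at {a['login_at']:%H:%M:%S}")
        for step in playbook(a):
            print(f"  -> {step}")
```

Neither source alone would raise this alert: the firewall sees two denies followed by an allow, and the VPN sees one failed and one successful login. Only the normalized, merged stream lets the rule connect them, and the playbook then turns that single enriched alert into a fixed set of actions instead of leaving an analyst to triage seven raw events.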
Here are some SIEM and SOAR tools to check out if you want to make your SecOps team very happy: Splunk Enterprise Security, Splunk Phantom, AlienVault USM, SolarWinds Log & Event Manager and Siemplify.
Compliance Monitoring
Every company in every country has rules and regulations they must comply with in order to remain in good standing with their respective governments and/or ruling bodies. Some industries have more to worry about in terms of compliance than others, but no matter what your business model is, monitoring compliance is vital.
For example, consider the Payment Card Industry Data Security Standard (PCI DSS), set by the PCI Security Standards Council to protect cardholder data. The PCI DSS applies to all entities that store, process, and/or transmit cardholder data — in other words, a lot of companies.
Another that affects countless businesses? HIPAA, or the Health Insurance Portability and Accountability Act (specific to the US). Created in 1996 to set the standard for sensitive patient data protection, HIPAA compliance ensures that companies dealing with protected health information have physical, network, and process security measures in place and follow them.
You could find endless resources and read up on the compliance requirements for each of these examples, but let’s skip those details for now. The important thing to know here is that compliance can be generally split into two phases: phase 1 involves setting the controls (where your organisation “plans and commits to being compliant”), while phase 2 is where monitoring enters the game. For example, in the case of PCI DSS, this can involve “monitoring those controls to include vulnerability scanning, monitoring for configuration changes, intrusion detection, user behavior monitoring, and incident response.”
Compliance is a tricky game. There are innumerable rules to keep track of, and things can fall through the cracks quite easily if the proper systems are not in place to keep everything secure. For some compliance monitoring tools that can give your company peace of mind, try out UpGuard, Qualys, Reciprocity ZenGRC, or ManageEngine.
Insider Threat Monitoring
While we would all like to believe that bad actors and security threats all come from external forces, it is just as important to monitor the security of your enterprise from the inside. Remember the General Electric Co. headlines from August 2018? An engineer accused of stealing intellectual property was arrested, and the FBI then had to investigate whether the theft compromised any of the company’s trade secrets.
Sound like a nightmare? It was — and not only for PR, but for security, stock prices, public trust, and more. Insider threats are commonly called one of the biggest security risks for organisations, and security experts define these attacks as “the most silent and devastating.” Insiders could be anyone internal to the company: employees, third-party contractors, and other business partners that have legitimate, legal access to corporate data.
Some of the top insider threat behaviors to monitor include privileged account abuse, abnormal access to sensitive information, unusual login durations and times, and inappropriate sharing of passwords. On an even simpler level, just think of all the devices (endpoints) and browsers being used by insiders at your enterprise. With so much to keep track of, a monitoring solution to alert you of suspicious activity seems almost imperative for any enterprise wishing to remain secure from the inside out.
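The behaviours listed above (abnormal access to sensitive information, unusual login times, privileged account abuse) are detected by comparing each user's activity against their own history rather than against a fixed rule. This added example, which is not code from the article or from any user behaviour analytics product, builds a per-user baseline from constructed access records and scores new activity against it. The records, the list of sensitive resources, the scoring weights and the alert threshold are all assumptions.

```python
"""Insider-threat monitoring in miniature: build a per-user behavioural baseline from
historical access records, then score new activity against it. Added example for this
article, not any vendor's analytics engine; records, sensitive-resource list, weights
and threshold are constructed assumptions."""
from collections import defaultdict
from datetime import datetime

# Constructed history: (user, timestamp, resource, action) for two users' normal week.
HISTORY = [
    ("alice", "2024-02-05T09:12:00", "crm", "read"),
    ("alice", "2024-02-05T14:40:00", "crm", "read"),
    ("alice", "2024-02-06T10:05:00", "wiki", "read"),
    ("alice", "2024-02-07T16:30:00", "crm", "read"),
    ("bob",   "2024-02-05T08:50:00", "payroll", "read"),
    ("bob",   "2024-02-06T11:20:00", "payroll", "read"),
    ("bob",   "2024-02-07T09:00:00", "hr-files", "read"),
]

# Constructed set of resources that warrant extra scrutiny on first access.
SENSITIVE = {"payroll", "hr-files", "source-repo"}


def build_baseline(history):
    """Per user: the hours they normally work and the resources they normally touch."""
    hours = defaultdict(set)
    resources = defaultdict(set)
    for user, ts, resource, _action in history:
        hours[user].add(datetime.fromisoformat(ts).hour)
        resources[user].add(resource)
    return {u: {"hours": hours[u], "resources": resources[u]} for u in hours}


def score_event(baseline, user, ts, resource, action):
    """Return (score, reasons) for one event; higher means more anomalous.
    Weights are assumptions: off-hours +2, new resource +1 (+3 if sensitive), bulk action +3."""
    profile = baseline.get(user, {"hours": set(), "resources": set()})
    hour = datetime.fromisoformat(ts).hour
    score, reasons = 0, []
    # Off-hours check: more than two hours from anything in the baseline
    # (ignores midnight wraparound to keep the example short).
    if profile["hours"] and min(abs(hour - h) for h in profile["hours"]) > 2:
        score += 2
        reasons.append(f"login hour {hour:02d} outside baseline {sorted(profile['hours'])}")
    if resource not in profile["resources"]:
        sensitive = resource in SENSITIVE
        score += 3 if sensitive else 1
        reasons.append(f"first access to {'sensitive ' if sensitive else ''}{resource}")
    if action in ("export", "bulk-download"):
        score += 3
        reasons.append(f"bulk action {action}")
    return score, reasons


def evaluate(baseline, events, threshold=4):
    """Flag events whose anomaly score reaches the threshold."""
    flagged = []
    for user, ts, resource, action in events:
        score, reasons = score_event(baseline, user, ts, resource, action)
        if score >= threshold:
            flagged.append({"user": user, "ts": ts, "score": score, "reasons": reasons})
    return flagged


# Constructed new activity to evaluate against the baseline.
NEW_EVENTS = [
    ("alice", "2024-02-08T10:15:00", "crm", "read"),            # normal
    ("alice", "2024-02-08T23:45:00", "source-repo", "export"),  # off-hours + new sensitive + bulk
    ("bob",   "2024-02-08T09:10:00", "payroll", "read"),        # normal for bob
    ("bob",   "2024-02-08T12:00:00", "wiki", "read"),           # new but non-sensitive: low score
]


if __name__ == "__main__":
    for f in evaluate(build_baseline(HISTORY), NEW_EVENTS):
        print(f"ALERT {f['user']} at {f['ts']} score={f['score']}: " + "; ".join(f["reasons"]))
```

Note that the same action (reading payroll) is normal for bob and would be anomalous for alice; that per-user framing is what separates insider threat monitoring from a static access rule. A scoring approach also lets several individually weak signals add up to one alert, which is how the late-night export of a never-before-touched repository gets caught.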
Cloud Security Monitoring
We have mentioned it many times before, but in case you forgot: “the cloud” is pretty important. With that in mind, it is easy to see why enterprises want to keep their systems in the cloud as safe as possible, and monitoring is a critical component of cloud security and management. Cloud Security Monitoring products provide vulnerability and compliance monitoring, configuration scanning, threat detection, firewalls, and intrusion detection. This silo also includes security monitoring for virtualised infrastructure: “Container Security Monitoring” (for Docker and Kubernetes containers) and “Serverless Security Monitoring” (for AWS Lambda, Azure Functions, Google Cloud Functions).
These monitoring tools look for things like external attacks, misconfigured settings, excessively permissive roles and permissions, and compliance with standards such as PCI DSS, HIPAA and GDPR. Ideally, products should secure the entire DevOps lifecycle from Development (build, code, test) to Release (CI/CD pipeline) and into Production (monitor, operate). Bonus features: some “cloud native” products (e.g. Twistlock) provide both Container and Serverless Security Monitoring.
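"Excessively permissive roles and permissions" is the finding cloud configuration scanners raise most often, and the check behind it is simple enough to show. This added example (not code from the article or from any cloud provider's tooling) scans an IAM-style JSON policy document for Allow statements that use wildcard actions, service-wide wildcards or unrestricted resources, and shows an over-permissive policy beside a least-privilege rewrite of it. Both policies are constructed; the only thing the check relies on is the Statement/Effect/Action/Resource shape of AWS IAM policy documents.

```python
"""Cloud security monitoring in miniature: scan IAM-style policy documents for
excessively permissive statements. Added example for this article, not any cloud
provider's tooling; both policies are constructed. The document shape follows AWS
IAM JSON policy conventions (Statement/Effect/Action/Resource)."""
import json

# Constructed: a role policy that grants everything on everything.
OVERLY_PERMISSIVE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:*"], "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}"""

# Constructed: the same role scoped down to the two operations it actually needs.
LEAST_PRIVILEGE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*"}
  ]
}"""


def as_list(value):
    """IAM allows a string or a list in Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]


def find_permissive_statements(policy_json):
    """Return one finding per Allow statement that uses a wildcard action, a
    service-wide wildcard ("svc:*"), or a wildcard resource. Deny statements never
    produce findings: a broad Deny narrows access rather than widening it."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        reasons = []
        if "*" in actions:
            reasons.append("Action allows every API call")
        service_wildcards = [a for a in actions if a.endswith(":*")]
        if service_wildcards:
            reasons.append("service-wide wildcard: " + ", ".join(service_wildcards))
        if "*" in resources:
            reasons.append("Resource is unrestricted")
        if reasons:
            findings.append({"statement": idx, "reasons": reasons})
    return findings


def severity(findings):
    """Critical if any statement is both action- and resource-wildcarded, else high/none."""
    for f in findings:
        if "Action allows every API call" in f["reasons"] and "Resource is unrestricted" in f["reasons"]:
            return "critical"
    return "high" if findings else "none"


if __name__ == "__main__":
    for name, doc in (("overly permissive", OVERLY_PERMISSIVE), ("least privilege", LEAST_PRIVILEGE)):
        found = find_permissive_statements(doc)
        print(f"{name}: severity={severity(found)}")
        for f in found:
            print(f"  statement {f['statement']}: " + "; ".join(f["reasons"]))
```

The scanner rates the first policy critical (statement 0 is `*` on `*`) and also flags the `s3:*` service wildcard in statement 1, while the rewritten policy produces no findings. A production scanner would also walk policies attached to users and groups, resolve managed policy ARNs, and inspect trust policies, but the core test per statement is the one shown here.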
Enterprise organisations around the world have long recognized the importance of having solid security systems in place to protect themselves from threats (both external and internal). Gartner predicted that spend on enterprise security solutions would reach $96.3 billion by the end of 2018, and while monitoring is only a portion of the total security solutions industry, it is clear that these tools and services are not going anywhere.
Over the past three articles, we have explored the various types of monitoring in depth: while this is a crowded space, we hope we were able to shed some light on the background and key players of many monitoring tools that your enterprise could come in contact with. OpsMatters has over 250 contributing organisations and more than 7,500 articles and videos (with more being added every day) to help you research the best tools and applications to fit your needs.
As always, if you have any questions or comments regarding this piece or the OpsMatters platform, please leave a comment below or reach out to us at firstname.lastname@example.org.