Lately, most organizations have begun actively monitoring their networks in response to the many data breach incidents. To do that, numerous Security Information and Event Management (SIEM) tools are available. These tools provide a single platform where logs from the entire organization can be collected and analyzed. While these tools provide a lot of automation and optimize the monitoring process, we need to understand that it is not the tools that are pivotal in proactive monitoring, but human skills.
Everything from designing the architecture of the security monitoring setup to its day-to-day operation requires apt human intervention. In this article, we look at a few of the pre-setup steps an organization must take before starting active monitoring:
Understand and use a diverse portfolio of monitoring tools: One tool may not do it all. Different tools are available, each with different features and strengths based on its primary function. A smart mind is required to design the monitoring setup with these points in mind. While preparing the design of a security monitoring setup, one should consider multiple tools instead of relying on one, as the saying goes: ‘Do not put all of your eggs in one basket’.
After analyzing different monitoring tools, a set of products should be implemented to monitor the organization’s infrastructure.
Effective deployment of the setup: Once products have been identified, a fully qualified and skilled team is necessary to install and configure the different tools effectively. Unfortunately, these types of tools require a lot of customization and management to work efficiently. While deploying the setup, adequate system logging is a very important step, although it may be a tedious process. If system logging on network devices and applications is not configured properly, we may not get the expected results even though the monitoring tools are functioning as they are supposed to. Skilled people are required to prepare the monitoring tools and strong logging practices.
Even though monitoring tools provide a lot of built-in features, it takes an enormous number of human hours and a great deal of skill to prepare the setup.
Expert monitoring and operations: In SOC operations, daily monitoring is one of the most important tasks. An effective setup is a prerequisite for an expert monitoring team. This again is a crucial job to perform and requires a lot of human skill. Understanding the logging methodology and the tool mechanisms is necessary before starting operations. Once again, tools have features for correlating logs and generating alerts, but they also generate a lot of false positive notifications. An expert operator is required to filter out these false positives and to identify real incidents and threats to the organization’s network and applications.
Mere installation and configuration may not produce the expected results. Skilled analysis and interpretation of the logs is crucial to detect any indicator of an attack. An analytical blend in the operators and analysts is important to run the operations.
Let us take the example of the domain account lockout issue which got hyped in 2008 due to the viral spread of the ‘Conficker’ worm. By its nature, this worm harvests Active Directory, picks up user accounts and tries to log in with a password dictionary. This causes accounts to be locked out according to the configured password policies. While analyzing this type of attack, there are multiple scenarios to be considered:
- Multiple unique accounts getting locked out
- A single account getting locked out
- Multiple sources for the same incident
- A single source for multiple incidents
Apart from the scenarios mentioned above, there are other account lockout incidents which may be genuine cases, such as bad password attempts by a user or a scheduled job attempting to authenticate. These types of incidents should be identified right away and removed from the analysis.
If the security analyst does not possess ample analytical ability, the analysis may be misguided and the original source may not be identified. A non-skilled operator may also flag genuine account lockout incidents as attacks due to a lack of analytical ability. This may delay identification of the attack and put the organization’s network in danger.
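The lockout triage described above can be made concrete with a small script. The following is an added example, not code from the original article or from TCS; it works on constructed lockout records (not real logs and not any vendor's event format), and it assumes the organization keeps a documented list of scheduled-job accounts (here `KNOWN_JOB_ACCOUNTS`) so that their lockouts can be set aside before analysis, as the text recommends. It sorts the remaining lockouts into the scenarios listed: one source locking out many distinct accounts (the worm-style dictionary pattern), one account locked out from many sources, and isolated single lockouts that still need a human look.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample records (not real logs, not any vendor's event text):
# one account-lockout notification per line, as a SIEM might normalise it.
SAMPLE_LOG = """\
2008-11-21T09:00:01 lockout user=alice src=WKS-0142
2008-11-21T09:00:03 lockout user=bob src=WKS-0142
2008-11-21T09:00:04 lockout user=carol src=WKS-0142
2008-11-21T09:00:06 lockout user=dave src=WKS-0142
2008-11-21T09:05:10 lockout user=svc_backup src=SRV-BKP01
2008-11-21T09:07:00 lockout user=erin src=WKS-0299
2008-11-21T09:08:30 lockout user=erin src=WKS-0300
2008-11-21T09:12:45 lockout user=frank src=WKS-0501
"""

# Assumption: the organisation documents which accounts belong to scheduled
# jobs; a lockout of one of these is the "genuine case" to set aside first.
KNOWN_JOB_ACCOUNTS = {"svc_backup"}

LINE_RE = re.compile(r"^(\S+) lockout user=(\S+) src=(\S+)$")


@dataclass
class Lockout:
    ts: datetime
    user: str
    src: str


def parse(text):
    """Parse the constructed lockout lines, oldest first; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(Lockout(datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return sorted(events, key=lambda e: e.ts)


def triage(events, job_accounts=KNOWN_JOB_ACCOUNTS, spray_threshold=3):
    """Group lockouts into the scenarios from the text.

    one_source_many_accounts: one caller locks out several distinct accounts
        (the worm-style dictionary attack pattern; spray_threshold is tunable).
    one_account_many_sources: the same account is locked out from several callers.
    isolated: a single account locked out from one source; needs a human look
        but is not by itself evidence of an attack.
    """
    benign = sorted({e.user for e in events if e.user in job_accounts})
    suspect = [e for e in events if e.user not in job_accounts]

    users_by_src = defaultdict(set)
    srcs_by_user = defaultdict(set)
    for e in suspect:
        users_by_src[e.src].add(e.user)
        srcs_by_user[e.user].add(e.src)

    findings = []
    for src, users in users_by_src.items():
        if len(users) >= spray_threshold:
            findings.append({"scenario": "one_source_many_accounts",
                             "key": src, "values": sorted(users)})
    for user, srcs in srcs_by_user.items():
        if len(srcs) > 1:
            findings.append({"scenario": "one_account_many_sources",
                             "key": user, "values": sorted(srcs)})

    # A lockout is isolated when the account has one source and that source
    # did not lock out enough accounts to count as a spray.
    isolated = sorted(
        user for user, srcs in srcs_by_user.items()
        if len(srcs) == 1 and len(users_by_src[next(iter(srcs))]) < spray_threshold
    )
    return {"benign_job_accounts": benign, "findings": findings, "isolated": isolated}


if __name__ == "__main__":
    result = triage(parse(SAMPLE_LOG))
    for f in result["findings"]:
        print(f"{f['scenario']}: {f['key']} -> {', '.join(f['values'])}")
    print("set aside (scheduled jobs):", result["benign_job_accounts"])
    print("isolated lockouts:", result["isolated"])
```

On the sample data the script attributes four lockouts to the single workstation WKS-0142 (the pattern an analyst would chase to the infected host), reports erin as one account hit from two sources, sets svc_backup aside as a scheduled job, and leaves frank as an isolated case for manual review. The grouping is only the first cut; as the article stresses, deciding which of these is a real incident still needs an analyst.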
As we have seen in the above arguments, it is very critical to have the right set of skills instead of relying totally on monitoring tools. It is to be understood that security monitoring is more about well-optimized processes and human skills than about only procuring the best tools in the industry. An organization must consider building the right set of skills in its resources while using the latest technology, because technology may grow old and expire, but knowledge cannot.
To build a team of skilled security analysts, frequent training and awareness of the latest identified threats and vulnerabilities are very important. An analytical blend in the security monitoring process will certainly improve the security of the organization’s data. A proper incident response and analysis process needs to be established, and resources should possess the skills to stick to the process.
In the end, industry-leading monitoring products may collect the right information to analyze, but it is the right analytical skills, to visualize, articulate and solve both complex and uncomplicated problems and concepts and to make sensible decisions based on the available information, that lead the way.
Authored by Punit Dwivedi
TCS Enterprise Security and Risk Management