Every company I speak with uses some form of IT security monitoring. Some security operations groups use multiple monitoring tools, some free, some licensed. Others outsource IT security operations (translation: outsource operations of firewalls and IDS) and rely on the monitoring provided by their operations outsourcers.
IT security groups that are feeling pressure from their external auditors, their IT security governance committee, or from their compliance committee to provide the next level of compliance and security assurance need to pull out the big gun.
In my opinion outsourcing precision security monitoring is the big gun - the ultimate corrective control.
Detailed monitoring correlates data from event logs and alerts, then filters the correlated data within very tight client defined boundaries of acceptance or tolerance. Here are a few descriptive examples of targeted correlation and filtering for identification of compliance violations or security violations:
o COBIT related log events : failed accesses : admin privileges
o SCADA event logs : GFI LanGuard: patching system.
o Control points : attestations / signatures : timeframe thresholds
o Firewall log events : IDS network interface inside network : IDS network interface outside network
o Suspicious activity from outside the network : IP addresses : period of time
o Failed access attempts : domain : timeframe : NERC CIP control points Correlation of IDS and firewall logs to reduce false positives
o Correlation of IDS alerts and logs with corporate policy to reduce IDS false positives
To be very effective outsourced monitoring service must provide intense triage and analysis of the client's data. The service must distil hundreds of thousands of a client's log events and alerts to about 60 clear real-time trouble tickets per month. The trouble tickets must be clear calls to action.
Identify Violations with Laser Precision
You should consider deploying detailed monitoring in these situations:
o External financial or compliance auditors deliver a bad score and identify compliance violations or security risks that need to be reported to the board of directors.
o Lack of separation of duties within your outsourced managed security service provider or the need for due diligence to identify and rectify violations of separation of duties.
o Due diligence on the veracity of an IT security operations outsource provider's service.
o The IT Security Governance committee has mandated that the IT security operations group cannot be aware of security audits sponsored by the IT security governance committee.
o The need for additional IT security expertise, particularly when the inside expertise will be leaving or if expanded scope of work will require additional expenditures s on hiring additional expertise.
o There is a financial need to reduce costs of monitoring multiple unrelated platforms by consolidated monitoring. As an example, consolidate the monitoring of disparate financial, human resource, and asset management systems, thereby providing one single view to the enterprise.
o Client, legal regulatory, and industry regulatory requirements for impartial third party verification that your organization is in compliance.
Monitoring should deliver highly precise, correlated, meaningful, impartial , actionable recommendations.