This week, I stumbled across the NCSC blog post on how to keep your security monitoring effective. This is a topic that is definitely worth revisiting on a regular basis. Far too often I come across instances where security activities sound good but are implemented in a way that leaves them far less effective than one would expect. One example is log sinks that are not monitored or reviewed. If you have a log sink that is not being regularly reviewed or ingested into your monitoring, then that is something you ought to change. It is not enough just to review log sinks; you need to ensure that the review itself is effective and gives you the intelligence you need.
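One cheap check that catches the "unreviewed sink" problem described above is to treat silence as a finding: a log source that stops delivering events, or a source that delivers events nobody has set an expectation for, is flagged. The following is an added example, not code from the original post or from the NCSC; the source names, timestamps and allowed gaps are constructed, and in practice the last-seen times would come from your SIEM or collector rather than a dictionary.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the last time each log source delivered an event to the sink.
# Source names are hypothetical.
LAST_EVENT_SEEN = {
    "fw-edge-01": "2024-05-01T10:58:00Z",
    "dc-auth-01": "2024-05-01T08:10:00Z",
    "web-proxy-02": "2024-04-29T23:00:00Z",
    "vpn-gw-01": "2024-05-01T10:59:30Z",
    "legacy-app-99": "2024-05-01T10:55:00Z",  # delivers logs, but nobody owns a review expectation
}

# Longest gap we will tolerate per source. A domain controller that is quiet for
# hours is itself worth an alert, so the limit is short. A source listed here that
# never appears in LAST_EVENT_SEEN has simply never been wired up.
MAX_SILENCE = {
    "fw-edge-01": timedelta(minutes=15),
    "dc-auth-01": timedelta(minutes=30),
    "web-proxy-02": timedelta(hours=1),
    "vpn-gw-01": timedelta(minutes=15),
    "edr-mgr-01": timedelta(minutes=15),
}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def silent_sources(last_seen, max_silence, now):
    """Return {source: gap} for every source that needs attention.

    gap is a timedelta when the source went quiet for longer than allowed, or when
    it is delivering events but has no review expectation defined at all; gap is
    None for a source we expect to hear from that has never delivered anything.
    """
    findings = {}
    for source, ts in last_seen.items():
        gap = now - parse_ts(ts)
        limit = max_silence.get(source)
        if limit is None or gap > limit:
            findings[source] = gap
    for source in max_silence:
        if source not in last_seen:
            findings[source] = None
    return findings


def format_report(findings):
    """Render findings as one line per source, for a ticket or a daily review."""
    lines = []
    for source in sorted(findings):
        gap = findings[source]
        if gap is None:
            lines.append(f"{source}: never delivered an event")
        else:
            lines.append(f"{source}: last event {gap} ago")
    return lines


if __name__ == "__main__":
    now = parse_ts("2024-05-01T11:00:00Z")  # constructed "current" time
    for line in format_report(silent_sources(LAST_EVENT_SEEN, MAX_SILENCE, now)):
        print(line)
```

Run on a schedule, this turns a passive log sink into something that complains when a feed dies or when an unowned feed appears, which is the difference between a sink that exists and one that is actually reviewed.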
Security monitoring is key and it is critical to get it right; after all, if something is going wrong then you want to know about it at the earliest opportunity and do something about it. Industry-wide statistics on the time between a breach and its detection are still too high, hence it is critical that an effective monitoring programme is established and is able to detect malicious activity.
What should be monitored?
Which assets are monitored, and which are not, is typically based on resource constraints. Resources are finite and hence need to be deployed wisely; most cybersecurity operations have a finite budget and cannot defend everything, so it is interesting to see which assets organisations choose not to monitor. The organisation's monitoring strategy should be well defined. It is key that the right assets are being monitored, and ideally you should be building your monitoring playbook using tried and tested methods and continuing to evolve it over time.
The MITRE framework provides a good basis for understanding the type of tactics deployed by a would-be attacker, and this is definitely something worth factoring into your monitoring decisions. Attackers use these tactics and techniques to infiltrate networks, steal data, extort payments, or otherwise harm legitimate businesses and their reputations; strategically monitoring the key hops along those paths can be very useful.
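A concrete way to factor the framework into the "which assets do we monitor" decision is to express each log source as the set of ATT&CK tactics it gives you visibility into, and then compute, per asset, which tactics you are blind to. The example below is added here and is not from the original post or from MITRE; the asset inventory, criticality scores and the mapping of log sources to tactics are illustrative assumptions (only the tactic names themselves are ATT&CK's), and you would replace them with your own inventory and your own assessment of what each feed can see.

```python
# Constructed inventory: asset -> criticality (1..5) and the log sources it already
# feeds into monitoring. Asset and source names are hypothetical.
ASSETS = {
    "dc-auth-01": {"criticality": 5, "sources": ["windows-security-log", "edr"]},
    "web-prod-01": {"criticality": 4, "sources": ["web-access-log"]},
    "hr-laptop-17": {"criticality": 2, "sources": []},
}

# Illustrative assumption: which ATT&CK Enterprise tactics each source gives
# visibility into. Your own mapping will differ; the point is that it is written down.
SOURCE_TACTICS = {
    "windows-security-log": {"Credential Access", "Persistence",
                             "Privilege Escalation", "Lateral Movement"},
    "edr": {"Execution", "Persistence", "Defense Evasion", "Command and Control"},
    "web-access-log": {"Initial Access", "Exfiltration"},
    "netflow": {"Lateral Movement", "Command and Control", "Exfiltration"},
}

# The tactics this (constructed) organisation has decided it must see on every asset.
REQUIRED_TACTICS = {
    "Initial Access", "Execution", "Persistence", "Credential Access",
    "Lateral Movement", "Command and Control", "Exfiltration",
}


def tactic_coverage(asset, source_tactics):
    """Union of the tactics visible through all sources attached to an asset."""
    covered = set()
    for source in asset["sources"]:
        covered |= source_tactics.get(source, set())
    return covered


def coverage_gaps(assets, source_tactics, required):
    """Return [(asset_name, criticality, sorted missing tactics)] for assets with gaps,
    most critical first so the list doubles as a work queue."""
    gaps = []
    for name, asset in assets.items():
        missing = required - tactic_coverage(asset, source_tactics)
        if missing:
            gaps.append((name, asset["criticality"], sorted(missing)))
    gaps.sort(key=lambda g: (-g[1], g[0]))
    return gaps


def recommend_source(missing, source_tactics):
    """Pick the single additional source that closes the most missing tactics.
    Ties are broken by source name so the result is deterministic."""
    best_source, best_gain = None, 0
    for source in sorted(source_tactics):
        gain = len(set(missing) & source_tactics[source])
        if gain > best_gain:
            best_source, best_gain = source, gain
    return best_source, best_gain


if __name__ == "__main__":
    for name, crit, missing in coverage_gaps(ASSETS, SOURCE_TACTICS, REQUIRED_TACTICS):
        source, gain = recommend_source(missing, SOURCE_TACTICS)
        print(f"[crit {crit}] {name}: blind to {', '.join(missing)}; "
              f"adding {source} would cover {gain} of them")
```

The output is a prioritised list of blind spots with the cheapest next step for each, which is exactly the artefact a monitoring strategy discussion needs: a documented reason why an asset is or is not monitored, rather than an accident of budget.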
Let's say we have done a review of our asset inventory and have come up with a list of assets that we want to monitor; then what? You need to create a logging and monitoring plan, and there may be prerequisites that you need to contend with. A concept that you don't tend to hear discussed very often in the area of logging and monitoring is forensic readiness. This is the ability of an organisation to maximise its potential to use digital evidence whilst minimising the cost of an investigation. In an ideal world you want to be able to detect and prevent a breach, but in the unfortunate event that you are not able to, you need the ability to extract forensic digital evidence. This ideally needs to be considered as part of the logging prerequisites.
You have identified what you need to monitor, and you work on your technology stack to help your analysts respond to alerts, investigate them and deal with them. So what should I be looking to iterate on? It is key that you automate effectively in order to reduce the strain on security analysts. There is little benefit in analysts spending most of their effort on false positives; that effort belongs on true positives. Security is often framed in the paradigm of technology, people and process, and this is a good way to look at these things, hence your evaluation should include the processes used by the security operations team. Processes need to be standardised to ensure consistent actions so that nothing is omitted or fabricated. This extends to incident management workflows, and standard processes ensure that team members function effectively as a cohesive unit.
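The automation that most directly reduces false-positive load, while keeping the process standardised rather than ad hoc, is a triage step in front of the analyst queue: known-benign alert patterns are suppressed only under a written rule that names an owner and an expiry, repeats of the same alert within a short window are collapsed, and expired suppressions surface as their own finding so that tuning decisions are revisited instead of silently living forever. The code below is an added example, not part of the original post or any particular SIEM's feature; the alerts, rule names, hostnames and ticket reference are constructed.

```python
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed alert stream as it might arrive from a detection pipeline.
ALERTS = [
    {"ts": "2024-05-01T10:00:00Z", "rule": "portscan", "host": "vuln-scanner-01"},
    {"ts": "2024-05-01T10:00:05Z", "rule": "portscan", "host": "vuln-scanner-01"},
    {"ts": "2024-05-01T10:01:00Z", "rule": "bruteforce", "host": "dc-auth-01"},
    {"ts": "2024-05-01T10:01:30Z", "rule": "bruteforce", "host": "dc-auth-01"},
    {"ts": "2024-05-01T10:02:00Z", "rule": "powershell_encoded", "host": "hr-laptop-17"},
    {"ts": "2024-05-01T10:09:00Z", "rule": "bruteforce", "host": "dc-auth-01"},
]

# Constructed suppression register. Every entry has an owner, a change reference and
# an expiry; "CHG-0000" is a placeholder for a real ticket id.
SUPPRESSIONS = [
    {"rule": "portscan", "host": "vuln-scanner-01", "owner": "vuln-mgmt",
     "ticket": "CHG-0000", "expires": "2024-06-01T00:00:00Z"},
    {"rule": "powershell_encoded", "host": "hr-laptop-17", "owner": "desktop-eng",
     "ticket": "CHG-0000", "expires": "2024-04-01T00:00:00Z"},
]


def triage(alerts, suppressions, now, dedup_window=timedelta(minutes=5)):
    """Split alerts into escalate / suppressed / deduplicated and report expired rules.

    A suppression applies only while unexpired. Deduplication keys on (rule, host) and
    drops an alert if an escalated alert with the same key fell within dedup_window.
    """
    active = {(s["rule"], s["host"]) for s in suppressions if parse_ts(s["expires"]) > now}
    expired = [s for s in suppressions if parse_ts(s["expires"]) <= now]
    result = {"escalate": [], "suppressed": [], "deduplicated": [], "expired_suppressions": expired}
    last_escalated = {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        key = (alert["rule"], alert["host"])
        when = parse_ts(alert["ts"])
        if key in active:
            result["suppressed"].append(alert)
            continue
        prev = last_escalated.get(key)
        if prev is not None and when - prev <= dedup_window:
            result["deduplicated"].append(alert)
            continue
        last_escalated[key] = when
        result["escalate"].append(alert)
    return result


if __name__ == "__main__":
    out = triage(ALERTS, SUPPRESSIONS, parse_ts("2024-05-01T12:00:00Z"))
    for bucket in ("escalate", "suppressed", "deduplicated"):
        print(bucket, [(a["rule"], a["host"]) for a in out[bucket]])
    for s in out["expired_suppressions"]:
        print("expired suppression, re-review:", s["rule"], s["host"], s["owner"], s["ticket"])
```

The register is the process artefact: a suppression that cannot name its owner, ticket and expiry does not get added, and an expired one is a prompt to re-decide rather than a permanent blind spot, which is how tuning stays consistent across analysts rather than living in one person's head.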
A conversation on monitoring should also include a threat hunting strategy. A threat hunting strategy needs to be well defined and ideally linked to your threat intelligence capability, which could be in-house, external sources, or a combination of the two. Cyber threat hunting is an active cyber defence activity that entails proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.