In my previous blog, I introduced the idea that the concepts around security incident response need to evolve based on the threat landscape facing organizations. The first step in heading towards this next generation of security operations is improving the visibility into what is going on with the technical infrastructure. I used the analogy of giving telescopes to the lookouts on the castle walls to see the impending attack sooner.
First, our lookouts need to be looking in the right direction and taking in the activities in and around our castle. Real Time Monitoring is necessary to capture events and organize the data so that the security operations function can make sense of the activity. Security Information and Event Management (SIEM), log collection and correlation systems are examples of this infrastructure. It would also include file integrity monitoring systems, system event logging systems, application logging systems and any other technology, role or process that actively monitors systems.
Secondly, the lookouts need not only to see, but to understand, what is going on around them. So the second element is enabling Forensics and Analysis: reviewing the security information produced by the real time monitoring processes and, with expert input, identifying patterns of active threats in the infrastructure. This also includes the evidence collection, preservation and analysis processes that support Incident Management and Investigations.
Most organizations have these capabilities. The depth and breadth of their ability to capture and inspect events and network traffic vary, but this infrastructure has been part of security strategies for a while. There are two key inputs that are needed to really move the needle when it comes to improving these capabilities within Security Operations.
‘Real time’ event analysis opens up many challenges: too much data moving too quickly towards an overwhelmed team of people. The technologies for these monitoring processes are getting better. A dimension that can greatly advance the process is feeding the criticality and data profile of devices into the mix. Understanding how devices connect to business processes, and ultimately what data flows through those devices, provides ‘business context’ and is the next evolution of ‘tuning’ for real time monitoring.
The second factor in improving monitoring processes is security intelligence and ‘indicators of compromise’. Known malicious code, URLs, hosts and other data will assist security operations in identifying possible attacks or actual breaches. This information, coupled with the ‘business context’, greatly improves the prioritization ability of security operations.
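To make the two inputs above concrete, here is an added example (not code from the original post) that enriches normalised security events with a constructed asset inventory (criticality and data profile, i.e. ‘business context’) and a constructed indicator-of-compromise feed, then ranks the events so the analyst queue leads with the highest-risk activity. All hosts, addresses, hashes and scoring weights are constructed sample values.

```python
# Added example (constructed data, not from any real environment): enrich raw
# security events with asset criticality / data profile ("business context")
# and indicator-of-compromise matches, then rank them for the analyst queue.
from dataclasses import dataclass
# Constructed asset inventory: criticality 1 (low)..5 (critical), data handled.
ASSETS = {
    "10.0.1.10": {"name": "payroll-db", "criticality": 5, "data": "PII"},
    "10.0.1.20": {"name": "web-frontend", "criticality": 3, "data": "public"},
    "10.0.1.30": {"name": "dev-sandbox", "criticality": 1, "data": "none"},
}
DATA_WEIGHT = {"PII": 3, "confidential": 2, "public": 1, "none": 0}
# Constructed threat-intelligence feed: known-bad hosts and a placeholder hash.
IOC_HOSTS = {"198.51.100.7", "malware.example.test"}
IOC_HASHES = {"d41d8cd98f00b204e9800998ecf8427e"}
BASE_SEVERITY = {"login_failure": 1, "outbound_conn": 2, "file_write": 2}
@dataclass
class Event:
    src: str
    dst: str
    kind: str
    file_hash: str = ""

def asset_for(event):
    """Business context for whichever end of the event is an inventoried asset."""
    return ASSETS.get(event.src) or ASSETS.get(event.dst) or {"name": "unknown"}

def score(event):
    """Base severity x business context, plus a flat bonus per IoC match."""
    asset = asset_for(event)
    context = asset.get("criticality", 1) + DATA_WEIGHT.get(asset.get("data", "none"), 0)
    ioc = 0
    if event.src in IOC_HOSTS or event.dst in IOC_HOSTS:
        ioc += 5  # talks to a known-bad host
    if event.file_hash in IOC_HASHES:
        ioc += 5  # known-malicious file written
    return BASE_SEVERITY.get(event.kind, 1) * context + ioc

def prioritize(events):
    """Return (score, asset name, event) triples, highest risk first."""
    ranked = [(score(e), asset_for(e)["name"], e) for e in events]
    return sorted(ranked, key=lambda r: r[0], reverse=True)

# Constructed sample events, as a SIEM might emit them after normalisation.
SAMPLE = [
    Event("10.0.1.30", "203.0.113.5", "outbound_conn"),     # sandbox, unknown dst
    Event("10.0.1.10", "198.51.100.7", "outbound_conn"),    # payroll DB -> IoC host
    Event("10.0.1.20", "10.0.1.20", "login_failure"),       # web frontend
    Event("10.0.1.30", "10.0.1.30", "file_write", "d41d8cd98f00b204e9800998ecf8427e"),
]
```

The same outbound connection scores 2 from the sandbox but 21 from the payroll database, which is exactly the reordering that business context plus threat intelligence is meant to produce.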
I won’t keep the analogy running too much longer and exhaust my readers, but I think it is an apropos way to look at this. The first iteration of real time monitoring placed lookouts on the ramparts focused on watching everything going on OUTSIDE the castle. Next, we told the lookouts to watch both outside and inside the castle. Now we need to give the lookouts better methods to view what is going on and methods to identify areas of surveillance (key vulnerable areas, indicators of malicious activity, etc.) that need extra attention.