Security Monitoring is the catch-all name for the process of detecting threats and managing security incidents. It’s generally broken into two phases:
- Phase 1. Acquiring and analyzing logs, data and indicators of security threats.
- Phase 2. Responding with security risk remediation actions.
In this article, let's take a look at what security monitoring means and how it forms the foundation for your cybersecurity posture.
The security landscape: what security monitoring aims to solve
Security monitoring is essential for many reasons and they all have to do with the evolving security landscape your organization faces every day. The cost of a data breach averages $9.44 million: no small change. The most important assets in your organization — user data, intellectual property and trade secrets — are frequent targets of attacks by malicious actions, including hacktivists, financially motivated cybercriminals and state-sponsored threat actors.
Even worse? These threats can originate from within the network itself, by a rogue internal user or a hacker who is able to successfully compromise login credentials and network access.
The initial stages of the cyber-attack kill chain involve actions such as login attempts, data transfer and server access requests that may indeed be legitimate — but they remain Indicators of Attack (IoA). Vulnerabilities within the network means that a cyberattack can remain under the radar, continuing to exfiltrate data to an external command and control center by employing tactics such as:
- IP spoofing
- Man in the Middle (MiTM) attacks
The good news is that network endpoints and nodes generate large volumes of information in real-time. The logging data contains metadata pertaining to user requests, TCP/IP protocols, error codes, and other information about the endpoint, systems, events, incidents and the wider network.
This data presents an unprecedented opportunity to discover patterns of anomalous behavior and gain insight on potential attempts to infiltrate the network — and that brings us to security monitoring.
How security monitoring works
The principles behind security monitoring are simple: The technology continuously monitors the real-time health of the network by…
- Aggregating logs from all network endpoints and nodes.
- Analyzing this data for real-time threat intelligence.
- Integrating this information with a Security Information and Event Management (SIEM) platform to perform remediation actions.
Remediation actions are often automated, but can also include manual work, as determined by security analysts in charge of this sort of monitoring.
(Read specifically about network security monitoring.)
Challenges with security monitoring
Now to the challenging bits… This all sounds good, in theory. But there are of course challenges with it.
Real-time, scalable data platform & pipeline
Enterprise IT networks are huge, generating vast volumes of logging data in real-time. That means you’ll need a robust mechanism to capture all the log data. To use this log data for security monitoring and analytics applications, you’ll need to know that it’s quality data.
Log analysis requires an efficient and highly scalable data platform that can ingest multi-modal and multi-structured data from multiple sources, and then preprocess it on-demand based on third-party analytics tooling specification. Such a data platform is typically built as a data lake.
Not convinced all this is needed? An inefficient log analysis and data pipeline can also bottleneck the security monitoring process. And in doing so, it reverses the benefits:
- Too many alerts can cause legitimate security threats to be ignored.
- Responding to every monitoring alert can easily overwhelm the limited internal workforce responsible for cybersecurity.
Security monitoring can become expensive quite fast. Though cloud-based storage is inexpensive, the sheer volume of data storage and analytics requests means that cloud-based storage and analytics solutions can scale up to whatever size you need — but this can result in a high Total Cost of Ownership.
Triage & control
Triaging the security risk insights from monitoring and analytics with appropriate control actions is challenging, and often a tradeoff between risk management and flexibility:
- A user can act in a legitimate way to access computing resources and data assets to handle a new and unexpected job requirement.
- Your network can experience spikes of data traffic in response to an external geopolitical event.
These sorts of network access requests are not common, predicted or within the acceptable margins of the risk threshold. That means your SIEM tool may trigger an immediate isolation of the affected network resources, cutting off legitimate users from the network.
On the other hand, offering too much flexibility before triggering a security control action means that the SIEM tools would ignore anomalous traffic patterns and small-scale but costly network infringements until it detects a large-scale DDoS attack.
Optimizing security monitoring for business objectives
One way to handle this tradeoff is to optimize your security metrics performance against realized business objectives of cybersecurity.
Using network & security logs for mean time metrics
This extends the role of monitoring network logs and traffic data and incorporates metrics and KPIs that directly impact operational and business outcomes.
Consider evaluating the Mean-Time metrics (aka failure metrics) such as MTTR, MTBF, MTTA and MTBF. These metrics are intended to achieve service dependability and availability goals. In this context, these metrics are also a direct function of incident management, which depends on network resilience against cyber-attacks, traffic anomalies, data transfer and network access patterns.
Sensors and network nodes
Security monitoring performance also depends significantly on the placement of sensors, or selecting network nodes of interest when it comes to analyzing the network for unauthorized activities. The idea here is to optimally tradeoff between efficiency and coverage: Selecting many endpoints can enhance the security monitoring coverage — but at the cost of efficiency.
Conversely, an efficient security monitoring application is only useful if it encompasses all critical network and data assets.
SIEM with Splunk Enterprise Security
Interested in learning more about Splunk Enterprise Security, our very own SIEM? We’ve got you covered! Take a guided tour now or talk to your account manager.
What is Splunk?
This posting does not necessarily represent Splunk's position, strategies or opinion.