It is rather obvious what continuous monitoring is all about. It’s a service that constantly examines your network for malicious and unusual activity. It’s like having a security guard on duty 24/7/365 to keep your network safe.
But really, why do we continuously monitor our system? What are we looking for that monitoring provides for us?
What we should be asking is “Will this give me the fastest notification when something is going wrong with my system?” Framed that way, the answer to why we continuously monitor our systems is easier to understand. “Always on” monitoring by itself is still not enough. You also want to monitor a variety of areas.
- Network monitoring is a service usually delivered through a listen-only (also known as passive) device that watches the traffic on the network. It doesn’t matter what other devices are being used on the network. Network monitoring deals only with who is talking to whom and, where encryption allows it, what communication is taking place. This service can detect communication streams that are not normal or that go to places the network shouldn’t be attempting to reach. This is a quick way to detect “call-home” malicious code, where a service on a local host starts communicating with a remote host so that the remote host can control it.
- Host-based monitoring is a service where a piece of software (called an agent) is installed on the local host to monitor the internal operations of the host. This monitors the services the host is using, hardware and software failures, as well as unknown services starting up. These agents can have additional services associated with them, such as anti-virus detection and intrusion detection capabilities.
- Logging is also a part of monitoring, since it provides a record of what has been captured and chronicled through monitoring. Unfortunately, monitoring services can be sold without logging. If you don’t have logging, you will have no proof or correlation of events for legal or forensic purposes. Logs should be stored off the network and/or captured through out-of-band communication, both so an intruder on the network cannot tamper with them and because they can hold sensitive information on business activities.
So, if you have monitoring and logging, what should you be looking for in real-time (continuously) from this service? Alerts of course. Reaction time is critical to reduce the damage of an incident, and those alerts need to be germane to your business. That means alerts should be configurable to help the organization detect what is important to their operations.
For example, if you have a database that contains research work on a proprietary product, wouldn’t you want to know if information was being extracted/copied (or altered) from that database? (The answer is “Yes.” You need to protect your intellectual property, and so you need a configuration that targets this area.) How about the HR department that is communicating with a company in a foreign country? Or an unapproved network scan? Many generic alerts are preconfigured in a monitoring program. However, some unique detections may need to be configured as well.
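The three monitoring areas above and the configurable alerts just described can be tied together in a small rule engine. The following is an added example, not code from the original article: it reads constructed network flow records (timestamp, source host, destination, port, bytes sent), applies three configurable rules, and returns alerts. The rules are a “call-home” beacon check (a host contacting the same destination at near-constant intervals), an unapproved network scan check (one source touching many ports on one destination), and a sensitive-host rule for a hypothetical research database (traffic to a peer outside its allow list, or a bulk transfer larger than a threshold). All host names, addresses, thresholds and the `CONFIG` structure are assumptions made for the example.

```python
"""Rule-based alerting over network flow records (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Hypothetical, organisation-specific tuning: this is the "configurable" part.
CONFIG = {
    "beacon_min_connections": 5,        # how many repeats before we call it a beacon
    "beacon_max_jitter_seconds": 5.0,   # std deviation of intervals allowed for a beacon
    "scan_min_distinct_ports": 10,      # distinct ports from one source to one host
    "sensitive_hosts": {                # hosts whose egress is tightly policed
        "db-research": {"allowed_peers": {"10.0.0.40"}, "max_bytes": 10_000_000},
    },
}

# Constructed sample flows: timestamp, source host, destination IP, port, bytes out.
SAMPLE_FLOWS = """\
2024-05-01T09:00:00 ws-17 203.0.113.9 443 512        # ws-17 calls home every 60 s
2024-05-01T09:01:00 ws-17 203.0.113.9 443 498
2024-05-01T09:02:00 ws-17 203.0.113.9 443 530
2024-05-01T09:03:00 ws-17 203.0.113.9 443 501
2024-05-01T09:04:00 ws-17 203.0.113.9 443 515
2024-05-01T09:00:10 ws-22 10.0.0.5 21 60             # ws-22 walks ports 21-30 on 10.0.0.5
2024-05-01T09:00:11 ws-22 10.0.0.5 22 60
2024-05-01T09:00:12 ws-22 10.0.0.5 23 60
2024-05-01T09:00:13 ws-22 10.0.0.5 24 60
2024-05-01T09:00:14 ws-22 10.0.0.5 25 60
2024-05-01T09:00:15 ws-22 10.0.0.5 26 60
2024-05-01T09:00:16 ws-22 10.0.0.5 27 60
2024-05-01T09:00:17 ws-22 10.0.0.5 28 60
2024-05-01T09:00:18 ws-22 10.0.0.5 29 60
2024-05-01T09:00:19 ws-22 10.0.0.5 30 60
2024-05-01T09:10:00 db-research 10.0.0.40 5432 20000        # normal query result to approved client
2024-05-01T09:11:00 db-research 10.0.0.40 5432 50000000     # 50 MB to approved client: bulk copy?
2024-05-01T09:12:00 db-research 198.51.100.77 5432 85000000 # 85 MB to a host not on the allow list
2024-05-01T09:15:00 ws-03 10.0.0.40 445 2048                # ordinary internal traffic, no alert
"""


def parse_flows(text):
    """Turn the whitespace-separated records into dicts; '#' starts a comment."""
    flows = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "port": int(port), "bytes": int(nbytes)})
    return flows


def detect_beacons(flows, cfg):
    """Flag (src, dst, port) tuples contacted repeatedly at a steady interval."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"], f["port"])].append(f["ts"])
    alerts = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < cfg["beacon_min_connections"]:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= cfg["beacon_max_jitter_seconds"]:
            alerts.append(("beacon", src, f"{dst}:{port}",
                           f"{len(times)} connections about every {sum(gaps) / len(gaps):.0f}s"))
    return alerts


def detect_port_scans(flows, cfg):
    """Flag a source that touches many distinct ports on a single destination."""
    ports = defaultdict(set)
    for f in flows:
        ports[(f["src"], f["dst"])].add(f["port"])
    return [("port_scan", src, dst, f"{len(p)} distinct ports")
            for (src, dst), p in ports.items() if len(p) >= cfg["scan_min_distinct_ports"]]


def detect_sensitive_egress(flows, cfg):
    """Apply per-host policy: unknown peers first, then transfer size."""
    alerts = []
    for f in flows:
        policy = cfg["sensitive_hosts"].get(f["src"])
        if policy is None:
            continue
        if f["dst"] not in policy["allowed_peers"]:
            alerts.append(("unapproved_peer", f["src"], f["dst"],
                           f"{f['bytes']} bytes to a host outside the allow list"))
        elif f["bytes"] > policy["max_bytes"]:
            alerts.append(("bulk_transfer", f["src"], f["dst"],
                           f"{f['bytes']} bytes exceeds {policy['max_bytes']}"))
    return alerts


def run_rules(text, cfg=CONFIG):
    """Run every rule over the flow text and return the combined alert list."""
    flows = parse_flows(text)
    return (detect_beacons(flows, cfg) + detect_port_scans(flows, cfg)
            + detect_sensitive_egress(flows, cfg))


if __name__ == "__main__":
    for kind, src, dst, detail in run_rules(SAMPLE_FLOWS):
        print(f"[{kind}] {src} -> {dst}: {detail}")
```

Running the block reports four alerts: the beacon from ws-17, the scan from ws-22, the bulk copy from the research database to its approved client, and the transfer from the research database to an unlisted host; the ordinary internal traffic from ws-03 produces nothing. Each threshold lives in `CONFIG`, which is the point the article makes: the generic rules ship with the tool, but the research-database policy is something the organization has to write for itself.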
Every organization is different and has different concerns and possible threats to their system. These potential threats can be determined through a risk assessment, a topic for a future article, or you can reach out to me to discuss further.