Well, it’s central to detecting threats to your IT systems. It acts as your eyes and ears when detecting and recovering from security incidents, and it lets you check that devices are being used in accordance with your organisational policies.
Effective monitoring relies on proportionate, reliable logging and device management practices. This guidance is designed to give system and network admins advice on the logging and monitoring options available on modern platforms.
What use is it to me, I hear you ask? Well, many incidents begin on a single host. From there the attacker tries to strengthen their foothold by moving laterally: stealing credentials, impersonating accounts, abusing legitimate administration tools, or exploiting known flaws in outdated versions of network protocols, in order to compromise further devices and reach more data and services. Each of those steps leaves traces on the hosts involved, and those traces are what monitoring exists to catch.
In a cloud environment some of these techniques are less effective or do not apply. However, your users still have to reach those cloud services from devices, so monitoring device activity, health and configuration remains important, perhaps more so, because it feeds the decision on whether to permit a device access to organisational services and data at all.
That raises the question: how many of you actually know whether your network security devices are logging at all, i.e. what logging they are capable of and whether it is actually switched on? It seems a basic question, but often when your IT supplier installs a firewall, for instance, they will not enable logging, because they are not maintaining the firewall and know that nobody is going to look at the logs anyway. Check the rule base itself rather than assuming: a rule with no logging action produces no log line, and logs kept only on the device itself are gone once its buffer wraps or it reboots.
These logs can be critical. They will tell you if the bad guys are trying to break in, and how often. Crucially, whether they made it in or not. Many people tell me they believe they have adequate security because they’ve never been hacked. My response is, ‘how do you know?’. A stealth attack on a network is designed so that you don’t know whether you’ve been hacked or not. The idea is very often to build a back door into the network so that they can come back again and again. It is almost impossible for a human to monitor firewall logs by eye. A busy network can generate thousands of log lines per hour. It needs a machine.
A security operations system that includes protective monitoring can do many other things if required. It can correlate the alerts from your anti-malware and endpoint protection with the firewall and host logs, so that an accepted connection at the perimeter can be tied to what happened on the host it reached. It can feed in threat intelligence and vulnerability assessments. The list is not exhaustive.
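To make the last two points concrete, here is a small added example of the kind of job the “machine” does over firewall logs (it is illustrative code written for this post, not H2’s tooling or any product’s). It answers the three questions in order: who is trying to get in and how often, whether any of them got an accepted connection after repeated blocks, and whether an endpoint alert on the host they reached followed shortly afterwards. The log lines and endpoint alerts are constructed; the `FW-DROP:` / `FW-ACCEPT:` prefixes and the field layout are an assumption about how the firewall rules were written, so the regular expression is the part you adapt to whatever your device actually emits.

```python
"""Firewall log triage: who is knocking, how often, and did anyone get in.
Added example for this post, not H2's own tooling; log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an iptables-style syslog layout. The FW-DROP /
# FW-ACCEPT prefixes are an assumption about the --log-prefix used in the rules.
SAMPLE_LOG = """\
Mar 12 10:00:01 fw kernel: FW-DROP: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 12 10:00:03 fw kernel: FW-DROP: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 12 10:00:04 fw kernel: FW-DROP: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 12 10:00:06 fw kernel: FW-DROP: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 12 10:00:09 fw kernel: FW-DROP: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Mar 12 10:00:15 fw kernel: FW-ACCEPT: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Mar 12 10:00:20 fw kernel: FW-DROP: IN=eth0 SRC=198.51.100.4 DST=192.0.2.11 PROTO=TCP DPT=445
Mar 12 10:01:00 fw kernel: FW-ACCEPT: IN=eth0 SRC=198.51.100.9 DST=192.0.2.12 PROTO=TCP DPT=443
"""

# Adjust this to your firewall's real format; only the named groups matter below.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: FW-(?P<verdict>DROP|ACCEPT): "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)
LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return a dict for one firewall log line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{LOG_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    ev["dpt"] = int(ev["dpt"])
    return ev


def parse_log(text):
    return [ev for ev in (parse_line(line) for line in text.splitlines()) if ev]


def attempts_per_source(events):
    """'Are they trying to break in, and how often?': blocked attempts per source."""
    counts = defaultdict(int)
    for ev in events:
        if ev["verdict"] == "DROP":
            counts[ev["src"]] += 1
    return dict(counts)


def sources_that_got_in(events, min_drops=5):
    """'Did they make it in?': sources with at least min_drops blocked attempts
    that later get an ACCEPT to any inside host. Returns (src, dst, dpt, time)."""
    drops_so_far = defaultdict(int)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["verdict"] == "DROP":
            drops_so_far[ev["src"]] += 1
        elif drops_so_far[ev["src"]] >= min_drops:
            hits.append((ev["src"], ev["dst"], ev["dpt"], ev["ts"]))
    return hits


# Constructed endpoint-protection alerts keyed by host IP; the shape is an
# assumption about what an anti-malware/EDR agent would hand to the SOC system.
SAMPLE_ENDPOINT_ALERTS = [
    {"host": "192.0.2.10", "ts": datetime(2024, 3, 12, 10, 3, 0), "name": "Suspicious lsass.exe access"},
    {"host": "192.0.2.12", "ts": datetime(2024, 3, 12, 14, 0, 0), "name": "PUA detected"},
]


def correlate(accepts, alerts, window=timedelta(minutes=15)):
    """Pair each 'got in' accept with endpoint alerts on the same host inside the
    window after it. The firewall alone cannot say what the connection did; the
    endpoint alone cannot say where it came from; together they can."""
    matches = []
    for src, dst, dpt, ts in accepts:
        for alert in alerts:
            if alert["host"] == dst and ts <= alert["ts"] <= ts + window:
                matches.append({"src": src, "host": dst, "dpt": dpt, "alert": alert["name"]})
    return matches


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("blocked attempts:", attempts_per_source(events))
    got_in = sources_that_got_in(events)
    print("got in after repeated blocks:", got_in)
    print("correlated with endpoint alerts:", correlate(got_in, SAMPLE_ENDPOINT_ALERTS))
```

On the sample, 203.0.113.7 is blocked five times on port 22, is then accepted on 3389, and three minutes later the host it reached raises an endpoint alert; that single correlated record is what an analyst needs to see, and it is not visible in either log on its own. The threshold, the window and the port list are the tuning knobs a real deployment spends its time on.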
But the real problem here is return on investment for SMEs. It’s great that the enterprise environments of Fortune 500 companies and the like, and of course major central government departments, can afford this, often on an individual basis. But it has traditionally been well out of reach for SMEs on the grounds of cost alone.
So it’s time for a bit of innovation. Here at H2 we are partnering with a couple of other companies to come up with a way to make this affordable, especially when coupled with other network administration functions. In brief, the idea is that we would manage multiple different SMEs through the same environment, much as a cloud provider does, and offer them a menu of options for protective monitoring and correlation, including alerting and incident recovery. Costs would then be shared amongst all, and very possibly the more that join, the more cost-effective it becomes.
We are very excited about this, and more detail will follow in the coming weeks.