Compliance requirements and cyber security best practices now both include continuous monitoring of your network. How do you choose the solution that best meets your needs?
Here are 5 key questions you will want to answer first:
1) Which systems need to be included in the monitoring? If you are subject to a regulation, the scope is dictated by the systems the regulation covers, such as systems that transmit, process or store cardholder data for PCI DSS or protected health information for HIPAA. If you are not under a compliance mandate, you will need to determine which systems are involved in protecting your critical data and scope the monitoring to them.
2) What level of monitoring is needed? Do you have internal staff who can review the monitoring logs if they are given the data, or do you need an outsourced service that monitors for you and alerts you to potential issues that require further investigation?
3) Who will handle tickets? Typically when an anomaly is found through monitoring, a ticket is created for further investigation. Will your internal staff be able to confirm if there is truly an issue, or do you need to work with outside security resources to make that kind of determination?
4) What about incident response? The monitoring service alerts you to a breach. Now what? Do you have the resources to contain the incident, investigate it, notify affected individuals, and remediate to prevent further damage? An incident response plan that lays out the steps and the resources required should be in place BEFORE an incident occurs, not written during one.
5) What kind of reporting are you looking for? Regulatory requirements aside, there is a wealth of data in the logs, and a monitoring solution can provide very useful views into it: which systems are using the most bandwidth, who is accessing sensitive data, how many unsuccessful attempts to access the network there have been, and where those attempts originate. The best solutions allow the onscreen portal views and reports to be customized for the differing needs of your team, from the CFO and CIO to the network analyst.
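To make the last question concrete, here is an added example (not code from the original article or from any vendor's product) of the kind of view a monitoring solution builds from raw logs: it counts failed logins per source address, lists which accounts each source tried, flags sources that exceed a threshold, and notes any source that eventually succeeded after failing. The log lines are constructed for the example in standard Linux sshd syslog format, using RFC 5737 documentation addresses; the threshold of 3 is an arbitrary assumption.

```python
import re
from collections import Counter, defaultdict

# Constructed sample data in Linux sshd syslog format (not real traffic;
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges).
SAMPLE_LOG = """\
Mar  3 08:01:12 gw sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar  3 08:01:15 gw sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 51130 ssh2
Mar  3 08:01:19 gw sshd[1205]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar  3 08:01:22 gw sshd[1207]: Failed password for root from 203.0.113.5 port 51150 ssh2
Mar  3 08:02:02 gw sshd[1210]: Failed password for jsmith from 198.51.100.14 port 40222 ssh2
Mar  3 08:02:10 gw sshd[1212]: Accepted password for jsmith from 198.51.100.14 port 40222 ssh2
Mar  3 08:03:44 gw sshd[1220]: Failed password for invalid user oracle from 192.0.2.77 port 33001 ssh2
Mar  3 08:03:45 gw sshd[1221]: Accepted publickey for deploy from 10.0.0.9 port 55000 ssh2
"""

# "invalid user" is emitted by sshd when the account does not exist; the
# optional group swallows it so the user name is captured in both cases.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text):
    """Return (failures per source, users tried per source, successes after a failure)."""
    failed = Counter()
    failed_users = defaultdict(set)
    success_after_failure = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed[m["src"]] += 1
            failed_users[m["src"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        # A success from a source that already failed is worth a second look
        # (password guessing that eventually worked, or a user who mistyped).
        if m and failed[m["src"]] > 0:
            success_after_failure.append((m["src"], m["user"], m["method"]))
    return failed, failed_users, success_after_failure


def flag_sources(failed, failed_users, threshold=3):
    """Sources with at least `threshold` failures, most active first, with the accounts they tried."""
    return [
        (src, n, sorted(failed_users[src]))
        for src, n in failed.most_common()
        if n >= threshold
    ]


def summarize_failed_logins(text, threshold=3):
    """One report-style view: where failed attempts come from and which ones matter."""
    failed, failed_users, success_after_failure = parse_auth_log(text)
    return {
        "failed_by_source": dict(failed),
        "flagged": flag_sources(failed, failed_users, threshold),
        "success_after_failure": success_after_failure,
    }


if __name__ == "__main__":
    report = summarize_failed_logins(SAMPLE_LOG)
    print("Failed attempts by source:", report["failed_by_source"])
    for src, n, users in report["flagged"]:
        print(f"FLAG {src}: {n} failures, accounts tried: {', '.join(users)}")
    for src, user, method in report["success_after_failure"]:
        print(f"REVIEW {src}: '{user}' succeeded via {method} after earlier failures")
```

Every one of the "flagged" lines is the kind of anomaly question 3 refers to: it becomes a ticket, and someone still has to decide whether 203.0.113.5 is a scanner or a misconfigured backup job. The single failure from 198.51.100.14 followed by a successful password login is the more interesting entry for a human, which is why the report separates it rather than burying it in the count.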