By now, most organizations understand the importance of monitoring their networks. But is all network security monitoring the same?
The first decision is to identify what devices need to be monitored. If you fall under regulatory compliance, such as Payment Card Industry or HIPAA, the devices that handle the protected data need to be monitored. If you are monitoring for cybersecurity best practice, think about where sensitive data is located, which systems have access to it, and also what type of log information you can retrieve from those devices.
Once you have a device inventory, how will you collect all of the data feeds? Log collection brings disparate device feeds together for easier viewing and correlation of data. Log collectors range from open source tools to high-end security information and event management (SIEM) software. If you want to customize business rules for monitoring, such as alerting on repeated failed logon attempts or on simultaneous logons with the same credentials from different IPs, you will want a solution that lets you write rules that surface meaningful information for you.
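The two rules just mentioned, run over a handful of constructed authentication events, as an added example (not code from the article or from any particular SIEM product). The log format, the user names, the IP addresses and the thresholds are all assumptions chosen to make the two detections fire.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth events in an assumed 'timestamp user ip result' format.
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice 10.0.0.5 FAIL
2024-03-01T08:00:09 alice 10.0.0.5 FAIL
2024-03-01T08:00:15 alice 10.0.0.5 FAIL
2024-03-01T08:00:21 alice 10.0.0.5 FAIL
2024-03-01T08:00:30 alice 10.0.0.5 FAIL
2024-03-01T08:05:00 bob 10.0.0.7 OK
2024-03-01T08:06:10 bob 203.0.113.9 OK
2024-03-01T09:00:00 carol 10.0.0.8 FAIL
"""

def parse_log(text):
    """Parse 'ts user ip result' lines into (datetime, user, ip, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return sorted(events)

def failed_logon_alerts(events, threshold=5, window=timedelta(minutes=1)):
    """Rule 1: alert on any user with >= threshold FAIL results inside a sliding window."""
    fails = defaultdict(list)      # user -> timestamps of recent failures
    alerts = set()
    for ts, user, _ip, result in events:
        if result != "FAIL":
            continue
        fails[user] = recent = [t for t in fails[user] if ts - t <= window] + [ts]
        if len(recent) >= threshold:
            alerts.add(user)
    return sorted(alerts)

def concurrent_logon_alerts(events, window=timedelta(minutes=10)):
    """Rule 2: alert when one credential logs on from two different IPs within the window."""
    last_ok = defaultdict(list)    # user -> [(timestamp, ip)] of recent successful logons
    alerts = set()
    for ts, user, ip, result in events:
        if result != "OK":
            continue
        last_ok[user] = [(t, i) for t, i in last_ok[user] if ts - t <= window]
        if any(i != ip for _t, i in last_ok[user]):
            alerts.add((user, ip))     # report the credential and the second source IP
        last_ok[user].append((ts, ip))
    return sorted(alerts)
```

Both rules are sliding-window checks, so the same functions work unchanged on a continuous feed as long as events arrive in time order.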
Who will be monitoring the data? The biggest decision is often whether to monitor using internal resources or to outsource monitoring. Questions to consider include:
Do you have enough staff to consistently monitor the feeds 24/7/365? Some monitoring is better than none, but given the sheer volume of data, it’s very easy to miss suspicious activity without constant vigilance. A single firewall can easily generate a million log entries a month.
Does your internal staff have the training to know what to look for? Sure, some device alerts are obvious. But malware purveyors and hackers are always using new techniques to evade detection, and it won’t help you to look at logs if you can’t recognize anomalies that need further investigation to rule out an issue.
Can your team respond to a cyber incident on their own? Let’s assume they are watching 24/7/365 and can recognize something suspicious. Now what? Do they have the knowledge and experience to respond in a way that mitigates the incident and preserves forensic data that can be key to proper remediation, reporting and/or future legal action?
Have you come to the conclusion that outsourcing your network security monitoring is the way to go? Not all outsourced security solutions are the same either, and the differences go beyond cost. The solution you choose should be able to receive the feeds that are critical to you, adapt its business rules and create specific rules that meet your needs, continue tuning beyond the initial onboarding to screen out “noise” that could mask important alerts, manage your devices (if needed), and include an option for incident response should it be needed. If you do have an internal team, they should have access to the data as well for their own analysis and reporting.