Pass through any public spaces these days (and a good deal of private ones too), and the chances are you’re on CCTV. Caught on camera, beamed back to a security office where your behaviour is constantly monitored by staff trained to spot anything suspicious or inappropriate.
Should any activity arouse suspicion, those security staff are well-placed to detect and react to the threat with alacrity, far quicker than in those hazy pre-CCTV days when dodgy behaviour might go unnoticed until damage was already done.
Now, just as any airport or shopping centre today would not dream of compromising the round-the-clock monitoring of their premises, so every single cyber-risk-conscious company should be constantly and at all times monitoring the use of their systems.
Monitoring is a crucial part of the cyber risk management regime we’ve been discussing in this blog series. While you’re assessing risks, publishing policies, educating your users, managing their privileges, and addressing the risks posed by mobile working and use of removable media, how will you know whether these steps are working, unless you are monitoring day-to-day traffic and use? And how, even with your risk-minimising steps in place, would you detect a threat if it arose?
Just like those security guys in their shopping centre CCTV booth, your constant day-to-day monitoring should enable you to:
- Detect attacks, from both outside your organisation, and the result of accidental or deliberate internal user activity.
- React to attacks – if you’re on the ball with detecting an attack, you can be far swifter at countering it, thus minimising the impact or damage caused.
- Keep an eye on user activity – day-to-day surveillance of your systems will give you the full picture as to how your systems, services and information are being used by your employees. Without sounding too Big Brother-like, you’ll soon pick up on behaviour that’s suspicious or just not in line with the policies staff have signed up to.
- Comply with legal or regulatory requirements that are becoming more and more the norm.
And it’s worth pointing out that this monitoring shouldn’t be delegated to someone way down in the IT team, but should involve the big bods right up to board level, with regular reports made to them and their feedback expected on any action to take or developments moving forward.
So how do you establish the most effective monitoring process?
As ever, the UK National Cyber Security Centre is helpful in giving some sage advice:
- Write a monitoring strategy: Drawn up by the leadership team and understood by all employees. Base it on business need and realistic assessment of risk, and cover both technical and transactional monitoring as appropriate. When writing it, think about how any previous security incidents slipped through, and tie it in with your incident management plan (discussed in next week’s blog).
- Monitor all systems: it’s no good having a patchy approach, or something will slip through – so make sure all networks, systems and services are covered, including network, host-based and wireless Intrusion Detection Systems (IDS). Ideally set up signature-based capabilities to detect attacks, and more open capabilities to track unusual system behaviour.
- Monitor network traffic: Traffic both in and out of your network should be tracked to identify unusual activity or trends that could indicate attacks. Unusual traffic – such as connections from unexpected IP ranges overseas – or large data transfers should automatically generate security alerts and prompt investigation.
- Monitor user activity: Your monitoring capabilities should have the ability to identify unauthorised or accidental misuse of systems or data. Critically, it should be able to tie specific users to suspicious activity – though do take care to ensure that all user monitoring complies with legal or regulatory constraints.
- Fine-tune your monitoring: Tune your monitoring systems appropriately to only collect events and generate alerts that are relevant. Otherwise you’ll end up with so much information and unnecessary alerts that this could mask the detection of real attacks as well as costing a fortune in data storage and investigatory resources.
- Collect and analyse your information in one place: Establish somewhere central to collect and analyse the information and alerts you’re getting from monitoring right across the organisation. Make sure most of it is automated, so your analysts aren’t spending hours trawling through volumes of data but can concentrate on anomalies. Also, critically, ensure that your monitoring system does not itself provide an opportunity for attackers to bypass normal network security and access controls.
- Provide resilient and synchronised timing: Have your monitoring and analysis of audit logs supported by a centralised and synchronised timing source, used across the entire organisation to support incident response and investigation.
- Write an incident management policy: So that you know what to do in the event of an incident being detected. We’ll be looking at this in our next blog.
- Constantly test and review: Don’t assume things are running like clockwork as you intended. Have processes in place to test your monitoring capabilities, learn from any incidents that do arise, and continuously work on improving the efficiency of your monitoring.
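To show how several of those steps fit together in practice, here is a small added example (my own illustration, not code from the post or from the NCSC): it reads constructed log lines from a hypothetical central collector, only accepts records carrying a synchronised UTC timestamp, flags connections to IP ranges outside the expected set and unusually large transfers, ties every alert to a user, and applies one tuning rule so a repeated destination does not flood the analyst with duplicates. The log format, the expected ranges and the 50 MB threshold are all assumptions for the example.

```python
"""Added example: flag unexpected destinations and large transfers in centrally collected logs."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timezone

# Tuning knobs (assumed values for this example): expected destination ranges and "large" threshold.
EXPECTED_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.0.2.0/24")]  # stand-in for a known partner range
LARGE_TRANSFER_BYTES = 50_000_000

# Constructed log format from a hypothetical collector: <UTC stamp> host=<name> user=<id> dst=<ip> bytes=<n>
# The timestamp must end in "Z": records without a synchronised UTC stamp are rejected.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) host=(?P<host>\S+) "
                     r"user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$")

SAMPLE_LOGS = """\
2024-05-01T09:12:03Z host=fs01 user=alice dst=10.1.4.20 bytes=120000
2024-05-01T09:12:40Z host=fs01 user=bob dst=198.51.100.9 bytes=3200
2024-05-01T09:13:02Z host=ws17 user=alice dst=192.0.2.44 bytes=80000000
2024-05-01T09:13:15Z host=ws17 user=alice dst=198.51.100.9 bytes=2048
2024-05-01T09:14:00Z host=fs01 user=bob dst=198.51.100.9 bytes=4100
"""

def parse_line(line):
    """Return one normalised record, or None if the line does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["bytes"] = int(rec["bytes"])
    return rec

def analyse(log_text):
    """Return alerts keyed by user, so each finding is tied to a specific account."""
    alerts, seen_pairs = defaultdict(list), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not any(rec["dst"] in net for net in EXPECTED_RANGES):
            # Tuning: one alert per user/destination pair, not one per connection.
            if (rec["user"], rec["dst"]) not in seen_pairs:
                seen_pairs.add((rec["user"], rec["dst"]))
                alerts[rec["user"]].append(("unexpected_range", rec["ts"], str(rec["dst"])))
        if rec["bytes"] >= LARGE_TRANSFER_BYTES:
            alerts[rec["user"]].append(("large_transfer", rec["ts"], rec["bytes"]))
    return dict(alerts)
```

Running `analyse(SAMPLE_LOGS)` yields one unexpected-range alert for bob (the repeat connection is suppressed) and two alerts for alice: the large transfer to a permitted range and her connection to the unexpected address.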