Security Monitoring

Overview
Information Security Monitoring is the process of continuously assessing and maintaining the effectiveness of security controls and the security posture of the organization. Monitoring includes automated real-time monitoring or audit logging of technical controls as well as manual reviews of management or operational controls.

Guidelines
Information Security Monitoring is a necessary and critical component of the risk management process: it raises awareness of, and visibility into, the organization's information security posture, threats and vulnerabilities, and enables a timely response to threats.

To ensure effective monitoring, organizations should begin by establishing Information Security Policies and Standards covering, at a minimum, vulnerability management, configuration standards and asset management. For example, an effective Asset Management program should include a process to document the assets within the organization that will need to be monitored and assessed. New assets introduced to the organization and its network should be recorded in the asset repository and categorized by data classification and risk, so that appropriate monitoring is in place and prioritized accordingly.

The organization should also maintain awareness of the threats it faces, to ensure that security controls are implemented to mitigate risk to assets (including critical information). For example, applying vendor-provided patches and maintaining secure system configurations can be effective in managing threats that would otherwise exploit software vulnerabilities. Likewise, the threat from malicious software can be managed by keeping anti-virus signatures current through a subscription service.

Once assets and potential threats are identified and security controls are implemented to meet established policies and standards, monitoring should then be used to assess the effectiveness of those controls, raise awareness and respond to threats. The process should include the ability to log security events on assets such as servers, workstations, network and security devices, and critical applications. Security events should be captured in as close to real time as possible (see the Audit Logging topic for more details).

Security events should then be forwarded (and archived) to a central log repository for correlation and analysis of potential security threats and violations of organizational policies. Rules should be established to filter the events arriving from the various systems, both to prioritize remediation efforts and to enable timely incident response. See the Security Information and Event Management (SIEM) topic for details on managing security events.
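The following is an added example, not part of the original page, showing how the two ideas above fit together: a correlation rule run over normalised logon events in a central repository, with the resulting alerts prioritized by the risk tier recorded for each asset in the asset repository. The asset entries, event records, hostnames and addresses are all constructed for illustration; the rule (repeated logon failures from one source, optionally followed by a success) is a deliberately simple stand-in for the rule sets a SIEM would carry.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset repository, as the Guidelines describe: each asset carries
# a data classification and a risk tier that drives alert prioritisation.
ASSETS = {
    "db01": {"classification": "confidential", "risk": 3},
    "web01": {"classification": "internal", "risk": 2},
    "kiosk": {"classification": "public", "risk": 1},
}

# Constructed logon events as they would arrive, already normalised, at the
# central log repository: (ISO-8601 timestamp, host, source IP, outcome).
EVENTS = [
    ("2017-11-21T09:00:01", "db01", "10.0.0.9", "fail"),
    ("2017-11-21T09:00:05", "db01", "10.0.0.9", "fail"),
    ("2017-11-21T09:00:09", "db01", "10.0.0.9", "fail"),
    ("2017-11-21T09:00:15", "db01", "10.0.0.9", "success"),
    ("2017-11-21T09:01:00", "kiosk", "10.0.0.7", "fail"),
    ("2017-11-21T09:01:02", "kiosk", "10.0.0.7", "fail"),
    ("2017-11-21T09:01:04", "kiosk", "10.0.0.7", "fail"),
    ("2017-11-21T09:30:00", "web01", "10.0.0.3", "fail"),
]

def correlate(events, assets, threshold=3, window=timedelta(minutes=5)):
    """Rule: `threshold` failed logons from one source to one host inside
    `window` raises an alert; a later success on the same pair raises its
    severity. Priority = severity * asset risk tier, so the same pattern on
    a confidential database outranks it on a public kiosk."""
    streams = defaultdict(list)
    for ts, host, src, outcome in sorted(events):
        streams[(host, src)].append((datetime.fromisoformat(ts), outcome))
    alerts = []
    for (host, src), seq in streams.items():
        fails = [t for t, o in seq if o == "fail"]
        # end time of the first run of `threshold` failures that fits in `window`
        burst_end = next((fails[i + threshold - 1]
                          for i in range(len(fails) - threshold + 1)
                          if fails[i + threshold - 1] - fails[i] <= window), None)
        if burst_end is None:
            continue
        succeeded = any(o == "success" and t > burst_end for t, o in seq)
        severity = 3 if succeeded else 2
        # A host missing from the repository is itself a finding: it is emitting
        # events without a classification, so it is flagged rather than dropped.
        asset = assets.get(host, {"classification": "unknown", "risk": 1})
        alerts.append({"host": host, "source": src, "rule": "brute-force",
                       "severity": severity, "priority": severity * asset["risk"],
                       "classification": asset["classification"],
                       "inventoried": host in assets})
    return sorted(alerts, key=lambda a: a["priority"], reverse=True)
```

Run against the constructed events, the database logon burst that ends in a success lands at the top of the queue, the kiosk burst is reported at low priority, and the single failure on web01 never fires the rule.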

Security status, in the form of security reporting and metrics, should also be communicated to business units so that security vulnerabilities can be addressed in a timely manner. Reporting is most effective when presented with a risk-based approach that helps business units prioritize their activities. The most common type of reporting used by many organizations is vulnerability scanning reports of systems that may be missing critical patches or carry other vulnerabilities. However, metrics should report on the broader effectiveness of controls, including configuration management, application security, network segregation for more critical applications, and access controls.

Governance, Risk and Compliance (GRC) tools can be leveraged to help businesses manage risk more effectively. GRC tools automate and consolidate the various security metrics into a central reporting dashboard, so that the business can better understand its overall risk posture and reduce risk holistically.


Topic Category
Monitoring and Logging
 
News Articles
Cisco, Interpol team up to share cybercriminal threat data (www.zdnet.com, 11/21/2017)
DHS Alert on Dragonfly APT Contains IOCs, Rules Likely to Trigger False Positives (threatpost.com, 10/23/2017)
Three Equifax execs sold $1.8 million of stock days after breach discovery (www.grahamcluley.com, 9/9/2017)
It took 14 years for this Massachusetts hospital to detect a data breach (www.grahamcluley.com, 8/25/2017)
Blizzard Entertainment Hit With Weekend DDoS Attack (threatpost.com, 8/14/2017)
APT29 Domain Fronting With TOR (www.fireeye.com, 3/27/2017)
Fileless PowerShell malware uses DNS as covert channel (www.computerworld.com, 3/3/2017)
Cybersecurity alliance promoting intel-sharing seeks to expand (www.computerworld.com, 2/14/2017)
Intel Security Launches ‘Threat Landscape Dashboard’ (securingtomorrow.mcafee.com, 2/10/2017)
PowerShell threats surge: 95.4 percent of analyzed scripts were malicious (www.symantec.com, 12/8/2016)
Treasury Dept Tells Financial Orgs to Report Computer Crime and Attacks (www.tripwire.com, 10/26/2016)
Vendetta Brothers, Inc. – A Window Into the Business of the Cybercriminal Underground (www.fireeye.com, 9/29/2016)
Sofacy’s ‘Komplex’ OS X Trojan (researchcenter.paloaltonetworks.com, 9/26/2016)
Improvements to Safe Browsing Alerts for Network Administrators (security.googleblog.com, 4/6/2016)
DHS launches two-way threat sharing system for public-private collaboration (www.scmagazine.com, 3/18/2016)
Your SSH Server On Port 8080 Is No Longer "Hidden" Or "Safe" (isc.sans.edu, 8/3/2015)
Most businesses unprepared for cyberattack, study finds (www.zdnet.com, 3/18/2014)
How Target detected hack but failed to act -- Bloomberg (news.cnet.com, 3/13/2014)
Bank data of 20 million customers leaked in South Korea (www.zdnet.com, 1/20/2014)
SANS Institute Gives McAfee’s ESM 9.2 A Solid Review (blogs.mcafee.com, 8/7/2013)
McAfee ESM named Leader in 2013 Gartner Magic Quadrant for SIEM (blogs.mcafee.com, 6/12/2013)
Cisco hints at possible new security standard (www.theregister.co.uk, 6/12/2013)
Businesses ignore early warning signs of hacking: NAB (www.zdnet.com, 6/6/2013)
DDoS Services Advertise Openly, Take PayPal (krebsonsecurity.com, 5/13/2013)
'Chinese' attack sucks secrets from US defence contractor (www.theregister.co.uk, 5/2/2013)
Big data can be a big headache for data defenders (www.computerworld.com, 4/25/2013)
How Facebook Prepared to Be Hacked (threatpost.com, 3/8/2013)
RSA 2013: Hackers will get in, so spend the money on pushing them out (www.scmagazine.com, 2/27/2013)
HP joins Hadoop party with security plug-in for ArcSight (www.zdnet.com, 2/25/2013)
McAfee updates business security management tools (www.computerworld.com, 2/12/2013)
Almost all US networks can be hacked: Intelligence Committee (www.zdnet.com, 2/11/2013)
Enterprises using new tech to deceive hackers (www.zdnet.com, 1/28/2013)
'Active defense' benefits public sector more (www.zdnet.com, 1/16/2013)
Security audit finds dev OUTSOURCED his JOB to China to goof off at work (www.theregister.co.uk, 1/16/2013)
Bank DDoS Attacks Using Compromised Web Servers as Bots (threatpost.com, 1/11/2013)
Regulator Warns Banks About DDoS Attacks, Encourages Information Sharing (threatpost.com, 12/27/2012)
Juniper Networks offers to mislead hackers from Indian govt, enterprises (www.zdnet.com, 12/19/2012)
Looking for kernel changes among flocks of computers can help organizations detect rootkits, finds a team of researchers (www.darkreading.com, 11/9/2012)
Monitoring To Detect The Persistent Enemies (www.darkreading.com, 10/26/2012)
Possible 'Patch' For Policy On Protecting Government Agency Systems (www.darkreading.com, 10/22/2012)
‘Project Blitzkrieg’ Promises More Aggressive Cyberheists Against U.S. Banks (krebsonsecurity.com, 10/8/2012)
What do cyberattacks mean for the banking industry? (www.zdnet.com, 10/1/2012)
Bank attackers more sophisticated than typical hacktivists, expert says (www.csoonline.com, 9/28/2012)
Triple DDoS vs. KrebsOnSecurity (krebsonsecurity.com, 8/8/2012)
Japanese govt sucked dry for TWO YEARS by Trojan (www.theregister.co.uk, 7/25/2012)
TSA wants spyware to screen employees’ digital activities for leaks (www.nextgov.com, 6/21/2012)
Nortel hacking attack went unnoticed for almost 10 years (www.zdnet.com, 2/14/2012)
DreamHost resets passwords after database breach (www.computerworld.com, 1/23/2012)
Caution urged in City College of SF computer use (www.sfgate.com, 1/17/2012)
Pessimism over FISMA deadline starts at the top, survey finds (gcn.com, 1/3/2012)
White House Orders New Computer Security Rules (www.nytimes.com, 10/6/2011)
White Papers
McAfee Labs Threats Report: September 2017 (securingtomorrow.mcafee.com, 9/25/2017)
McAfee Labs Threats Report: April 2017 (www.mcafee.com, 4/10/2017)
Draft - Technical requirements for continuous monitoring and cloud boundary defense (www.fbo.gov, 6/25/2012)
The CERT Insider Threat Center (www.cert.org, 4/28/2012)
2012 Data Breach Investigations Report (www.verizonbusiness.com, 3/22/2012)
Policies
Security Incident Management Policy
Standards
NIST Information Security Continuous Monitoring for Federal Information Systems and Organizations (NIST, 9/1/2011)
NIST SP 800-184 Guide for Cybersecurity Event Recovery (NIST, 12/22/2016)