Many of the recently publicized security breaches have hit companies that were compliant with PCI standards, had received SAS-70 Certification, and/or had passed numerous independent third-party audits. According to the 2009 Verizon Data Breach Investigations Report,
"The majority of breaches still occur because basic controls were not in place or because those that were present, were not consistently implemented across the organization."
Our conclusion from this research study is that if active security monitoring had been in place, the data breach might have been detected more quickly, prevented, or even stopped entirely.
Why Should I Monitor?
If I'm not doing it now, why do I need it? Security monitoring touches many issues, ranging from compliance, fraud detection, insider threat, and employee abuse to data security breaches, personal data compromise, and legal liability. Several key issues include:
- Protect Sensitive Data & Company Assets
- Required Compliance by Government & Industry
- Business Disruption
- Legal Liability
- Brand & Reputation Loss
- Fines for Data Breach (PCI, HIPAA, etc.)
A recent Verizon Business Data Breach Investigations Report states that "the ability to detect a breach when it occurs is a huge stumbling block for most organizations; during the last five years, few victims discover their own breaches. Fewer still discover them in a timely manner." This is an alarming finding: the vast majority of companies do not have the ability to detect whether a data breach or attack has occurred.
What Is Monitoring?
Monitoring is NOT logging. Computer security data and event monitoring brings the information in security logs into an operations environment that consistently applies threat and risk evaluation, together with response, as a continuous monitoring and response process. It consists of the following components:
- Centrally collecting events from all critical systems, applications, security devices, and potential threat sources in real time
- Performing active analysis of traffic, data, and events in real time
- Utilizing a risk-based framework, applying standardized criteria to evaluate risk and decide what actions to take
- Responding to high-risk security events/alerts according to the Security Incident Response Policy and Plan
- Ongoing evaluation of threat and risk information, along with response, in a continuous process
What Should I Monitor?
It is often impractical, and also expensive, to monitor every device, application, and system within the network. It is a security Best Practice to treat data differently based on its importance and risk to the organization, so the best approach is to find the right balance between monitoring the critical devices and systems that hold important and compliance-related data and those that do not. This is a difficult challenge, because the weak link that leads to a data compromise is often in an unprotected or less critical part of the network; finding the right blend of data sources, system devices, and threat indicators is therefore essential to a cost-effective and well-tuned alerting and response system. Monitoring Best Practices in this area include:
- Integrate "siloed" data sources, such as vulnerability scans, into the active monitoring environment
- Define a balanced Monitoring Scope relevant for your business, compliance environment, and risk tolerance
- You don't have to cover everything at once; you can start small and grow over time with the right subscription model (such as SaaS/IaaS)
- Monitoring multiple data sources improves context and correlation
- Centralize your monitoring efforts and data into a single Integrated Environment that includes reporting, alerting, triage, and response
- Every device that is security or compliance related in any way should be fully monitored
- Include often overlooked data sources such as DNS, Routers, Devices with ACLs, Application Logs, Directory Services and others
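To make the risk-based component list under "What Is Monitoring?" and the multi-source Best Practices above concrete, here is an added example (not code from the original article). It correlates constructed records from a vulnerability scanner, directory services, DNS logs and a router per host, applies standardized indicator weights, and maps the resulting score to an action; the source names, indicator names, weights and thresholds are assumed values chosen for illustration.

```python
from collections import defaultdict

# Standardized criteria (assumed weights) per indicator type, whatever the
# source: vulnerability scanner, directory services, DNS logs, routers/ACLs.
WEIGHTS = {"vuln_critical": 40, "auth_failure_burst": 30,
           "dns_new_domain": 20, "acl_deny": 10}
# Action thresholds (assumed), checked from highest to lowest.
THRESHOLDS = [(70, "incident"), (30, "alert"), (0, "log")]

def parse_line(line):
    """Parse one constructed 'source|host|indicator' record."""
    source, host, indicator = line.strip().split("|")
    return source, host, indicator

def correlate(records):
    """Group indicators per host; a repeated indicator counts only once."""
    per_host = defaultdict(dict)  # host -> {indicator: source}
    for source, host, indicator in records:
        per_host[host][indicator] = source
    return per_host

def score(indicators):
    """Apply the standardized weights; unknown indicators add nothing."""
    return sum(WEIGHTS.get(i, 0) for i in indicators)

def decide(total):
    """Map a risk score to the action the response plan prescribes."""
    for threshold, action in THRESHOLDS:
        if total >= threshold:
            return action
    return "log"

def evaluate(lines):
    """Return {host: (score, action, sorted sources)} for a batch of records."""
    result = {}
    for host, indicators in correlate(map(parse_line, lines)).items():
        total = score(indicators)
        result[host] = (total, decide(total), sorted(set(indicators.values())))
    return result

# Constructed sample: three sources agree on db01; single signals elsewhere.
SAMPLE = [
    "vuln_scan|db01|vuln_critical",
    "directory|db01|auth_failure_burst",
    "dns|db01|dns_new_domain",
    "dns|db01|dns_new_domain",  # duplicate, counted once
    "router|web02|acl_deny",
    "directory|ws15|auth_failure_burst",
]
```

Running `evaluate(SAMPLE)` shows the point of correlation: db01 reaches "incident" only because three otherwise separate sources agree, while the same directory signal seen alone on ws15 stays at "alert".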
These are only a few suggestions for monitoring. If you would like a more in-depth discussion of your security monitoring needs, please contact us.