Monitoring Systems

To conclude this series of publications on the 6 elements to consider when implementing a SOC, we now present the last of them: "Monitoring Systems".

The primary mission of the Security Operations Center (SOC) is to monitor, detect, investigate and respond to cyber threats; in this sense, our main objective has been to show you, through this and the previous chapters, the true function and importance of establishing this scheme.

Similarly, one of the goals of the SOC is to handle incidents in the short term. This is made possible largely by the monitoring service, which can operate in real time through this area of operation and monitoring, analyzing the activity received or detected by the security tools to determine the degree of danger it represents.

Broadly speaking, when we speak of monitoring we mean the processes of collecting, observing and using information in order to follow up on a particular event, in our case a security incident, until it is identified, contained, investigated, remediated and finally resolved.

Potential incidents do not have a single point of origin: they can also arise from equally potential threats, unexpected cyber attacks or new and unknown vulnerabilities in the systems. Therefore, physical-level monitoring of the status and availability of the equipment within the scope of cybersecurity, and checking that it is working properly, must also be performed. With this in mind, and to meet the objective stated above, let's get to know some monitoring systems:

Database Activity Monitor (DAM)

A high percentage of the sensitive information of organizations, whether belonging to the business itself or to those who depend on it, is hosted in databases that should not be accessible to just any user. In addition, there is always the risk that the information is compromised through unauthorized changes; in other words, both inside and outside the company there are risks that could endanger the integrity and confidentiality of this information.

In order to avoid these problems, tools have been developed to audit the databases that exist within the organization, so that the administrator or the corresponding personnel has complete visibility of everything that happens in them.

A DAM is one such tool: it provides real-time monitoring of all queries and operations performed on a database, together with user information, source and destination addresses, access controls, etc.

Intrusion Detection/Prevention System (IDPS)

Intrusion Detection System (IDS) devices, whether physical or logical, analyze network traffic to identify possibly malicious or anomalous packets. They are passive defense mechanisms: their main characteristic is to alert on suspicious activity, and they do not perform containment or mitigation actions, so they are a visibility tool only. Systems focused on prevention (IPS) add a further capability: through certain internal traffic analysis mechanisms they can identify and trigger response actions when they detect activity that matches suspicious behavior.

Events correlator (SIEM)

Organizations usually have many different devices in their IT infrastructure, from the most essential for daily activity, such as workstations (PCs) and routers, to specialized security equipment such as IPS, IDS and firewalls. Manual management of security events therefore becomes complex and hard to visualize, since all these events come from different sources and locations, in different formats.

As a way to minimize this situation and turn it into a more productive task, it is important to implement event correlation tools, also known as Security Information and Event Management (SIEM). These tools can centralize and manage events from a large number of devices, making it possible to detect patterns that could indicate a security incident.

The SIEM is the fundamental instrument of a SOC: device and application logs and events from security tools can be aggregated across the whole organization through different collection methods. It uses statistical and correlation models to identify events that might constitute one or more suspicious behaviors, alerts SOC staff and provides contextual information to aid the investigation, functioning as a "single pane of glass" that allows the team to monitor systems and the network.
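To make the "different sources, different formats" problem concrete, here is an added example (not code from the original article) of what a SIEM does at its core: normalize lines from a firewall (syslog), an IDS and a DAM into one common event schema, then run a correlation rule across them. All log lines are constructed sample data, and the field layouts, the sensitive-table list, the assumed year for the syslog timestamps and the 10-minute window are assumptions chosen for the demo.

```python
"""Normalising heterogeneous security events into one schema and running a
simple correlation rule over them, in the way a SIEM does.

Added example, not code from the original article. Every log line below is
constructed sample data, and the field layouts are assumptions for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feeds from three device classes, each in its own format.
FIREWALL_SYSLOG = [
    "Mar 10 09:00:01 fw01 kernel: DROP SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Mar 10 09:00:02 fw01 kernel: ACCEPT SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP DPT=22",
]
IDS_ALERTS = [
    "2024-03-10T09:00:05Z ids01 alert sid=100001 msg='SSH brute force' src=203.0.113.7 dst=10.0.0.5",
]
DAM_AUDIT = [
    "2024-03-10 09:00:40|db01|user=app_svc|src=203.0.113.7|stmt=SELECT * FROM customers",
    "2024-03-10 09:01:10|db01|user=app_svc|src=10.0.0.9|stmt=SELECT id FROM orders",
]
SENSITIVE_TABLES = {"customers"}   # assumed data classification
ASSUMED_YEAR = 2024                # classic syslog timestamps carry no year

FW_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (\S+) kernel: (\w+) SRC=(\S+) DST=(\S+) .*DPT=(\d+)")
IDS_RE = re.compile(r"^(\S+) (\S+) alert sid=(\d+) msg='([^']*)' src=(\S+) dst=(\S+)")


def normalize(source, line):
    """Map one raw line from the named feed onto the common event schema.
    Returns None for lines the parser does not understand; a real pipeline
    should count those rather than silently drop them."""
    if source == "firewall":
        m = FW_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "source": source, "host": m.group(2), "action": m.group(3),
                "src_ip": m.group(4), "dst": m.group(5), "detail": f"dpt={m.group(6)}"}
    if source == "ids":
        m = IDS_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        return {"ts": ts, "source": source, "host": m.group(2), "action": "alert",
                "src_ip": m.group(5), "dst": m.group(6), "detail": m.group(4)}
    if source == "dam":
        parts = line.split("|")
        if len(parts) != 5:
            return None
        fields = dict(p.split("=", 1) for p in parts[2:])
        ts = datetime.strptime(parts[0], "%Y-%m-%d %H:%M:%S")
        return {"ts": ts, "source": source, "host": parts[1], "action": "query",
                "src_ip": fields["src"], "dst": parts[1],
                "detail": f"{fields['user']}: {fields['stmt']}"}
    return None


def touches_sensitive(stmt):
    """Crude check: does the statement read from a table classed as sensitive?"""
    tables = re.findall(r"\b(?:FROM|JOIN)\s+(\w+)", stmt, re.IGNORECASE)
    return any(t.lower() in SENSITIVE_TABLES for t in tables)


def correlate(events, window=timedelta(minutes=10)):
    """Rule: an IDS alert naming a source IP, followed within `window` by a
    query from that same IP against a sensitive table, becomes one incident."""
    incidents = []
    alerts_by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["source"] == "ids":
            alerts_by_src[e["src_ip"]].append(e)
        elif e["source"] == "dam" and touches_sensitive(e["detail"]):
            for a in alerts_by_src[e["src_ip"]]:
                if timedelta(0) <= e["ts"] - a["ts"] <= window:
                    incidents.append({"src_ip": e["src_ip"], "trigger": a["detail"],
                                      "query": e["detail"], "ts": e["ts"]})
                    break
    return incidents


def run_demo():
    """Ingest all three constructed feeds and return the correlated incidents."""
    feeds = [("firewall", FIREWALL_SYSLOG), ("ids", IDS_ALERTS), ("dam", DAM_AUDIT)]
    events = [ev for name, lines in feeds
              for ev in (normalize(name, l) for l in lines) if ev]
    return correlate(events)


if __name__ == "__main__":
    for inc in run_demo():
        print(inc)
```

Only the query from 203.0.113.7 becomes an incident: it hits a sensitive table and is preceded by an IDS alert for the same address within the window, while the query from 10.0.0.9 against a non-sensitive table stays a plain event. The firewall lines are not part of this rule, but because they land in the same schema they are available as context for the analyst who picks the incident up.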

It is very important to ensure that the data we are going to collect is useful for the SOC processes and that the information is where we expect it to be; only then do we have the confidence and the green light to collect it through data-flow mechanisms, telemetry, packet capture, syslog and others, so that all activity can be correlated and analyzed consistently by all SOC personnel.
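A point that is easy to overlook is that the monitoring itself needs monitoring: a source that has gone quiet, or a source that was never onboarded, leaves a blind spot that no correlation rule will reveal. The following added example (not from the original article) shows one way to check that expected log sources are actually delivering. The source names, the tolerated silence per source and the constructed "last event seen" timestamps are all assumptions for the demo.

```python
"""Checking that the log sources a SOC depends on are actually delivering.

Added example, not from the original article. The source inventory, the
tolerated intervals and the constructed "last seen" times are assumptions.
"""
from datetime import datetime, timedelta

# Assumed inventory: each expected source with the longest silence that is
# still normal for it (a firewall logs constantly, a DAM may be quieter).
EXPECTED_SOURCES = {
    "fw01": timedelta(minutes=5),
    "ids01": timedelta(minutes=15),
    "db01": timedelta(minutes=30),
    "dc01": timedelta(minutes=5),
}

# Constructed "last event seen" timestamps, as a collector would record them.
NOW = datetime(2024, 3, 10, 9, 30, 0)
LAST_SEEN = {
    "fw01": NOW - timedelta(minutes=2),
    "ids01": NOW - timedelta(minutes=40),   # silent for longer than tolerated
    "dc01": NOW - timedelta(minutes=1),
    "printer07": NOW - timedelta(minutes=3),  # sending, but not in the inventory
}


def check_sources(last_seen, now, expected=EXPECTED_SOURCES):
    """Return a list of (source, status, gap) findings.

    status is one of:
      "silent"            - inventoried source, last event older than tolerated
      "never_seen"        - inventoried source with no events at all
      "unexpected_source" - data arriving from a source nobody onboarded,
                            which needs a decision (onboard it or investigate)
    gap is the silence duration for "silent", otherwise None.
    """
    findings = []
    for name, max_gap in expected.items():
        ts = last_seen.get(name)
        if ts is None:
            findings.append((name, "never_seen", None))
        elif now - ts > max_gap:
            findings.append((name, "silent", now - ts))
    for name in last_seen:
        if name not in expected:
            findings.append((name, "unexpected_source", None))
    return findings


def run_demo():
    """Run the check against the constructed data."""
    return check_sources(LAST_SEEN, NOW)


if __name__ == "__main__":
    for name, status, gap in run_demo():
        print(f"{name:10s} {status:18s} {gap or ''}")
```

Against the constructed data this flags ids01 as silent, db01 as never seen and printer07 as an unexpected source, while fw01 and dc01 are healthy. Running such a check on a schedule, with the inventory kept in step with the onboarding process, is what turns "we expect the data to be there" into something the team can verify.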

The security operations center also monitors networks and devices for breaches, to protect data and to comply with the regulations that apply to organizations of all types. Some organizations have special systems that are not seen in others; one example is found in industrial environments with SCADA (supervisory control and data acquisition) systems. With these systems as data sources, operations in these environments are highly relevant because of the type of information they work with, since they have a way to:

  • Control industrial processes locally or at remote locations.

  • Monitor, collect and process data in real time.

  • Interact directly with devices such as sensors, valves, pumps, motors, and others, through human-machine interface (HMI) software.

  • Store events in a log file.

These systems are crucial to industrial organizations as they help maintain efficiency, process data for more informed decision making, and communicate system needs.

There are other monitoring systems, for example those that monitor system conditions such as uptime and bandwidth, and collect metrics from network control devices and other applications. Here we must bear in mind that different tools meet these characteristics; which one to choose will depend on your needs.

With this we can consider this compendium of articles finished. We cordially thank you for your follow-up and interest in learning about the elements we defined. Likewise, we encourage you to look out for our next publication, where we will announce the next topic to be discussed, continuing to contribute to this sharing of information and knowledge within our profession.

Hi! I am Kendra Mazara

Senior Information Security Specialist | MBA | Cofounder MujeresTICs RD | Speaker | LinkedIn Learning Instructor
