Cyber Security or Network Security Monitoring is incumbent upon organizations through the various regulations and laws that apply in their respective countries or regions. The purpose of Network Security Monitoring is to establish and maintain a command and control center that monitors the security hygiene of the entire organizational IT infrastructure and acts upon any anomalous observations.
Network Security Monitoring comprises three distinct phases: Collection, Detection, and Analysis.
1. COLLECTION – Identification of Network Entities from which logs are collected.
2. DETECTION – Examination of detected events & logs.
3. ANALYSIS – Interpretation and Investigation of Alerts by Human Analysts.
However, it is often the case that security analysts are unable to fully understand the data on which they are supposed to perform their analysis, and consequently cannot reliably differentiate between anomalous behavior and normal behavior.
This problem primarily stems from two major factors:
1. Lack of understanding of the threats to the organization.
2. Inappropriate planning of the Collection and Detection phases.
I conducted a webinar on the challenges that impair Security Operations teams and discussed how the lack of a structured approach in Collection and Detection planning can limit the efficacy of Cyber Security Operations.
One of the common myths around security monitoring is that the more data you collect, the wider your visibility becomes. The truth is that an overabundance of data (particularly inconsequential data) is detrimental. It adds operational cost in the form of alert fatigue for the security analysts, the IT resources required to process the data, and the retention and restoration of the data needed to guard against disaster.
These problems can be effectively dealt with by adopting the Applied Collection Framework (ACF). The high-level steps of the Applied Collection Framework are outlined below.
1. DEFINE THREATS
To enable security analysts to perform effective and efficient Network Security Monitoring, it is critical to adopt a threat-centric approach. A threat-centric approach keeps the team abreast of potential methods of attack, the motivations of threat actors and cybercriminals, and the actors targeting the organization's industry vertical and specific region.
Adopting a threat-centric approach begins with understanding the mission, objectives, and goals of the organization. This is followed by identifying the assets that are critical to attaining the business mission. Once the mission and its associated assets are identified, the threats to those assets (tangible or intangible) must be identified and defined. It is critical that all of this planning by Information Security personnel is done in close coordination with security leadership.
2. QUALIFY RISK
Threat identification should be followed by a risk assessment phase in which the risks associated with each threat are identified and assessed. Remember that these threats concern the confidentiality, integrity, and availability of the assets tied to the organization’s mission, goals, or objectives. It is therefore important that the risk scenarios associated with each threat are identified, assessed, and assigned a risk level.
Based on the risk levels determined, the organization decides how to implement Network Security Monitoring.
3. IDENTIFY POTENTIAL DATA SOURCES
Once the risk is qualified, you have to review the network architecture and the placement of IT assets within it. The purpose is to identify the paths data traverses across the network to serve the business objective, and the personnel who have access to those IT assets.
Going through this process, you will be able to develop a broad list of network- or host-based sources from which you may need to collect logs, traffic data, session data, etc.
4. NARROW FOCUS
I mentioned in the beginning that an overabundance of data has an operational cost and can create further technical risks. This phase requires you to refine your coarse-grained data sources and identify the specific sources, logs, packet data, etc. that will provide the most value in performing Network Security Monitoring.
This phase involves assessing the needs related to storage, processing, and management of data gathered from disparate sources along with the collection frequency. It also involves consideration of Human resources required to maintain the IT assets and to perform Network Security Monitoring.
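To make the cost/benefit reasoning of steps 2 to 4 concrete, the following Python script (an added illustration, not code from the original article or from the ACF's own materials) qualifies risk as likelihood × impact for a set of constructed threats, lists constructed candidate data sources with a storage and analyst-effort cost, and narrows focus by greedily picking the sources with the best covered-risk-per-cost ratio. The threat names, 1–5 scales, cost weighting and sample figures are all assumptions made for the example.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Threat:
    name: str         # threat to a mission-critical asset (output of step 1)
    likelihood: int   # 1 (rare) .. 5 (expected); constructed ordinal scale
    impact: int       # 1 (negligible) .. 5 (mission-stopping)
    def risk(self) -> int:
        return self.likelihood * self.impact

@dataclass(frozen=True)
class DataSource:
    name: str
    covers: frozenset     # threat names this source gives visibility into
    daily_gb: float       # storage/processing proxy: GB ingested per day
    analyst_hours: float  # weekly human effort to maintain and review it
    def cost(self) -> float:
        return self.daily_gb + 10 * self.analyst_hours  # constructed weighting

# Constructed sample: threats to the VPN gateway, file server, customer DB and marketing site.
THREATS = [
    Threat("cred-theft", likelihood=4, impact=5),
    Threat("ransomware", likelihood=4, impact=5),
    Threat("db-exfil", likelihood=3, impact=5),
    Threat("defacement", likelihood=3, impact=2),
]
# Constructed sample: candidate sources found in the architecture review (step 3).
SOURCES = [
    DataSource("VPN auth logs", frozenset({"cred-theft"}), 2, 1),
    DataSource("Full packet capture", frozenset(t.name for t in THREATS), 800, 10),
    DataSource("Endpoint EDR telemetry", frozenset({"cred-theft", "ransomware"}), 20, 3),
    DataSource("DB audit logs", frozenset({"db-exfil"}), 5, 2),
    DataSource("Web access logs", frozenset({"defacement"}), 3, 1),
]

def qualify_risk(threats, threshold=12):
    """Step 2: keep threats whose likelihood x impact reaches the threshold."""
    return {t.name: t.risk() for t in threats if t.risk() >= threshold}

def narrow_focus(threats, sources, threshold=12):
    """Step 4: greedily take the source with the best covered-risk / cost ratio until every qualified threat is covered."""
    wanted, chosen = qualify_risk(threats, threshold), []
    remaining = set(wanted)
    while remaining:
        best = max(sources, key=lambda s: sum(wanted[t] for t in s.covers & remaining) / s.cost())
        gain = best.covers & remaining
        if not gain:  # no remaining source adds visibility; report what stays uncovered
            break
        chosen.append(best.name)
        remaining -= gain
    return chosen, sorted(remaining), sum(s.cost() for s in sources if s.name in chosen)
```

On this sample the three targeted sources cover every qualified threat at a combined cost of 87 units, while full packet capture alone would cover the same threats (plus the low-risk defacement) at 900 units.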
The Applied Collection Framework lets you take a risk-based approach to Network Security Monitoring by identifying threats, qualifying risks, and performing a cost/benefit analysis. It enables security leadership to justify their collection needs and investments by tying them to the business mission and to the threats against it.
Remember that Network Security Monitoring is a cyclical process: existing collection sources need to be reassessed periodically to enhance the effectiveness and efficiency of monitoring.