10) Has your organisation implemented any network or cloud monitoring controls such as Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), or Security Information and Event Management (SIEM) systems?
Answer yes if your organisation has implemented any network or cloud monitoring solutions (either in house or via a third party service provider). Please describe which solutions you have in place and the coverage they have over your network(s) or cloud environment(s).
What is the control?
Intrusion Detection Systems (IDSs) monitor the network for signs of malicious activity. Typically, this is done with network sensors placed at strategic locations across the network. The IDS can then compare traffic against rules, heuristics, or other logic to determine if it may be malicious and reports it via an alert in a centralised console.
Intrusion Prevention Systems (IPSs) operate in virtually the same way but, by acting as a kind of dynamic firewall themselves and/or having integration with other network devices, they can actually block traffic in addition to reporting it.
More recently, IDS and IPS capabilities are also being added to endpoints, so that individual endpoints are monitoring for activity and possibly blocking certain behaviours. This trend is blurring the line between traditionally network-based IDS and client/endpoint-based EDR (Endpoint Detection and Response) solutions.
Conversely, Security Information and Event Management (SIEM) platforms collect and correlate logs. These typically come from endpoints rather than network monitoring (though these endpoints can include network devices).
A SIEM creates a central point in which to collect and monitor event logs. These logs sometimes indicate a compromise or malicious activity on their own, but the strength of a SIEM platform is the ability to take events from multiple sources and correlate them together. This can help flag incidents where individual events would have seemed benign and been ignored. That correlation can also give far greater context once an attack is detected.
Why should I have it?
While fundamental proactive security practices like strong access controls, encryption, and network segmentation are important and, if done well, can prevent the large majority of incidents from occurring, it’s important to be able to detect if something gets through the cracks. Without it, it’s difficult to know if your other controls have been effective and therefore difficult to have real assurance as to the environment’s integrity.
It’s critical to employ a mix of detection [and response] technologies such as those listed above. In fact, it’s a requirement for many security compliance certifications and a common question on security due diligence questionnaires.
How to implement the control
There are a lot of choices in the types of detection technologies available. All have strengths and weaknesses and, as such, tend to be used in combination with each other.
An effective detection infrastructure requires detailed knowledge of your systems and networks, not only to determine what solution(s) to select and how to architect them, but also in order to tune them.
IDS systems can be notoriously ineffective if not configured properly. Misconfiguration can cause them to either be triggered too often, causing alert fatigue (and incidents to be lost in the noise), or not enough which can result in missing potential incidents.
IPS’s suffer the same problems with one additional caveat: Since they have the ability to also block traffic, they can be particularly disruptive if configured incorrectly. They could even be used against you if an attacker tricks your IDS into blocking legitimate traffic, effectively using it to cause a denial of service attack.
SIEMs meanwhile cannot be effective if they are not fed the right data, and provide little extra value if correlation rules are not intelligently created.
Therefore, all of these technologies require detailed knowledge of your environment, time, and a continuous improvement process that ensures their configurations are reviewed, reflect changes in the environment, and that outcomes (too few alerts, too many alerts, and the type of alerts) are used to improve the system configuration or environment.
There are numerous consultancies or individual consultants that will be able to assist in crafting the correct security architecture in a way that meets your business and technical requirements. Please message us if you would like a recommendation.
If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.
