Why monitor? Monitoring is the process of watching operations and making sure that they proceed as planned. Traditionally, with digital operations, monitoring has been performed on in-house networks, servers, and applications to help with performance and troubleshooting. Over the past decade, environments have changed with the advent of cloud (both public and hybrid), virtualization, microservices, and container (such as Kubernetes) architecture. As a result of these changes, IT and security staff are having trouble maintaining effective, compliant, and complete monitoring solutions.
There are a number of challenges to monitoring in the modern environment, the most significant of which is the advent of increasingly complex cloud infrastructures that are often provided by multiple vendors and cloud service providers. Another challenge is IT staff’s lack of understanding of the architecture and operations of the systems they maintain.
Monitoring systems exist because this process has become too complex to rely on just one individual to recognize a problem. Businesses need tools that can rapidly assess vast information sets across multiple systems to identify—and possibly take action to avoid—corruption, data loss, or breaches. Monitoring, therefore, is very much a part of compliance, since the role of compliance is to ensure that businesses have addressed risk. As we explained in a previous blog post, failure to address compliance requirements is a risk in and of itself. This article will examine common monitoring compliance expectations and discuss some of the challenges that are often faced in meeting and managing them.
Compliance Requirements: A Review
Many compliance programs require monitoring in multiple areas. The information below reviews compliance requirements across a range of sources, such as FISMA, ISO 27001, and PCI.
- Policy Monitoring: Policy monitoring is designed to ensure that actions and events taking place on a system meet company policy and alert staff to possible security incidents. This category includes incident monitoring (such as breach/exfiltration activity), inappropriate behavior (e.g. insider threats and acceptable use rules), completion of training (especially computer-based training), legal hold, and exceptions to policy. Typically, this type of monitoring is performed by a collection of monitoring systems on operating systems, services, and infrastructure.
- Compensating Controls Monitoring: This type of monitoring addresses risks to key controls. A common example is the protection of system logs to ensure that bad actors are not able to obfuscate their behavior by deleting or corrupting the audit logs which track their activities—a process sometimes referred to as “hardening the monitoring systems.” This type of requirement underscores the importance of securely installed and managed monitoring systems.
- Physical Environment/Data Center Monitoring: Operations of a data center or server room must typically address the mitigation of multiple possible threats and vulnerabilities including fire, power, connectivity, and physical and logical access control. Resulting compliance requirements call for environmental monitoring of heat, humidity, power, cabling, and door access.
- Devices and Network Monitoring: Communications monitoring becomes important when there is connection between trusted and untrusted zones on a network. Only by monitoring gateways can you understand what normal vs. unusual communication looks like. Monitoring systems can be adjusted to alert staff to suspicious or malicious activity appearing on communication devices.
- Risk/Threat-Informed Monitoring: Threat-informed monitoring takes the form of either a manual process (such as determining that a possible insider threat requires deeper monitoring or blocking) or a set of automated assessment rules that are triggered to lock down specific assets based on external information. Tools that use machine learning and other automation that integrates risk assessment and threat determination (e.g. Cloud Insights) address these requirements.
- Network Traffic: Traffic overload and payload examination are two common threats to network availability and operations. Monitoring for traffic can be an expensive process, but it is necessary in environments where availability and integrity are paramount.
- Event Log: The use of automated monitoring is paramount in today’s digital world since an overwhelming amount of event data is produced by almost all systems, devices, and networks. Automation and aggregation of audit events with Cloud Insights provides a means to aggregate and correlate security events across all file shares, even when the file shares extend to virtual and cloud resources.
- Access Log: Access monitoring covers a wide range of possible systems, from facilities’ doors, gates, and windows to logical access controls such as logins, system access, and privilege escalation. Cloud Insights Premium Edition is able not only to track all user activities on any file but also to analyze them to highlight abnormal behavior, and to alert when files that have never been accessed before are accessed.
- Utility Usage: Utility usage must be monitored because many utilities provide mechanisms to bypass or examine data in a manner that should be performed by authorized and trained users. Monitoring the utilities present on the network or system provides a cross-check of approved behavior.
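As an added example, not code from this post or from Cloud Insights, here is the kind of "never accessed before" alert the Access Log item describes: a baseline of file paths is built from earlier audit events, and later events touching a path outside that baseline are flagged. The CSV layout, user names, and share paths are constructed assumptions.

```python
# Added example: flag first-ever file accesses against a baseline
# built from historical audit events (constructed sample data below).
import csv
from datetime import datetime

# Constructed sample audit events: timestamp,user,action,path
BASELINE_EVENTS = """\
2024-03-01T09:12:03,alice,read,/share/finance/q1.xlsx
2024-03-01T09:40:11,bob,read,/share/eng/design.docx
2024-03-02T14:05:52,alice,write,/share/finance/q1.xlsx
"""

NEW_EVENTS = """\
2024-03-10T08:01:00,alice,read,/share/finance/q1.xlsx
2024-03-10T03:22:19,carol,read,/share/finance/payroll.csv
2024-03-10T10:30:00,bob,delete,/share/eng/design.docx
"""

def parse_events(text):
    """Parse CSV audit lines into dicts; malformed lines are skipped."""
    events = []
    for row in csv.reader(text.splitlines()):
        if len(row) != 4:
            continue
        ts, user, action, path = row
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"ts": when, "user": user, "action": action, "path": path})
    return events

def build_baseline(events):
    """Set of paths seen in historical events (the 'known' population)."""
    return {e["path"] for e in events}

def first_access_alerts(baseline, events):
    """Return (user, path) for each access to a path absent from the baseline."""
    alerts = []
    seen = set(baseline)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["path"] not in seen:
            alerts.append((e["user"], e["path"]))
            seen.add(e["path"])  # alert once per newly observed file
    return alerts

def run():
    baseline = build_baseline(parse_events(BASELINE_EVENTS))
    return first_access_alerts(baseline, parse_events(NEW_EVENTS))
```

In a real deployment the baseline would be rebuilt continuously from the aggregated audit stream, and the alert would carry the timestamp and action as well.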
As you consider compliance monitoring with tools such as Cloud Insights, encourage your team to keep in mind that monitoring should include collecting information from operating systems, services, and infrastructure systems. By collecting information with a robust tool like Cloud Insights, you will be able to monitor all the critical compliance areas mentioned above. By enabling Cloud Insights data collectors in cloud and hybrid environments, you begin to collect monitoring information that can inform required protection settings, centralize alerting and reporting, reduce threats, and apply risk analytics to system problems.
In the end it comes down to three steps:
- Mapping out the Attack Ground: Gather information on what’s out there, who uses it, how it is protected today, and what category it belongs to
- Define Strategy: Define your strategy and implement it using as much automation as possible, so that future changes can be accommodated easily
- Monitor: Start your monitoring and alerting as soon as possible, and do not rely on a single KPI, especially for compliance-related information
Of course, monitoring in all of these areas can present challenges of its own. In my next post I’ll take a closer look at these, and at how you can start to address them.