When working with prospective clients, we often encounter confusion regarding what monitoring really means. There is usually a perception that their current service provider is already doing the monitoring, and that they are covered from a cybersecurity point of view. Many firms subscribe to a managed firewall service, or they have an invoice that indicates that their network infrastructure is being monitored. But what does that really mean? The devil is, as they say, in the details.
Unless your provider is delivering a managed security service backed by a fully staffed Security Operations Center (SOC), it is very likely that the monitoring you are paying for does not cover cybersecurity incidents. This is because there are two forms of monitoring. The most common is performance & availability monitoring. With performance & availability monitoring, the provider is focused on ensuring that devices and the services they deliver (e.g., a firewall performing perimeter defense) are up and accepting connections from users. This type of monitoring is proactive as well, ensuring that your devices can handle the existing and foreseeable load.
Cybersecurity monitoring is much different. Rather than focusing on whether systems are available and performant, this discipline focuses on monitoring for data breaches and other security-related incidents. Good cybersecurity monitoring utilizes different toolsets than traditional performance & availability monitoring. Going back to the firewall example, rather than just ensuring the firewall is up and passing users’ traffic, cybersecurity monitoring would focus on the suspicious activity alerts that the firewall produces.
And good cybersecurity monitoring doesn’t stop there. Using purpose-built tools such as a SIEM (security information and event management) platform, devices throughout your environment, even end-user devices, send their logs to a central aggregation point, where they are correlated to better highlight unusual and anomalous behavior. Eliminating false positives and other noise is critical, and it is a feature of modern SIEMs that has only recently improved.
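As an added example (not code from the original post), the snippet below contrasts the two views of the same aggregated logs: the availability check that only confirms the firewall is up, and a simple SIEM-style correlation rule that flags repeated authentication failures followed by a success while ignoring isolated failures as noise. The log format, hostnames, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in a simplified "timestamp source event target" form,
# standing in for firewall and endpoint logs after a SIEM has normalized them.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 fw heartbeat_ok firewall-1
2024-05-01T09:00:05 10.0.0.7 auth_failure fileserver
2024-05-01T09:00:06 10.0.0.7 auth_failure fileserver
2024-05-01T09:00:07 10.0.0.7 auth_failure fileserver
2024-05-01T09:00:08 10.0.0.7 auth_failure fileserver
2024-05-01T09:00:09 10.0.0.7 auth_failure fileserver
2024-05-01T09:00:12 10.0.0.7 auth_success fileserver
2024-05-01T09:00:20 10.0.0.9 auth_failure fileserver
2024-05-01T09:01:00 fw heartbeat_ok firewall-1
"""

def parse(lines):
    """Turn the normalized text lines into (timestamp, source, event, target) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, src, event, target = line.split()
        events.append((datetime.fromisoformat(ts), src, event, target))
    return events

def availability_view(events):
    """Performance & availability monitoring: is each device up? Nothing more."""
    return {target: "up" for _, _, event, target in events if event == "heartbeat_ok"}

def correlate(events, threshold=5, window=timedelta(minutes=5)):
    """Security monitoring: flag a source only when at least `threshold` auth
    failures against one target are followed by a success within `window`.
    Single failures (normal user typos) never produce a finding."""
    failures = defaultdict(list)
    findings = []
    for ts, src, event, target in sorted(events):
        if event == "auth_failure":
            failures[(src, target)].append(ts)
        elif event == "auth_success":
            recent = [t for t in failures[(src, target)] if ts - t <= window]
            if len(recent) >= threshold:
                findings.append({"source": src, "target": target,
                                 "failures": len(recent), "at": ts.isoformat()})
    return findings

if __name__ == "__main__":
    evs = parse(SAMPLE_LOGS)
    print(availability_view(evs))  # the firewall is "up"; nothing suspicious here
    print(correlate(evs))          # one finding for 10.0.0.7 against fileserver
```

The availability view is satisfied as long as the heartbeat arrives; only the correlation view notices that the brute-force pattern against the file server ended in a successful login.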
If you’re still unsure of whether your provider is delivering true cybersecurity monitoring, I would encourage you to ask them the following:
- Do you utilize a SIEM (security information and event management) platform to aggregate logs from all systems in the environment into a single monitoring platform?
- Is that monitoring being performed 24/7/365 by security experts (not desktop, infrastructure, or application specialists) who are staffed in three shifts?
- If a monitoring platform is in place that aggregates all logs, does it:
  - Incorporate technology like behavioral analysis, event correlation, and other forms of intelligence to reduce false positives and highlight real, actionable events?
  - Leverage crowd-sourced threat intelligence services and the benefit of seeing threats from over 400 unique client environments?
  - Perform real-time vulnerability scanning?
  - Perform real-time device discovery so that you become aware of devices not in your known inventory?
  - Provide integrated monitoring of cloud and SaaS services as well?
- Do you perform incident response for potential security events and/or breaches that are identified in monitoring?
If the answers aren’t satisfying, please reach out to us for a free one-on-one consultation.