Monitor Malicious Use to Avoid Hacks
Monitoring security-related events is essential for ongoing security efforts to deter hacking. This can be as basic and mundane as monitoring log files on routers, firewalls, and critical servers every day. Advanced monitoring might include implementing a correlation security incident management system to monitor every little thing that’s happening in your environment. A common method is to deploy an intrusion prevention system or data leakage prevention system.
The problem with monitoring security-related events is that humans find it very boring and very difficult to do effectively. Each day, you could dedicate a time to checking your critical log files from the previous night or weekend to ferret out intrusions and other computer and network security problems. However, do you really want to subject yourself or someone else to that kind of torture?
However, manually sifting through log files probably isn’t the best way to monitor the system. Consider the following drawbacks:
Finding critical security events in system log files is difficult, if not impossible. It’s just too tedious a task for the average human to accomplish effectively.
Depending on the type of logging and security equipment you use, you might not even detect some security events, such as intrusion detection system (IDS) evasion techniques and hacks coming into allowed ports on the network.
Instead of panning through all your log files for hard-to-find intrusions, try this:
Enable system logging where it’s reasonable and possible. You don’t necessarily need to capture all computer and network events, but you should definitely look for certain obvious ones, such as login failures, malformed packets, and unauthorized file access.
Log security events using syslog or another central server on your network. Do not keep logs on the local host, if possible, to help prevent the bad guys from tampering with log files to cover their tracks.
The following are a couple of good solutions to the security-monitoring dilemma:
Purchase an event-logging system. A few low-priced yet effective solutions are available, such as GFI EventsManager. Typically, lower-priced event-logging systems usually support only one OS platform — Microsoft Windows is the most common. Higher-end solutions, such as HP ArcSight Logger, offer both log management across various platforms and event correlation to help track down the source of security problems and the various systems affected during an incident.
Outsource security monitoring to a third-party managed security services provider (MSSP) in the cloud. A few MSSPs are available such as BT’s Assure managed service, Dell SecureWorks and Alert Logic. Now considered cloud service providers, these companies often have tools that you would likely not be able to afford and maintain. They also have analysts working around the clock and security experiences and knowledge they gain from other customers.
When these cloud service providers discover a security vulnerability or intrusion, they can usually address the issue immediately, often without your involvement. Check whether third-party firms and their services can free some of your time and resources. Don’t depend solely on their monitoring efforts; a cloud service provider may have trouble catching insider abuse, social engineering attacks, and web application hacks over Secure Sockets Layer. You need to be involved.