5 Valuable Contextual Data Sources for Small Businesses
By: Lynne Gillespie

Data is critical for proper information security monitoring. Researchers rely on data from multiple sources before they announce their findings at a worldwide conference. Doctors rely on data from multiple tests before they make a diagnosis. It is difficult to get a comprehensive view of any situation without data, and not just from one source. Multiple sources of data provide a better assessment of security posture, and the more reliable the data, the better prepared you are.
“Are We as Secure as We Could Be?”
This question is asked not only by an organization's IT department but by its leaders as well. Continuous monitoring of your information security infrastructure for contextual data (supplemental security data retrieved from other critical assets on the network) can help provide answers to that question.
What Is the Priority in Information Security Monitoring?
Information security data can be found within virtually all critical assets: servers, websites, applications, devices, and endpoints on a corporate network. However, not all systems provide equally valuable security context. While monitoring every security system would be ideal, lack of time and resources makes this impractical for most organizations. So which data sources should be prioritized to get the most out of your information security monitoring effort?
Continuous monitoring and context are the keys to effective information security monitoring. The more relevant security context you have from other critical assets on your network, the more likely you are to detect real cyber security incidents while weeding out false positives (benign activity that looks suspicious in isolation). A single alert from one device is rarely conclusive; the same source address appearing in a firewall deny log, an IDS alert, and a server's failed-login log is far stronger evidence than any one of them alone. When deciding which devices and systems to monitor, gathering the most useful context is the top priority.
Dell SecureWorks recommends the following as valuable sources of contextual security data.
1. Network-Based Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS)
Network IDS/IPS devices rely mainly on signatures, and in some products on anomaly detection, to flag information security events on your network. By performing deep packet inspection of traffic at the perimeter or across key network segments, most IDS/IPS devices provide detailed alerts that help to detect:
- Known vulnerability exploit attempts
- Known Trojan activity
- Anomalous behavior (depending on the IDS/IPS)
- Port and host scans
- New and unknown cyber threats, such as custom Trojan activity

2. Firewalls
Firewall logs, which record the connections that firewall policy allowed or denied, help to detect:
- Port and host scans
- Worm outbreaks
- Minor anomalous behavior
- Most any activity denied by firewall policy

3. Host-Based Intrusion Detection Systems and Intrusion Prevention Systems (HIDS/HIPS)
Host-based IDS/IPS agents run on the server or endpoint itself, so they see activity a network sensor cannot, including traffic after it has been decrypted and commands entered at the console. They help to detect:
- Known vulnerability exploit attempts
- Console exploit attempts
- Exploit attempts performed over encrypted channels
- Password grinding (manual or automated attempts to guess passwords)
- Anomalous behavior by users or applications
- New and unknown threats, such as custom Trojan activity

4. Routers and Switches
Access control list (ACL) logs from routers and switches help to detect:
- Port and host scans
- Minor anomalous behavior
- Most anything denied by the ACLs

5. Servers
Operating system and application logs from servers help to detect:
- Known and unknown exploit attempts
- Password grinding
- Anomalous behavior by users or applications
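The article's point is that one source alone is weak evidence and that context from a second source is what separates a real incident from noise. The script below is an added example, not code from the original article or from Dell SecureWorks: it reads constructed firewall deny lines (in a Cisco ASA-like 106023 format) and constructed Linux sshd auth-log lines, flags a port scan in the first and password grinding in the second, and then correlates the two by source address. Log formats, sample addresses (documentation ranges), thresholds and window sizes are all assumptions chosen for illustration.

```python
"""Correlate two contextual data sources: firewall denies and server auth logs.

Added example (not from the original article). All log lines below are
constructed; the ASA-style and sshd formats are approximations. Thresholds
are illustrative assumptions, not vendor recommendations.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data. 203.0.113.7 (TEST-NET-3) probes a dozen ports at the
# firewall and then guesses SSH passwords on the server behind it.
# 198.51.100.9 trips a single deny; 10.0.0.20 is a user mistyping a password.
FIREWALL_LOG = [
    f'Jan 10 09:00:{i:02d} fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.7/{51000 + i} '
    f'dst inside:10.0.0.5/{port} by access-group "outside_in"'
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])
] + [
    'Jan 10 09:02:10 fw1 %ASA-4-106023: Deny tcp src outside:198.51.100.9/40000 '
    'dst inside:10.0.0.5/445 by access-group "outside_in"',
]
AUTH_LOG = [
    "Jan 10 09:03:12 srv1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51100 ssh2",
    "Jan 10 09:03:14 srv1 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51101 ssh2",
    "Jan 10 09:03:17 srv1 sshd[2233]: Failed password for root from 203.0.113.7 port 51102 ssh2",
    "Jan 10 09:03:19 srv1 sshd[2233]: Failed password for root from 203.0.113.7 port 51103 ssh2",
    "Jan 10 09:03:22 srv1 sshd[2235]: Failed password for root from 203.0.113.7 port 51104 ssh2",
    "Jan 10 09:05:40 srv1 sshd[2240]: Failed password for bob from 10.0.0.20 port 50000 ssh2",
    "Jan 10 09:05:48 srv1 sshd[2240]: Accepted password for bob from 10.0.0.20 port 50000 ssh2",
]

FW_DENY = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ %ASA-4-106023: Deny \w+ "
    r"src \S+:(?P<src>[\d.]+)/\d+ dst \S+:[\d.]+/(?P<dport>\d+)")
SSH_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for .* "
    r"from (?P<src>[\d.]+) port \d+")


def parse_ts(s):
    # Classic syslog timestamps carry no year; only relative ordering matters here.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def detect_port_scans(lines, min_ports=5, window=timedelta(seconds=60)):
    """Return {src: max distinct dst ports denied within one window} for scanners."""
    events = defaultdict(list)
    for line in lines:
        m = FW_DENY.match(line)
        if m:
            events[m["src"]].append((parse_ts(m["ts"]), int(m["dport"])))
    scanners = {}
    for src, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):          # slide a window over each start time
            ports = {p for t, p in evs[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners[src] = max(scanners.get(src, 0), len(ports))
    return scanners


def detect_password_grinding(lines, min_failures=4, window=timedelta(minutes=5)):
    """Return {src: max failed logins within one window} for grinding sources."""
    fails = defaultdict(list)
    for line in lines:
        m = SSH_FAIL.match(line)
        if m:
            fails[m["src"]].append(parse_ts(m["ts"]))
    grinders = {}
    for src, times in fails.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= min_failures:
                grinders[src] = max(grinders.get(src, 0), n)
    return grinders


def correlate(fw_lines, auth_lines):
    """Rank each source: evidence from both sources -> high, from one -> medium."""
    scans = detect_port_scans(fw_lines)
    grinds = detect_password_grinding(auth_lines)
    findings = {}
    for src in set(scans) | set(grinds):
        evidence = []
        if src in scans:
            evidence.append(f"port scan ({scans[src]} ports, firewall)")
        if src in grinds:
            evidence.append(f"password grinding ({grinds[src]} failures, sshd)")
        findings[src] = ("high" if len(evidence) == 2 else "medium", evidence)
    return findings


if __name__ == "__main__":
    for src, (severity, evidence) in correlate(FIREWALL_LOG, AUTH_LOG).items():
        print(f"{src}: {severity} - {'; '.join(evidence)}")
```

Neither detector is conclusive on its own: a vulnerability scanner run by your own staff also trips the port-scan rule, and a user with a forgotten password trips the grinding rule if the threshold is low. The same address appearing in both logs within minutes is what justifies escalation, which is the sense in which the second source supplies context for the first. In the sample data only 203.0.113.7 is ranked high; 198.51.100.9 and 10.0.0.20 each produce a single deny or failure and are not reported at all.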