5 Valuable Contextual Data Sources for Small Businesses

Tuesday, February 10, 2015 By: Lynne Gillespie

Data is Critical for Proper Information Security Monitoring. Researchers rely on data from multiple sources before they announce their findings at a worldwide conference. Doctors rely on data from multiple tests before they make a diagnosis. It’s difficult to get a comprehensive view of any situation without data – and not just one source. Multiple sources of data can help provide a better assessment of security posture. The more reliable the data, the better prepared you are.

“Are We as Secure as We Could Be?” This question is asked not only by an organization’s IT department but by its leaders as well. Continuous monitoring of your information security infrastructure for contextual data - supplemental information security data retrieved from other critical assets - can help provide answers to that question. What is Priority in Information Security Monitoring? Information security data can be found within virtually all critical assets–servers, websites, applications, devices, and endpoints on a corporate network, however, all systems do not provide equally valuable security context. While monitoring each security system would be ideal, lack of time and resources make this impractical for most organizations. So what data sources should be prioritized to optimize information security monitoring efforts? Continuous security monitoring and context are the keys to effective information security monitoring. The more relevant security context you have from other critical assets on your network, the more likely it is you will successfully detect real cyber security incidents while weeding out false positives (e.g. non-threats). In determining which devices and systems to monitor for security data, gathering the most useful context is top priority. Dell SecureWorks recommends you take a look at the following as valuable data sources for contextual security data.

1. Network-Based Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) Network Intrusion Detection System and Network Intrusion Prevention System devices use signatures to detect information security events on your network. Performing full packet inspection of network traffic at the perimeter or across key network segments, most IDS/IPS devices provide detailed alerts that help to detect:

Known vulnerability exploit attempts
Known Trojan activity
Anomalous behavior (depending on the IDS/IPS)
Port and Host scans

2. Firewalls Serving as the network’s gatekeeper, firewalls allow and log incoming and outgoing network connections based on your policies. Some firewalls also have basic IDS/IPS signatures to detect information security events. Monitoring firewall logs help to detect:

New and unknown cyber threats, such as custom Trojan activity
Port and Host scans
Worm outbreaks
Minor anomalous behavior
Most any activity denied by firewall policy

3. Host-Based Intrusion Detection Systems and Intrusion Prevention Systems (HIDS/HIPS) Like NIDS/NIPS, host-based intrusion detection systems and intrusion prevention systems utilize signatures to detect security events. But instead of inspecting network traffic, HIDS/HIPS agents are installed on servers to directly alert on security activity. Monitoring HIDS/HIPS alerts helps to detect:

Known vulnerability exploit attempts
Console exploit attempts
Exploit attempts performed over encrypted channels
Password grinding (manual or automated attempts to guess passwords)
Anomalous behavior by users or applications

4. Network Devices with Access Control Lists (ACLs) Network devices that can use ACLs, such as routers and VPN servers, have the ability to control network traffic based on permitted networks and hosts. Log Monitoring from devices with ACLs helps to detect:

New and unknown threats, such as custom Trojan activity
Port and Host scans
Minor anomalous behavior
Most anything denied by the ACL's

5. Server and Application Logs Many types of servers and applications are able to log events such as login attempts and user activity. Depending on the extent of logging capabilities, monitoring server and application logs can help to detect:

Known and unknown exploit attempts
Password Grinding
Anomalous behavior by users or applications

Information Security Monitoring Value It is important to understand that the incremental value of a data source will vary from situation to situation. A source’s purpose, its location in your network and the quality of the data it provides are a few of the many variables that must be considered when planning your continuous information security monitoring strategy. By monitoring the assets that provide the highest value security context, you can optimize security monitoring efforts. Doing so will provide faster, more accurate detection of threats while making the most of your security resources. Utilize Security Monitoring Best Practices Security Monitoring is critical to all organizations whether you are a large corporation or a small business and it is never ending. Cyber threats do not take breaks and neither can you when it comes to your organization's information security. Are you using all of the security resources you currently have to its fullest capabilities? Are there areas that you are lacking when it comes to security monitoring? Contact an Information Security Consultant at Dell SecureWorks to help implement security monitoring best practices for your organization today.