All Monitoring is Security Monitoring
What tools do you think of when you think about security? Probably your firewall, intrusion detection system, data loss prevention software, antivirus, a cloud access security broker, and of course identity management and multifactor authentication.
The one thing all of those tools have in common is that they are designed and labelled as security tools. It is easy to overlook how the rest of your monitoring stack can also contribute to security:
Network and application performance monitoring is usually driven by user experience and throughput requirements. But a performance change can also be the first sign of a security incident: a denial-of-service attempt, a scanner or brute-force tool hammering a service, or an attacker who has already broken in and is consuming your bandwidth.
Application CPU usage is generally consistent over time, perhaps with spikes during periods of expected increased demand. Disk utilization typically grows at a predictable rate based on past behaviour. A sudden change in either metric can reflect malware: cryptojacking that takes over a device to mine cryptocurrency pegs the CPU, and data being staged on disk before it is exfiltrated from the business shows up as unexplained growth. The useful signal is a deviation from each host's own baseline of past behaviour, not a fixed threshold applied to every device.
The most basic system or device health check—that it is up and responsive—can indicate an attack if a device that should be active is down. Monitoring that detects new devices on the network can identify devices that should not be there. Not every unknown device is malicious, but each one needs to be investigated as a potential threat. Monitoring configuration changes is also an important security measure, since an unauthorized change (a disabled log, a new firewall rule, a loosened login setting) can enable unauthorized access.
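To make the baseline-and-deviation idea in the preceding paragraphs concrete, here is an added example (not code from the original page or from Prescient Solutions) that turns ordinary health telemetry into security alerts: a z-score check on CPU samples, a growth-rate check on disk usage, an up/down check, an inventory comparison for unknown devices, and a hash comparison for configuration drift. Every host name, metric series, MAC address and config file in it is constructed for illustration.

```python
"""Added example (not from the original page): turning ordinary health and
utilization telemetry into security alerts. All hosts, metrics, MAC addresses
and config contents below are constructed for illustration."""
import hashlib
import statistics
from collections import namedtuple

Alert = namedtuple("Alert", "host kind detail")


def cpu_spike_alerts(host, cpu_pct, window=12, z_threshold=3.0):
    """Flag the newest CPU sample if it is an outlier against the preceding
    `window` samples (z-score baseline). A cryptojacker pegging the CPU at
    night shows up here even though no security tool logged anything."""
    if len(cpu_pct) <= window:
        return []
    baseline, latest = cpu_pct[-window - 1:-1], cpu_pct[-1]
    mean = statistics.mean(baseline)
    # floor of 5 percentage points so a nearly flat baseline does not alert on ordinary jitter
    stdev = max(statistics.pstdev(baseline), 5.0)
    z = (latest - mean) / stdev
    if z > z_threshold:
        return [Alert(host, "cpu_anomaly", f"cpu={latest}% baseline={mean:.1f}% z={z:.1f}")]
    return []


def disk_growth_alerts(host, used_gb, growth_factor=5.0, min_jump_gb=5.0):
    """Compare the newest per-interval growth against the historical growth
    rate (median of earlier deltas). Data staged on disk before exfiltration
    breaks the expected slow, steady trend."""
    if len(used_gb) < 4:
        return []
    deltas = [b - a for a, b in zip(used_gb, used_gb[1:])]
    expected, latest = statistics.median(deltas[:-1]), deltas[-1]
    threshold = max(growth_factor * expected, min_jump_gb)
    if latest > threshold:
        return [Alert(host, "disk_anomaly", f"grew {latest:.0f} GB vs expected ~{expected:.0f} GB")]
    return []


def down_host_alerts(expected_up, responding):
    """The most basic health check: a host that should answer but does not."""
    return [Alert(h, "host_down", "expected up, no response") for h in sorted(expected_up - responding)]


def new_device_alerts(known_macs, observed):
    """`observed` maps MAC -> IP from the latest discovery sweep; anything not
    in the inventory is reported for investigation, malicious or not."""
    return [Alert(ip, "unknown_device", f"mac={mac} not in inventory")
            for mac, ip in sorted(observed.items()) if mac not in known_macs]


def hash_files(files):
    """Record the approved baseline: path -> sha256 of the approved content."""
    return {p: hashlib.sha256(c.encode()).hexdigest() for p, c in files.items()}


def config_drift_alerts(host, baseline_hashes, current_files):
    """Hash each watched config file and compare it to the approved baseline."""
    alerts = []
    for path, content in sorted(current_files.items()):
        digest = hashlib.sha256(content.encode()).hexdigest()
        if baseline_hashes.get(path) != digest:
            alerts.append(Alert(host, "config_change", f"{path} differs from approved baseline"))
    return alerts


def run_checks():
    """Run every check against constructed sample data; returns all alerts."""
    alerts = []
    # CPU: twelve quiet samples, then the newest one pegged near 100%
    alerts += cpu_spike_alerts("web-02", [18, 22, 20, 19, 21, 23, 20, 18, 22, 21, 19, 20, 97])
    alerts += cpu_spike_alerts("web-01", [18, 22, 20, 19, 21, 23, 20, 18, 22, 21, 19, 20, 23])  # normal
    # Disk: ~2 GB/day of steady growth, then a 76 GB jump in one day
    alerts += disk_growth_alerts("db-01", [500, 502, 504, 506, 508, 510, 512, 514, 590])
    alerts += disk_growth_alerts("db-02", [500, 502, 504, 506, 508, 510, 512, 514, 517])  # normal
    alerts += down_host_alerts({"web-01", "web-02", "db-01", "vpn-01"}, {"web-01", "web-02", "db-01"})
    known = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
    seen = {"00:11:22:33:44:01": "10.0.0.11", "00:11:22:33:44:02": "10.0.0.12",
            "de:ad:be:ef:00:01": "10.0.0.77"}  # constructed: one device not in inventory
    alerts += new_device_alerts(known, seen)
    approved = hash_files({"/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n"})
    current = {"/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n"}
    alerts += config_drift_alerts("web-02", approved, current)
    return alerts


if __name__ == "__main__":
    for a in run_checks():
        print(f"[{a.kind}] {a.host}: {a.detail}")
```

Each check is deliberately per-host and relative: the CPU and disk functions compare a host only against its own recent history, which is what keeps a busy database server from looking like a compromised web server. The thresholds (z-score of 3, five times the usual growth, a 5 GB floor) are starting points, not tuned values; the next paragraph's point about setting thresholds so the operations team is not flooded applies directly to them.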
Of course, having the tools by themselves does not increase security. The alerts they generate need to be interpreted, and alert thresholds need to be tuned so operations teams are not overwhelmed with noise. In addition, a single alert, even one that indicates a potential threat, often does not provide enough context to judge the actual risk. There needs to be a way to consolidate the alerts from all the various monitoring systems and correlate them with each other, with data from dedicated security monitoring systems, and with known threat indicators; this is the role a SIEM or similar correlation layer plays.
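The consolidation-and-correlation step described above, as an added example that is not part of the original page or any Prescient Solutions tooling: alerts from several tools are normalised to one shape, grouped per host within a time window, deduplicated, and escalated to an incident only when more than one independent source agrees. The alert records, tool names and hosts are constructed for illustration; the window and the two-source rule are assumptions a real deployment would tune.

```python
"""Added example (not from the original page): consolidating alerts from
several monitoring tools and correlating them per host within a time
window, so that a lone performance alert stays a ticket while a performance
alert coinciding with a security-tool alert becomes an incident. The alert
records below are constructed, not real tool output."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed feed, as it might look after normalising each tool's alerts
# to a common shape (timestamp, source tool, host, event name).
RAW_ALERTS = [
    {"ts": "2024-03-01T02:10:00", "source": "perf", "host": "web-02", "event": "cpu_anomaly"},
    {"ts": "2024-03-01T02:10:30", "source": "perf", "host": "web-02", "event": "cpu_anomaly"},  # repeat
    {"ts": "2024-03-01T02:12:00", "source": "ids",  "host": "web-02", "event": "outbound_to_blocklisted_ip"},
    {"ts": "2024-03-01T02:15:00", "source": "perf", "host": "db-01",  "event": "disk_anomaly"},
    {"ts": "2024-03-01T02:20:00", "source": "dlp",  "host": "db-01",  "event": "large_outbound_transfer"},
    {"ts": "2024-03-01T03:40:00", "source": "auth", "host": "web-02", "event": "ssh_login_new_source"},  # later
    {"ts": "2024-03-01T04:00:00", "source": "auth", "host": "app-03", "event": "failed_login_burst"},   # alone
]


def _escalate(host, cluster, min_sources):
    """Turn a cluster of alerts into an incident only if enough independent
    tools agree; repeated identical alerts are collapsed to one line."""
    sources = {a["source"] for a in cluster}
    if len(sources) < min_sources:
        return []
    events = sorted({(a["source"], a["event"]) for a in cluster})
    return [{"host": host, "start": cluster[0]["ts"].isoformat(),
             "sources": sources, "events": events}]


def correlate(alerts, window=timedelta(minutes=10), min_sources=2):
    """Group alerts per host into windows measured from the first alert of
    each cluster and escalate clusters seen by at least min_sources tools."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append({**a, "ts": datetime.fromisoformat(a["ts"])})
    incidents = []
    for host, items in sorted(by_host.items()):
        items.sort(key=lambda a: a["ts"])
        cluster = []
        for a in items + [None]:  # None sentinel flushes the final cluster
            if a is not None and cluster and a["ts"] - cluster[0]["ts"] <= window:
                cluster.append(a)
                continue
            if cluster:
                incidents.extend(_escalate(host, cluster, min_sources))
            cluster = [a] if a is not None else []
    return incidents


if __name__ == "__main__":
    for inc in correlate(RAW_ALERTS):
        print(inc["host"], inc["start"], sorted(inc["sources"]), inc["events"])
```

On the constructed feed, web-02's CPU anomaly alone would be an operations ticket, but paired with the IDS seeing the same host talk to a blocklisted address within two minutes it becomes an incident; db-01's disk growth followed by a DLP alert for a large outbound transfer is the staging-then-exfiltration pattern from the earlier paragraph. The lone authentication alerts stay unescalated, which is the noise-reduction the paragraph asks for, and the repeated CPU alert collapses to a single line in the incident.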
Prescient Solutions helps businesses in Chicago and Schaumburg implement effective IT management strategies as well as information security solutions. With our expert guidance, your IT monitoring can be an important contributor to your IT security. Contact Prescient Solutions to learn more about why you should think about all your monitoring tools as essential contributors to your security solution.