
Monitor and Test Infrastructure

Learning Objectives

After completing this unit, you’ll be able to:

  • List steps to support security authorization (SA), implement security controls, and monitor system functionality.
  • Describe how to monitor networks.
  • Explain how to test hardware and software infrastructure functionality.
  • Identify how to test and evaluate controls and configurations of platforms managed by service providers.

Support Security Authorization and Implement Controls

You’ve put in place protections for your infrastructure. Now, you need to verify that the system is authorized for use and that its security controls are implemented correctly. You do this as part of the security authorization (SA) process.

A person holding a magnifying glass up to her eye, inspecting different computing resources, symbolized by graphs

Support Security Authorization

Security authorization or SA is the decision your senior organizational leader gives to authorize an information system to operate. The leader explicitly accepts or rejects the risk to organizational operations, assets, and individuals, based on the implementation and testing of security controls.

Your authorizing senior leader grants an information system an authorization to operate (ATO) before it is placed into production, and reauthorizes it on a regular basis (for example, every 3 years), as well as whenever changes are made that affect the risk of operating the system.

The SA process is as follows:

  • Categorize the system by determining the level of adverse impact (low/moderate/high) if a breach of confidentiality, integrity, or availability (CIA) occurs.
  • Select and implement security controls (for example, the National Institute of Standards and Technology’s (NIST’s) Security and Privacy Controls for Information Systems and Organizations) appropriate to the system categorization.
  • Assess the effectiveness of security controls.
  • Authorize the information system.
  • Monitor security controls.

This process helps your organization manage risk in a way that’s consistent with its mission, business objectives, and overall risk strategy. By following the SA process, you integrate information security into your organization’s enterprise architecture and systems engineering lifecycle. You may not be directly responsible for conducting an SA, but as an infrastructure support specialist, you need to oversee and monitor the process and ensure security controls are implemented.

Implement Security Controls

Let’s look at an example. Christos is an infrastructure support specialist working at a cable news network. His office has a policy that critical vulnerabilities must be remediated within 15 calendar days of initial detection. Christos’s manager, Jordyn, is in the process of completing the SA package for a new system that’s scheduled to go online next week. Christos helps Jordyn review the implementation of technical controls on the system to verify that no critical vulnerabilities are present before the system is authorized.

Develop a Monitoring Strategy

During the security control selection process, you begin planning for how you’ll monitor the system by developing a continuous monitoring strategy. The strategy can include:

  • Monitoring criteria, such as the volatility (how likely the control is to change over time) of controls
  • Guidance on the appropriate level of monitoring for high-value data
  • The appropriate frequency of monitoring specific controls
  • Areas to alert on, such as if a user logs in from a different device or location than normal

You also monitor configuration and control changes to the system and assess their impact prior to implementation. In addition, your monitoring strategy includes a security assessment plan, which reflects the type of assessment your organization conducts. Examples include:

  • Developmental testing and evaluation
  • Independent verification and validation
  • Assessments supporting SAs or reauthorizations
  • Audits
  • Monitoring
  • Assessments subsequent to remediation actions

Monitor Your Network

You’ve authorized your system and put in place a monitoring strategy. Now, it’s time to monitor your network. Your organization relies on your network for all of its operations, and monitoring it is crucial. By monitoring your network infrastructure, you can detect operational issues and identify possible security breaches. 

You start by monitoring process-specific network performance metrics, like latency, to proactively identify connection issues. Your network may span the globe, with multiple links between geographically separated data centers and public and private clouds, which makes network management harder. It’s important to have a complete view of your network so you can quickly identify and troubleshoot network issues. You make sure to monitor inbound and outbound traffic for processes distributed across all of your virtualized environments and physical data centers.

You understand how your systems are connected and what issues may impact performance. You identify which processes are vital to network operations, those connections that consume the most network bandwidth, and those that have connection problems. Your goal is to identify services and processes that may suffer from network connection problems, and improve the connections between vital infrastructure components. 

You monitor your firewalls, routers, switches, and more. You collect metrics on network data over time and analyze them to establish a baseline, so you can tell what is normal from what is an anomaly. You also automate as much monitoring as possible. For example, a network access control (NAC) capability can alert on and block the addition of unknown devices, and performance monitoring can alert on deviations from normal network behavior. Monitoring your network for deviations from baselines also helps you identify and remediate unauthorized activity, such as unusually large data transfers out of your cloud storage.

So, how exactly do you perform this monitoring? You implement specialized software tools that aggregate data in the form of log events from your information technology (IT) infrastructure. These event logs are generated automatically by applications or devices on the network in response to network traffic or user activity.

Let’s check back in with Christos. The system Jordyn was assessing has been authorized and is now in production. Christos now helps Jordyn audit and review alerts related to user authentication to the system. Christos receives an alert that a user failed to log in five times within a 4-hour window. He investigates by digging further into the event logs and notices that the login attempts are coming from a foreign country where his office does not typically have employees or customers. Gathering his notes together, he notifies the security operations center and Jordyn for further investigation.
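The detection Christos is working from, and the alert areas listed under the monitoring strategy (failed-login bursts, logins from an unexpected location, logins from a new device), can be written as checks over authentication log events. The following is an added example, not code from the original module or from any product it mentions. The log line format, the five-failures-in-4-hours threshold, the list of expected countries, and the per-user device baseline are all assumptions chosen for illustration, and the log lines are constructed sample data.

```python
"""Review authentication logs for failed-login bursts, unusual locations and new devices.

Added example; the log format, thresholds and baselines below are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format):
#   <ISO timestamp> auth user=<name> result=<success|failure> src=<ip> country=<CC> device=<id>
# "XZ" is an ISO 3166 user-assigned code standing in for a country outside the expected set.
SAMPLE_LOG = """\
2024-05-06T08:02:11Z auth user=cbaker result=failure src=198.51.100.7 country=XZ device=d9
2024-05-06T08:40:52Z auth user=cbaker result=failure src=198.51.100.7 country=XZ device=d9
2024-05-06T09:15:03Z auth user=cbaker result=failure src=198.51.100.7 country=XZ device=d9
2024-05-06T10:22:19Z auth user=cbaker result=failure src=198.51.100.7 country=XZ device=d9
2024-05-06T11:48:40Z auth user=cbaker result=failure src=198.51.100.7 country=XZ device=d9
2024-05-06T09:00:00Z auth user=jlee result=success src=203.0.113.4 country=US device=d2
2024-05-06T09:30:00Z auth user=jlee result=failure src=203.0.113.4 country=US device=d2
2024-05-06T17:30:00Z auth user=jlee result=failure src=203.0.113.4 country=US device=d2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"src=(?P<src>\S+) country=(?P<country>\S+) device=(?P<device>\S+)$"
)

FAILURE_THRESHOLD = 5                 # assumed policy: 5 failures ...
WINDOW = timedelta(hours=4)           # ... within any 4-hour window
EXPECTED_COUNTRIES = {"US", "CA"}     # assumed: where the office has staff and customers


def parse_log(text):
    """Parse log lines into event dicts, skipping malformed lines, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # do not let one bad line abort the whole review
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def find_failed_login_bursts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Sliding window per user: alert once when `threshold` failures fall inside `window`."""
    recent = defaultdict(deque)   # user -> timestamps of failures still inside the window
    alerts, alerted = [], set()
    for e in events:
        if e["result"] != "failure":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and e["user"] not in alerted:
            alerted.add(e["user"])
            alerts.append({"user": e["user"], "count": len(q), "first": q[0],
                           "last": e["ts"], "src": e["src"], "country": e["country"]})
    return alerts


def find_unusual_locations(events, expected=EXPECTED_COUNTRIES):
    """Any attempt (success or failure) from a country outside the expected set."""
    return sorted({(e["user"], e["country"], e["src"]) for e in events
                   if e["country"] not in expected})


def find_new_devices(events, baseline):
    """baseline: user -> set of device ids seen during a clean observation period (assumed)."""
    return sorted({(e["user"], e["device"]) for e in events
                   if e["device"] not in baseline.get(e["user"], set())})


def review(text, baseline):
    events = parse_log(text)
    return {
        "bursts": find_failed_login_bursts(events),
        "unusual_locations": find_unusual_locations(events),
        "new_devices": find_new_devices(events, baseline),
    }


if __name__ == "__main__":
    # Assumed device baseline: cbaker normally uses d1, jlee normally uses d2.
    result = review(SAMPLE_LOG, {"cbaker": {"d1"}, "jlee": {"d2"}})
    for burst in result["bursts"]:
        print(f"ALERT burst: {burst['user']} {burst['count']} failures "
              f"{burst['first']}..{burst['last']} from {burst['src']} ({burst['country']})")
    print("unusual locations:", result["unusual_locations"])
    print("new devices:", result["new_devices"])
```

In this sample the three checks corroborate each other: the same account has a failure burst, an unexpected source country and a device not in its baseline, which is the combination Christos escalates. The window check is per user, so jlee's two failures eight hours apart do not trigger it.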

Test Hardware and Software Infrastructure Functionality

In addition to monitoring your network, you also test the functionality of the hardware and software infrastructure (operating systems, tools, or applications) to make sure it’s up and running as expected. You test one or more assessment objects under specified conditions and compare actual behavior against expected behavior.

You perform infrastructure testing to mitigate the risk of failure of any hardware or software component. This testing is performed whenever hardware or software resources are changed, to analyze system efficiency and performance. Following the test, you analyze the findings and develop mitigation strategies.

Test Controls and Configurations of Service Provider Platforms

Another aspect of your job as an infrastructure support specialist is to work with your organization’s information system security officers (ISSOs) to verify processes are in place for overseeing and monitoring your organization’s managed service providers (MSPs), such as cloud service providers (CSPs). Having such processes is important in order to verify services are being managed consistent with contractual requirements and in a secure manner. You put in place processes for regular auditing and testing of security controls and configurations commensurate with the risk of the operations supported by the MSP.

These processes can include the audit and testing of your organization’s security configurations and settings, access management controls, and security monitoring program. It’s important to be clear about the division of responsibilities for infrastructure operations and security between yourself and the MSP. For example, in an infrastructure as a service (IaaS) cloud model, your organization is responsible for:

  • Security configuration of cloud assets and network services
  • OS patching
  • User-specific application configuration settings
  • Identity and access management
  • Risk management of the relationship with the CSP

The CSP is responsible for:

  • Physically storing and maintaining servers
  • Making computing resources available through simple interfaces such as virtual machines
  • Some basic level of network security (for example, detecting breaches at the cloud provider level)
  • Physical and environmental security (for example, data center access and fire suppression)

Attackers can exploit misconfigured MSP resources to access your data and services. This can happen if you fail to properly configure the security settings and tools available within the MSP’s systems. Your organization can use its own tools, leverage those provided by the MSP, or use tools from third-party organizations. These tools help you securely configure systems, provision access, and log and monitor the systems and information assets residing in the MSP’s environment.
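The customer-side items in the IaaS responsibility list above (security configuration of cloud assets and network services, OS patching, identity and access management) are the ones you can audit on a schedule against a written baseline. The following is an added example of such an audit, not code from the original module or from any cloud provider’s tooling. It runs over a constructed inventory snapshot; the inventory layout, the rule thresholds (admin ports, key age, patch age) and the list of storage buckets approved for public read are all assumptions, and a real audit would populate the inventory from the provider’s API or an export rather than a literal.

```python
"""Audit a cloud-account inventory snapshot against a configuration baseline.

Added example; the inventory layout, thresholds and exception list are assumptions.
"""
import ipaddress
from collections import Counter

# Constructed inventory snapshot (assumed layout). Addresses are documentation ranges.
INVENTORY = {
    "firewall_rules": [
        {"id": "fw-web",   "port": 443,  "source": "0.0.0.0/0"},
        {"id": "fw-admin", "port": 22,   "source": "0.0.0.0/0"},
        {"id": "fw-db",    "port": 5432, "source": "10.0.0.0/8"},
    ],
    "storage": [
        {"name": "public-assets",    "public_read": True, "encrypted": True},
        {"name": "customer-exports", "public_read": True, "encrypted": False},
    ],
    "users": [
        {"name": "jordyn",     "admin": True, "mfa": True,  "key_age_days": 30},
        {"name": "svc-backup", "admin": True, "mfa": False, "key_age_days": 400},
    ],
    "hosts": [
        {"name": "web-1", "os_patch_age_days": 12},
        {"name": "web-2", "os_patch_age_days": 45},
    ],
}

ADMIN_PORTS = {22, 3389}                    # assumed: SSH and RDP count as admin access
ALLOWED_PUBLIC_BUCKETS = {"public-assets"}  # assumed, documented exceptions
MAX_KEY_AGE_DAYS = 90                       # assumed credential rotation policy
MAX_PATCH_AGE_DAYS = 30                     # assumed OS patching policy


def finding(severity, resource, check, detail):
    return {"severity": severity, "resource": resource, "check": check, "detail": detail}


def is_world_open(cidr):
    """True when the source range is the whole address space (prefix length 0)."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return False  # unparsable source: do not silently treat it as safe, but not world-open either


def check_firewall(rules):
    return [finding("high", r["id"], "admin-port-world-open",
                    f"port {r['port']} open to {r['source']}")
            for r in rules if r["port"] in ADMIN_PORTS and is_world_open(r["source"])]


def check_storage(buckets):
    out = []
    for b in buckets:
        if b["public_read"] and b["name"] not in ALLOWED_PUBLIC_BUCKETS:
            out.append(finding("high", b["name"], "public-read-not-approved", "bucket is world readable"))
        if not b["encrypted"]:
            out.append(finding("medium", b["name"], "encryption-at-rest-off", "bucket not encrypted"))
    return out


def check_users(users):
    out = []
    for u in users:
        if u["admin"] and not u["mfa"]:
            out.append(finding("high", u["name"], "admin-without-mfa", "privileged account lacks MFA"))
        if u["key_age_days"] > MAX_KEY_AGE_DAYS:
            out.append(finding("medium", u["name"], "stale-access-key",
                               f"key is {u['key_age_days']} days old (max {MAX_KEY_AGE_DAYS})"))
    return out


def check_hosts(hosts):
    return [finding("medium", h["name"], "os-patching-overdue",
                    f"last patched {h['os_patch_age_days']} days ago (max {MAX_PATCH_AGE_DAYS})")
            for h in hosts if h["os_patch_age_days"] > MAX_PATCH_AGE_DAYS]


def audit(inventory):
    """Run every check and return the combined list of findings."""
    return (check_firewall(inventory.get("firewall_rules", []))
            + check_storage(inventory.get("storage", []))
            + check_users(inventory.get("users", []))
            + check_hosts(inventory.get("hosts", [])))


def summarize(findings):
    """Count findings by severity, e.g. {'high': 3, 'medium': 3}."""
    return dict(sorted(Counter(f["severity"] for f in findings).items()))


if __name__ == "__main__":
    results = audit(INVENTORY)
    for f in results:
        print(f"{f['severity'].upper():6} {f['resource']:18} {f['check']:26} {f['detail']}")
    print("summary:", summarize(results))
```

Each check returns findings rather than printing them, so the same functions can feed a ticketing system or a dashboard, and the findings can be re-run after remediation to confirm the adverse items are closed, which is the follow-up assessment the SA process calls for.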

You perform oversight and monitoring of the MSP, including evaluating independent assurance reviews (for example, audits, penetration tests, and vulnerability assessments) and evaluating corrective actions to confirm that any adverse findings are appropriately addressed. You may also test or audit the MSP’s security controls. However, some providers may limit your ability to perform your own security assessments due to potential performance impacts. In this case, you can leverage independent audit results from available reports (for example, system and organizational control [SOC] reports).

You also evaluate how the MSP’s operations affect both your business continuity and recovery plans through regularly testing and validating resiliency and recovery capabilities. This testing may be conducted jointly with the provider depending on the service model you use.

Sum It Up

You now have a better understanding of the SA process, the need for a monitoring strategy, the methods for monitoring networks, and how to test and evaluate your infrastructure and platforms managed by service providers.

Next, let’s turn to how to respond when your monitoring detects an infrastructure incident, and how to remediate your environment.
