Detect Risks and Deviations
After completing this unit, you’ll be able to:
- Describe how to monitor system security and detect risks.
- Explain the importance of using data to identify security operations patterns and trends.
Monitor Systems and Detect Risks
Monitoring systems is a daily activity. Let’s meet Matthew, who is a security operations engineer at a network security technology company. Matthew’s first task is to collect and analyze IT data from across all the devices, detection technologies, and other sources in his company’s IT environment, covering all aspects of the business, in order to detect risks.
He monitors systems, user accounts, network traffic, security tools, logs from endpoints, applications, and so on, so that he can identify emerging threats and diagnose them before they become security incidents. He knows it’s crucial to implement a monitoring capability that covers all IT devices, endpoints, and business units and is managed in a central location, so that it provides complete visibility into the organization’s security posture. This gives him a baseline of what normal activity looks like.
Once he understands what a “normal” day on the network looks like, it becomes easier for him to detect anomalies that may indicate suspicious activity. Matthew knows that as a security operations engineer he is the first line of threat detection and response, and he must continuously monitor day-to-day access to, and the security of, system resources.
Matthew combines the information he has on the baseline state of the network and alerts of anomalous activity with information about malicious actors, in order to improve his ability to analyze and escalate potential security incidents. He uses security intelligence to correlate all of this different data in a security information and event management (SIEM) system. The SIEM functions as a single pane of glass, which Matthew uses to monitor systems and detect suspicious activity. He also helps configure the SIEM so that it is most useful to him and his team.
Identify Patterns and Anomalies
When it comes to detecting risks, the key is to first understand the baseline, and then identify deviations or anomalies that may indicate possible abuse and fraud. This type of monitoring is known as behavioral monitoring. You first seek to understand what normal network traffic patterns look like, and then detect anomalies that signal an attack is underway.
Traditional methods of monitoring and detection relied on “signatures,” distinctive patterns of known malicious programs, to block those programs from executing. However, because today’s many adversaries frequently change their methods and tactics, a behavioral rather than signature-based approach increases the likelihood of finding the things that warrant investigation. A behavioral approach does not depend on knowing a specific actor’s signature moves; instead it looks at general behavior on the network and deviations from the norm.
Behavioral monitoring analyzes user and device actions and creates a baseline of normal behavior, then detects patterns and aberrations against that baseline. Take, for example, a phishing attack. Once you understand the usual pattern of email communications on the company’s network, you can use behavioral monitoring tools to spot anomalous patterns in email traffic that may indicate malicious activity.
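As an added example (not part of this module), the following Python sketch applies the baseline-then-deviation idea from the passages above to email traffic: it learns each mailbox’s normal daily outbound volume from constructed gateway log lines and flags the day’s volumes that deviate sharply, the kind of signal a SOC would investigate as a possible compromised account sending phishing mail. The "date sender count" log layout, the addresses, and the thresholds are assumptions, not a real SIEM or gateway schema.

```python
# Added example; the "date sender count" log layout, addresses and thresholds are assumptions.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline period: daily outbound message counts per mailbox.
BASELINE_LOG = """\
2024-03-04 alice@corp.example 41
2024-03-05 alice@corp.example 38
2024-03-06 alice@corp.example 44
2024-03-07 alice@corp.example 42
2024-03-04 bob@corp.example 6
2024-03-05 bob@corp.example 9
2024-03-06 bob@corp.example 7
2024-03-07 bob@corp.example 8
"""
# Constructed observation day, evaluated against the baseline above.
TODAY_LOG = """\
2024-03-11 alice@corp.example 45
2024-03-11 bob@corp.example 310
2024-03-11 svc-new@corp.example 12
"""
MIN_STDEV = 1.0    # floor so a flat baseline cannot make every small change look extreme
Z_THRESHOLD = 3.0  # flag volumes more than three standard deviations above normal

def parse_counts(log):
    """Return {sender: [daily counts]} from 'date sender count' lines."""
    counts = defaultdict(list)
    for line in log.strip().splitlines():
        _date, sender, count = line.split()
        counts[sender].append(int(count))
    return counts

def build_baseline(log):
    """Per-sender (mean, stdev) of daily volume: the picture of a normal day."""
    return {s: (mean(c), max(pstdev(c), MIN_STDEV)) for s, c in parse_counts(log).items()}

def detect_deviations(baseline, today_log):
    """Return [(sender, count, z)] for mailboxes whose volume exceeds the threshold."""
    findings = []
    for sender, counts in parse_counts(today_log).items():
        count = sum(counts)
        # A mailbox never seen in the baseline gets a zero baseline: any traffic is new.
        mu, sigma = baseline.get(sender, (0.0, MIN_STDEV))
        z = round((count - mu) / sigma, 1)
        if z > Z_THRESHOLD:
            findings.append((sender, count, z))
    return findings

if __name__ == "__main__":
    print(detect_deviations(build_baseline(BASELINE_LOG), TODAY_LOG))
```

Alice’s 45 messages sit within her normal range and are not reported; Bob’s 310 and the previously unseen mailbox both are, giving the analyst two leads rather than a flood of raw events.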
In collecting and analyzing data to help the organization better detect and monitor threats, you, as the security operations engineer, also enable the organization to collect, analyze, and track metrics to measure performance and progress and to set goals. This allows the security operations center (SOC) to recommend changes to existing protections that further harden systems against attack. You report on these trends at regularly scheduled intervals, creating reports and dashboards that communicate metrics to management across the technology and business units. Finally, you also maintain awareness of industry trends and take them into account when thinking critically about your own progress in strengthening the organization’s cyber resilience.
Sum It Up
Great work! You now understand how you as a security operations engineer monitor the network and detect suspicious activity. Let’s now turn to your role in responding to alerts and recovering from incidents.
- External Link: Deloitte: From Security monitoring to cyber risk monitoring
- External Link: National Institute of Standards and Technology (NIST): Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
- External Link: Center for Internet Security (CIS) Maintenance, Monitoring, and Analysis of Audit Logs