Businesses need visibility to know what’s going on in their environments, but sometimes having too much information can be detrimental to security efforts. In fact, an overload of information can prevent organizations from making appropriate and effective decisions. Have you ever heard the saying ‘you can’t see the forest for the trees?’
There is a lot to be said for having many information sources, logged devices, log feeds, health statuses, alerts, and events being captured and analyzed by your organization, but how much of this information is actionable intelligence, and how much is really just white-noise?
As experienced by our Global Threat Intelligence Center (GTIC) team, breaches do happen, and they are often accompanied by confusion and frustration. We often find the hardest part of managing the initial stages of breach management is to identify and isolate the relevant information pertaining to the incident at hand. We often support our clients as they are working through an active breach, and often we find clients in one of two situations:
- No monitoring has been implemented (or just performance monitoring)
- Monitoring is implemented everywhere
The first situation is certainly a challenge and is more common than we would like to see. Having limited to no visibility is certainly not a good thing when attempting to pick up the broken pieces and determine the scope of a breach.
However, the second situation can be just as bad, and sometimes worse if it gives you a false sense of confidence in your capabilities. Having so much information that you cannot effectively interpret what it is telling you can lead to much frustration as you try to separate the wheat from the chaff.
It is important to ensure you not only implement log monitoring, event monitoring and other detective controls, but it is just as important to make sure you ‘tune’ those controls so they are triggering on the right events.
Furthermore, continuously fine-tuning event triggers and clipping levels for alerts greatly increases the chances of identifying malicious activity, reducing false positives and limiting white-noise.
In closing, I offer the following advice:
- Implement log and event monitoring
- Ensure your organization is monitoring both performance and security event monitoring
- Continuously tune your event management solution to ensure relevant events are identified
- Monitor your event and log management solution.
- Review your implementation as your organization grows
- Ensure you have proper coverage to meet or exceed compliance requirements