Security Event Monitoring: How Rapid Incident Response Helps Defeat Cyber Attacks

Why preventive security tools are not enough to protect the company 

Let's imagine that on the HR manager's computer the user starts to check what rights the current account has, connects to the Internet using legitimate remote control tools, and performs other actions that are unusual for an employee of the HR department.

Preventive cybersecurity tools - antiviruses, firewalls, intrusion detection systems - will not, with standard settings, block such actions in this situation. They look for telltale signs of cyberattacks, such as attempts to establish a network connection to a known malicious resource, download a malicious file, or run tracking tools on a computer. Checking the rights of an account or connecting to the network remotely with standard programs are completely legitimate actions in most companies.

However, a security professional will understand how events can develop further. If an attacker has penetrated the HR manager's computer, he can open a remote connection to this workstation at any time and introduce malicious software, and the information about the accounts will help him develop the attack.

To rule out a potential intrusion, such actions need to be monitored and controlled. This is precisely the main task of cybersecurity monitoring.

What is effective cybersecurity monitoring 

Without threat monitoring, a company will most likely learn about a hack after the fact, when the incident becomes impossible to ignore, for example, when data on servers and workstations is being encrypted. A proactive approach, by contrast, allows illegitimate activity to be identified in time through centralized collection, systematization and analysis of security events. This can work in different ways.

Some organizations assign one specialist who monitors alerts - notifications from security tools, for example an antivirus, about suspicious activity. To some extent this is also monitoring, but it cannot provide real protection: the expert will control only a small section of the infrastructure.

A more advanced option, which many companies choose, is to implement a SIEM system (security information and event management system). It collects data from different parts of the infrastructure, builds chains of events and tracks alarms. Unfortunately, this may not be enough either, because simply finding the problem is not the whole job.

The SIEM system will collect data from different parts of the infrastructure, create chains of events and monitor alarm signals

For a mature approach to cybersecurity and complete protection, you also need: 

  1. Be able to foresee in advance what incidents the company may encounter. 
  2. If an event occurred, analyze what exactly happened. 
  3. Correctly respond to the incident. 
  4. Work on the mistakes so that the situation does not repeat in the future. 

Such processes will require integrating security event monitoring with proactive threat analysis and incident response. 

It is more effective to do this within a dedicated division: a cyber threat monitoring and response center (security operations center, SOC). It can run both on the company's own resources and with the involvement of a third-party team.

A SOC connects technology, people, and cybersecurity processes—a combination that provides optimal protection as attacks become more sophisticated. 

Next, we’ll tell you how SOC works and how to get maximum results from it.  

How SOC makes incident monitoring more efficient 

Before implementing monitoring, a company needs to take care of preventive protection measures that will help protect against common attacks. This stage of work can be designated as prevention. The implemented information security tools (ISIS) will be able to automatically block known attacks, but many attackers have long since learned to bypass them. To cope with "invisible" threats, the company requires other means, in particular monitoring systems.

Strictly speaking, the prevention stage is not part of the threat monitoring process itself, but it is an important precursor to it.

As we said above, the majority of companies build cybersecurity monitoring based on SIEM systems. In this case, the process can be divided into the following stages: 

1. Information security systems are installed on the network: antiviruses, firewalls, network security scanners and other systems whose main purpose is to automatically look for signs of hacking.

2. Security events are collected from these information security systems, as well as from end devices, network equipment, applications and other sources - passively or with the installation of agent programs. Events enter the SIEM system, where correlation rules are applied to them. Based on the results of this analysis, it is possible to identify potentially dangerous actions.

This stage of work can be designated as detection, and it is already included in the threat monitoring process. 

3. Alarm signals detected by the rules are analyzed by a team of specialists. If the threat is confirmed, they initiate a response. Within its framework, specialized systems of the IRP/SOAR(i) class can be used, which launch (at the analyst's command or automatically based on pre-configured rules) response scenarios for the identified type of incident - playbooks.

This stage of work can be designated as response. 

(i) Incident Response Platform / Security Orchestration, Automation and Response is a class of software products for coordinating and managing security systems. These solutions allow you to collect data on security events from various sources, process them and automate typical response scenarios.

SOC extends the cycle with two more steps: continuous identification of vulnerabilities (prediction) and learning lessons for the future (lessons learned). It is important to identify vulnerabilities on an ongoing basis in order to close them in a timely manner and reduce the likelihood of their being exploited by cybercriminals. And as the company responds to an incident, it can identify which events could have been prevented during the prevention phase and learn lessons to complement its response policies. Taken together, this allows the most complete approach to protection to be formulated.

How to get the most out of monitoring 

In addition to standard cybersecurity incidents, the company may also experience other events that could disrupt the continuity of business processes. It is also important to identify such incidents in the SOC, which means they should be monitored.

Let's take a local wastewater treatment plant as an example. An attack on an automated process control system (APCS), an operator error, or an unregulated command can cause the discharge of untreated wastewater. The result is an environmental disaster, huge fines, and even criminal cases against those responsible. To reduce the damage from an incident, you can monitor the operation of the valve sensor around the clock: if it opens, for example, during an inactive cleaning mode, engineers can immediately take action. SOC is a suitable technological base for this, if you prepare event correlation rules in SIEM and write playbooks.
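To make the "correlation rules in SIEM" concrete, here is an added example (not code from the article) that applies two rules to constructed sample events: one for the HR workstation scenario from the beginning of the article (account rights are enumerated and then a legitimate remote control tool is started), and one for the treatment-plant valve opening while the cleaning mode is inactive. The event fields, host names and tool lists are assumptions chosen for the illustration.

```python
# Added example: a minimal correlation pass over constructed events, in the
# spirit of SIEM rules. Field names, hosts and tool lists are assumptions.
from datetime import datetime, timedelta

REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "mstsc.exe"}  # assumed list
RIGHTS_ENUM = {"whoami.exe", "net.exe"}                         # assumed list
WINDOW = timedelta(minutes=10)  # max gap between enumeration and remote tool

def rule_hr_recon(events):
    """Flag HR hosts where rights enumeration is followed by a remote tool."""
    last_enum, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] != "process" or ev.get("dept") != "HR":
            continue  # rule only cares about process starts on HR workstations
        if ev["image"] in RIGHTS_ENUM:
            last_enum[ev["host"]] = ev["ts"]
        elif ev["image"] in REMOTE_TOOLS and ev["host"] in last_enum:
            if ev["ts"] - last_enum[ev["host"]] <= WINDOW:
                alerts.append(("hr_recon_then_remote", ev["host"], ev["user"]))
    return alerts

def rule_valve_inactive(events):
    """Flag valve-open signals while the last reported cleaning mode is inactive."""
    mode, alerts = "unknown", []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "mode":
            mode = ev["value"]  # track the plant state reported by the APCS
        elif ev["type"] == "valve" and ev["value"] == "open" and mode == "inactive":
            alerts.append(("valve_open_while_inactive", ev["host"], ev["ts"].isoformat()))
    return alerts

def run_all(events):
    return rule_hr_recon(events) + rule_valve_inactive(events)

T = datetime(2023, 1, 10, 9, 0)
SAMPLE = [  # constructed sample events, not real telemetry
    {"ts": T, "type": "process", "host": "HR-PC-07", "dept": "HR",
     "user": "hr.manager", "image": "whoami.exe"},
    {"ts": T + timedelta(minutes=3), "type": "process", "host": "HR-PC-07",
     "dept": "HR", "user": "hr.manager", "image": "anydesk.exe"},
    {"ts": T, "type": "process", "host": "IT-PC-01", "dept": "IT",
     "user": "admin", "image": "anydesk.exe"},  # normal for IT, no alert
    {"ts": T + timedelta(hours=1), "type": "mode", "host": "PLC-VALVE-2", "value": "inactive"},
    {"ts": T + timedelta(hours=1, minutes=5), "type": "valve", "host": "PLC-VALVE-2", "value": "open"},
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE):
        print(alert)
```

Each alert is what the analyst team in the response stage would pick up and match to a playbook; the IT host running the same remote tool produces nothing, which is the point of judging actions against the role of the workstation rather than against a signature.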

How do you identify such events and build the most complete picture for monitoring? We recommend conducting a business impact analysis (BIA). It will give a real idea of the risks of different incidents and will help you find risk factors, including those outside cybersecurity.

At each stage (prediction, prevention, detection, response, lessons learned) this analysis will allow you to optimize processes, prioritize risks, create the logic for identifying and preventing various attacks, and develop effective response measures to minimize possible damage.

You can conduct a BIA yourself if your company has an experienced team of experts who understand business continuity management processes and know the relevant standards. If there are no such specialists on staff, you can involve external experts in the work.

Does every company need a SOC

The answer depends on the risks that become clear from the BIA results. At the same time, it is necessary to consider damage not only to the IT infrastructure: the continuity of business processes can, for example, be disrupted by failures of external services, which are also important to identify in the SOC.

Based on the results of the analysis, on one side of the scale will be the costs of implementing your own SOC or connecting an external one, and on the other, the damage from a delayed response to security events. Management will be able to make decisions by evaluating specific scenarios. If it becomes clear that losses from certain incidents are unacceptable for the company, and the SOC will not create an excessive burden on the budget, it makes sense to spend money to eliminate those critical losses.

It can also be the other way around: potential business losses will not justify the expense of a SOC. Then the company can monitor individual key events and build response procedures for the most dangerous scenarios.

SOC: in-house or outsourcing? 

When a company has decided that it really needs a SOC, it remains to decide whether it will work on its own resources or whether it needs to contact an expert organization. 

The following questions will help you make this decision.  

1. Can you yourself assess the criticality of systems in terms of monitoring?

Companies believe that the more valuable the information that is stored and processed in a system, the more critical the system is and the more important it is to monitor it. But this approach will not always be correct. 

If cybercriminals reach these critical systems and, for example, post a database online, it's too late to protect the information - it has already been compromised. But on the way to the target, the attacker needs to gain access to the infrastructure, conduct reconnaissance, create an account with maximum rights, and so on. The company's task is to notice illegitimate actions as early as possible and react, without waiting for the attacker to gain access to critical assets. Therefore, monitoring should cover not only such assets, but also all the points the attacker will pass through. These can be mail servers, user workstations, secondary information systems - all infrastructure elements that are not typically considered critical.

To create an effective in-house SOC, the company needs specialists who can correctly rank systems by importance. If the organization does not have such employees, third-party experts will help it.

2. Do you need to comply with legal requirements for reporting incidents to regulators?

Subjects of critical information infrastructure (KII) must transmit information about incidents to the state system for detecting, preventing and eliminating the consequences of computer attacks (GosSOPKA). To do this, it is necessary to build interaction with the regulator, work out regulations, perform integration, establish automated transmission of information about incidents, etc.

You can do all this yourself. If the company cannot allocate its own resources for such work, it is possible to entrust these tasks to an external SOC that has the status of a GosSOPKA corporate center.

3. How fast do you need to start monitoring?

Building and putting your own SOC into operation may take a company several years. The SOC must reach a certain level of maturity to truly begin to identify incidents that standard preventive defenses have missed. Growing the expert base of rules that identify suspicious events, constantly updating them, building processes, preparing playbooks - all this requires a lot of time and resources. For example, we have been developing the 1,300 rules (as of January 2023) in our SOC database for more than four years. An external SOC, by contrast, can be launched within a few weeks.

4. What incident response speed is critical for you?

A business impact analysis will show which time limits need to be met when responding to an incident. It may turn out that a one-hour failure will not have any impact on the business, after two hours problems will begin in the processes, and two days of downtime will threaten major financial and reputational damage. All this needs to be taken into account in playbooks, which make the response procedure clear. Some incidents must be responded to within minutes, including at night. Therefore, the SOC must operate around the clock, and if specialized experts are needed, they will have to be brought in as soon as possible.

Having your own 24/7 SOC means big expenses. The main part of the costs will be personnel - people need to be found and brought up to speed in the company. An external SOC already has experienced specialists who deal with incidents from companies in various industries every day, 24/7.

5. Are you ready to bear the large one-time costs?

Budget issues when creating a SOC in-house or with outsourcing are decided individually; there is no clear answer as to which option will be cheaper. It all depends on the number and qualifications of the staff, the technical solutions and services used, and other tools.

It is worth considering that your own SOC and an external SOC fall under different budget items. In the first case, we are talking about capital investments: equipment, software, licenses, premises, furniture. In the second, the costs are operating expenses.

Accordingly, creating your own SOC requires large initial investments, whereas outsourcing does not.

6. Do you have qualified employees?

A SOC needs highly qualified specialists from the outset, and they must constantly gain experience. At the same time, resolving the personnel issue today is not easy. Worldwide there is a shortage of several million specialized employees; in Russia the shortfall is in the thousands. Assembling a team on staff can take months, whereas a third-party SOC already has one. In addition, when planning the costs of your own monitoring center, you need to take into account not only the salaries of experts, but also the costs of professional training, certification and advanced training.

Summarizing 

Without monitoring incidents, it is impossible to talk about cybersecurity - you cannot protect yourself from threats that you cannot see. But, perhaps, it’s even worse to spend money and not achieve results. 

Start by analyzing the impact of events on the business, to determine which monitoring will give the expected result. Constantly update the list of security events that affect the sustainability of the company. This will improve the overall quality of monitoring and significantly increase the level of cyber maturity in your organization.
