Nowadays it’s common knowledge that when you log onto a corporate network that your activities can and will be monitored. Technology has created new possibilities for human interaction and monitoring employees has become a necessity in order to maintain legal, regulatory, security and performance. A written code of ethics and providing the training will help employees understand what is expected.
The organization must adapt the features in technology to suit their community, norms, and culture of the organizations while still meeting any legal requirements under the law. Some sectors have a requirement to provide a continuous monitoring systems that is constantly monitoring the corporate network. So an “it depends” answer would have to apply to the question of the best method of obtaining the proper permissions to monitor user actions.
Monitoring user actions of employees’ behavior will continue to be a controversial topic. To ensure the buy-in from the employees then every level of management and non-management employees must understand the ethical implications of the decision to monitor as it relates to their personal and professional values.
The resounding threats that are present throughout an organization requires that it be monitored properly to ensure that the capabilities are the to ensure the bad guys are not getting access to corporate information.
I’m not a security professional by trade, but I definitely understand the challenges that the security personnel are concerned with so I can identify. So I think this makes me a better architect by understanding the key areas in which a system gets deployed.
Monitoring the IT systems is part of the due diligence that most organizations are familiar and have well established practice when it comes to the procedures and tools to use. By observing anomalies from already established baselines then incident responders can better generate the breadcrumb for the root cause. Capturing the evidence to put the puzzle pieces together is a vital element of continuous monitoring.
Security baselines align the responsibility to be shared outside of the IT management area so that business management has input. This in turn should make the security controls which are used to be more appropriate to the business needs and will provide a senior level sign-off that the security standards are enforced throughout the organization. The idea of having a basic mandatory level of information security will allow the organization to provide the layers of security to establish a defense in depth layered approach to the security framework.
These security baselines, which should be validated early on in the development of a new system, will drive the continuous monitoring and irregularities in usability trends. When an irregularity is determined, then a closer look needs to then take place in order to determine whether the event is a true incident or a potential false positive.
A Security Information and Event Management (SIEM) solution provides real-time analysis of security alerts generated by applications and network hardware. These reports from the SIEM solutions can be used to establish a baseline and to monitor for compliance purposes. The log files generated can provide the resource when it comes to troubleshooting and supporting other incidents. With the aid of a log management solution that can collect logs from all sources and organize these logs in a centralized, scalable manner, then it allows the responders to paint the picture of what is causing the irregular behavior from the established baselines.
The amount of activity that these log files generate is enormous. The presence of logs in all environments allows thorough tracking and analysis if something does go wrong, which can then be used to determine the cause of the compromise.
Enterprise SysLog systems can be used to provide data aggregation from many different sources, including network, security, servers, databases and applications to provide the ability to basically monitor everything. By aggregating these logs, then it helps to avoid missing subtle but important ones. While having the logs centralized then a correlation to look for common attributes and link events together into meaningful bundles of information. Also, the automated analysis of correlated events can produce more substantial and detailed alerts.
Ultimately, utilizing an enterprise syslog tool to parse these vast amounts of logs can provide the IT department with a set of automatic eyes in the sky to sift through all of the data and help to identify what is most important to have a prioritized response. A trend scenario can be put on a dashboard to have a visualization point of view to begin tackling those events in a systematic approach. Granted a set of human eyes will have to validate all of these findings.