Continuous monitoring: four considerations
April 11, 2016
When striving to understand threats outside of an organization’s boundary, continuous monitoring and real-time alerts are two features that are often talked about. Organizations need to receive qualified information that is timely in order for them to act upon it. Without this, it is pretty tough for the information to be considered intelligence. However, while timely intelligence is an obvious necessity, there are four notable caveats that ought to be considered.
Firstly – and most fundamentally – organizations need to know what they are looking for. A colleague recently wrote a blog on the importance of creating intelligence requirements and developing a collection plan. Organizations need to articulate what they care about and the threats they wish to focus on as not all threats and relevant to all businesses. To make this truly relevant, organizations can increase their cyber situational awareness by understanding how they look online as well as their attackers’ profiles. Organizations ought to look for a combination of the two in order to understand what they care about and develop a collection plan accordingly. For example, an organization may be initially interested in Distributed Denial of Service (DDoS) threats against them. If, by monitoring their digital footprint, an organization realizes that many of their executives have spoof social media profiles, this may cause them to rethink their threat model.
Figure 1: The configuration tab in our client portal.
It is also important to know where to look for such information. It is less about how many sources you have access to and more to do with the types of sources you are able to reach. This requires experience of knowing what crops up and where. A common misconception is dark web sources; while these sources sound very exciting, criminal activity actually exists everywhere and is not specific to the dark web. In fact, there are many underground forums available on the surface web catering to criminal elements. You may be receiving real-time, lightening fast alerts, but if you exclude key sources, then there is the potential for more serious threats to slip through the net.
Thirdly, you can generate as many alerts as you like, but if you cannot consume it, then you won’t be getting the full value. External services must be able to easily integrate into existing security solutions, such as SIEM platforms. This allows organizations to act faster and earlier to emerging threats, armed with more relevant content and insight. Furthermore, feeding this information into visualization and investigation tools, such as Maltego, can help to identify trends, patterns and commonalities – allowing you to make more informed decisions.
Finally, just as important as continuous monitoring is continuous configuration. Situations change, and so should collection. For example, if there is a new project name, a recently acquired subsidiary or other sensitive keywords, organizations should be vigilant to check for mentions of these online. This may be done by organizations themselves, or through vendors. Figure 1 is a screenshot of the configuration tab in our portal, where our clients go in order to continually update what we monitor for.
These four considerations can be all neatly tied together with the help of the intelligence cycle: planning (what are you looking for), collection (where are your sources), analysis and dissemination (how do you consume the information). This should flow into many cycles, constantly updating what you are looking for. Timely information is important, but the speed at which you gain this information must be balanced against these other important considerations.