Challenges to Monitoring
Product limitations, the realities of operational monitoring, event volumes, and the necessity of privacy protection are challenges faced by security professionals when constructing a monitoring approach.
Vendor Promises
“Just plug it in; it will sort out everything for you!” This advice on setting up vendor XYZ’s Security Information Manager (SIM) system to “automagically” correlate security events may work in small, strict, well-maintained environments. However, utopian environments such as these are rare in our experience and in talking with our customers. Security monitoring is not like a Ron Popeil Showtime Rotisserie; you can’t “set it and forget it.”
Security technology cannot automatically provide the contextual information necessary for you to prioritize and focus your security monitoring. Every environment is unique, but the methods we discuss in Chapter 3 will enable you to build this critical contextual information into all of your security tools. “But wait, there’s more!”
Operational Realities
“Turn on auditing for all your database tables.” Database operations in a busy enterprise environment prioritize performance and stability, which gave us pause when considering such advice. What are the potential performance impacts? What risks does this introduce to business operations, change controls, stability, and uptime? We began to discuss these concepts through email with an IT database administrator. He stopped replying to our emails after we relayed ...