Network and system monitoring are an important part of any well-formed security program, not to mention a requirement for some industry regulations. To understand what we mean by monitoring and how better insight can lead to a more prepared organization, I am going to break down the topic for business and system owners.
What are we monitoring?
When we speak on monitoring, we are referring to regularly reviewing system and network audit trails for suspicious activity. Depending on the industry, different log sources are a priority to be watched more closely. For instance, in HIPAA compliant organizations, a requirement is to audit authentications for any systems or software accessing Protected Health Information (PHI). This requirement is to ensure only appropriate people are accessing the health data and that the employees are only accessing the data required to fulfill their job duties. To highlight a violation of these access principles, MUSC reported 11 breaches in 2017 where employees viewed patient data that was not required to provide proper care, which is also derogatorily known as snooping to most people. Who really wants someone digging into their sensitive medical history, when there is no legitimate reason?
Businesses should also pay close attention to network logs such as internet activity. Even though users may complain that this type of monitoring is an invasion of privacy, several categories of breaches can be detected early with network information. We won’t get into acceptable use policies or privacy on corporate networks, but employees do not typically have a right to privacy on these networks and contribute significantly to breaches through poor web surfing practices. Hackers, computer viruses, and insider threats rely on ex-filtrating data by email and online file sharing (think DropBox). Unfortunately, one study found that 87% of employees in the health care industry have used non-secure email to send sensitive ePHI, a blatant violation of HIPAA. With early detection capabilities, an organization can identify a violation and retrain a user to encrypt data before large amounts of ePHI are exposed. By monitoring the right activity, organizations can get ahead of problems before they become systemic compliance issues.
How are we monitoring?
Keeping the logs is great practice but, without an easy way to review the thousands of events occurring every minute, businesses will be unable to effectively monitor activity. A piece of technology categorized as Security Information and Event Management (SIEM) software, or centralized logging platform, solves this dilemma by pulling logs from each computer system to one location. As an added benefit, the data is also easily searchable, allowing cyber investigators to quickly zero in on culprits.
As with most technology, various flavors of SIEMs and SIEM-like tools exist, ranging from free open-source tools (ELK Stack) to the expensive Cadillac of a tool by HP(ArcSight). Each tool requires a different level of effort to maintain and can handle a different number of logs per minute. Size of environments, detection capabilities, and budgets all play into the decision of choosing a SIEM. Regardless of technology chosen to manage audit logs, organizations should choose something and keep the device running like a well-oiled machine.
How does this relate to compliance?
Various regulations require monitoring and risk mitigation measures to include HIPAA and the SC Insurance Data Security Act (IDSA). Enabling and collecting logs help to meet this requirement while providing additionally cyber security benefits, such as those already discussed. Other benefits include quicker threat detection times, decreased breached costs by decreasing time of investigation, and potentially preventing a breach investigation by proving ePHI was never compromised. We have already discussed HIPAA audit log requirements so let’s now focus on the SC IDSA. As a cyber security measure, insurance companies must continuously audit security measures and plan improvements. As part of a mitigation measure, the organization could monitor important servers via audit logs to detect unauthorized access and malicious behavior, thus helping meet security best practice requirements. Although we only mentioned two industry regulations, others exist, and the requirements are always evolving. By implementing monitoring capabilities, regulatory bodies can be satisfied that organizations are taking necessary actions to protect sensitive data.
Logs are great but having a SIEM in place to centralize the overwhelming number of events can take cyber security capabilities to the next level. Throughout the next few weeks we will be covering other important aspects of monitoring environments, so stay tuned.
Comment below with other tools you use to stay compliant.