What is Protective Monitoring anyway?

Author: Dave Parnaby

Date: 7th July 2020 

For many years I’ve heard organisations tell me that they have protective monitoring in place, but more often than not, what they mean is that they have a tool which ticks a compliance box that no-one really knows how to set up, configure or even use.

Their fundamental error was not understanding what they needed from a protective monitoring solution and perhaps more importantly, not really understanding what protective monitoring actually means.

Security breaches are commonplace, and not a day seems to go by without another high profile organisation being subject to a ransomware attack or data theft, and one must ask the question; did these organisations have any form of protective monitoring in place? My view is that the vast majority of them thought that they did, but weaknesses in implementation, configuration or lack of understanding of the solutions that they did have installed was a contributory factor to the breach.

Depending upon who you talk to, protective monitoring can mean data loss prevention, intrusion detection, intrusion prevention, SIEM (Security Incident and Event Management), user auditing, system health monitoring, and the list goes on.

The complexities of effective protective monitoring should not be underestimated, even from the shortlist in the previous paragraph, we can split intrusion detection into HIDS and NIDS – Host-based intrusion detection and Network-based intrusion detection. Then there is the consideration of where to place the detectors or sensors and what they are configured to collect and forward the data on to, is it a SIEM, or is it a SOC?

Another significant consideration is that any protective monitoring solution is never a fit and forget approach. Monitoring must be tuned over a period of months and organisation must be prepared to resource this and develop a good understanding of what they’re looking for, what would be important enough to trigger an alert and what the thresholds are, for example, would three unsuccessful login attempts trigger an alert, or would it be four or five? 

As part of the tuning process, consideration needs to be taken of how often the monitoring rules are reviewed, taking into account false positives in order to get the balance right between the volume of logs stored and the effectiveness of the solution.

Just Ten Steps to a more secure organisation

The NCSC 10 steps to cybersecurity is an excellent starting point for any organisation looking to improve its cybersecurity posture, but in particular, the step relating to monitoring is useful in this discussion. The monitoring section of the ten steps talks about system monitoring providing a capability that aims to detect actual or attempted attacks on systems and business services.

Good monitoring is essential in order to effectively respond to attacks. In addition, monitoring allows you to ensure that systems are being used appropriately in accordance with organisational policies. Monitoring is often a key capability needed to comply with legal or regulatory requirements.

Without effective monitoring, how can any organisation know what is going on inside their network, what attacks are being targeted at them from outside their network and what their user community are doing while connected.

So, as an organisation, what can you do to meet the NCSC guidance and get some effective monitoring in place, especially where resources may be limited? Managed Detection and Response is an option which should be seriously considered as part of your security toolkit. The Gartner report “”Market Guide for Managed Detection and Response Services””” defines the goal of a managed detection and response service as “”to rapidly identify and limit the impact of security incidents to customers””””.

One of the most significant benefits of MDR services is that they provide the required capability for threat detection and incident response in a cost-effective manner. This is particularly important for ‘ ‘SME’s where providing in-house protective monitoring capability would be beyond reach.

Conclusion

I believe that a protective monitoring solution must be based on individual organisation requirements, with a clear understanding of what their asset value is, what it is they need to protect and who they need to protect it from, together with an eye on any relevant compliance regime. Your goal should never simply be compliance, but a genuine desire to protect your organisation’s assets in support of your business objectives. If this goal is implemented effectively, it will tick any compliance box that’s required.

The implementation of a protective monitoring solution is predicated on having good cybersecurity health in your organisation to begin with, otherwise monitoring will not help. Monitoring should be seen as part of an effective suite of controls to help reduce the likelihood and the impact of a cyber-attack on your organisation.