Eyeballs on security monitoring – rods and cones


A few weeks ago I attended a summit on advanced persistent threats (APTs)[1] run by on of the major security vendors. So that people could speak freely there it used Chatham House Rules, so sadly I can’t attribute the piece of insight that I’m going to share here.

About five or six years ago I wrote a security monitoring baseline, in which I started out with a statement along the lines of:

All security controls should be monitored, and such monitoring should be aggregated and analysed so that appropriate action can be taken.

The lead point here is that if you have a security control that isn’t properly monitored then at best it will give you a forensic record to be analysed after something so bad has happened that it’s obvious. Most likely that control is useless. If the control got put there to satisfy an auditor then a) they’re too easily satisfied and b) they’ll be back later when they realise the rror of their ways, sooner if something bad happens.

Since then it feels like the practice of security monitoring has matured. Most sufficiently large organisations now have security operations centres (SOCs) that employ some sort of security information/event management tool(s). In many cases organisations have discovered that running a SOC on their own isn’t a good use of highly specialised resource, and have engaged some sort of managed security service provider (MSSP) to do the heavy lifting for them.

Getting back to APTs – the whole point is that they’re different. This type of attacker isn’t generically after anything of value – they want something specific, and they want to take it from you. A different discipline is needed to identify and deal with such attackers, and this is where the eyeball analogy comes in – for the eyeballs on security monitoring we need both rods and cones:

  • Rods – this is the picture you get from a traditional SOC. Monochrome, but works in low light. You can probably outsource much of this to an MSSP. Whoever does this will be reacting to a near real time environment.
  • Cones – these add the colour. You may need to shine a light into the nether regions of your network to discern what’s going on. You need people that understand the business context of what an attacker is going after – the self awareness of knowing where the crown jewels are secured. Those people will have to actively search for the low and slow threats – matching the patience and technical subtlety of the attacker

[1] I actually prefer Josh Corman’s label of Adaptive Persistent Adversaries, but Schneier is right that we need a label to rally around, and APT seems to be the one that’s stuck.

One Response to “Eyeballs on security monitoring – rods and cones”

  1. Thanks for the nod of Adaptive Persistent Adversaries. I must point out that Nick Selby (@nselby) and Scott Crawford (@s_crawford) initially suggested the trailing “A” for Adversaries – which is SPOT ON. I later Changed the less useful “Advanced” to Adaptive as well – and added the definition you’ve linked to

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: