Auditing, and overall Security Monitoring, is increasingly what most people think about first when they hear “Security Operations”. In this Taxonomy, we treat Auditing / Monitoring as a secondary role for Security Operations teams, behind only the primary role of proactively managing Access Control described in earlier articles.
As Threat Actors have become more sophisticated and developed better evasion techniques, Auditing/Monitoring has become a huge and complex topic area. So, we break this operational need out into more specific capability areas, each discussed in a separate article:
At #9 on our list of “Top 20” SOC Capability Areas is Instrumentation (Sensors).
This is one of the most problematic capability areas for Security Operations, in part because of the significant assumptions senior leadership often holds regarding what is a) technically possible, b) operationally practical, c) performed automatically, d) impervious to attack and manipulation, and e) legal.
Organizations often do not invest sufficient effort into deciding on the location and configuration of the sensor capabilities they deploy to instrument their networks. Deciding what to instrument and what to watch for, including how and when, is still more art than science because adversaries continuously change their tactics and offensive capabilities.
Further, the “set and forget” approach to sensor configurations is no longer effective – Security Operations teams need “Sensor Tuning” capabilities that allow them to dynamically reconfigure their sensors as threats evolve. Cyber Threat Intelligence (CTI) can be very helpful in informing this type of continuous sensor tuning. However, most Security Operations teams either do not or cannot invest significant resources in applying CTI. At least not until their organization experiences a significant compromise or breach.
As a starting point, MITRE’s ATT&CK framework provides a good knowledge base describing patterns of adversary behavior, targets, tactics, techniques, etc., which can inform sensor placement, configuration, and ongoing tuning.
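The sensor-placement and sensor-tuning problem described in the two preceding paragraphs can be made concrete as a coverage-gap check: list the ATT&CK techniques you care about, the data sources whose telemetry could reveal each one, and what your deployed sensors actually emit today (and could emit after tuning). The script below is an added example written for this article, not code from the original or from MITRE. The technique IDs and names are real ATT&CK entries, but the data-source mapping is a simplified, constructed illustration rather than a copy of the ATT&CK knowledge base, and the sensor names and their capabilities are hypothetical. It reports full, partial and absent coverage, builds a greedy tuning plan that enables the data source closing the most gaps first, and separates what tuning can fix from what needs new instrumentation.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Technique:
    attack_id: str
    name: str
    data_sources: frozenset  # data sources whose telemetry could reveal this technique


@dataclass
class Sensor:
    name: str
    emits: set                                  # data sources produced today
    tunable: set = field(default_factory=set)   # sources it could produce after reconfiguration


# Constructed sample. IDs/names are real ATT&CK techniques; the data-source
# mapping is a simplified illustration, not the full ATT&CK knowledge base.
TECHNIQUES = [
    Technique("T1059", "Command and Scripting Interpreter",
              frozenset({"Command Execution", "Process Creation"})),
    Technique("T1003", "OS Credential Dumping",
              frozenset({"Process Access", "Command Execution"})),
    Technique("T1021", "Remote Services",
              frozenset({"Network Traffic", "Logon Session"})),
    Technique("T1071", "Application Layer Protocol",
              frozenset({"Network Traffic"})),
    Technique("T1566", "Phishing",
              frozenset({"Application Log", "Network Traffic"})),
]

# Constructed sample fleet with hypothetical sensor names.
SENSORS = [
    Sensor("edr-agent", emits={"Process Creation"},
           tunable={"Command Execution", "Process Access"}),
    Sensor("network-tap-ids", emits={"Network Traffic"}),
    Sensor("domain-controller-logs", emits=set(), tunable={"Logon Session"}),
]


def deployed_sources(sensors):
    """Union of the data sources the fleet produces today."""
    return set().union(*(s.emits for s in sensors))


def needed_sources(techniques):
    """Union of every data source some technique of interest depends on."""
    return set().union(*(t.data_sources for t in techniques))


def coverage_report(techniques, sensors):
    """Classify each technique by how many of its revealing data sources are collected."""
    have = deployed_sources(sensors)
    report = {"full": [], "partial": [], "none": []}
    for t in techniques:
        seen = t.data_sources & have
        bucket = "full" if seen == t.data_sources else ("partial" if seen else "none")
        report[bucket].append(t.attack_id)
    return report


def tuning_plan(techniques, sensors):
    """Greedy plan: repeatedly enable the tunable data source that helps the most
    techniques that are not yet fully covered. Ties go to the alphabetically first
    (sensor, source) pair so the plan is deterministic. Returns a list of
    (sensor, data_source, [technique IDs helped])."""
    have = deployed_sources(sensors)
    candidates = sorted({(s.name, src) for s in sensors for src in s.tunable if src not in have})

    def gaps_closed_by(source):
        return [t.attack_id for t in techniques
                if source in t.data_sources and not t.data_sources <= have]

    plan = []
    while candidates:
        best = max(candidates, key=lambda c: len(gaps_closed_by(c[1])))
        helped = gaps_closed_by(best[1])
        if not helped:
            break  # nothing left that tuning can improve
        plan.append((best[0], best[1], helped))
        have.add(best[1])
        candidates.remove(best)
    return plan


def uncollectable_sources(techniques, sensors):
    """Data sources no deployed sensor can produce even after tuning:
    these gaps need new instrumentation, not reconfiguration."""
    reachable = set().union(*(s.emits | s.tunable for s in sensors))
    return needed_sources(techniques) - reachable


if __name__ == "__main__":
    print("coverage:", coverage_report(TECHNIQUES, SENSORS))
    for sensor, source, helped in tuning_plan(TECHNIQUES, SENSORS):
        print(f"tune {sensor}: enable '{source}' -> helps {helped}")
    print("needs new sensors for:", uncollectable_sources(TECHNIQUES, SENSORS))
```

On the sample data the report shows T1071 fully covered, T1059/T1021/T1566 partially covered and T1003 not at all; the plan enables "Command Execution" on the EDR agent first because it helps two techniques, and "Application Log" is flagged as a source no existing sensor can supply. Re-running the check as CTI changes the technique list is the continuous-tuning loop the article calls for.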
The range of instrumentation/sensor capabilities available to cybersecurity teams [logs, agents, probes, intrusion detection systems, network TAPs/SPANs, etc.] continues to grow and should be frequently reviewed as your Security Operations team continues to mature. And as ICS and IoT devices creep into the scope of responsibility for Security Operations, new sensors and instrumentation capabilities are rapidly emerging.
Unfortunately, there is no simple, once-and-done, “silver bullet” solution. You are being targeted and attacked by sophisticated, highly-skilled, well-resourced adversaries. It is their profession to continuously evade your monitoring capabilities; and they are good at it. To be effective, your Security Operations team needs instrumentation in your ever-evolving environment that goes beyond the static, superficial, commodity capabilities provided by commercial IT infrastructure. Adversaries own those too, and practice against them, daily.
This article barely scratches the surface of the need for Sensors/Instrumentation capabilities in contemporary Security Operations. But taken together with the other capability areas in this “Top 20” list, we hope to shine a light on the breadth, depth, and complexity of what is involved in building effective Security Operations today.
Contact us if you'd like help identifying and selecting Sensors/Instrumentation capabilities to support your own Security Operations efforts.