Monitoring is a key part of a cyber security approach, but look at what could be achieved with protective monitoring.
Speaking at the Government IT Security and risk management conference in London, Pankaj Mistry, head of IT Security and IT security office at the Department of Work and Pensions, said that while monitoring is one of the “ten steps to cyber security”, what should be done is proactive monitoring.
“Monitoring is about looking at network traffic to detect unusual activity and attacks, and if you design and develop it well, it will help in other areas too,” he said. “You can monitor remote workers and it may help to understand and get data you may have missed and help prevent incidents happening again in future.
“From a malware protection point of view, you can make sure it is doing what it is supposed to do and, with the information you get, it can help with information risk management and understand what you are working on as often we are too focused on alerts and events and not the underlying risk.”
However Mistry said that with the evolution of threats, monitoring is often not enough. “It is based on signatures so it will not tell you when authorised users do unusual activity, so we looked at protective monitoring,” he said.
“You may be able to pool information and see what else you can find out from it. I am sure you understand threats and vulnerabilities and you can look to CERTs for advice, but if you bring it all together and look at it together than in isolation, and by putting it all together you will see the information.”
Mistry said that putting a monitoring system in is important, but it is what you do with alerts that is crucial, and where you get the value.
“Protective monitoring gets wrapped into the security operations centre which is based on a military model with their eyes on the glass, and where you aim is down to you; but we try to do it in small steps to get confidence in the way we are doing it as with hundreds of systems it could end up as a data bunker,” he said.
“You need a sound base and we do need to change the data model as we are accountable for assurance. You need to say to your business that you are well protected.”
Mistry said that upon implementing protective monitoring, it was able to find changes being made that were not harmful, but had visibility of what was being done. He said: “We are improving our security posture and where does monitoring stop and start? Once you in the cloud, how do you get access to the logs you want and if you leave it to them [cloud provider], you will not get a full picture.
“We do think we need to embrace Big Data from an analytics point of view and we cannot afford to get some data on what going on in new infrastructure when it is not owned by us.”