However, far too many times we are seeing organisations applying protective monitoring controls in a blanket-like approach – throwing an Intrusion Detection System (IDS) in here, or tightening firewall rule sets there, for no apparent justified reason. Sure, you will more than likely require a number of technologies to fortify your boundary; however, there is no need to be frivolous in your approach. Protective monitoring controls should be proportionate to the identified risk.
What we mean by this is that monitoring controls should be applied directly in response to a risk that the business has identified. A common example would be a malicious insider leaking data. The organisation identifies this as a significant risk to its business; it is therefore necessary to implement appropriate controls to reduce this risk. These controls will not focus just on protective monitoring but may also include strong access control mechanisms – locking down subsidiaries to prevent users from accessing all files. This may also include ensuring that employees have only the least privileges required to perform their role, reducing the impact of a rogue insider.
In this scenario, however, protective monitoring controls will also help to reduce the risk, or minimise the impact, of a potential malicious insider. Controls may be selected that monitor user activity by username or by the workstation that the user logs on to. This may include alerting on critical events that fall outside of a predetermined behavioural pattern that has been identified for the user. The organisation may then wish to consider monitoring the boundary for business traffic crossing it that, again, falls outside the expected norm. In this case, the controls would be supportive technologies such as IDS/IPS and account monitoring controls; however, these will need to be backed by an effective monitoring framework.
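The user-activity control described above, as an added example that is not from the original article: a per-user behavioural baseline (workstations used and usual logon hours) is built from historical logon records, and new logons that fall outside that pattern are flagged for review. The log format, usernames, workstation names and hours are constructed for illustration.

```python
# Added example (not from the original article): build a per-user behavioural
# baseline from historical logon records and flag events that fall outside it.
# Record format and sample values are constructed for illustration.

# Constructed historical logon records: (username, workstation, hour_of_day)
HISTORICAL = [
    ("alice", "WS-101", 9), ("alice", "WS-101", 10), ("alice", "WS-101", 14),
    ("alice", "WS-102", 11),
    ("bob", "WS-200", 8), ("bob", "WS-200", 17), ("bob", "WS-201", 9),
]

def build_baseline(records):
    """Per user: the set of workstations seen and the observed hour range."""
    baseline = {}
    for user, host, hour in records:
        entry = baseline.setdefault(user, {"hosts": set(), "min_hour": hour, "max_hour": hour})
        entry["hosts"].add(host)
        entry["min_hour"] = min(entry["min_hour"], hour)
        entry["max_hour"] = max(entry["max_hour"], hour)
    return baseline

def check_event(baseline, user, host, hour, tolerance=1):
    """Return the reasons an event deviates from the user's baseline.
    An empty list means the event matches the established pattern."""
    profile = baseline.get(user)
    if profile is None:
        return ["no baseline for user"]
    reasons = []
    if host not in profile["hosts"]:
        reasons.append(f"workstation {host} not previously used by {user}")
    # Allow a small tolerance (in hours) either side of the observed range
    if hour < profile["min_hour"] - tolerance or hour > profile["max_hour"] + tolerance:
        reasons.append(f"logon at hour {hour} outside usual range "
                       f"{profile['min_hour']}-{profile['max_hour']}")
    return reasons

def alert_on(baseline, events):
    """Run the check over a batch of events and return only the anomalous ones."""
    alerts = []
    for user, host, hour in events:
        reasons = check_event(baseline, user, host, hour)
        if reasons:
            alerts.append((user, host, hour, reasons))
    return alerts

if __name__ == "__main__":
    base = build_baseline(HISTORICAL)
    # Constructed new events: one normal, one from an unknown host at 03:00, one unknown user
    new_events = [("alice", "WS-101", 10), ("alice", "WS-309", 3), ("carol", "WS-400", 12)]
    for user, host, hour, reasons in alert_on(base, new_events):
        print(f"ALERT {user}@{host} hour={hour}: {'; '.join(reasons)}")
```

In practice the baseline would be rebuilt periodically from the real logon source and reviewed by an analyst, since a pattern established from too little history will generate noise rather than useful alerts.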
Organisations need to start thinking in a holistic manner; an IDS box bought off the shelf and stuck in a corner of the office is not going to stop attacks of the sophistication seen in the current climate. Effective monitoring controls require tuning, an understanding of the network and, most importantly, expert personnel to execute this. The end-to-end process involves expertise in network analysis, followed by time to understand, map and analyse the network. Behavioural patterns cannot be established immediately, and the business needs to understand this.
In conclusion, establishing a baseline of protective monitoring controls will help to protect organisations in the short term. However, as a long-term solution, organisations should look to identify risks in their network and apply extra controls appropriately. The framework of controls should be supported by technical expertise, policies and procedures.
Author Bio: Lee Hazell is an information security advisor and owner of Cyber Security News, a site dedicated to providing the best cyber security news feeds, articles, jobs and resources.