Security monitoring can help your IT security team find threats hiding in plain sight among your legitimate network activity. In fact, you can even automate your security monitoring to alert you when it recognizes a threat without direct threat hunting required.
However, do you know what to look for with your security monitoring? What threats require constant vigilance? And, importantly, what are the telltale signs of these digital threats?
1. Platform Misconfiguration
No one can overstress the dangers of platform misconfiguration. Indeed, platform misconfiguration represents one of the most consistent dangers for enterprises of any size on the cloud.
For those unaware, platform misconfiguration occurs in hybrid or cloud environments. In these cases, the configurations of the storage or computation of the cloud server instances leave them vulnerable to breaches.
A classic example: if any user can read your AWS S3 bucket from their browser, that is platform misconfiguration. Unfortunately, this problem remains ubiquitous among enterprises undergoing cloud migration.
Your security monitoring should look for any sign of misconfiguration, either on the cloud itself or by examining its access parameters.
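The S3 case above can be checked directly from a bucket's policy document. The following is an added example, not code from the original article: it parses a bucket policy and flags any Allow statement whose principal is anonymous ("*") and whose actions include object reads. The two policies and the account id are constructed for the example.

```python
import json

# Constructed sample bucket policy for a made-up bucket: it grants anonymous object reads,
# which is exactly the "anyone can fetch it from a browser" misconfiguration.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAnonRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Same bucket, but reads are limited to one (assumed, made-up) account principal.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountOnlyRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
})

# Actions that let the principal read object contents (wildcards included).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}

def _as_list(value):
    # Policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means any caller, authenticated or not.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_read_statements(policy_json):
    """Return the Sid (or index) of every Allow statement that grants anonymous reads.
    A Condition block may narrow such a grant, so flagged statements still need review."""
    findings = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings
```

In a real deployment the policy JSON would come from the bucket's policy API or a config export; the check itself stays the same.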
Speaking of which…
2. Unauthorized Access
With unauthorized access, SIEM, security monitoring, and identity management collaborate to help keep your business secure. Above all, remember this: it doesn’t matter what kind of security protocols you have in place if a hacker has stolen credentials. If you don’t watch for unauthorized access or stolen credentials, hackers win every time.
Moreover, stolen credentials and unauthorized access can end up creating more lasting and more devastating damage long term. They can lead to financial theft, intellectual property theft, and even network destruction.
Therefore, your security monitoring should look for unauthorized access. In particular, it should look for multiple failed login attempts, unusual access request times or locations, and unusual behaviors when logged in.
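The three signals just listed (repeated failures, odd times or locations, a success that follows a burst of failures) can be expressed as simple rules over authentication logs. The following is an added example, not code from the article or any vendor: it runs those rules over constructed log lines in a generic "timestamp user result source" format, with the thresholds and working hours being assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in a generic "timestamp user result source" format (made-up IPs).
SAMPLE_LOG = """\
2020-05-20T09:01:10Z alice FAIL 203.0.113.7
2020-05-20T09:01:12Z alice FAIL 203.0.113.7
2020-05-20T09:01:14Z alice FAIL 203.0.113.7
2020-05-20T09:01:16Z alice FAIL 203.0.113.7
2020-05-20T09:01:18Z alice FAIL 203.0.113.7
2020-05-20T09:01:25Z alice SUCCESS 203.0.113.7
2020-05-20T10:15:00Z bob SUCCESS 198.51.100.9
2020-05-21T03:12:40Z bob SUCCESS 198.51.100.9
2020-05-21T11:00:00Z alice SUCCESS 192.0.2.50
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (FAIL|SUCCESS) (\S+)$")
FAIL_THRESHOLD = 5         # failures from one (user, source) before alerting; assumed tuning
WORK_HOURS = range(7, 20)  # 07:00-19:59 UTC treated as normal; assumed baseline

def analyze(log_text):
    """Return (rule, user, source) alerts in the order the triggering lines appear."""
    alerts = []
    fails = defaultdict(int)          # (user, source) -> failures since last success
    known_sources = defaultdict(set)  # user -> sources with a previous successful login
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                  # skip malformed lines rather than abort the run
        ts, user, result, src = m.groups()
        key = (user, src)
        if result == "FAIL":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:
                alerts.append(("repeated_failures", user, src))
            continue
        # A success right after a burst of failures is the classic credential-guessing tell.
        if fails[key] >= FAIL_THRESHOLD:
            alerts.append(("success_after_failures", user, src))
        fails[key] = 0
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        if hour not in WORK_HOURS:
            alerts.append(("off_hours_login", user, src))
        if known_sources[user] and src not in known_sources[user]:
            alerts.append(("new_source_login", user, src))
        known_sources[user].add(src)
    return alerts
```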
3. Insecure APIs
Fundamentally, APIs allow for automated data transfers and usage among disparate services. In cloud and hybrid environments, APIs are what make scalability and efficiency possible.
However, APIs can suffer the same issue faced by S3 buckets: misconfigurations. Specifically, a misconfigured API can result in data traffic moving to more vulnerable network areas, to unauthorized users, or into hackers’ hands.
Thus your security monitoring solution should look for any discrepancy in data traffic resulting from APIs. Additionally, it should look for any user changing the configuration rules of your APIs; anyone doing so without permission poses a threat to your organization.
4. Dangerous Administrator Actions
Of course, any privileged users’ activities should receive strict security monitoring at all times. No exceptions. Any discrepancies in behaviors or in access requests should trigger security protocols to ensure the users’ authenticity and good intentions.
Privileged users’ accounts can do far more than regular users’. They can completely change your business processes, access proprietary information, and potentially steal your finances from you without your legacy solutions noticing. Imagine what a hacker or insider threat could do with this power.
As such, your security monitoring should look for any privilege escalation attempts, role changes, and access rights alterations; these constitute serious red flags. Also, your security monitoring should alert you if it detects new user creations, repeated user deletions, and configuration changes.
In particular, notice how configuration changes continue to reemerge as a major warning sign of threats.
5. File Access and Sharing
File sharing doesn’t just occur through APIs. It occurs through everyday business processes, and there are so many of them that most people couldn’t keep track of them all. However, your security monitoring solution must. Imagine how easily hackers could interrupt or disrupt your file sharing protocols; they could obtain sensitive assets with relatively little effort.
Therefore, your security monitoring solution should keep a lookout for major or minor policy changes to your infrastructure or network components. Also, it should watch for changes in user access to files, deleted files, as well as any configuration changes.
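Items 3, 4 and 5 all come down to the same rule set: alert on identity changes (user creation, deletion, policy attachment), on configuration changes to APIs and storage, and on bursts of deletions, with extra weight when the actor is outside change control or is granting admin rights to themselves. The following is an added example, not code from the article or from AWS: it applies those rules to constructed CloudTrail-style events; the approved-admin list, burst threshold and user names are assumed.

```python
from collections import Counter

# Constructed CloudTrail-style events, trimmed to the fields the rules need (made-up names).
EVENTS = [
    {"eventName": "CreateUser", "user": "admin-jane", "params": {"userName": "svc-backup"}},
    {"eventName": "AttachUserPolicy", "user": "dev-tom",
     "params": {"userName": "dev-tom", "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "PutBucketPolicy", "user": "dev-tom", "params": {"bucketName": "payroll-exports"}},
    {"eventName": "DeleteUser", "user": "admin-jane", "params": {"userName": "old-a"}},
    {"eventName": "DeleteUser", "user": "admin-jane", "params": {"userName": "old-b"}},
    {"eventName": "DeleteUser", "user": "admin-jane", "params": {"userName": "old-c"}},
    {"eventName": "GetObject", "user": "dev-tom", "params": {"bucketName": "payroll-exports"}},
]

APPROVED_ADMINS = {"admin-jane"}   # assumed change-control list of who may alter config
# IAM (identity) and S3 / API Gateway (configuration) mutations worth alerting on.
IDENTITY_CHANGES = {"CreateUser", "DeleteUser", "AttachUserPolicy", "PutUserPolicy",
                    "CreateAccessKey", "UpdateAssumeRolePolicy"}
CONFIG_CHANGES = {"PutBucketPolicy", "PutBucketAcl", "UpdateRestApi", "UpdateStage"}
DELETE_BURST = 3                   # deletions by one actor before alerting; assumed tuning

def detect(events):
    """Return (rule, actor, detail) alerts in event order."""
    alerts = []
    deletions = Counter()
    for ev in events:
        name, actor, p = ev["eventName"], ev["user"], ev.get("params", {})
        # Any identity or configuration change by someone outside change control.
        if (name in IDENTITY_CHANGES or name in CONFIG_CHANGES) and actor not in APPROVED_ADMINS:
            alerts.append(("unapproved_change", actor, name))
        # Attaching a full-admin policy is escalation whoever does it; self-grant is the worst case.
        if name == "AttachUserPolicy" and p.get("policyArn", "").endswith("/AdministratorAccess"):
            target = p.get("userName", "?")
            rule = "self_escalation" if target == actor else "privilege_escalation"
            alerts.append((rule, actor, target))
        # A burst of user deletions, even by an approved admin, deserves a look.
        if name == "DeleteUser":
            deletions[actor] += 1
            if deletions[actor] == DELETE_BURST:
                alerts.append(("repeated_deletions", actor, name))
    return alerts
```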
6. Malicious Actors or Malware
As we come to the end of our list, we have to acknowledge an oft-neglected truth in modern cybersecurity. Sometimes, the thing you need to look out for is, in fact, the obvious villain.
Absolutely, access-based attacks continue to rise. However, traditional malware such as ransomware continues to be used. Additionally, less traditional digital threats like fileless malware are enjoying an increase in popularity. Finally, known bad actors still use old-school communication techniques to exploit business networks.
Your enterprise’s security monitoring should keep an eye out for the signs of known bad actors and send immediate alerts if it discovers any evidence. Of course, this may seem simple. Yet the simplest things often end up the most neglected.
Thanks to the AT&T Cybersecurity whitepapers on Office 365 and AWS security monitoring for helping with this article. If you would like to learn more, see our own resources on SIEM: the Buyer’s Guide and Vendor Map!
Latest posts by Ben Canner (see all)