A while ago, we embarked on a long and tortuous journey in order to try to organize all monitoring/detection controls into a coherent whole, a framework for selecting security monitoring controls. The effort took some number of months to stew and we took a couple of detours, but the result is here.
Behold “Selecting Security Monitoring Approaches by Using the Attack Chain Model!” In the paper abstract we say: “Implementing strong security monitoring requires an effective combination of technologies. This document compares monitoring approaches and technologies based on their effectiveness against malicious activities.”
Select fun quotes from the paper:
- “Timing and layering of monitoring controls — even for covering a single attack type — is generally unavoidable. No single control is 100% effective, and few controls cover more than two of the six attack phases.”
- “Clients often approach security monitoring from a specific driver, rather than from a larger perspective. This is no surprise, because they are generally trying to address a specific regulation, risk pain point or deal with an incident that just happened, and focus on what is the best and most cost-effective solution for that alone. But this path is dangerous, because it can lead to leaving large gaps in some areas and overspending in others — in part due to a focus on differences, rather than commonalities, in threats and attacks.”
- “Not all attacks execute the exfiltration phase. Sabotage needs no exfiltration, and snooping or corporate resource misuse can be done without making electronic copies of data. Merely monitoring the exfiltration of data, therefore, does not necessarily create a full “monitor of last resort,” although it is valuable to monitoring information theft. “
- “Do not buy more monitoring than you need — or can handle. Automated monitoring and response systems can be deployed widely, but many require investment in time and expertise. […] Gartner research consistently demonstrates that organizations procure much more security control functionality than they can absorb, deploy and operationalize (this challenge applies to all controls but is rampant for SIEM and DLP, in particular).”
- “Several types of security monitoring technology are not well-suited for immature security organizations or for those with limited security capabilities (NFT and ETDR, in particular). Enterprises should first be competent concerning basic network security technology, such as intrusion detection and prevention, network security zoning, and SIEM.”
Now, please go and read a related post from my co-author Ramon Krikken – he reveals more details on our approach and the attack chain model. And then of course go and read the paper [GTP subscription required]
P.S. The paper uses the word with the prefix “cyber” a grand total of 7 times. Sorry!
Related blog posts:
Other posts announcing document publication:
- My Blueprint for Designing a SIEM Deployment Publishes
- My Evaluation Criteria for Security Information and Event Management Publishes
- My Threat Intelligence and Threat Assessment Research Papers Publish
- My Updated Vulnerability Management Practices Paper Publishes
- My Security Solution Paths Published: Threats and Vulnerabilities
- All My Research Published in 2013
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.