As threat actors have become more sophisticated and developed better evasion techniques, auditing and monitoring has grown into a large and complex topic area. So we break this operational need out into more specific capability areas, each discussed in a separate article:
At #9 on our list of “Top 20” SOC Capability Areas is Instrumentation (Sensors).
This is one of the most problematic capability areas for Security Operations, in part because of the assumptions senior leadership often holds about what is a) technically possible, b) operationally practical, c) performed automatically, d) impervious to attack and manipulation, and e) legal.
Organizations often do not invest sufficient effort in deciding where to place, and how to configure, the sensors they deploy to instrument their networks. Deciding what to instrument, what to watch for, and how and when to watch for it is still more art than science, because adversaries continuously change their tactics and offensive capabilities.
Further, the “set and forget” approach to sensor configuration is no longer effective. Security Operations teams need a “Sensor Tuning” capability that lets them reconfigure their sensors as threats evolve, and, because a tuning change can silently reduce the telemetry a detection depends on, each change should go through the same review and change control as any other production change. Cyber Threat Intelligence (CTI) can be very helpful in informing this type of continuous sensor tuning. However, most Security Operations teams either do not or cannot invest significant resources in applying CTI, at least not until their organization experiences a significant compromise or breach.
As a starting point, MITRE’s ATT&CK framework provides a good knowledge base of adversary behavior: tactics, techniques, the targets they are used against, and the data sources that can observe each technique. That mapping can inform sensor placement, configuration, and ongoing tuning.
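The analysis that ties the previous two paragraphs together is a coverage gap check: take the techniques CTI says matter, look up which ATT&CK data sources can observe them, compare that with the data sources your deployed sensors actually produce, and rank the undeployed sensors by how many priority techniques they would bring into view. The script below is an added illustration, not code from the original article. The technique IDs are real ATT&CK IDs, but the technique-to-data-source mapping, the sensor inventory and the CTI observations are constructed for the example; in practice you would load the mapping from the ATT&CK STIX export and the inventory from your own sensor records.

```python
"""Sensor coverage gap analysis driven by CTI and ATT&CK data sources.

Added illustration, not code from the article. Technique IDs are real
ATT&CK IDs; the technique -> data-source mapping, the sensor inventory
and the CTI observations are CONSTRUCTED for this example. Replace them
with the ATT&CK STIX export and your own sensor inventory.
"""
from __future__ import annotations

# Constructed (abbreviated) mapping: technique -> ATT&CK-style data sources
# that can observe it. Not the authoritative ATT&CK mapping.
TECHNIQUE_DATA_SOURCES: dict[str, set[str]] = {
    "T1059": {"Command: Command Execution", "Process: Process Creation",
              "Script: Script Execution"},
    "T1003": {"Process: OS API Execution", "Process: Process Access",
              "File: File Access", "Command: Command Execution"},
    "T1021": {"Logon Session: Logon Session Creation",
              "Network Traffic: Network Connection Creation"},
    "T1071": {"Network Traffic: Network Traffic Content",
              "Network Traffic: Network Traffic Flow"},
    "T1566": {"Application Log: Application Log Content",
              "Network Traffic: Network Traffic Content", "File: File Creation"},
    "T1078": {"Logon Session: Logon Session Creation",
              "User Account: User Account Authentication"},
}

# Constructed sensor inventory: sensor -> (deployed?, data sources it emits).
SENSORS: dict[str, tuple[bool, set[str]]] = {
    "windows_security_log": (True, {"Logon Session: Logon Session Creation",
                                    "User Account: User Account Authentication",
                                    "Process: Process Creation"}),
    "sysmon": (False, {"Process: Process Creation", "Process: Process Access",
                       "Command: Command Execution", "File: File Creation"}),
    "network_tap_ids": (True, {"Network Traffic: Network Traffic Flow",
                               "Network Traffic: Network Connection Creation"}),
    "tls_inspecting_proxy": (False, {"Network Traffic: Network Traffic Content"}),
    "edr_agent": (False, {"Process: OS API Execution", "Script: Script Execution",
                          "File: File Access", "Command: Command Execution"}),
}

# Constructed CTI observations: techniques current reporting says are in use.
CTI_OBSERVATIONS = [
    {"technique": "T1566", "source": "vendor report A (constructed)"},
    {"technique": "T1003", "source": "ISAC bulletin (constructed)"},
    {"technique": "T1071", "source": "internal IR case (constructed)"},
    {"technique": "T1003", "source": "vendor report B (constructed)"},
]


def deployed_data_sources(sensors=SENSORS) -> set[str]:
    """Union of data sources produced by sensors that are actually deployed."""
    return set().union(*(srcs for deployed, srcs in sensors.values() if deployed))


def coverage(techniques=TECHNIQUE_DATA_SOURCES, sensors=SENSORS):
    """Per technique: (data sources we collect today, data sources we do not)."""
    have = deployed_data_sources(sensors)
    return {t: (srcs & have, srcs - have) for t, srcs in techniques.items()}


def uncovered(techniques=TECHNIQUE_DATA_SOURCES, sensors=SENSORS) -> list[str]:
    """Techniques for which no deployed sensor produces any observing source."""
    return sorted(t for t, (got, _) in coverage(techniques, sensors).items() if not got)


def priority_techniques(observations=CTI_OBSERVATIONS) -> list[str]:
    """Deduplicated technique IDs from CTI, most frequently reported first."""
    counts: dict[str, int] = {}
    for obs in observations:
        counts[obs["technique"]] = counts.get(obs["technique"], 0) + 1
    return sorted(counts, key=lambda t: (-counts[t], t))


def tuning_recommendations(priority, techniques=TECHNIQUE_DATA_SOURCES, sensors=SENSORS):
    """Rank sensors that are NOT yet deployed by how many priority techniques
    they would add at least one new data source for. Returns [(sensor, [techniques])]."""
    have = deployed_data_sources(sensors)
    recs = []
    for name, (deployed, srcs) in sensors.items():
        if deployed:
            continue
        new_sources = srcs - have
        gained = sorted(t for t in priority if techniques[t] & new_sources)
        if gained:
            recs.append((name, gained))
    recs.sort(key=lambda r: (-len(r[1]), r[0]))
    return recs


if __name__ == "__main__":
    print("Blind spots (no observing data source):", uncovered())
    prio = priority_techniques()
    print("CTI priority techniques:", prio)
    for sensor, gained in tuning_recommendations(prio):
        print(f"Deploy {sensor}: adds visibility for {', '.join(gained)}")
```

With the constructed inventory, T1003 and T1566 are complete blind spots, and the ranking shows that deploying Sysmon or a TLS-inspecting proxy each address two of the three CTI-priority techniques, while the EDR agent alone addresses one. The same approach works in reverse for tuning: re-run it after a proposed filter or sampling change to see which techniques the change would push back into the uncovered list.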
The range of instrumentation and sensor capabilities available to cybersecurity teams (logs, agents, probes, intrusion detection systems, network TAPs and SPAN ports, etc.) continues to grow and should be reviewed regularly as your Security Operations team matures. And as ICS and IoT devices creep into the scope of responsibility for Security Operations, new sensor and instrumentation capabilities for those environments are rapidly emerging.
Unfortunately, there is no simple, once-and-done, “silver bullet” solution. You are being targeted and attacked by sophisticated, highly skilled, well-resourced adversaries. It is their profession to continuously evade your monitoring capabilities, and they are good at it. To be effective, your Security Operations team needs instrumentation of your ever-evolving environment that goes beyond the static, superficial, commodity capabilities provided by commercial IT infrastructure. Adversaries have access to those same commodity products and practice evading them daily.