Business never sleeps. That’s what we experience in the digital economy, as customers can take advantage of the company’s services anytime and anywhere (think of e-commerce and other 24×7 available services), and employees may also be asked to access corporate systems outside traditional office hours. The same applies to cybercrime: independent studies proved that cyberattacks are more likely to happen during weekends or festive periods when surveillance and responsiveness might be lower.
IT security consequently needs a more systemic approach, and watchful businesses are strengthening their Security Operation Centers (SOC) to implement stricter, non-stop monitoring processes. Existing tools and technologies should be leveraged, if possible, to mitigate costs and complexity, but an in-depth assessment might reveal gaps requesting specific investments. Taking the cue from some recent analysis by Italian IT security association Clusit, we could describe key features of continuous monitoring using three keywords: heterogeneity, extension and correlation.
Continuous monitoring activities should first of all be heterogeneous, this means they do not limit to network devices, but collect and scrutinize logs generated by any corporate IT system, both on server and client sides. Service directories and access interfaces should also be integrated, as they are critical components of user authentication and identity management routines. Continuous monitoring should also be extensive, covering on-premise and local IT resources as well as cloud-based services and applications. Companies allowing BYOD (bring-your-own-device) policies should also consider broadening SOC surveillance to unsanctioned systems. Although not officially approved or inventoried, they contribute to increase risks and vulnerabilities.
The need for correlating data should not be underestimated. All systems we have mentioned produce a quantity of data, which might not be easy to natively compare as logs generated by each source might contain different information in different formats. Nevertheless, to detect a possible cyberattack and effectively respond it might necessary to correlate events such as a network access request, an authentication request to a service directory, an anomalous application or database activity, blending all these data with system and account details. Advanced analysis capabilities are therefore needed, and IT Events and Correlation Management solutions (like KRIU 4ITO) will increasingly integrate machine-learning and Artificial Intelligence to further improve security monitoring reliability and accuracy.