This article covers logging and monitoring.
- Intrusion detection and prevention. There are two technologies that you can use to detect and prevent intrusions. You should use both. Some solutions combine them into a single software package or appliance.
- An intrusion detection system (IDS) is a technology (typically software or an appliance) that attempts to identify malicious activity in your environment. Solutions typically rely on patterns, signatures, or anomalies (deviations from a learned baseline of normal activity). There are multiple types of IDS solutions. For example, some are specific to the network (network IDS or NIDS) and others to individual computers (host-based IDS or HIDS).
- An intrusion prevention system (IPS) goes a step further: because it sits in line on the network path, it can drop or reset malicious traffic before it reaches its target, and at minimum it identifies an attack in progress. Like an IDS, an IPS is usually software or an appliance. The key difference is placement. An IPS is inline, so it can act on traffic entering or leaving the network; an IDS typically watches a copy of the traffic (or host logs) and reports an intrusion after it has occurred. The trade-off is that an inline device blocks legitimate traffic on a false positive and becomes a single point of failure, so IPS rules are usually tuned more conservatively than IDS rules.
- Security information and event management (SIEM). Companies accumulate security information in logs across many computers and appliances, often in different formats, and the volume quickly becomes hard to manage and use. Many companies deploy a security information and event management (SIEM) solution to centralize the log data, normalize it into a common schema, and make it simpler to search and correlate. For example, if you need to find all failed logon attempts on your web servers, you could look through the logs on each web server individually. With a SIEM, you go to one portal and search across all web servers with a single query. A SIEM is a critical technology in large and security-conscious organizations, but it is only as good as the logs fed to it: sources that are not forwarded, not parsed correctly, or not time-synchronized are invisible to it.
- Continuous monitoring. Continuous monitoring is the process of streaming information related to the security of the computing environment in real time (or close to real time). Some SIEM solutions offer continuous monitoring or at least some features of continuous monitoring.
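The "failed logons across all web servers" query from the SIEM item above is easy to show in code. The following is an added Python example (not code from the original article, nor from any SIEM product) of what the SIEM does on your behalf: it ingests logs from several hosts that write in different formats, normalizes them into one event schema, and then answers the question with a single query instead of a per-server search. The hostnames, log formats and log lines are constructed for the example.

```python
"""SIEM-style centralization: normalize logs from several hosts into one
schema, then answer "all failed logons on the web servers" with one query.

Added example, not code from the original article or any SIEM product.
Hostnames, log formats and log lines are constructed for illustration.
"""
import re
from collections import Counter

# Constructed raw logs keyed by hostname, in two different formats
# (the kind of inconsistency a SIEM's parsers have to absorb).
RAW_LOGS = {
    "web1": [
        "2024-05-01T10:00:01Z auth: user=alice result=FAIL src=203.0.113.4",
        "2024-05-01T10:00:05Z auth: user=alice result=OK src=203.0.113.4",
        "2024-05-01T10:01:00Z auth: user=admin result=FAIL src=198.51.100.9",
    ],
    "web2": [
        '2024-05-01 10:00:03 LOGIN FAILURE for "bob" from 198.51.100.9',
        '2024-05-01 10:00:09 LOGIN FAILURE for "admin" from 198.51.100.9',
        '2024-05-01 10:02:00 LOGIN SUCCESS for "carol" from 10.0.0.7',
    ],
    "db1": [
        "2024-05-01T10:00:02Z auth: user=svc result=FAIL src=10.0.0.9",
    ],
}

# Assumed asset inventory: which hosts count as "web servers".
WEB_HOSTS = {"web1", "web2"}

# One parser per source format; each maps into the common event schema.
FMT_A = re.compile(
    r"^(?P<ts>\S+) auth: user=(?P<user>\S+) result=(?P<res>\S+) src=(?P<src>\S+)$"
)
FMT_B = re.compile(
    r'^(?P<ts>\S+ \S+) LOGIN (?P<res>SUCCESS|FAILURE) for "(?P<user>[^"]+)" from (?P<src>\S+)$'
)


def normalize(host, line):
    """Map a raw line to {host, ts, user, src, outcome}, or None if unparsed."""
    m = FMT_A.match(line)
    if m:
        outcome = "failure" if m["res"] == "FAIL" else "success"
        return {"host": host, "ts": m["ts"], "user": m["user"],
                "src": m["src"], "outcome": outcome}
    m = FMT_B.match(line)
    if m:
        outcome = "failure" if m["res"] == "FAILURE" else "success"
        return {"host": host, "ts": m["ts"], "user": m["user"],
                "src": m["src"], "outcome": outcome}
    return None  # unparsed lines are the ones a SIEM silently loses


def ingest(raw_logs):
    """Centralize: parse every host's lines into one list of common events."""
    events = []
    for host, lines in raw_logs.items():
        for line in lines:
            ev = normalize(host, line)
            if ev:
                events.append(ev)
    return events


def failed_logons(events, hosts):
    """The single cross-host query: failed logons on the given hosts."""
    return [e for e in events if e["host"] in hosts and e["outcome"] == "failure"]


def failures_by_source(events, hosts):
    """Aggregate the same query by source address (who is hammering us?)."""
    return Counter(e["src"] for e in failed_logons(events, hosts))


if __name__ == "__main__":
    evs = ingest(RAW_LOGS)
    for e in failed_logons(evs, WEB_HOSTS):
        print(e)
    print(failures_by_source(evs, WEB_HOSTS))
```

Two things the example makes visible: the query is trivial once events share a schema, and everything `normalize` cannot parse disappears from the answer, which is why parser coverage and source onboarding are the real work of running a SIEM.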
- Egress monitoring. Egress monitoring is the monitoring of data as it leaves your network. One reason is to ensure that malicious traffic doesn't leave the network (for example, when an infected computer is trying to spread malware to hosts on the internet). Another reason is to ensure that sensitive data (such as customer information or HR information) does not leave the network unless authorized. The following concepts are relevant to egress monitoring:
- Data loss prevention (DLP) solutions inspect outbound content (for example, by matching patterns, file fingerprints, or classification labels) and aim to reduce or eliminate sensitive data leaving the network.
- Steganography is the art of hiding data inside another file or message; for example, a text message can be hidden inside a picture file (such as a .jpg). Because the carrier file appears innocuous, egress controls that inspect content can miss it. It is an exfiltration technique that egress monitoring has to account for, not a defensive control.
- Watermarking is the act of embedding an identifying marker in a file. For example, you can embed a company name in a customer database file or add a watermark to a picture file with copyright information. An egress control that recognizes the marker can then flag or block the file when it leaves.
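To show how DLP and watermarking fit together at the egress point, here is an added Python example (not from the original article or from any DLP product) of an outbound content check: it embeds and looks for a watermark token in a file, finds card numbers using a Luhn check to cut false positives, and returns an allow/block verdict that an authorized transfer can override. The watermark token format, the sample payloads and the authorization flag are assumptions made for illustration.

```python
"""Egress check in the DLP style: inspect an outbound payload for an embedded
watermark and for card numbers, then decide whether it may leave.

Added example, not code from the original article or any DLP product. The
watermark token, the sample payloads and the authorization flag are assumed.
"""
import re

# Assumed watermark: a fixed token embedded in files the company treats as sensitive.
WATERMARK = "X-Corp-Confidential:customer-db"

# 13 to 19 digits with optional single spaces or dashes between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Luhn checksum; used so that arbitrary digit runs are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def add_watermark(text, token=WATERMARK):
    """Embed the identifying marker in a text file (as a trailing comment)."""
    return f"{text}\n<!-- {token} -->"


def has_watermark(text, token=WATERMARK):
    """Recognize a watermarked file at the egress point."""
    return token in text


def find_card_numbers(text):
    """Return the normalized card numbers in text that pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def egress_verdict(payload, authorized=False):
    """Return ('allow' | 'block', reasons) for an outbound payload.

    `authorized` stands in for whatever approval process permits a transfer.
    """
    reasons = []
    if has_watermark(payload):
        reasons.append("watermarked-file")
    cards = find_card_numbers(payload)
    if cards:
        reasons.append(f"{len(cards)} card number(s)")
    if reasons and not authorized:
        return ("block", reasons)
    return ("allow", reasons)


# Constructed payloads: a watermarked customer export with a Luhn-valid test
# number, and a harmless message containing a 16-digit order id that fails Luhn.
CUSTOMER_EXPORT = add_watermark("id,name,card\n1,Alice,4111 1111 1111 1111\n")
NEWSLETTER = "Order #1234 5678 9012 3456 shipped. Thanks!"


if __name__ == "__main__":
    print(egress_verdict(CUSTOMER_EXPORT))
    print(egress_verdict(CUSTOMER_EXPORT, authorized=True))
    print(egress_verdict(NEWSLETTER))
```

A payload hidden steganographically inside an image would pass both checks here, which is exactly why steganography matters to egress monitoring: content inspection only catches what it can read. The Luhn check is also a reminder that DLP patterns need validation logic, or the order id in the newsletter would be blocked as a card number.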