Normalcy is boring, or is it?
Something I have been working on is helping to come up with a baseline security plan for an IT team and their infrastructure. What I have run into is that having a basic template and starting point really helps. Fantastic, right? Well, when I start off by giving them credit for monitoring, they look at me peculiarly, as in "why would monitoring be a starting point?" To be fair and accurate, a few high five me, as they are like SAWEETNESS (meant to be spelled wrong, as that literally is how I speak; OK, back to the blog) and check that off the list of things to come! Today I'm going to go over this one portion of the plan and show why "knowing normal" is actually the starting point for great security best practices and policies.
First things first, my favorite quote: "If you don't know what's normal, how the heck do you know when something's wrong?" A baseline and an accurate monitoring history will show you what's normal. Monitoring also shows you how your infrastructure handles new applications and load, so it's not just for up/down; honestly, that is just a side perk.
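As an added example (not code from the original post), here is what "knowing normal" looks like when you write it down: a baseline is built from monitoring history, and each new sample is judged against that history, both by level (how far from the usual value) and by rate of change (how much it moved in one interval). The HISTORY data and the metric names cpu, mem, if_util and disk_free_gb are constructed for the example and are not any product's schema.

```python
# Added example (not from the original post): build a per-metric baseline from
# monitoring history and flag new samples that fall outside it, both by level and
# by rate of change. HISTORY is constructed sample data, and the metric names are
# assumptions for the example, not a product's schema.
import statistics

# Constructed history: 14 samples per metric for one node, collected while things
# were known to be normal. disk_free_gb drifts down slowly as logs accumulate.
HISTORY = {
    "cpu":          [22, 25, 19, 24, 23, 21, 26, 22, 24, 20, 23, 25, 22, 21],
    "mem":          [61, 63, 60, 64, 62, 63, 61, 62, 65, 60, 63, 62, 64, 61],
    "if_util":      [12, 15, 11, 14, 13, 12, 16, 14, 13, 11, 15, 12, 14, 13],
    "disk_free_gb": [512, 511, 511, 510, 510, 509, 509, 508, 508, 507,
                     507, 506, 506, 505],
}


def build_baseline(history):
    """Mean/stdev of each metric's level and of its sample-to-sample change."""
    base = {}
    for name, samples in history.items():
        deltas = [b - a for a, b in zip(samples, samples[1:])]
        base[name] = {
            "mean": statistics.mean(samples),
            "stdev": statistics.pstdev(samples),
            "delta_mean": statistics.mean(deltas),
            "delta_stdev": statistics.pstdev(deltas),
        }
    return base


def check_sample(baseline, previous, current, z_limit=3.0):
    """Compare one new sample against the baseline.

    Returns {metric: [(kind, message), ...]} for metrics that deviate, where
    kind is "level" (far from the historical mean) or "rate" (changed far
    faster than it normally does between two samples). A drive being emptied
    or encrypted, or a runaway process, trips "rate" on the very first
    interval, before the level alone has drifted far enough to look odd.
    """
    alerts = {}
    for name, value in current.items():
        b = baseline[name]
        reasons = []
        if b["stdev"] > 0:
            z = (value - b["mean"]) / b["stdev"]
            if abs(z) > z_limit:
                reasons.append(("level", f"{name}={value} is {z:+.1f} stdev from baseline mean {b['mean']:.1f}"))
        delta = value - previous[name]
        if b["delta_stdev"] > 0:
            dz = (delta - b["delta_mean"]) / b["delta_stdev"]
            if abs(dz) > z_limit:
                reasons.append(("rate", f"{name} changed by {delta:+} in one interval (typical {b['delta_mean']:+.2f})"))
        if reasons:
            alerts[name] = reasons
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    previous = {"cpu": 21, "mem": 61, "if_util": 13, "disk_free_gb": 505}
    # Constructed "now": CPU pegged and 125 GB of free space gone in one interval.
    current = {"cpu": 95, "mem": 62, "if_util": 13, "disk_free_gb": 380}
    for metric, reasons in check_sample(baseline, previous, current).items():
        for kind, msg in reasons:
            print(f"[{kind}] {msg}")
```

The point of the two checks is the one the post makes below about volumes: a drive that loses 125 GB between two polls is not "low on space" yet, so a fixed "alert under 10% free" threshold stays quiet, while the rate check fires immediately because nothing in the history ever moved that fast.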
OK, once you know what normal is, the following will help you spot issues sooner and stay aware. Remember that everything below assumes you have already been monitoring and understand what normal looks like for the devices you monitor.
Monitoring security features
- Node - up/down
  - Shows you whether a DoS is happening, or a configuration error has left a device unreachable (no ping).
  - Shows you which areas of your environment are possibly being attacked.
  - Gives you a clear audit trail of the events taking place, which you and your management can use for assessments.
- Node - CPU/Memory/Volume
  - CPU: a spike that never goes away shows you where to look for what increased load or caused it.
  - Memory: if there is a spike, something is obviously holding it hostage, and you need to address it and prevent or resolve it.
  - Volume: if a drive's usage jumps OR its free space drops quickly and you are alerted to it, you may be able to stop things like ransomware quickly. The trick is to be monitoring AND have alerts set up so you are aware of drastic changes.
- Interface - utilization
  - Shows you a sudden increase of data transferring into or out of an interface.
- Log file monitoring
  - Know when AD authentication attempts are failing.
  - This is something I see a lot, and the person monitoring just states "yes, but it's just an old app making the request, no biggie." To me, fix the old application so it is no longer NOISE; then, when failures come in from outside that app, you are more inclined to investigate and stop the whole thing.
  - Encryption: know if files are being encrypted on your volumes.
  - Directory changes: if directory/file changes are happening, you need to be aware, period.
- Configuration monitoring
  - Real-time change notification compared against the baseline config is vital to make sure no one is changing configurations outside of your team. Period, END OF STORY. (I preach this a lot, I know. #SorryNotSorry)
- Port monitoring
  - When a rogue device plugs into your network, you need to know when and who immediately.
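The log file item above deserves a worked example, because the "old app noise" problem is exactly where knowing normal pays off. Below is an added example (not code from the original post) that parses forwarded failed-logon events, counts them per source, and compares each source against its own baseline instead of one global threshold. The log lines are constructed, and the line layout (EventID=, TargetUser=, Source=) is an assumed export format, not any product's real output; event ID 4625 is the Windows failed-logon event.

```python
# Added example (not from the original post): count failed AD logons per source
# and alert per source against a learned baseline. Log lines are constructed and
# the field layout is an assumption for the example, not a real export format.
import re
from collections import Counter

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) "
    r"TargetUser=(?P<user>\S+) Source=(?P<src>\S+)$"
)


def parse_events(lines, event_id="4625"):
    """Yield (timestamp, user, source) for each line that is a failed logon."""
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if m and m.group("eid") == event_id:
            yield m.group("ts"), m.group("user"), m.group("src")


def failures_by_source(lines):
    """Failed-logon count per source address for the lines in one window."""
    return Counter(src for _, _, src in parse_events(lines))


def global_alerts(counts, threshold):
    """The naive rule: one threshold for the whole domain."""
    return {src for src, n in counts.items() if n > threshold}


def per_source_alerts(counts, baseline, default=5):
    """Flag a source only when it exceeds what THAT source normally produces.
    Sources never seen before get the (assumed) default allowance."""
    return {src for src, n in counts.items() if n > baseline.get(src, default)}


def make_lines(ts, src, user, n):
    return [f"{ts} DC01 EventID=4625 TargetUser={user} Source={src}" for _ in range(n)]


# Constructed one-hour window: the legacy app on 10.0.5.20 fails 50 times like it
# always does, a workstation fumbles a password twice, and 10.0.9.77 makes 25
# guesses against administrator. The final line is a successful logon (4624).
WINDOW = (
    make_lines("2024-05-01T08:00:00", "10.0.5.20", "svc_legacy", 50)
    + make_lines("2024-05-01T08:10:00", "10.0.3.14", "jsmith", 2)
    + make_lines("2024-05-01T08:20:00", "10.0.9.77", "administrator", 25)
    + ["2024-05-01T08:21:00 DC01 EventID=4624 TargetUser=jsmith Source=10.0.3.14"]
)

# Baseline learned from history: the legacy app's noise is "normal" for that
# source only, and a workstation is allowed a handful of typos per hour.
BASELINE = {"10.0.5.20": 60, "10.0.3.14": 5}


if __name__ == "__main__":
    counts = failures_by_source(WINDOW)
    print("failures per source:", dict(counts))
    # A global threshold low enough to see the attacker pages you every hour
    # for the legacy app, so people raise it, and then the attacker is hidden.
    print("global threshold 20:", global_alerts(counts, 20))
    print("global threshold 60:", global_alerts(counts, 60))
    print("per-source baseline:", per_source_alerts(counts, BASELINE))
```

Run it and the two global thresholds show the trap: at 20 the legacy app fires every hour alongside the attacker, so the threshold gets raised to 60 to silence it, and now the 25 guesses from 10.0.9.77 never show. The per-source baseline catches 10.0.9.77 while staying quiet for the app, but that is a workaround; the post's advice stands, which is to fix the old application so the noise is gone entirely.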
This is obviously not every way you can use normalcy against an attacker, but once again it's a start. Understanding normal is vital to setting up accurate alerts, reports, and monitoring features. As you hone your skills at assessing what you monitor and alert on, you'll see some things drop off while others increase within your environment.
Don't be shy about asking questions like "why is this important?" or "I saw this article on an attack; how can we be alerted in the future if this happens to us?" Some of the best monitoring I've seen came from looking through THWACK and reading articles on what's going on in the mainstream. Bring this knowledge to your monitoring environment and begin crafting an awesome arsenal against, well, the WORLD.