Late last year @taosecurity wrote an article that questioned spending resources on a “pen test and fix” cycle rather than monitoring for intruders that may already be in your networks. The last sentence of the post not only emphasized his theme well but also alluded to an article written by Bruce Schneier that originally stressed “monitoring first.”
I still believe that the two best words ever uttered by Bruce Schneier were “monitor first,” and I worry that organizations like those in this article are patching holes while intruders maneuver around them within the compromised network.
I searched around a bit for this statement and found a copy in an old edition of Cryptogram from way back in 2001. You can find the original article here but the first few paragraphs alone make the case of monitoring first.
You have a safe in a dilapidated building, and you need to secure it. What’s the first thing you do? Inventory the safe? Assess the security of the building? Install better locks on the doors and bars on the windows? Probably not. The first thing you do, as quickly as possible, is alarm the safe. Once the safe is being monitored, you can then afford the time and attention needed to inventory the stock, analyze the environment, and improve the security. Without monitoring, you’re vulnerable until your security is perfect. If you monitor first, you’re immediately more secure.
Network security has this backwards. Companies see monitoring as something to do after they have their security products in place. First they develop a security policy. Then they do a vulnerability analysis. Then they install a firewall, and maybe an intrusion detection system. And finally they think about monitoring. Rationally, this makes no sense.
Monitoring should be the first step in any network security plan. It’s something that a network administrator can do today to provide immediate value. Policy analysis and vulnerability assessments take time, and don’t actually improve a network’s security until they’re acted upon. Installing security products improves security, but only if they are installed correctly and in the right places. How does a CIO know what products to install, and whether they are actually working — in the actual corporate environment, not as they worked in the lab? The only way he can know is to monitor. Monitoring ensures that security products are working properly.
Monitoring first is just common sense. This practice not only allows organizations to find the threats lurking in their networks sooner but it also permits them to establish baseline metrics from which they can measure improvements in their security posture as further investments are made. And per Schneier “monitoring” does not even necessarily mean going out a buying anything initially. Start simple with logs and other data you already have (e.g., from DNS, servers, proxies, and network devices) and grow out from there.
(Note: As part of a campaign to bring forward some of our older posts that we feel still benefit the community, we’ve added this article to our Best Of category that will periodically get tweeted out. Please mention it to me on Twitter or contact us if there are any other posts you feel we should include in this category. This post was previously categorized under Infosec Blogs/Podcasts. -@grecs)