Monitoring-as-a-Service
John W. Rittinghouse and James F. Ransome
Monitoring-as-a-Service (MaaS) is the outsourced provisioning of security monitoring, primarily for business platforms that use the Internet to conduct business [1]. MaaS has become increasingly popular over the last decade, and the advent of cloud computing has increased its popularity further. Security monitoring involves protecting an enterprise or government client from cyber threats. A security team plays a crucial role in securing and maintaining the confidentiality, integrity, and availability of IT assets, which requires constant vigilance over the security infrastructure and critical information assets. However, time and resource constraints limit security operations and their effectiveness for most companies.
Many industry regulations require organizations to monitor their security environment, server logs, and other information assets to ensure the integrity of these systems. However, conducting effective security monitoring can be a daunting task because it requires advanced technology, skilled security experts, and scalable processes, none of which come cheap. MaaS security monitoring services offer real-time, 24/7 monitoring and nearly immediate incident response across a security infrastructure; they help to protect the critical information assets of their customers. Prior to the advent of electronic security systems, security monitoring and response depended heavily on human resources and human capabilities, which also limited the accuracy and effectiveness of monitoring efforts. Over the past two decades, the adoption of information technology into facility security systems, and the ability to connect those systems to security operations centers (SOCs) via corporate networks, has significantly changed that picture. This means two important things: (1) the total cost of ownership (TCO) for a traditional SOC is much higher than for a modern-technology SOC; and (2) achieving lower security operations costs and higher security effectiveness means that a modern SOC architecture must use security and IT technology to address security risks.
Protection Against Internal and External Threats
SOC-based security monitoring services can improve the effectiveness of a customer's security infrastructure by actively analyzing logs and alerts from infrastructure devices around the clock and in real time. Monitoring teams correlate information from various security devices to give security analysts the data they need to eliminate false positives [2] and respond to true threats against the enterprise. Having consistent access to the skills needed to maintain the level of service an organization requires for enterprise-level monitoring is a major issue. The information security team can assess system performance on a periodically recurring basis and provide recommendations for improvements as needed. Typical services provided by many MaaS vendors are described below.
Early Detection
An early detection service detects and reports new security vulnerabilities shortly after they appear. Generally, the threats are correlated with third-party sources, and an alert or report is issued to customers, usually by email to the person designated by the company. Security vulnerability reports, in addition to a detailed description of the vulnerability and the platforms affected, include information on the impact that exploitation of the vulnerability would have on the systems or applications previously selected by the company receiving the report. Most often, the report also indicates specific actions to be taken to minimize the effect of the vulnerability, where these are known.
Platform, Control, and Services Monitoring
Platform, control, and services monitoring is often implemented as a dashboard interface [3] that makes it possible to know the operational status of the monitored platform at any time. It is accessible from a web interface, making remote access possible. Each monitored operational element usually provides an operational status indicator, weighted by the criticality of that element. This service aids in determining which elements may be operating at or near capacity or beyond the limits of established parameters. By detecting and identifying such problems early, preventive measures can be taken to avoid loss of service.
Intelligent Log Centralization and Analysis
Intelligent log centralization and analysis is a monitoring solution based mainly on the correlation and matching of log entries collected from many sources into one place. Such analysis helps to establish a baseline of normal operational behavior and provides an index of the current threat level. Alarms can be raised when observed activity departs from the established baseline by more than a stipulated threshold. These sophisticated tools are used by a team of security experts who are responsible for incident response once such a threshold has been crossed and the alarm or warning has been picked up by the security analysts monitoring the systems.
Vulnerabilities Detection and Management
Vulnerabilities detection and management enables automated verification and management of the security level of information systems. The service periodically performs a series of automated tests to identify system weaknesses that may be exposed over the Internet, including the possibility of unauthorized access to administrative services, the existence of services that have not been updated, the detection of weaknesses that can be abused in phishing attacks, and so on. The service performs periodic follow-up of the tasks carried out by the security professionals managing information systems security and provides reports that can be used to implement a plan for continuous improvement of the system's security level.
Continuous System Patching/Upgrade and Fortification
Security posture is enhanced by continuous patching and upgrading of systems and application software. New patches, updates, and service packs for the equipment's operating system are necessary to maintain adequate security levels and to support new versions of installed products. Keeping abreast of all the changes to all the software and hardware requires a committed effort to stay informed and to communicate the gaps in security that can appear in installed systems and applications.
Intervention, Forensics, and Help Desk Services
Quick intervention when a threat is detected is crucial to mitigating its effects. This requires security engineers with ample knowledge of the various technologies and the ability to support applications as well as infrastructure on a 24/7 basis. MaaS platforms routinely provide this service to their customers. When a detected threat is analyzed, forensic analysis is often required to determine what it is, how much effort it will take to fix the problem, and what effects are likely to be seen. When problems are encountered, the first thing customers tend to do is pick up the phone. Help desk services provide assistance with questions or issues about the operation of running systems, including assistance in writing failure reports, managing operating problems, and so on.
Delivering Business Value
Some consider balancing the overall economic impact of any build-versus-buy decision a more significant measure than simply calculating a return on investment (ROI). The key cost categories most often associated with MaaS are (1) service fees for security event monitoring of all firewalls, intrusion detection devices, servers, and routers; (2) internal account maintenance and administration costs; and (3) preplanning and development costs.
Based on the total cost of ownership, whenever a customer evaluates the option of an in-house security information monitoring team and infrastructure against outsourcing to a service provider, it does not take long to realize that establishing and maintaining an in-house capability is not as attractive as outsourcing the service to a provider with an existing infrastructure. Having an in-house security operations center forces a company to deal with issues such as staff attrition, scheduling, around-the-clock operations, and so on.
Losses incurred from external and internal incidents are extremely significant, as evidenced by a regular stream of high-profile cases in the news. The generally accepted method of valuing the risk of such losses is to look at the amount of a potential loss, assume a frequency of loss, and estimate a probability of incurring the loss. Although this method is not perfect, it provides a means for tracking information security metrics. Risk is used as a filter to capture uncertainty about varying cost and benefit estimates. If a risk-adjusted ROI demonstrates a compelling business case, it raises confidence that the investment is likely to succeed, because the risks that threaten the project have been considered and quantified. Flexibility represents an investment in additional capacity or agility today that can be turned into future business benefits at some additional cost. It gives an organization the ability to engage in future initiatives, but not the obligation to do so. The value of flexibility is unique to each organization, and the willingness to measure its value varies from company to company.
Real-Time Log Monitoring Enables Compliance
Security monitoring services can also help customers comply with industry regulations by automating the collection and reporting of specific events of interest, such as login failures. Regulations and industry guidelines often require log monitoring of critical servers to ensure the integrity of confidential data. MaaS providers' security monitoring services automate this time-consuming process.
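As an added example that is not part of the original text, the following Python script sketches what the Intelligent Log Centralization and Analysis section and the compliance section above describe: log lines from several hosts are parsed into one place, a per-host baseline of failed logins is established over the first few time windows, an alarm is raised when a later window exceeds the baseline by more than a threshold, and a login-failure report of the kind regulators ask for is produced from the same data. The sshd log lines, host names, the 10-minute window, the three-window baseline, the 3x factor and the minimum count of five are all constructed assumptions for this example, not any MaaS vendor's data or rules.

```python
"""Added example: centralized log analysis with a per-host baseline and a
threshold alarm, plus a login-failure report for compliance. Everything
below (log lines, hosts, window size, baseline rule) is constructed for
illustration and is not any vendor's data or logic."""
import re
from collections import Counter
from statistics import mean

WINDOW_MINUTES = 10     # assumption: bucket events into 10-minute windows
BASELINE_WINDOWS = 3    # assumption: the first three windows define "normal"
ALARM_FACTOR = 3.0      # assumption: alarm when failures exceed 3x the baseline mean
MIN_ALARM_COUNT = 5     # assumption: never alarm on fewer than 5 failures (guards near-zero baselines)

# Constructed sample: syslog-style sshd events from two hosts, 10:00 to 10:49.
SAMPLE_LOGS = """\
Jan 14 10:00:05 web01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jan 14 10:03:11 web01 sshd[1207]: Accepted password for deploy from 198.51.100.4 port 40122 ssh2
Jan 14 10:04:40 db01 sshd[877]: Accepted publickey for dba from 198.51.100.4 port 40130 ssh2
Jan 14 10:12:02 web01 sshd[1222]: Failed password for alice from 198.51.100.9 port 40210 ssh2
Jan 14 10:12:09 web01 sshd[1222]: Accepted password for alice from 198.51.100.9 port 40210 ssh2
Jan 14 10:15:33 web01 sshd[1230]: Failed password for invalid user test from 203.0.113.7 port 51100 ssh2
Jan 14 10:16:01 db01 sshd[890]: Failed password for dba from 198.51.100.4 port 40150 ssh2
Jan 14 10:21:18 web01 sshd[1241]: Failed password for root from 203.0.113.7 port 51140 ssh2
Jan 14 10:25:50 db01 sshd[901]: Accepted publickey for dba from 198.51.100.4 port 40160 ssh2
Jan 14 10:30:02 web01 sshd[1260]: Failed password for root from 203.0.113.7 port 51200 ssh2
Jan 14 10:30:04 web01 sshd[1261]: Failed password for invalid user admin from 203.0.113.7 port 51201 ssh2
Jan 14 10:30:06 web01 sshd[1262]: Failed password for invalid user oracle from 203.0.113.7 port 51202 ssh2
Jan 14 10:30:08 web01 sshd[1263]: Failed password for root from 203.0.113.7 port 51203 ssh2
Jan 14 10:30:10 web01 sshd[1264]: Failed password for invalid user guest from 203.0.113.7 port 51204 ssh2
Jan 14 10:30:12 web01 sshd[1265]: Failed password for root from 203.0.113.7 port 51205 ssh2
Jan 14 10:31:00 db01 sshd[915]: Failed password for root from 203.0.113.7 port 51210 ssh2
Jan 14 10:31:02 db01 sshd[916]: Failed password for root from 203.0.113.7 port 51211 ssh2
Jan 14 10:41:27 web01 sshd[1290]: Failed password for bob from 198.51.100.12 port 40300 ssh2
Jan 14 10:41:33 web01 sshd[1290]: Accepted password for bob from 198.51.100.12 port 40300 ssh2
"""

LINE_RE = re.compile(
    r"^\w{3} +\d+ (?P<hour>\d\d):(?P<minute>\d\d):\d\d (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_events(text):
    """Turn raw lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        hour, minute = int(d.pop("hour")), int(d.pop("minute"))
        d["window"] = hour * (60 // WINDOW_MINUTES) + minute // WINDOW_MINUTES
        events.append(d)
    return events


def failures_per_window(events):
    """{host: {window: failed-login count}}, keeping zero-count windows so the baseline is honest."""
    lo = min(e["window"] for e in events)
    hi = max(e["window"] for e in events)
    table = {h: {w: 0 for w in range(lo, hi + 1)} for h in {e["host"] for e in events}}
    for e in events:
        if e["result"] == "Failed":
            table[e["host"]][e["window"]] += 1
    return table


def detect_alarms(events):
    """Baseline each host on its first BASELINE_WINDOWS windows, then flag later
    windows whose failure count exceeds max(MIN_ALARM_COUNT, ALARM_FACTOR * baseline)."""
    alarms = []
    for host, counts in failures_per_window(events).items():
        windows = sorted(counts)
        baseline = mean(counts[w] for w in windows[:BASELINE_WINDOWS])
        threshold = max(MIN_ALARM_COUNT, ALARM_FACTOR * baseline)
        for w in windows[BASELINE_WINDOWS:]:
            if counts[w] > threshold:
                # Correlate: which source addresses drove the spike (what an analyst asks first).
                srcs = Counter(e["src"] for e in events
                               if e["host"] == host and e["window"] == w and e["result"] == "Failed")
                alarms.append({"host": host, "window": w, "failures": counts[w],
                               "baseline": baseline, "threshold": threshold,
                               "top_sources": srcs.most_common(3)})
    return alarms


def login_failure_report(events):
    """Compliance view: failed logins counted per (host, user)."""
    return Counter((e["host"], e["user"]) for e in events if e["result"] == "Failed")


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for a in detect_alarms(evs):
        print(f"ALARM {a['host']} window {a['window']}: {a['failures']} failures, "
              f"baseline {a['baseline']:.1f}, threshold {a['threshold']:.1f}, sources {a['top_sources']}")
    for (host, user), n in sorted(login_failure_report(evs).items()):
        print(f"{host:6} {user:8} {n} failed login(s)")
```

Two design points matter here. The table of failures keeps windows with zero events, so a quiet host is not baselined only on its busy moments. The minimum alarm count is the guard the text's "stipulated threshold" needs in practice: db01's baseline is a third of a failure per window, so a pure multiple of the baseline would alarm on two mistyped passwords, whereas web01's burst of six failures from one address in a single window crosses both the multiple and the floor and is reported together with its source address.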
References
[1] http://en.wikipedia.org/wiki/Monitoring_as_a_service, retrieved January 14, 2009.
[2] A false positive is an event that is picked up by an intrusion detection system and perceived as an attack but that in reality is not.
[3] A dashboard here is a single-screen summary view that shows the current status of many monitored elements at once.
Certain names and logos on this page and others may constitute trademarks, servicemarks, or tradenames of Taylor & Francis LLC. Copyright © 2008-2011 Taylor & Francis LLC. All rights reserved.