
Monitoring, Detection and Logging
Information Security
Aytekin Guzelis, CISA, CRISC

Monitoring, Detection and Logging

Monitoring, detection and logging are integral parts of information security.

You have to monitor your network and endpoints to detect attacks and data losses (breaches). There are a number of methods and tools an organization can use to detect and log potential problems.

It is not enough to concentrate on attacks and intrusions into the systems coming from outside. You also have to consider the vectors and paths used to remove data from the organization's systems, so DLP (Data Loss Prevention) software is helpful to protect company data.
DLP-Data Loss Prevention
A successful Data Loss Prevention program (not only the technology) helps an organization protect its information and prevent the exfiltration of sensitive data.

Strong DLP solutions cover three primary states of information:

- Data at rest (stored data)
- Data in motion (data travelling through the network)
- Data in use (data movement at the user workstation level)

DLP solutions should be able to search the various file types that are stored and log where they are. They should then examine the contents of these files, searching for sensitive data such as social security numbers, credit card information or personally identifiable information.
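The data-at-rest scan described above, as an added example that is not part of the slides: it walks a directory, looks for values shaped like US social security numbers and payment card numbers, validates card candidates with the Luhn checksum to reduce false positives, and logs the file location with a masked value. The file suffix list, regular expressions and sample HR export are constructed assumptions for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Added example (not from the slides): a minimal data-at-rest DLP scan that walks a
# directory, looks for values shaped like US social security numbers and payment card
# numbers, and logs the file location with a masked value (never the raw secret).

SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")  # 13-19 digits, optional separators

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (kind, masked_value) for each sensitive match in text."""
    hits = [("ssn", "***-**-" + m.group()[-4:]) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):  # drop Luhn-invalid candidates (order ids, timestamps)
            hits.append(("card", "*" * (len(digits) - 4) + digits[-4:]))
    return hits

def scan_tree(root: Path, suffixes=(".txt", ".csv", ".log")) -> list[dict]:
    """Walk root, scan files with the given suffixes and record where sensitive data lives."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            for kind, masked in find_sensitive(path.read_text(errors="ignore")):
                findings.append({"file": str(path), "kind": kind, "value": masked})
    return findings

def demo() -> list[dict]:
    """Constructed sample: a fake HR export in a temp dir (all values are test data)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "hr" / "export.csv"
        sample.parent.mkdir()
        sample.write_text("name,ssn,card,order\n"
                          "J Doe,123-45-6789,4111 1111 1111 1111,1234567890123456\n")
        return scan_tree(Path(tmp))
```

The 16-digit order number in the sample fails the Luhn check and is not reported, which is the kind of rule tuning that keeps a DLP inventory useful rather than noisy.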
DLP solutions can analyze the data traveling through the network for sensitive content. Depending on the defined rules and controls, DLP solutions can alert management, or block, quarantine or encrypt sensitive information that is in motion.

Good DLP solutions should also manage data in use, which is data movement at the user workstation level (sending information to printers or removable drives, or even to the copy-and-paste clipboard). DLP solutions use agent software to set rules for data use.

All three states of information (data at rest, data in motion and data in use) must be addressed to create an effective DLP solution.


DLP Example

Antivirus and Anti-Malware Systems
Malicious software is one of the most common attack vectors used by adversaries to compromise systems. Therefore, controls are required for its detection and prevention.

Historically, anti-malware controls, often referred to as virus checkers, were host-based applications that scanned incoming traffic or files and looked for patterns (signatures) that identified known problems. While this can be effective for known threats, it cannot detect malicious code that has yet to be identified.

Heuristic-based methods of detecting unknown malware use specific techniques to identify common malicious code behaviors and flag them as suspicious.

Multiple layers of anti-malware software, using a combination of signature identification and heuristic analysis, should be used to identify possible malicious code (layered security approach).

The Generations of Attacks and Security

SOC-Security Operation Center

A Security Operation Center (SOC) is a centralized function within an organization employing people, processes, and technology to continuously monitor and improve an organization's security posture while preventing, detecting, analyzing, and responding to cybersecurity incidents.
