Tips & Tricks 1: What to monitor in ICS?

Are you a SOC or security analyst whose mission is to monitor security at your organization, but you are overwhelmed by the huge bulk of information, or don't even know how and what to monitor? This is a common issue for most organizations. Even if you are equipped with the best tools and technologies, you will face challenges if you don't know what I'm going to explain in this article.

Information security is what we are after. The goal is explained by NIST 800-137: “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions”. We can't be aware and make good decisions if we don't have the right information, and to get the right information we need to know what type of information is required for analysis. The type of information is based on security metrics and frequency. Metrics are designed based on your security program strategy; frequency is how often you monitor those metrics. We are looking for information about events, assets, applications, users and behaviors. What's relevant is determined by your defined risk and risk tolerance, so it is important to monitor what can cause risk to your organization.

The information that should often be on your monitoring screen:

  1. Metrics: things you keep track of, such as the number of vulnerabilities, the severity of vulnerabilities, authorized IPs, etc.
  2. Volatile security controls, such as configurations, that are prone to change and can introduce a vulnerability into the system.
  3. Security controls on high-impact systems.
  4. Security controls that provide critical security functions, such as log management, firewalls or intrusion detection.
  5. Security controls with a weakness, until that weakness is removed or minimized.
  6. Low organizational risk tolerance: this score is determined by the organization and it should reflect what's important.
  7. Current threat information, such as exploits and attack patterns.
  8. Current vulnerability and patching information.
  9. Critical/high-risk assessment results, such as potential threats and vulnerabilities that have a high impact on the system.
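
To make the list concrete, here is an added example (my own code, not part of the original article or of NIST 800-137) that turns several of the items above into something a SOC could actually run: an authorized-IP metric from item 1, configuration drift detection from item 2, and a priority score that weights system impact (item 3), critical security functions (item 4), known weaknesses (item 5) and the organization's risk tolerance (item 6). All asset names, configuration dumps, log lines, scores and the tolerance value are constructed sample data and the scoring weights are an assumption; each organization would set its own.

```python
# Added example, not code from the original article: a small continuous-monitoring
# prioritiser in the spirit of NIST 800-137. Every asset, baseline, log line and
# score below is constructed sample data, not a real device or organisation.
import hashlib
import re
from dataclasses import dataclass

# Organisational risk tolerance (item 6): rows scoring below it stay off the screen.
# Constructed value; each organisation sets its own.
RISK_TOLERANCE = 5


@dataclass
class Asset:
    name: str
    impact: int                      # 1 (low) .. 5 (high) impact of the system (item 3)
    critical_function: bool = False  # provides a critical security function (item 4)
    known_weakness: bool = False     # control has an unresolved weakness (item 5)


def config_hash(config_text: str) -> str:
    """Hash a configuration dump so drift can be detected without keeping the dump around."""
    return hashlib.sha256(config_text.encode("utf-8")).hexdigest()


def detect_drift(baseline: dict, current: dict) -> list:
    """Assets whose current config hash differs from, or is missing against, the approved baseline (item 2)."""
    return sorted(name for name, approved in baseline.items() if current.get(name) != approved)


def priority_score(asset: Asset, drifted: bool) -> int:
    """Combine impact, drift, control criticality and known weakness into a 0..10 score (assumed weights)."""
    score = asset.impact
    score += 3 if drifted else 0
    score += 2 if asset.critical_function else 0
    score += 1 if asset.known_weakness else 0
    return min(score, 10)


def monitoring_screen(assets, baseline, current, tolerance=RISK_TOLERANCE):
    """Rows that belong on the monitoring screen, highest priority first."""
    drifted = set(detect_drift(baseline, current))
    rows = []
    for asset in assets:
        is_drifted = asset.name in drifted
        score = priority_score(asset, is_drifted)
        if score >= tolerance:
            rows.append((score, asset.name, "config drift" if is_drifted else "watch"))
    return sorted(rows, reverse=True)


SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def unauthorized_sources(log_lines, authorized_ips) -> list:
    """Metric from item 1: source IPs talking to the control network that are not on the authorised list."""
    seen = set()
    for line in log_lines:
        m = SRC_RE.search(line)
        if m and m.group(1) not in authorized_ips:
            seen.add(m.group(1))
    return sorted(seen)


# ---- constructed sample data ----
ASSETS = [
    Asset("plc-line1", impact=5),
    Asset("hmi-station2", impact=3),
    Asset("eng-workstation", impact=2),
    Asset("siem-collector", impact=4, critical_function=True, known_weakness=True),
    Asset("firewall-dmz", impact=4, critical_function=True),
]

# Approved (baselined) configuration dumps, stored only as hashes.
BASELINE = {
    "plc-line1": config_hash("mode=run write_protect=on"),
    "hmi-station2": config_hash("remote_desktop=off"),
    "eng-workstation": config_hash("usb_storage=disabled"),
    "siem-collector": config_hash("tls=required retention_days=365"),
    "firewall-dmz": config_hash("rule1=allow 10.10.1.0/24 -> 10.10.2.0/24 tcp/502"),
}

# What the collectors report now; two assets have changed since the baseline.
CURRENT = dict(BASELINE)
CURRENT["hmi-station2"] = config_hash("remote_desktop=on")
CURRENT["firewall-dmz"] = config_hash("rule1=allow any -> 10.10.2.0/24 tcp/502")

# Constructed connection log lines and the authorised engineering hosts.
LOG_LINES = [
    "2024-05-01T10:00:01 conn src=10.10.1.5 dst=10.10.2.20 dport=502 proto=tcp",
    "2024-05-01T10:00:07 conn src=10.10.1.6 dst=10.10.2.20 dport=502 proto=tcp",
    "2024-05-01T10:01:15 conn src=192.168.77.9 dst=10.10.2.21 dport=502 proto=tcp",
]
AUTHORIZED_IPS = {"10.10.1.5", "10.10.1.6"}


if __name__ == "__main__":
    for score, name, reason in monitoring_screen(ASSETS, BASELINE, CURRENT):
        print(f"{score:2d}  {name:16s} {reason}")
    print("unauthorised sources:", unauthorized_sources(LOG_LINES, AUTHORIZED_IPS))
```

Run as-is, the screen shows the drifted DMZ firewall first, then the SIEM collector with its known weakness, the drifted HMI, and the high-impact PLC on plain watch; the low-impact engineering workstation falls below the tolerance and stays off the screen, and the one source address outside the authorized list is surfaced as the item-1 metric. Swapping the hash comparison for a real configuration collector and the log list for a syslog feed is the only change needed to use the same logic on live data.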

The list is not exhaustive and is subjective; the point is that only information that affects security and risk should be on the radar. The monitoring task has to be simple. Simplicity, achieved by tracking the right information, is efficient; information hoarding isn't.
