There are some things that the best CIOs and IT managers can’t prevent entirely as they depend on other people. An example of this is the employee who leaves a laptop open in a coffee shop and walks away “just for a few minutes.” There are some things which every CIO has control over, however. When these are overlooked, and a breach occurs, I have to shake my head at how easy it would have been to prevent. Here are four things I wish every CIO would make into a habit.
Centralized Log Monitoring
Centralized log monitoring consists of a log collector or centralized server on which all logs are sent to and archived. Each client or server that sends logs to the collector is configured in such a way that it maintains local logs but also forwards a copy to the centralized collector. In most instances, this doesn’t even require a client installed on the server. This provides a few key benefits that can make a huge difference in the company’s security.
1. Log monitoring and review becomes efficient. Centralized log collection provides an efficient way to spot network-wide security anomalies by being able to quickly review logs from multiple sources. Some log monitoring suites allow you to write alert criteria for certain events, or even certain number of events. For instance, a system administrator could quickly be alerted to multiple failed logins on a system, or multiple systems with proper alerts setup.
2. Correlation becomes possible. By collecting all your logs in a central location, a security analyst is now able to quickly correlate events over multiple systems to either detect an attack, or reconstruct one. Some log monitoring suites or SIEMs can automatically correlate this data for you on predefined or custom rules providing a great deal of insight into your organization’s network.
3. Log integrity is preserved. In the event of a breach or security incident, any attacker worth their salt will at least take a few moments to try and cover their tracks. The most trivial of which can be modifying logs. With centralized log monitoring, logs are forwarded in parallel and the attackers tracks are “immortalized” on the log collector. Without proper log management, this can become a forensic nightmare.
Heed Industry-Wide Security Best Practices or Guidelines
Organizations like The National Institute of Standards and Technology (NIST) and The Center for Internet Security (CIS) have developed security baselines for various operating systems. No organization large or small is above these standards. Companies should use these as a baseline or develop their own baselines and adapt them for their unique environments, and they should be reviewed and updated. Unfortunately security is not stagnant, neither are attacker’s methods. As new types of attacks and attack vectors are introduced, system security configuration baselines should be modified to take these into account.
Work to Instill Security as A Culture
Security should be a culture. Leaving security in the hands of a few individuals will always fail. As with most other business decisions, security has to be approached from a top down mentality – without executive and managerial buy-in, a good security program cannot exist. It needs to be part of the company culture and every employee’s responsibility. (More on this in my last column of the year.)
Empower the IT Staff
A trap that companies often fall into, is putting their trust into software instead of the IT staff that deploys and maintains it. This leads to stagnant security programs and management oversight issues. Your IT team is the easiest place to start in reducing errors because that is their focus and skill set. Empower them with monitoring, on staying on top of updates, and task them with keeping up with new solutions and solutions in the evolving area of security technology. Happily provide continual education including certifications, and consider peer challenges to keep them at the top of their game. Remember, technology can fail too. What will act as backup when that happens? Humans.
Chris Hinkley is a Senior Security Engineer at FireHost where he maintains and configures network security devices, and develops policies and procedures to secure customer servers and websites. Hinkley has been with FireHost since the company’s inception. In his various roles within the organization, he’s serviced hundreds of customer servers, including Windows and Linux, and overseen the security of hosting environments to meet PCI, HIPAA and other compliance guidelines.