Monitoring and all that jazz!
By cceaica, on 31 March 2017
Hello, this is my obligatory introduction post! My name is Ian Carter and I’m the newest member of ISG, having been working in the team for just under two months.
My role within the team is to look after the monitoring aspect of Information Security. This involves trying to detect and respond to threats against UCL assets.
Some specific tasks that I have are:
- Using monitoring technology to detect and respond to attacks
- Providing metrics to our stakeholders
- Developing and maintaining the monitoring systems that we use
The role also involves a lot of liaison with other people, both within Information Services, and more widely.
We use a number of tools to collect and analyse data, but a brief description of the main ones is below.
Intrusion Detection/Prevention Systems (IDS/IPS)
The most common analogy for an IDS is that of a burglar alarm. Sensors are places at sensitive areas, such as points of entry, and if triggered an alarm is generated that needs a human to take some action.
An IPS takes this a step further by removing the human decision making and automatically taken action if an alarm is generated, such as blocking a malicious user. Obviously you need to be very sure this is not likely to be a false alarm!
Technically these systems work very much like antivirus products, they compare observed behaviour to a number of rules. This means to be effective the rules have to be constantly updated, as attacks are evolving all the time. A part of my role is ensuring the rules are effective and relevant, and don’t generate lots of false alarms.
Security Incident and Event Management (SIEM)
A SIEM is a little like a spiders web. It takes information from lots of systems, like the IDS and servers, which are like the strands in a web. All this information is correlated together and analysed. Some of the information may be suspicious, which is like the web being tugged, and if enough activity is generated an alarm occurs and the analyst, or spider, pounces. However, there is an awful lot of background noise, much like the wind blowing on a web, that needs to be filtered out so only the important information remains.
The major benefit of this system is the way alarms are prioritised so we can respond to the really important things more quickly. They also provide lots of reports that are useful for generating metrics.
I hope this is useful summary of some of the tools we use, I’ll delve into them a little deeper in future posts.