Cybersecurity monitoring: the what, why and how explained


High street sports fashion retailer JD Sports’ latest newsletter wasn’t about the season’s best looks, as most of their subscribers had probably expected. Rather it cautioned them to stay vigilant against potential scams in the wake of a successful cyberattack that had compromised the data of some 10 million customers. Think full name, delivery and billing address, email address, phone number, and order details.

In other words, everything scammers need to launch a large-scale and highly-targeted phishing campaign.

John Davis, the UK and Ireland director at premier cybersecurity training organization SANS Institute, told Forbes: “[Cybercriminals’] attacks are more prevalent, more sophisticated and harder to detect. Brand reputations and relationships with customers are on the line. Customers will reward businesses who can persuade them they are best equipped to manage their data.”

When it comes to cybersecurity, prevention is the best defense. In this article, we’ll go over what part cybersecurity monitoring plays in all this, including what it means, how it works and some of the best practices you should follow to bulletproof your IT infrastructure against cyber threats.

What is cyber security monitoring? Definition and key facts

Cyber monitoring refers to the real-time or near-real-time monitoring of events and activities taking place across your network at all times. It enables an organization to verify that the security controls protecting the integrity, confidentiality, and availability of its data assets remain effective, and to detect and address threats or vulnerabilities before they turn into a data security incident.

It’s key to remember that information security is a dynamic process, the National Institute of Standards and Technology (NIST) warns. This means that it must be effectively and proactively managed for an organization to keep up with a fast-evolving cyber risk landscape on the one hand and with constant changes in their own enterprise architecture and operational environment on the other.

The US federal agency also points out that ongoing monitoring is a critical part of enterprise risk management frameworks and calls for the implementation of information security continuous monitoring, or ISCM for short. That is, the maintenance of “ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions.”

How does network security monitoring work? Here’s an example

Continuous network monitoring is in fact a circular process. “Organizations increase situational awareness through enhanced monitoring capabilities and subsequently increase insight into and control of the processes used to manage organizational security. Increased insight into and control of security processes in turn enhances situational awareness,” NIST explains in Special Publication 800-137, providing the following example.

Security information about a system component inventory is used to confirm compliance with CM-8 Information System Component Inventory. First, information is assessed to find out whether or not the control is effective (that is, if the inventory is accurate). If it turns out not to be, an analysis is initiated to identify the root cause of the problem. It might be something innocuous, like an outdated process for connecting components to the network, or something far more concerning, like a cyber attack. Based on the analysis, responses are initiated as appropriate, for example, the responsible parties update the inventory, relevant organizational processes get updated, employees receive training, or errant devices get disconnected.

The security-related information about the system component inventory can also be used to support predefined metrics. More accurate system component inventories can help organizations improve the effectiveness of other security domains, such as patch management or vulnerability management. In other words, data collected in assessing a security control can be leveraged to calculate a metric and provide input into a range of organizational processes. Not to mention that a problem, once detected, can prompt the assessment of other controls across the organization, updates to relevant security-related information and improve compliance with security programs.
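The CM-8 loop described above, reduced to code: reconcile an authorized component inventory against the devices actually observed on the network, judge whether the control is effective, derive an inventory-accuracy metric from the same data, and map each discrepancy to a response. This is an added illustration, not code from the article or from NIST; the device records, MAC addresses and hostnames are constructed sample data, and the response strings stand in for whatever ticketing or NAC integration an organization would actually use.

```python
"""Worked example of the SP 800-137 component-inventory monitoring loop.

Added example (not from the article or NIST). The authorized inventory would
normally come from a CMDB and the observed set from DHCP leases, switch
CAM tables or a discovery scan; here both are constructed inline.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample data: what the organization believes is on the network.
AUTHORIZED_INVENTORY: Dict[str, Dict[str, str]] = {
    "aa:bb:cc:00:00:01": {"hostname": "fileserver-01", "owner": "infra"},
    "aa:bb:cc:00:00:02": {"hostname": "hr-laptop-07", "owner": "hr"},
    "aa:bb:cc:00:00:03": {"hostname": "printer-3f", "owner": "facilities"},
    "aa:bb:cc:00:00:04": {"hostname": "db-01", "owner": "infra"},
}

# Constructed sample data: what monitoring actually observed (MAC -> hostname).
OBSERVED_ON_NETWORK: Dict[str, str] = {
    "aa:bb:cc:00:00:01": "fileserver-01",
    "aa:bb:cc:00:00:02": "hr-laptop-07",
    "aa:bb:cc:00:00:04": "db-01",
    "aa:bb:cc:00:00:99": "raspberrypi",  # present on the wire, absent from the inventory
}


@dataclass
class InventoryAssessment:
    unknown: List[str]     # observed but not authorized
    missing: List[str]     # authorized but not observed
    mismatched: List[str]  # observed under a different hostname than recorded
    accuracy: float        # metric: share of observed devices matching the inventory

    @property
    def effective(self) -> bool:
        # CM-8 is judged effective only when every observed device is known
        # and described correctly; devices that are merely absent may simply
        # be powered off, so they lower accuracy reporting elsewhere but do
        # not on their own fail the control.
        return not self.unknown and not self.mismatched


def assess_component_inventory(authorized: Dict[str, Dict[str, str]],
                               observed: Dict[str, str]) -> InventoryAssessment:
    """Step 1 of the loop: assess whether the inventory control is effective."""
    unknown = sorted(mac for mac in observed if mac not in authorized)
    missing = sorted(mac for mac in authorized if mac not in observed)
    mismatched = sorted(
        mac for mac in observed
        if mac in authorized and authorized[mac]["hostname"] != observed[mac]
    )
    matched = len(observed) - len(unknown) - len(mismatched)
    accuracy = matched / len(observed) if observed else 1.0
    return InventoryAssessment(unknown, missing, mismatched, accuracy)


def plan_responses(assessment: InventoryAssessment,
                   observed: Dict[str, str]) -> List[str]:
    """Step 2: turn findings into responses in the spirit of the NIST example."""
    actions: List[str] = []
    for mac in assessment.unknown:
        actions.append(f"isolate and investigate unknown device {mac} ({observed[mac]})")
    for mac in assessment.mismatched:
        actions.append(f"verify identity of {mac}: recorded and observed hostnames differ")
    for mac in assessment.missing:
        actions.append(f"confirm decommissioning of {mac} or update the inventory")
    if not assessment.effective:
        # Root cause could be an outdated onboarding process or an intrusion;
        # the analysis decides which, the monitoring loop only raises it.
        actions.append("open root-cause analysis for inventory control failure")
    return actions


if __name__ == "__main__":
    result = assess_component_inventory(AUTHORIZED_INVENTORY, OBSERVED_ON_NETWORK)
    print(f"CM-8 effective: {result.effective}; inventory accuracy: {result.accuracy:.2f}")
    for action in plan_responses(result, OBSERVED_ON_NETWORK):
        print(" -", action)
```

Running it against the constructed data reports the control as not effective with an accuracy of 0.75, one unknown device to isolate, one authorized device that was not seen, and a root-cause analysis to open. The accuracy value is the reusable metric the passage mentions: the same reconciliation that assesses CM-8 also feeds patch and vulnerability management, since a scanner can only cover what the inventory knows about.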

IT security monitoring in the workplace: why it’s more important than ever

According to Gartner, 91% of businesses are engaged in some form of digital initiative, and 87% of senior leaders see digitalization as a company priority. Almost every business today uses customer relationship management, resource planning, project management, marketing automation or content management software.

On top of that, the coronavirus pandemic has given a tremendous boost to the adoption of technologies for remote working, including video conferencing, project tracking, file sharing and collaboration tools. As of May 2020, three-quarters of UK office workers had to use at least two new types of technology for work, Deloitte found.

This level of remote connectivity among organizations and outside collaborators, be they employees or vendors, is bound to create network and endpoint security gaps. And with them comes a stronger need for continuous monitoring of data assets, users, devices, data, and activities within corporate networks.

3 key challenges in information security monitoring

Endpoint monitoring aside, continuous monitoring brings quite a few challenges for security teams. Let’s see some of the most pressing ones, courtesy of Cisco and Enterprise Strategy Group (ESG).

  • Increasing number and sophistication level of cyber attacks
    In 2021, the FBI received a record number of cyber crime complaints from the public (847,376 to be exact) with potential losses exceeding $6.9 billion. Besides the “usual suspects,” such as ransomware and business email compromise schemes, cryptocurrency-related scams are now among the most-reported incidents.

  • Rapidly growing network traffic to keep a close eye on
    According to global telecommunications market research firm TeleGeography, internet bandwidth was up by 28% in 2022 and now stands at 997 terabits per second. That means global internet bandwidth has almost tripled since 2018, pushing us ever closer to the era of networking measured in petabits per second.

  • Network blind spots created by internal and external factors
    Seventy-three percent of IT and security professionals think network security has become more difficult due to a lack of visibility into public cloud traffic, user behavior, networks residing in remote locations, as well as traffic from non-corporate devices, between the organization and its business partners, and on the internal wireless network.

The 6 steps of building a cyber security threat monitoring program

NIST prescribes the following steps in developing and implementing your ISCM strategy.

  1. Assess your organization’s risk tolerance and devise your strategy accordingly. Make sure that it gives you ample visibility into assets, vulnerabilities as well as up-to-date information on potential threats and their impact.
  2. Devise an ISCM program that lays out metrics, status monitoring frequencies, and control assessment frequencies as well as an ISCM technical architecture, including tools, technologies, and methodologies, manual or automated.
  3. Implement an ISCM program and gather the security-related information required for predefined metrics, assessments, and reporting from people, processes, technologies, as well as any existing relevant security control assessment reports.
  4. Analyze the data collected and report findings so relevant personnel can make a decision on how to handle potential risks. It may be necessary to gather additional information to clarify or supplement existing monitoring data.
  5. Respond to findings at all tiers in line with your organization’s risk tolerance. Responses may include risk mitigation, risk acceptance, risk avoidance or rejection, or risk sharing or transfer.
  6. Remember: continuous monitoring in cyber security is anything but static. Review and update your ISCM program and tweak your ISCM strategy to maintain visibility into assets and vulnerabilities and boost organizational resilience.

3 cyber security monitoring best practices for 2023

  1. Automate, automate, and automate some more
     Wherever possible, look for automated solutions to make your cybersecurity threat monitoring efforts more effective, reliable, and cost-efficient. These tools can easily spot trends, patterns, and correlations that human analysts might miss, especially when vast volumes of security-related information need to be collected, analyzed and made sense of (for example, when checking technical settings on individual network endpoints).

  2. Turn employees into your strongest allies
     People are just as vital to a well-oiled continuous cyber security monitoring strategy as tools and processes. A workforce that understands cybersecurity risks and how they can affect them and the entire organization is more likely to install system and application updates on a regular basis, stay alert to suspicious network activity and know exactly what steps to take in response to a potential attack.

  3. Mind your metrics – and their frequencies
     Make sure that the metrics used to assess and manage risk to your business are selected based on specific objectives that will maintain or improve your security posture. It’s also important to define the monitoring frequencies at which each metric should be refreshed. For example, logical asset information can change from one day to the next, while network connectivity policies and procedures are usually subject to annual review only.