What Level of Monitoring Does Your Company Have?
Let’s talk about monitoring, which is just ahead of patching in its ability to put someone to sleep in under 10 seconds. Both of these give you the most bang for your buck in terms of uptime and security, so you should pay attention. Don’t worry, I have kept this article mercifully short.
Most companies now accept that basic ping monitoring of their systems is a given. They expect the systems to be up, and if a host stops answering, the monitoring system pages or texts someone. Normally that someone is a poor system administrator, who then has to do something in the middle of the night. Hopefully, if you are reading this, you have graduated to more robust monitoring. A ping only proves that a host's network stack answers ICMP; it says nothing about whether the service on it works. Service monitoring does: for example, checking that your SQL cluster is not only up but actually answering queries, and that the response time is within an acceptable threshold. As we have moved into a more connected age, uptime is expected, and any downtime is not tolerated for long. Monitoring will help you keep that downtime low.
Well, it is time to move to the next level again, which is security monitoring. This type of monitoring is getting smarter, which reduces false positives (getting notified that something is amiss when it is actually fine) and improves your security posture. For example, if you have an employee who logs into their email from their desk and, a couple of hours later, from Switzerland, do you get notified? You should, because this is abnormal, and unless the person is a superhero, or a system administrator (which are synonymous in my opinion), then they are doing some impossible traveling. This pattern is commonly called impossible travel: two logins for the same account whose locations and timestamps imply a speed no airliner reaches. The usual sources of false positives are VPN exits and cloud proxies that geolocate far from the user, so the check needs a little tolerance for short hops and a way to account for known egress addresses.
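The impossible-travel check described above, as an added example that is not from the original article or any product it mentions. It runs over constructed login events (the log format, the IP-to-location table using RFC 5737 test addresses, and the 1000 km/h and 50 km thresholds are all assumptions for illustration; a real deployment would pull the location from a GeoIP service and tune the thresholds). Only successful logins are compared, consecutive logins are ordered per user, and the great-circle distance between them divided by the elapsed time gives the implied speed.

```python
"""Impossible-travel detection over constructed login events."""
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
# Assumption: nothing legitimate moves a person faster than a commercial flight.
MAX_PLAUSIBLE_KMH = 1000.0
# Assumption: ignore hops shorter than this to absorb GeoIP jitter within one metro area.
MIN_DISTANCE_KM = 50.0

# Constructed IP-to-location table (RFC 5737 TEST-NET addresses); a real
# deployment would query a GeoIP database instead.
GEOIP = {
    "203.0.113.5": (41.8781, -87.6298, "Chicago, US"),
    "203.0.113.6": (43.0389, -87.9065, "Milwaukee, US"),
    "198.51.100.77": (47.3769, 8.5417, "Zurich, CH"),
}

# Constructed authentication log lines (not from any real system).
SAMPLE_LOG = """\
2024-03-04T08:00:13Z user=carol src=203.0.113.5 result=success
2024-03-04T08:30:40Z user=bob src=203.0.113.5 result=success
2024-03-04T09:02:11Z user=alice src=203.0.113.5 result=success
2024-03-04T10:05:52Z user=carol src=203.0.113.6 result=success
2024-03-04T11:47:09Z user=alice src=198.51.100.77 result=failure
2024-03-04T11:47:30Z user=alice src=198.51.100.77 result=success
2024-03-04T12:00:00Z user=bob src=203.0.113.5 result=success
2024-03-04T12:15:00Z user=dave src=192.0.2.9 result=success
"""


def parse_line(line):
    """Parse 'TIMESTAMP key=value ...' into a dict with a tz-aware 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points (haversine formula)."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect_impossible_travel(log_text, geoip=GEOIP, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert per consecutive pair of successful logins for the same
    user whose implied travel speed exceeds max_kmh.

    Failed logins are ignored here (password guessing belongs to a separate
    brute-force rule), as are source IPs with no location entry."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("result") != "success" or rec.get("src") not in geoip:
            continue
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, events in by_user.items():
        events.sort(key=lambda r: r["ts"])
        for prev, cur in zip(events, events[1:]):
            lat1, lon1, place1 = geoip[prev["src"]]
            lat2, lon2, place2 = geoip[cur["src"]]
            distance = haversine_km(lat1, lon1, lat2, lon2)
            if distance < min_km:
                continue  # same metro area or GeoIP jitter; not travel
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600.0
            # Two distant logins at the same instant are treated as infinitely fast.
            speed = distance / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from": place1,
                    "to": place2,
                    "distance_km": round(distance, 1),
                    "elapsed_h": round(hours, 2),
                    "speed_kmh": round(speed, 1),
                    "ts": cur["ts"].isoformat(),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(SAMPLE_LOG):
        print("ALERT impossible travel:", alert)
```

On the sample data only alice is flagged: Chicago to Zurich is roughly 7,100 km and she did it in under three hours. Carol's Chicago-to-Milwaukee hop is real travel but at highway speed, bob never moved, and dave's address has no location so the rule stays quiet rather than guessing. To handle VPN egress, the simplest extension is to map the VPN's public addresses to the office location in the lookup table instead of their data-center location.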
What about if your firewall starts logging a burst of intrusion attempts, or an internal server starts connecting to a known malware command and control server, such as one tied to WannaCry? Do you get any alerts? You should. Just like when you started monitoring SQL or Exchange specifically, it is time to start monitoring for security events also. Ignoring these events is