Extensive media reporting about the spread of malicious software through the Internet has significantly raised the profile of external threats to organizations' network resources. However, some of the greatest threats to any organization's infrastructure come from attacks that originate from within the internal network. The internal attacks with the highest potential for damage result from the activities of the people in the most trusted positions, such as network administrators. Analysis of both internal and external threats has led many organizations to investigate systems that monitor networks and detect attacks. For organizations whose operations are constrained by regulations, security monitoring is an operational requirement. Increased prescriptive requirements from numerous institutions around the world place greater demands on organizations to monitor their networks, check resource access requests, and identify users who log on and off the network. Regulatory considerations can also mandate that companies archive monitored security data for certain lengths of time. The security log facilities in Microsoft® Windows® provide the starting point for a package that can monitor security. However, security logs alone do not provide enough information to plan a response to an incident. Security logs, coupled with other technologies that collect and query them, can form a central part of a security monitoring and attack detection system. This guide describes how to plan a security monitoring system on Windows-based networks. Such a system can detect attacks that originate from internal and external sources. The main aim of a security monitoring system is to identify unusual events on the network that indicate malicious activity or procedural errors.
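As an added example that is not part of the Microsoft guide, the following PowerShell script shows the starting point the summary describes: it queries the local Windows Security log for successful logons, failed logons and logoffs, summarizes them per account, and archives the rows to a CSV for retention. It assumes Logon/Logoff auditing is enabled and that the shell has rights to read the Security log (normally an elevated prompt); the event IDs 4624, 4625 and 4634 are the standard Windows Security log IDs for those events.

```powershell
# Added example, not the guide's own code. Summarize logon activity from the
# local Security log for the last $Hours hours and archive the raw rows.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 4624 = successful logon, 4625 = failed logon, 4634 = logoff
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625, 4634
    StartTime = $since
} -ErrorAction SilentlyContinue

# Pull a named EventData field from the event's XML rather than relying on
# positional Properties[] indexes, which differ between event IDs.
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = Get-EventDataValue -Event $e -Name 'TargetUserName'
        Domain    = Get-EventDataValue -Event $e -Name 'TargetDomainName'
        LogonType = Get-EventDataValue -Event $e -Name 'LogonType'   # 2 interactive, 3 network, 10 remote interactive
        Source    = Get-EventDataValue -Event $e -Name 'IpAddress'   # empty for logoff events
    }
}

# Per-account counts; accounts with many failures and no success are the
# first thing a monitoring system should surface for review.
$rows | Group-Object Account | ForEach-Object {
    [pscustomobject]@{
        Account  = $_.Name
        Logons   = @($_.Group | Where-Object Id -eq 4624).Count
        Failures = @($_.Group | Where-Object Id -eq 4625).Count
        Logoffs  = @($_.Group | Where-Object Id -eq 4634).Count
    }
} | Sort-Object Failures -Descending | Format-Table -AutoSize

# Archive the raw rows so the record survives Security log rotation.
$archive = Join-Path $env:TEMP ("security-logons-{0}.csv" -f (Get-Date -Format 'yyyyMMdd'))
$rows | Export-Csv -Path $archive -NoTypeInformation
```

The CSV path under $env:TEMP is a placeholder; a production archive belongs on a write-protected collector, as Chapter 4 of the guide discusses.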
The Business Challenge

Businesses face numerous challenges in implementing effective security monitoring systems on large networks. Businesses must:

These challenges also apply to organizations that have less complex network requirements.

The Business Benefits

Security monitoring provides two primary benefits for organizations of all sizes: the ability to identify attacks as they occur, and the ability to perform forensic analysis on the events that occurred before, during, and after an attack. With the ability to detect attacks as they occur, security departments can react quickly to reduce substantive damage to the network infrastructure. Forensic data also helps investigators identify the extent of the attack. Other benefits of security monitoring include:

For more information about these benefits, see Chapter 2, "Approaches to Security Monitoring."

Who Should Read This Paper

This guide provides useful information for organizations that have strict privacy concerns, particularly those that are constrained by regulations. This guide applies to organizations of all sizes that require identity protection and control of access to data. The intended audience for this guide includes IT managers and IT specialists such as enterprise architects and enterprise security administrators. In addition, consultants who are required to plan, deploy, or operate Windows-based networks, and technical decision makers, should find this information useful.

Reader Prerequisites

To understand the solutions that this guide presents, readers should understand and be familiar with the security issues and risk profile of their own network. They should also be familiar with the Windows event logging service. This guide uses the Operating and Supporting quadrants of the Microsoft Operations Framework (MOF) Process Model. It also uses the MOF Security Administration and Incident Management service management functions (SMFs). For more information about MOF, see the Microsoft Operations Framework Web site at www.microsoft.com/mof.

Planning Guide Overview

This guide consists of four chapters that focus on the essential issues and concepts needed to plan a security monitoring and attack detection solution. These chapters are:

Chapter 1: Introduction
This chapter provides an executive summary, introduces the business challenges and benefits, highlights the recommended audience for the paper, lists the reader prerequisites, and provides an overview of the chapters and solution scenarios included in this guide.

Chapter 2: Approaches to Security Monitoring
This chapter provides an overview of the various options for implementing a security monitoring and attack detection solution that uses Microsoft and third-party technologies.

Chapter 3: Issues and Requirements
This chapter describes how to correlate the scope of security monitoring with other business requirements and with the known range of potential threats and attacks to an enterprise network. It discusses the business, technical, and security challenges of how to:

This chapter defines a policy violation as any deviation from organizational policies. Finally, this chapter lists the solution requirements for a security monitoring and attack detection system.

Chapter 4: Design the Solution
This chapter provides detailed information about how to use security monitoring to detect attacks and implement archives of security audits. It describes recommended configuration settings for effective security monitoring and the changes that organizations need to make to security policies. This chapter also provides detailed prescriptive guidance on how to implement advanced security monitoring in large organizations. This prescriptive guidance describes how to address the issues of audit storage for high volumes of security events and how to plan attack detection in distributed networks.

Related Resources

Read other security solutions from the Microsoft Solutions for Security and Compliance (MSSC) team.

Give Us Your Feedback

The Microsoft Solutions for Security and Compliance (MSSC) team would appreciate your thoughts about this and other security solutions. Have an opinion? Let us know on the Security Solutions Blog for the IT Professional, or e-mail your feedback to the following address: SecWish@microsoft.com. We respond often to feedback that is sent to this mailbox. We look forward to hearing from you.