How data helps to ward off IT threats


In order to effectively protect a company's IT, cybersecurity teams and security operations centers (SOC) must monitor it closely - for this they need data and metrics.

Which metrics are particularly valuable at the user, endpoint and network level is explained by Ontinue, a leading expert in Managed Extended Detection and Response (MXDR). EDR (Endpoint Detection and Response) tools and SIEM (Security Information and Event Management) platforms provide cybersecurity professionals with security-relevant information from the endpoint level up to the user and network levels. MXDR expert Ontinue gives examples of essential metrics at each security level that companies must keep an eye on in any case.

1. User level

Monitor attack point user ID

At the user level, the user ID represents the most tempting and at the same time the simplest entry point for attacks. Phishing is therefore one of the greatest threats to IT security. Using fake emails and websites that look deceptively real, cybercriminals trick users into revealing sensitive information such as their login data.

To find out whether such an attack was successful, security experts need the users' IP addresses at every login. From these they can tell whether the user is logging in from an unusual location or through an unauthorized proxy. Most companies also keep a blacklist of IPs that they can attribute to hackers and other cybercriminals.

Login failures can be attacks

Security professionals also need data on whether users have successfully performed multi-factor authentication (MFA). If MFA is not active and a successful login takes place from a conspicuous IP address, the user must be blocked as soon as possible. If everything but the IP address looks fine and MFA is active, IT departments should investigate the reason at the endpoint or network level - cybercriminals may have found another route onto the device.

Data on failed login attempts also helps: a large number of unsuccessful login attempts indicates a brute-force attack, in which hackers have tried a series of passwords via a bot. In addition, companies should also track device information at login: if a user always logs in from a Windows device, a login from macOS is already suspicious.
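The user-level signals described above (blacklisted or proxied IPs, MFA status, failed-login counts and a change of device or location) as one detection pass over constructed login records. This is an added example, not code from the article or from Ontinue; the record fields, the blacklist and proxy list and the failed-login threshold are assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample login records (not real data); one entry per attempt.
LOGINS = [
    {"user": "alice", "ip": "203.0.113.10", "country": "DE", "mfa": True, "success": True, "os": "Windows"},
    {"user": "alice", "ip": "203.0.113.10", "country": "DE", "mfa": True, "success": True, "os": "Windows"},
    {"user": "alice", "ip": "198.51.100.7", "country": "BR", "mfa": True, "success": True, "os": "macOS"},
    {"user": "bob", "ip": "192.0.2.44", "country": "DE", "mfa": False, "success": True, "os": "Windows"},
] + [
    {"user": "carol", "ip": "198.51.100.9", "country": "DE", "mfa": False, "success": False, "os": "Linux"}
    for _ in range(12)
]
# Constructed placeholder lists; a real SOC would feed these from threat intel and proxy inventories.
BLACKLIST = {"192.0.2.44"}
UNAUTHORIZED_PROXIES = {"198.51.100.7"}
FAILED_LOGIN_THRESHOLD = 10


def analyze_logins(records, blacklist=BLACKLIST, proxies=UNAUTHORIZED_PROXIES,
                   threshold=FAILED_LOGIN_THRESHOLD):
    """Return (finding, user, detail) tuples for the user-level signals."""
    findings = []
    failures = Counter()                  # failed attempts per user (brute-force signal)
    seen_os = defaultdict(set)            # devices each user has logged in from so far
    seen_country = defaultdict(set)       # locations each user has logged in from so far
    for r in records:
        user = r["user"]
        if not r["success"]:
            failures[user] += 1
            continue
        conspicuous = r["ip"] in blacklist or r["ip"] in proxies
        if conspicuous and not r["mfa"]:
            findings.append(("block_user", user, r["ip"]))            # no MFA: block immediately
        elif conspicuous:
            findings.append(("investigate_endpoint", user, r["ip"]))  # MFA passed: look deeper
        if seen_os[user] and r["os"] not in seen_os[user]:
            findings.append(("device_change", user, r["os"]))
        if seen_country[user] and r["country"] not in seen_country[user]:
            findings.append(("unusual_location", user, r["country"]))
        seen_os[user].add(r["os"])
        seen_country[user].add(r["country"])
    for user, n in failures.items():
        if n >= threshold:
            findings.append(("brute_force", user, n))
    return findings
```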

2. Endpoint level

EDR tools help identify threats early

At the endpoint level, EDR tools are the best allies of cybersecurity teams. They generate sets of records that they forward to the SIEM platform. These include data on specific processes on the end device, i.e. events. This information is valuable on its own, but EDR tools and SIEM platforms are able to correlate it, which enables early detection of threats and offers an even deeper insight.

The classic events that an EDR tool logs include file events, which show whether and when files on a device were opened, deleted, changed, moved, closed or sent. Equally valuable is information on how processes behave: which sub-processes they open and which data, IP addresses or commands they access.

Log-on data are also important

Log-on events are also important for security experts, i.e. information about which user IDs logged on to the end device, with which data and when, and whether the log-on happened locally or remotely via a network. The tool of choice should also record whether applications without a valid certificate access files, as well as registry changes. EDR tools and SIEM platforms analyze these events and processes for specific patterns that indicate a cyberattack and issue alerts. These tools also make manual threat hunting easier because they provide all the necessary data.
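How the event types named in this section (process and sub-process starts, file access by an application without a valid certificate, registry changes, log-on events) can be correlated into a single alert, as an added example that is not code from the article, Ontinue or any EDR product. The event schema, the constructed events and the time window are assumptions.

```python
from collections import defaultdict

# Constructed EDR events from one endpoint (timestamps in seconds); not real telemetry.
EVENTS = [
    {"t": 100, "type": "logon",    "user": "alice", "remote": True},
    {"t": 101, "type": "process",  "pid": 10, "ppid": 1,  "image": "outlook.exe", "signed": True},
    {"t": 105, "type": "process",  "pid": 11, "ppid": 10, "image": "invoice.scr", "signed": False},
    {"t": 106, "type": "process",  "pid": 12, "ppid": 11, "image": "cmd.exe",     "signed": True},
    {"t": 107, "type": "file",     "pid": 12, "path": r"C:\Users\alice\Documents\q1.xlsx", "op": "open"},
    {"t": 108, "type": "registry", "pid": 11, "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"t": 109, "type": "network",  "pid": 11, "dst": "198.51.100.23"},
]


def correlate_endpoint_events(events, window=60):
    """Alert when an unsigned process (or one of its sub-processes) both accesses
    files and changes the registry within `window` seconds of the process start."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    children = defaultdict(list)
    for p in procs.values():
        children[p["ppid"]].append(p["pid"])

    def subtree(pid):                       # the process and all of its descendants
        out, stack = [], [pid]
        while stack:
            cur = stack.pop()
            out.append(cur)
            stack.extend(children[cur])
        return out

    alerts = []
    for p in procs.values():
        if p["signed"]:
            continue                        # only images without a valid certificate
        tree = subtree(p["pid"])
        related = [e for e in events if e.get("pid") in tree and e["type"] != "process"
                   and p["t"] <= e["t"] <= p["t"] + window]
        kinds = {e["type"] for e in related}
        if {"file", "registry"} <= kinds:
            logons = [e for e in events if e["type"] == "logon" and e["t"] <= p["t"]]
            alerts.append({
                "image": p["image"],
                "parent": procs.get(p["ppid"], {}).get("image"),
                "chain": [procs[c]["image"] for c in tree],
                "kinds": sorted(kinds),
                "session": logons[-1] if logons else None,   # who was logged on, local or remote
            })
    return alerts
```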

3. Network level

Record network communication

At the network level, there are often legacy network environments that organizations need to monitor, many of them in the operational technology space. For these segments that are not visible from the user and endpoint level, companies ideally install sensors that record network communication and allow a baseline to be defined.

If communication deviates from the baseline, the system raises an alarm. Warnings should also be triggered if there are indications that malware is spreading or if there is conspicuous access to internal or external systems. Because such networks typically contain many third-party components that companies do not manage, or manage only partially, it is all the more important to correlate the alarms from the network layer with additional log data from managed endpoints and perimeters: this gives security experts precise clues as to what happened and allows them to block the affected systems.
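The network-level procedure above (a sensor baseline for a legacy segment, alarms on deviation or signs of spread, and correlation with endpoint log data from managed hosts to decide what to block), worked through as an added example; it is not code from the article or from Ontinue. The segment, the flow records, the spread threshold and the endpoint log entries are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

OT_SEGMENT = ip_network("10.10.1.0/24")   # constructed legacy/OT segment watched by a sensor
# Constructed learning-period flows (src, dst, port) that define the baseline.
BASELINE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502), ("10.10.1.5", "10.10.1.21", 502),
    ("10.10.1.9", "10.10.1.20", 502), ("10.10.1.9", "10.10.1.30", 44818),
]
# Constructed live flows seen after the baseline was frozen.
LIVE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502),      # known, matches the baseline
    ("10.10.1.7", "10.10.1.20", 445),      # new source reaching three devices on one port
    ("10.10.1.7", "10.10.1.21", 445),
    ("10.10.1.7", "10.10.1.30", 445),
    ("10.10.1.9", "203.0.113.8", 443),     # OT device reaching an external system
]
# Constructed endpoint log data, available only for hosts the company manages itself.
ENDPOINT_LOGS = {
    "10.10.1.7": {"host": "eng-ws03", "last_logon": "alice (remote)", "unsigned_process": "update.tmp"},
}


def detect_deviations(baseline, flows, spread_threshold=3):
    """Flag flows outside the baseline and sources that fan out to many new internal targets."""
    known = set(baseline)
    alerts, new_targets = [], defaultdict(set)
    for src, dst, port in flows:
        if (src, dst, port) in known:
            continue
        alerts.append({"kind": "new_flow", "src": src, "dst": dst, "port": port})
        if ip_address(dst) in OT_SEGMENT:
            new_targets[src].add(dst)
    for src, targets in new_targets.items():
        if len(targets) >= spread_threshold:        # indication of malware spreading
            alerts.append({"kind": "possible_spread", "src": src, "targets": sorted(targets)})
    return alerts


def correlate_with_endpoints(alerts, endpoint_logs):
    """Attach endpoint log data where the source is a managed host and derive the response."""
    enriched = []
    for a in alerts:
        ep = endpoint_logs.get(a["src"])
        action = "isolate managed host" if ep else "escalate to segment/third-party owner"
        enriched.append({**a, "endpoint": ep, "action": action})
    return enriched
```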

And finally ...

“It is no longer enough to just monitor the network - most attacks can initially be detected at the user and endpoint level,” explains Jochen Koehler, VP EMEA Sales at Ontinue. “Therefore, companies should use EDR and SIEM tools to collect as much data as possible from different potential attack layers. However, analyzing them can quickly overload IT departments, making it easy for hackers. In this case, MXDR providers help enforce data-based security measures. They provide companies with a complete and tailored security operations center as a service that supports internal experts in protecting the IT infrastructure.”

About Ontinue

Ontinue, the Managed Extended Detection and Response (MXDR) expert, is a XNUMX/XNUMX security partner headquartered in Zurich. To continuously protect its customers' IT environments, assess their security status and continuously improve it, Ontinue combines AI-driven automation and human expertise with the Microsoft security product portfolio.

