Chapter 23. Security Monitoring


Even though most resources have been spent on protection, detection is the most important part of computer security. Without detection, you will be unable to tell when you have had a security incident, and, even worse, you will be unable to determine when a security incident began. Without this information you cannot know which backups predate the compromise, so you will be unable to rebuild your system with confidence in the integrity of the restored information.

Detection is a key component of system security. No matter how well you protect a system, there is always someone who will attempt to find a way to compromise the system. Companies can rarely afford to completely secure a system, so detection is the only way of knowing when the system has been compromised. Even worse than having a security incident is having one and not knowing it.

Detection consists of monitoring the system, recognizing anomalies or sequences of activity that indicate a break-in is under way, and reporting them. It is important that tools alert not only on known attacks but also on new scenarios: detection tools must look for the unusual and the unexpected.

Detection requires a commitment. Even though monitoring software and data reduction models can reduce the amount of information that the administrator must process manually, the administrator must still review the reports and assess the seriousness of what they contain.
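The two preceding paragraphs describe detection as signature matching for known attacks, anomaly detection for the unusual and unexpected, and data reduction so that an administrator has a manageable report to assess. The following example is added here and is not code from the book; it is a small Python log monitor that does all three over a handful of constructed syslog-style authentication lines. The baseline figures, source addresses and patterns are all assumptions made for the illustration, and the approach goes slightly beyond the text by combining a per-source statistical threshold with a "never seen before" check.

```python
"""
Added example (not from the book): a tiny log monitor that combines the two
detection strategies the chapter describes, signature matching for known
attack patterns and statistical anomaly detection for the unexpected, then
reduces the raw findings to a short report an administrator can assess.
All log lines, baseline figures and source addresses below are constructed.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed syslog-style authentication lines (not real data).
SAMPLE_LOG = """\
Mar 10 08:01:12 host1 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 51000 ssh2
Mar 10 08:02:30 host1 sshd[2102]: Failed password for root from 203.0.113.9 port 40001 ssh2
Mar 10 08:02:33 host1 sshd[2103]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar 10 08:02:36 host1 sshd[2104]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Mar 10 08:02:40 host1 sshd[2105]: Failed password for root from 203.0.113.9 port 40004 ssh2
Mar 10 08:02:44 host1 sshd[2106]: Failed password for root from 203.0.113.9 port 40005 ssh2
Mar 10 08:05:01 host2 sshd[3301]: Failed password for bob from 10.0.0.7 port 52000 ssh2
Mar 10 08:05:09 host2 sshd[3301]: Accepted password for bob from 10.0.0.7 port 52000 ssh2
Mar 10 08:07:15 host2 sshd[3305]: Invalid user test from 198.51.100.4 port 44444
Mar 10 08:09:50 host1 sshd[2110]: Accepted publickey for carol from 10.0.0.8 port 51010 ssh2
"""

# Constructed baseline: failed logins per source per hour observed on
# previous "normal" days, plus the sources that are expected to appear.
BASELINE_FAILURES_PER_SOURCE = [1, 0, 2, 1, 0, 1, 2, 1]
KNOWN_SOURCES = {"10.0.0.5", "10.0.0.7", "10.0.0.8"}

# Known-bad patterns: the "signature" half of detection.
SIGNATURES = {
    "root_password_guess": re.compile(r"Failed password for root from"),
    "invalid_user_probe": re.compile(r"[Ii]nvalid user \S+ from"),
}
FAILURE_RE = re.compile(r"Failed password for|Invalid user")
SOURCE_RE = re.compile(r" from (\d+\.\d+\.\d+\.\d+)")


def signature_alerts(log_text):
    """Return (signature_name, line) for every line matching a known pattern."""
    alerts = []
    for line in log_text.splitlines():
        for name, pattern in SIGNATURES.items():
            if pattern.search(line):
                alerts.append((name, line))
    return alerts


def failures_per_source(log_text):
    """Count failed authentication events per source address."""
    counts = Counter()
    for line in log_text.splitlines():
        if FAILURE_RE.search(line):
            m = SOURCE_RE.search(line)
            if m:
                counts[m.group(1)] += 1
    return counts


def anomaly_alerts(log_text, baseline=BASELINE_FAILURES_PER_SOURCE,
                   known=KNOWN_SOURCES, sigmas=3.0):
    """Flag the unusual (volume far above baseline) and the unexpected
    (failures from a source never seen before), independent of any signature."""
    mean = statistics.mean(baseline)
    threshold = mean + sigmas * statistics.stdev(baseline)
    alerts = []
    for source, count in sorted(failures_per_source(log_text).items()):
        if count > threshold:
            alerts.append({"kind": "failure_volume", "source": source, "count": count})
        if source not in known:
            alerts.append({"kind": "new_source", "source": source, "count": count})
    return alerts


def summarize(log_text):
    """Data reduction: collapse raw alerts into a short report for review."""
    sig = signature_alerts(log_text)
    anom = anomaly_alerts(log_text)
    by_source = defaultdict(set)
    for name, line in sig:
        m = SOURCE_RE.search(line)
        if m:
            by_source[m.group(1)].add(name)
    for a in anom:
        by_source[a["source"]].add(a["kind"])
    return {
        "signature_hits": dict(Counter(name for name, _ in sig)),
        "anomalies": dict(Counter(a["kind"] for a in anom)),
        "sources_needing_review": {s: sorted(k) for s, k in sorted(by_source.items())},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

The signature rules catch only what they were written for; the anomaly pass is what surfaces 198.51.100.4, which matches no volume rule but has never been seen before. The summary collapses ten raw lines and nine alerts into two sources that need a human decision, which is the data reduction the text refers to; the administrator still has to read it.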



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
Year: 2002
Pages: 210
