Chapter 14. Increasing Monitoring


The system manager has an advantage when it comes to monitoring the system. He can run processes that can watch for suspicious activities around the clock. These can be dynamic real-time alerts to an operation center or network management system to notify someone that an attack is in progress. A hacker will raise his chances of getting caught if he leaves processes running while he is not on the system. The system manager also knows what should be running on the system, while the hacker may not have this insight into the system.

All the logging, monitoring activities, log analysis software, and countermeasures do no good if someone does not review the output. It still requires time and effort for someone to monitor the system. Log analysis software will make the job easier since it reduces the volume of information to be reviewed. Expert systems that respond to specific types of attacks also reduce the amount of work. But the bottom line is that someone has to look for, or be notified about, the unexpected occurrences.

Increased monitoring enables accountability by providing the information necessary to show who was responsible for a specific action. An organization needs this information to enforce disciplinary actions, and it is required for criminal prosecution.

Install and enable as much logging as possible and automate log monitoring with a data reduction application to eliminate the normal events. Someone must still look at the remaining unusual events and follow policy and procedures when these events occur.

Many network management or operations center tools make it easy to forward alerts to a central site for management. These systems will allow you to set severity levels for each type of alert, and then based on the severity level, issue appropriate notification or an automated response.
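The data reduction and severity-based notification described in the two paragraphs above can be sketched as follows. This is an added example, not code from the book; the patterns, alert types, severity-to-action mapping and syslog lines are all constructed assumptions for a hypothetical host.

```python
import re

# Assumed patterns for events that are routine on this hypothetical host.
NORMAL = [
    re.compile(r"CRON\[\d+\]: \(root\) CMD \(/usr/sbin/logrotate "),
    re.compile(r"sshd\[\d+\]: Accepted publickey for backup from 10\.0\.0\.5 "),
    re.compile(r"sshd\[\d+\]: Received disconnect from 10\.0\.0\.5 "),
]
# Assumed alert types as (name, severity, pattern); the first match wins.
ALERTS = [
    ("root_login", "critical", re.compile(r"sshd\[\d+\]: Accepted \S+ for root from ")),
    ("su_failure", "high", re.compile(r"su(\[\d+\])?: FAILED su for ")),
    ("auth_failure", "medium", re.compile(r"sshd\[\d+\]: Failed password for ")),
]
# Assumed mapping from severity level to notification or response.
ACTIONS = {"critical": "page", "high": "email", "medium": "ticket", "low": "review"}

def reduce_log(lines):
    """Drop known-normal lines; return (alerts, suppressed_count)."""
    alerts, suppressed = [], 0
    for line in lines:
        if any(p.search(line) for p in NORMAL):
            suppressed += 1
            continue
        for name, severity, pattern in ALERTS:
            if pattern.search(line):
                break
        else:
            # Unrecognized is not the same as normal: keep it for a human.
            name, severity = "unclassified", "low"
        alerts.append({"type": name, "severity": severity,
                       "action": ACTIONS[severity], "line": line})
    return alerts, suppressed

# Constructed sample syslog lines (not real log data).
SAMPLE = [
    "Mar  3 02:00:01 host1 CRON[4121]: (root) CMD (/usr/sbin/logrotate /etc/logrotate.conf)",
    "Mar  3 02:10:14 host1 sshd[4188]: Accepted publickey for backup from 10.0.0.5 port 50122 ssh2",
    "Mar  3 02:10:20 host1 sshd[4188]: Received disconnect from 10.0.0.5 port 50122:11: disconnected by user",
    "Mar  3 03:41:07 host1 sshd[4302]: Failed password for admin from 192.0.2.44 port 40022 ssh2",
    "Mar  3 03:41:30 host1 sshd[4305]: Accepted password for root from 192.0.2.44 port 40031 ssh2",
    "Mar  3 03:42:02 host1 su[4310]: FAILED su for root by www-data",
    "Mar  3 03:44:55 host1 kernel: device eth0 entered promiscuous mode",
]

if __name__ == "__main__":
    found, dropped = reduce_log(SAMPLE)
    print(f"suppressed {dropped} normal events")
    for a in found:
        print(f"{a['severity']:<8} {a['action']:<6} {a['type']:<13} {a['line']}")
```

Lines that match neither list are kept at the lowest severity rather than dropped, so the reviewer still sees events nobody anticipated.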



Halting the Hacker: A Practical Guide to Computer Security (2nd Edition)
ISBN: 0130464163
EAN: 2147483647
Year: 2002
Pages: 210
