Applied Collection Framework: A Risk-Driven Approach to Cybersecurity Monitoring

Muneeb Imran Shaikh
Author: Muneeb Imran Shaikh, Privacy & Information Security Consultant
Date Published: 18 August 2020

Cybersecurity or network security monitoring is incumbent upon organizations through various regulations or laws prevalent in respective countries or regions. The purpose of network security monitoring is to establish and maintain a command and control center that monitors the security hygiene of the entire organizational IT infrastructure and act upon any anomalous observations.

Network security monitoring comprises three distinct phases including collection, detection and analysis.

  1. COLLECTION – Identification of network entities from which logs are collected
  2. DETECTION – Examination of detected events and logs
  3. ANALYSIS – Interpretation and investigation of alerts by human analysts

However, it is often the case that the security analysts are unable to fully understand the data on which they are supposed to perform their analysis and subsequently differentiate between anomalous behavior and normal behavior.

This problem primarily stems from two major factors:

  1. Lack of understanding of threats to the organization
  2. Inappropriate planning of collection and detection phase

I conducted a webinar on the challenges that impair security operations teams and discussed how lack of structured approach in collection and detection planning can limit the efficacy of cybersecurity operations.

One of the common myths prevailing around security monitoring is that the more data you collect, the bigger your horizon is. However, the truth is that the overabundance of data (particularly that which is inconsequential) is detrimental. It involves more operational costs either in terms of alert fatigue to the security analysts, IT resources required for processing the data and retention or restoration of the data to guard against any disaster.

These problems can be effectively dealt with by incorporating the Applied Collection Framework (ACF). The high-level steps involved in ACF are highlighted below.

Applied Collection Framework: A Risk-Driven Approach to Cybersecurity Monitoring

1. Define threats
In order to enable the security analysts to effectively and efficiently monitor network security, it is critical to adopt a threat-centric approach. The threat-centric approach to network security monitoring keeps the team abreast of potential methods of attack, motivations of threat actors and cyber criminals and the actors or criminals targeting the industry vertical and the specific region.

Adoption of a threat-centric approach begins with understanding the mission, objectives and the goals of the organization. It is then proceeded by identifying the assets which are critical in the attainment of business mission. Once the mission and the associated assets are identified, it is necessary to identify and define the threats to those assets (tangible or intangible). It is critical that all this planning by information security personnel is done in close coordination with security leadership.

2. Qualify risk
Risk assessment should be preceded by the phase of threat identification where associated risks are identified and assessed. Remember that these threats are associated with the confidentiality, integrity and availability of the assets tied to organization’s mission, goals or objectives. It is therefore important that the risk scenarios associated to threats are identified and assessed, and their risk levels are determined.

Based on the risk levels determined, the organization decides to implement network security monitoring.

3. Identify potential data sources
Once the risk is qualified, then you have to review the network architecture and IT assets placement in the broader architecture. The purpose is to identify the path through which the data traverses across the network to carry out its objective and the personnel who have access to the IT assets.

Going through this process, you will be able to develop a broader list of network or host based sources from which you may need to collect the logs, traffic data, session data, etc.

4. Narrow focus
I mentioned in the beginning that the overabundance of data has an operational cost and can create further technical risks. This phase requires you to refine your coarse-grained data sources and identify the data source and specific logs, packet data, etc., which will provide you the most value in performing network security monitoring.

This phase involves assessing the needs related to storage, processing and management of data gathered from disparate sources along with the collection frequency. It also involves consideration of human resource required to maintain the IT assets and to perform network security monitoring.

The Applied Collection Framework allows for the adoption of a risk-based approach toward network security monitoring by identifying threats, qualifying risks and performing a cost/benefit analysis. It enables the security leadership to justify their collection needs and investments by tying them to threats to the business mission.

Remember that network security monitoring is a cyclical process in which you need to assess existing collection sources on an ongoing basis to enhance the effectiveness and efficiency of network security monitoring.