ISACA Journal Author Blog


Practical Considerations in Planning an Open-source Security Monitoring Infrastructure

Furkan Caliskan, CISA
Published: 10/17/2016 3:13 PM

It is not a trivial job to deploy a large-scale, open-source security monitoring infrastructure. Although you can use an easy-to-install open source solution, e.g., Security Onion, planning and knowing what to do is still an essential part of the project.

There are several considerations that need to go into this planning:

  • Storage planning—Saving all network traffic for incident analysis purposes is a big challenge. Setting a log retention policy is essential, and this decision should be made with management approval.
  • Secure Sockets Layer (SSL) traffic and privacy—Because malware that uses SSL poses a significant risk, inspecting SSL traffic is becoming more important every day. On the other hand, decrypting and recording SSL connections is a privacy risk. There must be exceptions, especially for finance- and health-related resources.
  • Visibility—Establishing the right visibility across the network is key to a good security monitoring infrastructure. This process should start by determining the crown jewels of the company, and sensors should be placed as near as possible to those jewels, on the switches that serve them. Without this, analyzing traffic that has passed through network address translation will be hard for the analyst.
  • Open source risk—Maintaining open-source software is not an easy job; it needs skilled personnel. This is also a risk the organization should consider. To mitigate this risk, consultancy may be an alternative.

With all of these considerations, monitoring efforts should be carefully planned and executed. For example, all traffic will be visible to the security operations center; if background checks of these personnel are not carefully done, this may be a risk for the company. Also, all changes made to the monitoring system should be audited and recorded.

Read Furkan Caliskan’s recent ISACA Journal article:
“An Integrated Approach for Cyberthreat Monitoring Using Open-source Software,” ISACA Journal, volume 5, 2016.
