Security Monitoring: Security Group vs. System Owner Responsibilities
/Role of Information System Owner in Security Monitoring
In small companies and even some medium-sized companies, depending on your definition of medium and the functional divisions in the company, it is possible for a single group of information security workers to monitor for indicators of compromise. This is possible because the infrastructure is small enough, and there are few enough people in the organization, for the information security group to understand everyone's roles and understand what actions are unauthorized and inappropriate across the entire infrastructure. As soon as the organization starts to grow, introducing more roles within the IT infrastructure and more functional divides between groups, it becomes difficult or impossible for a single security group to understand what everyone should be doing everywhere at all times.
Of course, some actions are clearly unauthorized at all times, such as sending sensitive corporate information to an unknown IP address in Myanmar. Other actions, such as an administrator accessing a system during non-business hours, are more difficult for a central security team to assess in large organizations because the separate business units in the company may operate very differently.
With this in mind, it should be clear that the business owners of individual information systems, especially in large organizations, have a responsibility to uphold the security of their systems. Information system owners must be responsible for monitoring for certain security events, detecting indicators of compromise, and activating incident response plans when necessary. Information system owners can especially provide value by monitoring their systems for actions they know to be unusual due to unique characteristics of their systems. For instance, a user known to only need access to a certain dataset suddenly starts querying and downloading other datasets. Outside of the clear access control issues with this scenario, the point is that a central security group would not know which users access which application data for a specific application within a large enterprise. Therefore, the system owner would be responsible for monitoring for this type of unusual behavior.
Examples of Monitoring Responsibilities
The following list provides examples of events for which central information security groups, such as a Security Operations Center (SOC), should be capable of detecting versus events that system owners should be responsible for detecting, with the assumption that the SOC has access to all logs from every information system:
Security Operations Centers should be able to detect:
- DNS requests for suspicious or known-malicious domains
- Corporate data exfiltration
- Network traffic patterns that do not match baseline activity
- Common application layer attacks, such as SQL injection attempts
Information system owners should be able to detect:
- Unauthorized actions on individual systems
- onfiguration changes, especially to critical settings
- Access attempts, especially successful accesses by authorized administrators but at unauthorized time
- Unauthorized assignment or elevation of privileges within a system or application
- Unusual or unauthorized usages of the information system