Security Data Analytics and Reporting: Monitoring and reporting domains
In every organization, internal and external stakeholders expect their cybersecurity to protect the information systems, high level monitoring and reporting. Part 5 of this series explored this in detail. This article will further explore the topic, focusing on the types of domains that support organizations' monitoring and reporting systems.
Monitoring and reporting domains
A typical organization’s monitoring and reporting requirements can be categorized into three main domains: (i) Physical, (ii) Logical or Architectural and (iii) Management. All three domains analyze the same information from the systems, but differ in the types of reporting they facilitate.
Physical domain
This domain includes the information technology components such as servers, network components and software applications. They are tangible objects in the sense that they can be seen by the IT team and, to an extent, the business through e-mails, productivity software and so on. Analysts and administrators prefer reports at this level since they provide the granular level of information required for investigations and analysis. The physical domain can be divided into 12 categories, which together provide foundational information to the SDAR system.
Figure 01: Physical domain consists of infrastructure components that underlie application services that are consumed by the business
Identity, directory and access control services are technologies that provide identities to the users and devices in an organization. This is often treated as an afterthought, despite being critical in an organization. Some vendors bundle it with a suite of applications to enforce corporate policies that govern identity lifecycle and control access to information or information systems.
Email and messaging services are central to the business as they provide people internal and external to the organization to communicate and collaborate via email.
Servers are part of the underlying critical infrastructure component to host all IT and business services.
End user computing refers to the workstations, desktops, laptops, mobile devices and VDI used by the end user.
File share (also known as shared drive) has been replaced by document management systems in most organizations, but the former is not completely obsolete even in the organizations that have made the transition and remains useful for collaboration.
Document management systems are critical storage for the information produced and consumed by the organization. Some organizations use mature document management systems (or enterprise content management systems) to automate simple workflows related to the documents.
Networks are one of the backbones of IT Infrastructure, comprising both hardware and software used to facilitate interconnection between end user computing and application services.
Storage refers to the underlying infrastructure which houses most of the business information through the application services and other infrastructure services such as file sharing or database servers.
Security systems include security control and monitoring systems such as IPS, IDS, endpoint protection, server protection and others. They enforce security controls on the infrastructure components and most of the time report effectiveness of such controls in silos.
Databases are used to store, process and retrieve structured data, often through an application service which is web based or thick client based. Often, due to its nature of hosting information that is critical to the business transactions, stringent security measures are implemented to ensure a threat actor does not access the database directly.
Web servers are specialized software that host browser-based applications or middleware services that are consumed by other applications. They sit in the IT infrastructure, often in their own network zone, protected by a firewall and other security controls to retain confidentiality, integrity and availability of the information used by the application.
Logical domain
This can also be called an architectural or security governance domain. This domain interprets the information and measures the maturity or risks present; this is vital since there is very little reporting done on these aspects of the security programs. The domains are:
Figure 02: Logical domains are conceptual or architectural. They are an interpretation of a physical domain represented in a conceptual or architectural view.
Identity and Access Management is one of the backbones of IT Infrastructure and usually an area of interest for cybercriminals.This domain deals with management of identities, relationships between the identities and identifiers, and managing access to the information or information systems to ensure access to each information resource is identified and segregation of duties is enforced.
Network architecture is another backbone of IT infrastructure, however, it is architectural and very closely aligned to the design of the corporate networks, including the security controls.
Vulnerability management deals with identifying, classifying, risk analyzing, patching and review of the information systems.
Data leakage prevention is considered to be the holy grail of security programs and refers to the identification, classification, safeguarding and protection of organizational information This domain must be accompanied with information management to fully realize its benefits.
Data loss prevention is often used interchangeably with data leakage prevention, this domain prevents information from getting destroyed accidentally or purposely.
Standards compliance forms a significant part of SDAR, but is a mature area since most of the compliance requirements are based on an international standard such as ISO 27k or NIST-CSF. However, when an organization has its own standard which is a hybrid of many other standards, that is another area where SDAR can help automate technical compliance monitoring and reporting.
Management domain
This domain comprises the stakeholders that were discussed in SDAR Part 4: Stakeholders. The reporting requirements for the individuals or group(s) in this domain are determined by their strategic business function or role in the organization.
Figure 03: Stakeholders are part of the Management domain
The management domain usually wants to see consolidated reports such as the overall health of the servers,rather than individual servers. Additionally, the Board of Directors and Business leaders do not directly consume the SDAR reports, but they are presented to them in management reports.
Conclusion
Segregating reporting into domains helps organizations design reporting suited to each of recipients. In this article, we looked at the physical, logical and management domains at a high level. Future articles will detail the reporting viewpoints and then map stakeholders and their requirements with the reporting domains to design and deliver an SDAR system.