Summary

Security monitoring determines the success or failure of security in the enterprise. The latest breaches paint this picture clearly: each enterprise had security tools, but no one was watching. The most challenging and most significant role information security can play in an organization is keeping it safe from malicious attacks that threaten the data and sometimes the existence of the enterprise. This starts with sound security architecture, but it is played out day-to-day in how well security operations are implemented through the management and monitoring of security tools. In this chapter, we discussed approaches to security monitoring based on trust models, network boundaries, protected segments, and asset criticality. We then took a more detailed look at security monitoring of users, systems, applications, and the network. When this holistic approach is taken, a comprehensive enterprise monitoring program can be realized.

The next chapter will apply security monitoring as an input to security incident management.
