A protective monitoring solution essentially requires you to invest in a Security Information & Event Management (SIEM) solution.
Most SIEM tools will be able to implement a successful Protective Monitoring solution; however, there are some considerations that should be taken into account, as described below:
* Does your SIEM have built-in reports and alerts for GPG 13?
While not compulsory, if your SIEM does not have these out of the box, then you will need to recreate them manually, which will require a level of professional services for implementation.
* Does your SIEM do both Log Management & Event Management?
Log Management ensures you can conduct a forensic audit of your enterprise as part of a post-breach analysis. Once you have been breached you will need to analyse the audit logs from ALL of your network devices; if you have not centralised these logs, you would have to visit each device manually to check its audit logs, which is simply not realistic and will be an expensive task in man hours.
A Log Management solution allows you to centralise the logs and investigate them from a single location; this is much more scalable and leads to a faster time to resolution.
Security Event Management allows you to constantly monitor your environment, 24/7, for suspicious activity, alerting you if anything is found.
Note: Some solutions do Log Management well and have attempted to bolt on Event Management to mitigate their weaknesses. While this is not the end of the world, it typically means their analysis engine is poor compared to the pure SIEM tools, which can be an issue, as the 24/7 monitoring analysis is the most critical component of a protective monitoring solution.
If your SIEM tool does not do the clever analysis, then it becomes a manual task for your team, which is an issue of manpower and scalability.
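To make the Log Management versus Event Management distinction concrete, here is an added example (not from the original article or any vendor's product) of the kind of analysis an event management engine runs over logs that have already been centralised. The device names, log format and IP addresses are constructed; the rule flags a single source failing logins across several devices, something a per-device view would miss because each device alone sees only one failure.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed audit lines from three hypothetical devices, already shipped to
# one central store the way a log management tool would collect them.
CENTRAL_LOG = [
    "2024-03-01T10:00:05 fw01 auth: failed login for admin from 203.0.113.7",
    "2024-03-01T10:00:40 vpn01 auth: failed login for admin from 203.0.113.7",
    "2024-03-01T10:01:10 srv01 auth: failed login for root from 203.0.113.7",
    "2024-03-01T10:02:00 srv01 auth: failed login for bob from 198.51.100.9",
    "2024-03-01T10:03:00 srv01 auth: accepted login for bob from 198.51.100.9",
]

LINE_RE = re.compile(r"^(\S+) (\S+) auth: (failed|accepted) login for (\S+) from (\S+)$")

def parse(line):
    """Turn one constructed audit line into an event dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, device, outcome, user, src = m.groups()
    return {"ts": datetime.fromisoformat(ts), "device": device,
            "outcome": outcome, "user": user, "src": src}

def per_device_failures(lines):
    """What each device sees on its own: failed-login count per (device, source)."""
    events = [e for e in map(parse, lines) if e and e["outcome"] == "failed"]
    return Counter((e["device"], e["src"]) for e in events)

def detect_cross_device_failures(lines, window=timedelta(minutes=5), min_devices=2):
    """Alert when one source fails logins on >= min_devices distinct devices within the window."""
    events = [e for e in map(parse, lines) if e and e["outcome"] == "failed"]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        for i, first in enumerate(evs):
            in_window = [e for e in evs[i:] if e["ts"] - first["ts"] <= window]
            devices = sorted({e["device"] for e in in_window})
            if len(devices) >= min_devices:
                alerts.append({"src": src, "devices": devices,
                               "first_seen": first["ts"].isoformat()})
                break  # one alert per source is enough for an analyst
    return alerts
```

Run `detect_cross_device_failures(CENTRAL_LOG)` to see the one alert for 203.0.113.7 across fw01, vpn01 and srv01, while `per_device_failures(CENTRAL_LOG)` shows each device recorded only a single failure from that source.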
* Are there options for outsourcing the protective monitoring?
The challenge with a lot of protective monitoring solutions is that they require specific security/hacking domain knowledge to understand WHAT to look for within the audit logs. This would typically require expertise in threat research, and threat researchers are expensive.
An alternative is to outsource protective monitoring to a third party where those threat research resources can be spread across a number of customers, thereby making the overall solution more affordable.
Check out the solutions below from vendors offering GPG 13/Protective Monitoring solutions, covering both technology and outsourcing options.
LogRhythm Protective Monitoring Solution
If you are a vendor or an outsourcing company that would like to share information about your solution with the community, reach out to us at the following email address: email@example.com