Monitor and Respond
Once the environment is secure, the next step in the Cisco Security Wheel is to put comprehensive monitoring and response techniques in place. This means using documented, policy-directed software and human practices to ensure full awareness of potential security events. Software systems include well-tuned alert thresholds and logging mechanisms on the devices used to secure the network, such as firewalls, IDS, and AAA servers. It is absolutely critical, however, that these reporting mechanisms are properly configured. Otherwise, security administrators will be overwhelmed with false-positive data and rendered ineffective in actual security situations. Furthermore, in large enterprise environments it is quite impossible for humans to keep pace with copious logs and alert messages, even with well-configured devices; there is simply too much data to analyze. In these situations, additional software that performs event aggregation and correlation is necessary to alleviate the data overload.
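The aggregation, thresholding and cross-device correlation described above, shown as an added example written for this section (not code from the Cisco Security Wheel materials); the device names, IP addresses and event names are constructed sample data:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): (timestamp, reporting device, source IP, event).
SAMPLE_EVENTS = [
    ("2024-05-01T10:00:01", "ids", "10.0.0.5", "SYN_SCAN"),
    ("2024-05-01T10:00:03", "ids", "10.0.0.5", "SYN_SCAN"),
    ("2024-05-01T10:00:04", "ids", "10.0.0.5", "SYN_SCAN"),
    ("2024-05-01T10:00:09", "firewall", "10.0.0.5", "DENY_TCP_22"),
    ("2024-05-01T10:00:10", "firewall", "10.0.0.5", "DENY_TCP_22"),
    ("2024-05-01T10:00:11", "firewall", "10.0.0.5", "DENY_TCP_22"),
    ("2024-05-01T10:00:30", "aaa", "10.0.0.5", "AUTH_FAIL"),
    ("2024-05-01T10:00:31", "aaa", "10.0.0.5", "AUTH_FAIL"),
    ("2024-05-01T10:00:32", "aaa", "10.0.0.5", "AUTH_FAIL"),
    ("2024-05-01T10:00:40", "ids", "10.0.0.7", "SYN_SCAN"),   # isolated hit: noise
    ("2024-05-01T10:15:00", "ids", "10.0.0.7", "SYN_SCAN"),   # second hit, outside the window
]

def aggregate(events, window=timedelta(minutes=5), threshold=3):
    """Collapse repeats of the same (device, src, event) inside a sliding time window.
    Only keys whose count reaches the threshold are returned, so isolated hits never reach a human."""
    buckets = defaultdict(list)
    for ts, device, src, name in events:
        buckets[(device, src, name)].append(datetime.fromisoformat(ts))
    summaries = {}
    for key, times in buckets.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop hits that fell out of the window
                start += 1
            count = end - start + 1
            if count >= threshold:
                summaries[key] = max(summaries.get(key, 0), count)
    return summaries

def correlate(summaries, min_devices=2):
    """Cross-device correlation: a source that tripped thresholds on two or more
    independent systems (IDS, firewall, AAA) is escalated for manual response."""
    seen_by = defaultdict(set)
    for (device, src, _name) in summaries:
        seen_by[src].add(device)
    return {src: sorted(d) for src, d in seen_by.items() if len(d) >= min_devices}

if __name__ == "__main__":
    summ = aggregate(SAMPLE_EVENTS)
    print("aggregated alerts:", summ)
    for src, devices in correlate(summ).items():
        print("ESCALATE:", src, "seen by", ", ".join(devices))
```

With the thresholds above, the three noisy sources on 10.0.0.5 collapse into three summaries and a single escalation, while the two widely spaced scan hits from 10.0.0.7 never surface.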
In addition to well-constructed software mechanisms, security administrators must practice proper and methodical monitoring techniques. Administrators should baseline and understand the normal attributes of the network so as to recognize anomalous events. Regular and repeated practice in log and alert monitoring can reduce the chances of missing the precursory events of security attacks and stave off damaging situations before they occur.
With good human and software monitoring techniques, most security issues can be detected. It is at the point of detection that defined and practiced response measures must be implemented. Some responses may be automated, such as automatic shunning or filtering triggered by an IDS signature match. Most responses will likely be manual, however. In these situations, administrators should have clear roles and responsibilities for mitigating the effects of an attack and alerting upstream authorities, both inside and outside of the organization. Well-developed security policies are often helpful in delineating such roles, responsibilities, and actions.
Finally, administrators should also be prepared to react dynamically in atypical and new security situations. Again, security policy can aid in these situations by defining the realm of the administrators' authority and obligation.