Black Friday Hackers – Not All Threats are Equal

With the biggest sales event of the year coming to US retailers this week, there is also increased concern about the possibility of additional data breach incidents.

This week and next, many organizations are consumed with keeping the lights on and making sure their e-commerce platforms keep up with the anticipated spike in demand from the big sale event. We are days away from Black Friday, and many are already crying foul before the whistle blows to start the game.

Justified or unjustified fear? I can tell you with certainty, backed by many years of experience, that some of that fear is justified. American holidays such as Thanksgiving, Christmas and the Super Bowl are days when the event volume on security operations center monitors climbs sharply.

So, make no mistake, Black Friday and Cyber Monday will not only attract shoppers, they will also attract hackers.

Unfortunately, most organizations do not have the resources to keep a fully staffed 24/7 network event monitoring effort, especially on non-working days such as weekends and holidays. Is it really necessary? My answer will bother some, but yes, it is.

Why?

Well, is your network important to you? Are those assets important to you? Will your brand be affected by unauthorized access? Are there legal ramifications in the event of a data breach? The answer to all of these is most likely yes. The most important question, however, is whether a data breach will negatively affect your clients. That is a yes/no question, and if the answer is yes then, unequivocally, your organization must find ways to monitor its networks twenty-four hours a day, seven days a week.

In that effort, I’d like to offer some insights:

  • Monitor both external and internal events.
  • Aggregate and analyze your logs to establish a baseline.
  • If outsourcing is not possible, combine automatic alerting with on-call designations, or staff a 24/7 security operations center; a minimum of nine analysts with one manager should suffice for around-the-clock coverage. In terms of technologies, the options are plenty and varied.
  • Reduce unnecessary noise without ignoring relevant events.
  • Address the alerts generated; otherwise members of the organization will soon treat them the same way they treat spam email.
  • Define your incident response and apply the priority that the risk deserves. Not all threats are equal.
  • Do not overlook access control related events such as failed logon attempts, even if it is painful due to the volume.
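As an added example that is not part of the original post, here is how three of the points above (establish a baseline from aggregated logs, cut noise without dropping relevant events, and keep watching failed logons) fit together in a few dozen lines. It runs over constructed Linux auth.log lines; the hostnames, addresses, the assumed year and the thresholds are assumptions for the example, not figures from the post.

```python
# Added example, not from the original post: baseline failed SSH logons per
# hour from "historical" auth.log lines, then score a "current" window against
# that baseline and against a per-source brute-force threshold.
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Classic syslog auth.log lines carry no year, so one is assumed (example only).
ASSUMED_YEAR = 2023

# sshd failure line; everything after the source address is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed sample data (hosts and addresses are placeholders).
HISTORY = [
    "Nov 20 09:12:01 shop-web sshd[3011]: Failed password for alice from 10.0.0.5 port 40022 ssh2",
    "Nov 20 14:03:44 shop-web sshd[3140]: Failed password for bob from 10.0.0.7 port 40101 ssh2",
    "Nov 21 09:30:10 shop-web sshd[3302]: Failed password for alice from 10.0.0.5 port 40230 ssh2",
    "Nov 21 16:45:02 shop-web sshd[3477]: Failed password for carol from 10.0.0.9 port 40388 ssh2",
]
BURST = [  # twelve failures from one address inside a single hour
    f"Nov 24 02:{10 + i:02d}:07 shop-web sshd[{4100 + i}]: Failed password for "
    f"invalid user admin from 203.0.113.8 port {50300 + i} ssh2"
    for i in range(12)
]
CURRENT = BURST + [
    "Nov 24 11:05:33 shop-web sshd[4301]: Failed password for alice from 10.0.0.5 port 41002 ssh2",
    "Nov 24 11:06:10 shop-web sshd[4302]: Accepted password for alice from 10.0.0.5 port 41003 ssh2",
    "Nov 24 11:20:00 shop-web sshd[4310]: Failed password for bob from 10.0.0.7 port 41044 ssh2",
]


def parse_failed_logons(lines):
    """Yield (hour_key, user, src) for each failed-password line; skip the rest."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts.strftime("%Y-%m-%d %H"), m["user"], m["src"]


def hourly_baseline(historical_lines):
    """Mean and population stdev of failed logons per hour over the history.
    Hours with no failures are counted as zero so quiet hours are not ignored."""
    counts = Counter(hour for hour, _, _ in parse_failed_logons(historical_lines))
    if not counts:
        return 0.0, 0.0
    first = datetime.strptime(min(counts), "%Y-%m-%d %H")
    last = datetime.strptime(max(counts), "%Y-%m-%d %H")
    span = int((last - first).total_seconds() // 3600) + 1
    series = [
        counts.get((first + timedelta(hours=i)).strftime("%Y-%m-%d %H"), 0)
        for i in range(span)
    ]
    return statistics.fmean(series), statistics.pstdev(series)


def score_window(current_lines, mean, stdev, sigma=3.0, min_count=5, per_source_max=10):
    """Return alerts for the window. A 'volume' alert needs the hour to exceed
    mean + sigma*stdev AND a floor of min_count, so a near-zero baseline does not
    turn two mistyped passwords into a page. A 'brute_force' alert fires when one
    source exceeds per_source_max failures in an hour, regardless of the baseline."""
    per_hour = Counter()
    per_hour_src = defaultdict(Counter)
    for hour, _user, src in parse_failed_logons(current_lines):
        per_hour[hour] += 1
        per_hour_src[hour][src] += 1

    threshold = mean + sigma * stdev
    alerts = []
    for hour, n in sorted(per_hour.items()):
        if n > threshold and n >= min_count:
            alerts.append({"type": "volume", "hour": hour, "count": n,
                           "threshold": round(threshold, 2)})
        for src, k in sorted(per_hour_src[hour].items()):
            if k > per_source_max:
                alerts.append({"type": "brute_force", "hour": hour, "src": src, "count": k})
    return alerts


if __name__ == "__main__":
    m, s = hourly_baseline(HISTORY)
    print(f"baseline: mean={m:.3f}/h stdev={s:.3f}")
    for alert in score_window(CURRENT, m, s):
        print(alert)
```

With this data the 11:00 hour has two isolated typos, which is above the tiny baseline but below the floor and so stays quiet, while the 02:00 hour raises both a volume alert and a brute-force alert for 203.0.113.8. Swap the constructed lists for a real log window and a longer history; the floor and sigma are the two knobs to tune against your own noise level.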

In terms of commercial tools, there are many out there and some can be very pricey. In terms of open source tools, there are also plenty of options: Icinga, Snort, Logstash, etc.

Is it possible to combine open source tools with commercial tools? Absolutely. It requires a solid architecture design and strategic planning, but it is very possible.
