Is There Such A Thing As Too Much Monitoring?
Effective Monitoring is Efficient Monitoring
One of the cornerstones of good cybersecurity is monitoring devices and their activity on your network. After all, you need to keep an eye on what’s happening with your organization’s machines if you hope to detect and defeat threats that have slipped past your defenses, and doing that means monitoring all the activity in whatever system you’re concerned with. There are a couple of ways to monitor and review a machine’s activity, the most obvious being to log in to each device and monitor its activity directly.
As you can imagine, such an approach quickly becomes unmanageable; the biggest problems are the volume of data produced and how hard it is to scale up. Directly monitoring a device can generate piles upon piles of logs filled with details about mundane, everyday activity, all of which need to be reviewed. Moreover, the volume of data to be reviewed grows enormously with each additional device monitored. Taking a direct approach like this quickly results in mental fatigue: even though cybercrime seems to be running rampant, no device in your organization should be coming under attack every day, and watching logs of regular activity will put even the most enthusiastic cybersecurity watchdog into a deep boredom coma. Raw logs are neither mentally stimulating nor interesting to look at, and there aren’t even any tools to help read them. The direct approach may seem like a good idea at first, but it will likely just result in important events and activities getting lost in the pile or plain overlooked.
Activity log monitoring tools
A simpler approach is to implement a system that gathers logs from multiple locations, so you only need to access one place in order to keep tabs on the rest. Unlike assistants for reading activity logs, plenty of tools exist for gathering them from machines on your network. In fact, many don’t just gather logs but also send email or text alerts if some event (or combination of events) occurs. However, it’s important to temper expectations. Such tools help deal with mental fatigue and burnout, but they still don’t solve how to detect dangerous events in progress. For example, you don’t want to be warned whenever the occasional password typo results in a failed login event, but 15 failed login attempts in just three seconds definitely requires attention. Despite the rapid deployment of AI, many of these monitoring tools still aren’t smart enough to tell the difference. They may lock an account after five failed attempts to log in, but do they know to raise an alarm and immediately notify your IT lead if it happens in under a second, including the relevant details? Are they smart enough to know what the relevant details even are? Plus, we’ve only spoken about failed logins so far; are there programs smart enough to know what the relevant details are for all the other potential events you need to be monitoring for as well? We’ve yet to encounter one.
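To make the failed-login distinction above concrete, here is an added example (not code from the original post or from TRINUS) of the kind of rule a log collector would need: a sliding-window check that stays quiet for a lone typo or a slow trickle of failures, fires once when a burst crosses the threshold, and carries the details an IT lead would want in the alert. The sshd-style log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=3)   # the post's example: 15 failures within 3 seconds
THRESHOLD = 15

# Constructed sshd-style line format; real collectors normalise many formats.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: Failed password for (?P<user>\S+) from (?P<src>\S+)$"
)

def detect_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per (user, source) burst of >= threshold failures inside `window`."""
    recent = defaultdict(deque)   # (user, source) -> timestamps of recent failures
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:                 # accepted logins and unrelated lines are ignored
            continue
        ts = datetime.fromisoformat(m["ts"])
        key = (m["user"], m["src"])
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) == threshold:           # fire once, when the burst first crosses the line
            alerts.append({
                "host": m["host"], "user": m["user"], "source": m["src"],
                "failures": len(q), "first": q[0].isoformat(), "last": ts.isoformat(),
            })
    return alerts

def _failed(ts, user, src, host="host1"):
    return f"{ts} {host} sshd: Failed password for {user} from {src}"

# Constructed sample log: one typo, a slow trickle, and a genuine burst.
SAMPLE_LOG = [
    _failed("2024-05-01T08:00:01", "alice", "10.0.0.5"),
    "2024-05-01T08:00:09 host1 sshd: Accepted password for alice from 10.0.0.5",
] + [
    _failed(f"2024-05-01T08:{10 + i:02d}:00", "carol", "10.0.0.9") for i in range(4)  # 4 in 4 min
] + [
    _failed((datetime(2024, 5, 1, 9, 15, 0) + timedelta(milliseconds=200 * i)).isoformat(),
            "bob", "203.0.113.7") for i in range(16)   # 16 failures spread over 3 seconds
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Only bob's burst produces an alert; alice's single typo and carol's four spaced-out failures never fill the window.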
If you’re not actively looking for problems, you likely won’t find out anything’s wrong with your machines until it’s too late. That’s why identifying areas of importance and potential attack surfaces, then properly monitoring them, is vital to good cybersecurity for every organization. Efficient and effective monitoring not only helps defend against attacks in real time, but also helps identify areas of your system that need reinforcing and focuses attention on where additional defenses may need to be deployed.
To learn more about identifying key resources and properly monitoring activity logs, contact a TRINUS cybersecurity professional. We’ll be happy to help alleviate any misgivings you may have about monitoring your machines as part of our commitment to providing exceptional stress-free IT.
This quote comes from Measure for Measure: “Some rise by sin, and some by virtue fall.”
Be kind to one another, courtesy your friendly neighbourhood Cyberman.