The security of your environment shouldn’t depend on whether you’re looking in the right place at the right time. While active visual means such as dashboards, emails, tickets, and chat messages are a vital part of security event monitoring, they might not get your attention if your eyes are elsewhere.
Even when you’re focused on the right screen, important events can easily get buried in an overload of information, delaying their processing – or allowing them to be overlooked entirely. Your website needs a way to speak up when it’s under attack.
Now, imagine if potential website attacks or blocked requests announced themselves as clearly and recognizably as your phone’s custom text-tone for your best friend. As you go about your busy day, you’re always aware of the events you care about as they happen. Even if your attention was momentarily diverted from your screen, you’d get alerted in real time and could still respond quickly, saving valuable time.
To be clear, this passive, auditory type of event monitoring is currently only a theoretical capability – and will by no means replace active, visual means any time soon. Rather, auditory delivery of security events will evolve to become a valuable complement to the tools most security teams already rely on, adding a real-time, eyes-free dimension to the rich information and workflows currently in use, and targeting specific events so that only the most urgent or important ones trigger a sound.
When your SOC can hear hackers coming
Once proven, auditory monitoring promises valuable benefits for security teams. To begin with, new events and changes in event patterns will be identified more quickly. On an organizational level, auditory monitoring will help companies deal with the chronic talent shortage facing most security organizations. Passive alerts also make it possible to scale event monitoring coverage among analysts, while ensuring that nothing falls through the cracks.
In addition, auditory monitoring has the potential to expand cybersecurity careers for people with visual impairments. Finally, non-analysts such as senior security personnel, who don’t ordinarily participate in monitoring, will be able to keep their ears open to the most critical events. In fact, passive monitoring may even be delegated beyond the confines of the security operations center and its teams, enabling operations teams, developers, and management to play an “if you hear something, say something”-type role in security.
What would this approach look like—or sound like—in practice? Here are a few examples of the many ways companies could leverage audible alerts for their Web apps:
- SOC analysts trolling through system logs in Splunk could be alerted with a buzzard sound if there’s an increase of injection attack activity, such as XSS, SQLi, Code Injection, and so on.
- Managers tied up in meetings throughout the day could hear a chime from their laptop if a new round of credential stuffing attacks begins.
- DevOps teams concerned about new deployments running smoothly could hear a chirp if application errors occur.
In some scenarios, the sound alone might be all the information they need; for others, the nearest screen could fill in additional details. For added certainty, alerts could be configured to repeat periodically at intervals that correspond to their urgency, until cleared manually. However you implement it, auditory monitoring brings an entirely new sensory realm into play that helps cut through the overload of visual information found in many IT settings.
A handful of open source projects are already experimenting with audible monitoring. Specific to cybersecurity, one project uses sound to identify network traffic patterns such as ICMP pings and UDP/TCP port scans, and another uses sounds to identify specific events from web application firewall event logs.
Beyond the screen
Computing has centered on visual displays for so long, screens can seem like the definitive way to present monitoring information – but this is far from true. Voice assistants and other non-visual media are transforming the way consumers interact with their apps and devices, and it’s easy to imagine a future where sound-based interaction is the norm for many use cases.
There will always be a need for the kind of detail, drill-down interactivity, and at-a-glance historical depth that only a display can provide, but as technologists increasingly think beyond the pixel, there’s tremendous potential for new ways to deliver timely information in auditory form. The simplest, briefest sound can be highly effective for capturing attention – even in the hectic setting of a SOC – in situations where every minute counts.
If not applied appropriately, though, the auditory approach could become ineffective. Just as analysts can be overloaded with standard alerts, they could be overloaded with audible alerts. Perhaps not just overloaded, but even irritated to the point of disabling alerts altogether. To avoid the possible irritation overload, audible alerting should be targeted for meaningful or high valued events. In addition, ensure the sounds you select are not obnoxious to your office neighbors.
For now, auditory security event monitoring remains an experimental concept to be explored—but it’s worth paying close attention to the projects and pilots it spawns. As the speed, intensity, and stakes of cybersecurity continue to grow, the ability to hear your website’s cries for help could make all the difference.
Security
via https://www.aiupnow.com
Help Net Security, Khareem Sudlow