We had a scare the other day with a critical cross-site scripting (XSS) attack that seemed to be entirely contained — source and destination — on our own network. Tracking it down and resolving the issue were fairly routine procedures, but it’s worth noting how it’s possible to spot potential security problems when you don’t have a world-class security operations center (SOC) that’s staffed with skilled analysts and stuffed with large-screen monitors and all the bells and whistles.
When you work for a smaller organization, you don’t have the luxury of a 24/7 SOC. In my company, we compensate by building automation into the monitoring of our logs and cherry-picking events that will generate email notifications. Other events get our attention when we can carve out time to monitor the threat logs generated by our advanced firewalls and the security logs produced by a multitude of other devices: web and database servers, load balancers, proxies, file integrity monitoring software, etc. We collect the logs in a centralized server, and a few filters help identify logs that meet certain criteria. A couple of analysts and I take turns monitoring the filtered logs. We don’t get 24/7 coverage, but it’s pretty close.
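The kind of filter the post describes, as an added example (not the author's code): it runs over a few constructed web-server access-log lines, URL-decodes each request URI, flags the ones carrying script-injection indicators, and counts flagged requests per source so a threshold can drive the email notification. The Apache combined log format and the indicator list are assumptions, not details from the post.

```python
import re
import urllib.parse
from collections import Counter

# Constructed Apache combined-format log lines (sample data, not from the original post).
SAMPLE_LOG = """\
10.0.4.17 - - [12/Mar/2024:09:14:02 -0500] "GET /search?q=shoes HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.4.17 - - [12/Mar/2024:09:14:05 -0500] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5310 "-" "Mozilla/5.0"
10.0.9.3 - - [12/Mar/2024:09:15:11 -0500] "GET /profile?name=%2522%2520onerror%253Dalert(1) HTTP/1.1" 200 2200 "-" "curl/8.4"
10.0.9.3 - - [12/Mar/2024:09:15:40 -0500] "GET /img/logo.png HTTP/1.1" 200 8801 "-" "curl/8.4"
10.0.4.17 - - [12/Mar/2024:09:16:02 -0500] "GET /search?q=javascript%3Aalert(1) HTTP/1.1" 200 5100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Triage indicators for script injection in a request URI. They are matched against the
# decoded URI so percent-encoding does not hide a payload; a hit is a lead for an analyst,
# not a verdict, and the list should be tuned against the site's own legitimate traffic.
XSS_INDICATORS = re.compile(
    r'<\s*script|javascript\s*:|\bon[a-z]+\s*=|<\s*(?:iframe|svg|img)\b', re.IGNORECASE
)


def decode_uri(path, rounds=2):
    """URL-decode repeatedly (bounded) so double-encoded payloads are normalised first."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(path)
        if decoded == path:
            break
        path = decoded
    return path


def flag_xss_events(log_text):
    """Return the log events whose request URI carries an XSS indicator."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than crash the monitoring job
        decoded = decode_uri(m['path'])
        hit = XSS_INDICATORS.search(decoded)
        if hit:
            events.append({'src': m['src'], 'ts': m['ts'], 'uri': decoded,
                           'indicator': hit.group(0), 'status': int(m['status'])})
    return events


def sources_to_notify(events, threshold=1):
    """Count flagged requests per source; return those at or above the notification threshold."""
    counts = Counter(e['src'] for e in events)
    return {src: n for src, n in counts.items() if n >= threshold}
```

Wire `sources_to_notify` to the mailer and leave the single-hit sources for the next manual review pass of the filtered logs.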