Monitor and analyze

The desired security controls should be in place after following the steps described in How to establish security controls. However, the attack surface might change over time (new vulnerabilities arise, ciphers are not secure anymore, etc.) or new best practices are established. Therefore, it is important to constantly monitor and analyze your environment and adjust the configuration dynamically.

Insights from this task may influence the following artifacts:

  • Templates – If new settings must be enabled by default, they should be part of the templates.
  • Enforce policies – Some settings may become deprecated or even prohibited. That could be enforced by a policy.
  • Assess the active configuration – The active configuration must conform to the desired settings.
  • Education and guidelines – Make sure that best practices and training material is always up-to-date.
  • Blueprints – In certain cases, even the blueprint may be reconsidered.

Monitor

Some elements should be considered for constant monitoring.

  1. Watch the allowed and blocked requests. Keep an eye on the following:
    • Amount of requests
    • Originating geo-locations
    • Kind of requests (GET, POST, ...)
    • Request paths
    • User agents (Firefox, Chrome, ...)

    High numbers of blocked requests may indicate ongoing attacks, misconfiguration or application errors.

    Deviation of allowed requests from normal patterns may indicate user behavior change, new types of clients or application errors.

  2. Watch for errors in your logs.

    An increase of errors could be caused by misconfiguration, issues in a particular component or an attack.
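A small log analyzer that counts requests along the dimensions listed above and flags a high share of blocked requests, added here as an example that is not part of the Airlock documentation. The log line format, the sample lines and the thresholds are constructed for illustration and do not reflect Airlock's actual log format.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed log format for illustration only (not Airlock's real format):
# <action> <method> <path> geo=<CC> ua="<user agent>"
LINE_RE = re.compile(r'^(?P<action>allowed|blocked) (?P<method>[A-Z]+) (?P<path>\S+) '
                     r'geo=(?P<geo>[A-Z]{2}) ua="(?P<ua>[^"]*)"$')

# Constructed sample log: a burst of blocked login/admin requests from one client.
SAMPLE_LOG = """\
allowed GET /index.html geo=CH ua="Mozilla/5.0 Firefox/115.0"
allowed GET /api/items geo=CH ua="Mozilla/5.0 Chrome/120.0"
blocked POST /login geo=XX ua="curl/8.4.0"
blocked POST /login geo=XX ua="curl/8.4.0"
blocked GET /admin geo=XX ua="curl/8.4.0"
allowed POST /login geo=DE ua="Mozilla/5.0 Chrome/120.0"
blocked POST /login geo=XX ua="curl/8.4.0"
"""

def summarize(log_text: str) -> Dict[str, Counter]:
    """Count requests by action, method, path, geo-location and user agent."""
    summary = {k: Counter() for k in ("action", "method", "path", "geo", "ua", "blocked_path")}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # unparseable line: count it, this is the "errors in your logs" signal
            summary["action"]["unparsed"] += 1
            continue
        r = m.groupdict()
        for key in ("action", "method", "path", "geo", "ua"):
            summary[key][r[key]] += 1
        if r["action"] == "blocked":
            summary["blocked_path"][r["path"]] += 1
    return summary

def flag_anomalies(summary: Dict[str, Counter], max_block_ratio: float = 0.2,
                   baseline_methods=("GET", "POST")) -> List[str]:
    """Return findings; the ratio and method baseline are assumed values, tune them per site."""
    findings = []
    total = sum(summary["action"].values())
    blocked = summary["action"]["blocked"]
    if total and blocked / total > max_block_ratio:
        top_path, n = summary["blocked_path"].most_common(1)[0]
        findings.append(f"block ratio {blocked / total:.0%} exceeds {max_block_ratio:.0%}; "
                        f"most blocked path {top_path} ({n})")
    for method in summary["method"]:
        if method not in baseline_methods:  # deviation from the normal request mix
            findings.append(f"unusual method {method}")
    return findings
```

Running `flag_anomalies(summarize(SAMPLE_LOG))` on the constructed log reports a 57% block ratio concentrated on /login, the kind of deviation that should trigger a closer look at the policy or the application.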

Analyze

Security controls allow for the enforcement of established policies. However, to improve the current policies, a deep dive analysis should be performed from time to time.

Deep dive analysis tasks, recommended from time to time:

  • Run a penetration test by a specialized security company.
  • Check the rating of your domains with SSL Labs. Take the corresponding action if it suggests improvements.
  • Check the rating of your domain with Security Headers. The website Can I use informs about browser adoption of specific security headers. Guidelines on user agents that must be supported may help prioritize changes.
  • Evaluate new or currently unused features provided by Airlock. Think about how they could increase security.

Depending on who is terminating the TLS connection and modifying HTTP headers, actions must be taken in different infrastructure components.