Server Monitoring is Not Security Monitoring…

Almost every managed services provider includes server monitoring with their support offering. Server monitoring is a good thing, but it is just part of the “table stakes” for calling yourself an MSP. Unfortunately, this level of monitoring is not enough to fully protect even small businesses anymore.

Many managed IT services providers and IT support companies use software such as Kaseya, Labtech, SolarWinds, or N-Able to monitor their clients’ servers. These software packages will notify your technology consultants that a server has either generated a critical alert, or that some utilization threshold has been crossed. Thresholds for disk space, processor, and memory utilization are very common. The monitoring tools will also tell you if your router or firewall is offline. These alerts and alarms are typically monitored by a Network Operations Center or NOC.

What these tools do not tell you is how your network is being used, and whether your network security has been breached. These tools do not tell you if a cybercriminal has accessed the network and is in the process of exfiltrating your data. They also do not tell you if your webcams, conference room displays, or security system are listening in on your conversations. This means that the average monitoring package is only “alerting” your IT support company about a fraction of the things that can go wrong on your network.

Washington, DC-based Businesses Are At Greater Risk

Businesses in the Washington, D.C. area, especially small to mid-sized businesses, have greater risks than businesses located in other parts of the country.

For example, a small law firm in Alexandria, VA might have documents on their network that pertain to contracts that a defense contractor has with the Pentagon. While the Pentagon theoretically has network defenses that cybercriminals from, say, Russia or China cannot easily breach, the smaller law firm may present less of a challenge. If a cybercriminal were to access the law firm’s server, standard network monitoring software would not tell the lawyers, firm administrator, or the IT consulting company that the criminals were uploading copies of the contracts to their own servers or to the cloud.

In another scenario, if a government affairs consultant on Capitol Hill was using a hosted email server, and their mailbox contained thousands of messages sent to their trade association client, this mailbox would be a very attractive target for an organization whose mission was counter to that of the trade association and its members. If a state-sponsored cybercriminal in Europe were to use a social engineering or spear phishing email to capture the credentials for one of the lobbyists, there would be no way for that individual or the firm to know that the hosted Microsoft Exchange mailbox was being accessed by a computer in a coffee shop somewhere across the Atlantic.

Our point is that network and server monitoring tools are not security monitoring tools. They can detect errors and events, but they don’t detect unauthorized access to a network.

The Pentagon and government agencies have enterprise-class tools and Security Operations Centers (SOC) to monitor for data breaches. Small and mid-sized businesses typically do not have access to these tools or to qualified personnel who know how to use them. Essentially, just because a business has someone monitoring the IT network, it does not mean that they are monitoring for data breaches, cybercriminals, or other malicious activity.

To properly protect a business network, IT consultants and MSPs need to monitor the servers and the IT network. They also need to use tools such as a Security Information and Event Management (SIEM) tool. If you are responsible for managing your IT vendor, make sure that they know the difference between monitoring events and alerts, and monitoring for data breaches and other malicious activities.