Add Security Events to Your Monitoring Tools

Real-time monitoring is important in every organization because it enables stakeholders to understand what is happening at any given time and react quickly. There are a lot of systems and devices we can and should monitor using tools such as application performance monitoring, digital performance management, synthetic monitoring, and more. In this post, we will explore website traffic monitoring, how security information can enrich it, and the benefits of adding security events to your monitoring tools.

When we discuss monitoring online traffic in real time at Akamai, we are talking about DataStream (or Cloud Monitor for our customers that are still using this solution). The current version of DataStream provides you not only with raw data, but also aggregated information that is very useful in time-series dashboards created with tools like Grafana and Kibana.

To understand the cause of a traffic spike on your website, you need to be able to correlate the data from your security information and event management (SIEM) system with the traffic at the edge in real time. DataStream makes it possible to create a single dashboard with aggregated traffic data combined with security events from SIEM Integration, so that the security operations center staff has all the intelligence they need in one place.

We prepared a simple dashboard using a graphics library in JavaScript (Chart.js) that consumes the data provided by DataStream and SIEM Integration from a Node.js server. You can create the same dashboard with commercial tools, such as Grafana, but we wanted to keep this example simple and agnostic.
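The correlation step behind a dashboard like this, as an added example: it is not the code from the GitHub repository mentioned in this post. The record fields (`ts`, `hits`), the spike factor, and all sample data are constructed assumptions, not the DataStream or SIEM Integration schema.

```javascript
// Added example: join per-minute traffic aggregates with security events.
// Field names (ts, hits) and all sample data are constructed; they are
// not the DataStream or SIEM Integration schema.
const BUCKET_MS = 60000;
const bucketOf = (ts) => Math.floor(ts / BUCKET_MS) * BUCKET_MS;

// Median baseline: a single spike cannot drag it upward.
function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  if (s.length === 0) return 0;
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Label each traffic minute by whether hits, events, or both exceed
// `factor` times their baseline.
function correlate(traffic, events, factor = 3) {
  const counts = new Map();
  for (const e of events) {
    const b = bucketOf(e.ts);
    counts.set(b, (counts.get(b) || 0) + 1);
  }
  const rows = traffic.map((t) => ({
    minute: new Date(bucketOf(t.ts)).toISOString(),
    hits: t.hits,
    events: counts.get(bucketOf(t.ts)) || 0,
  }));
  const hitBase = median(rows.map((r) => r.hits));
  const evBase = Math.max(1, median(rows.map((r) => r.events))); // avoid a zero baseline
  return rows.map((r) => {
    const trafficSpike = r.hits > factor * hitBase;
    const eventSpike = r.events > factor * evBase;
    const label = trafficSpike && eventSpike ? "traffic+security"
      : trafficSpike ? "traffic-only"
      : eventSpike ? "security-only" : "normal";
    return { ...r, label };
  });
}

// Constructed sample: six minutes of traffic, event bursts in minutes 1 and 3.
const T0 = Date.UTC(2024, 0, 1, 12, 0);
const burst = (minute, n) =>
  Array.from({ length: n }, (_, i) => ({ ts: T0 + minute * BUCKET_MS + i * 1000 }));
const sampleTraffic = [1000, 1100, 950, 5200, 4800, 1050]
  .map((hits, i) => ({ ts: T0 + i * BUCKET_MS, hits }));
const sampleEvents = [...burst(0, 2), ...burst(1, 10), ...burst(3, 40)];

console.table(correlate(sampleTraffic, sampleEvents));
```

A "traffic-only" minute is the case where growth has no matching rise in security events, while "traffic+security" is the one worth paging the security operations center for.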

Having a combination of traffic and security data in the same place can be useful for many teams:

  • From a security perspective, the InfoSec organization needs as much information as possible, in real time, to understand if the organization is under attack, as well as what type of attack it is and which assets are being targeted. A dashboard showing a spike in security events happening at the same time traffic is growing can help a lot — especially if nobody told the security team there is a new campaign on the air, for instance.
  • From a performance perspective, even a small degradation in page load time can drive website visitors elsewhere. Key performance indicator metrics like conversion and bounce rate also help you understand real user experiences. Akamai mPulse provides real user monitoring and lets you see how malicious traffic to the origin affects user experience. A credential stuffing attack trying to validate hundreds of thousands of credentials against the login page, malicious requests trying to exhaust databases, or a DDoS attack can all cause slowdowns and service outages that negatively impact real users. A traffic and security data dashboard next to mPulse measurements over time provides this insight.
  • From an IT perspective, the ability to correlate traffic data, security events, and the load on servers — even the number of sessions or connections — makes it easier to find the cause of any anomaly detected.

There are many use cases for a combined set of dashboard data that provides visibility into website activity. Code and instructions for creating the dashboard are available on GitHub — you only need Node.js and a couple of valid Akamai {OPEN} credentials (one to access DataStream API and another for SIEM Integration API) to get started.

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Angel Nogueras Palomar. Read the original post at: