Detection, Auditing, and Denial of Service (DoS)

Once preventive measures are in place in a system landscape, further controls are required to detect attacks while they occur. Those controls always involve monitoring of the system.

Incoming messages can be monitored by Platform Providers and Security Architects for a wide variety of characteristics:

  • Port scans for open ports
  • Repeated login attempts
  • Velocity of page fetching requests
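As an added example that is not part of the original material, the following Python sketch runs the three checks listed above over a handful of constructed log lines using a sliding time window per source; the log format, thresholds and window lengths are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample log, not real traffic: "<time> <source> <event> <detail>"; the detail
# is the destination port for conn, ok/fail for login, and the path for fetch.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 conn 21
2024-05-01T10:00:01 10.0.0.5 conn 22
2024-05-01T10:00:01 10.0.0.5 conn 22
2024-05-01T10:00:02 10.0.0.5 conn 23
2024-05-01T10:00:03 10.0.0.5 conn 80
2024-05-01T10:00:10 10.0.0.9 login fail
2024-05-01T10:00:12 10.0.0.9 login fail
2024-05-01T10:00:15 10.0.0.9 login fail
2024-05-01T10:00:20 10.0.0.7 login fail
2024-05-01T10:01:00 10.0.0.8 fetch /a
2024-05-01T10:01:01 10.0.0.8 fetch /b
2024-05-01T10:01:02 10.0.0.8 fetch /c
"""
def parse(log):
    """Split the log into (timestamp, source, event, detail) tuples."""
    rows = (line.split() for line in log.strip().splitlines())
    return [(datetime.fromisoformat(t), s, k, d) for t, s, k, d in rows]

def sources_over_rate(records, threshold, window):
    """Sources with more than `threshold` (time, source) records in any span of length `window`."""
    flagged, recent = set(), defaultdict(deque)
    for ts, src in sorted(records):
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # discard records that fell out of the sliding window
            q.popleft()
        if len(q) > threshold:
            flagged.add(src)
    return flagged

def detect_port_scans(events, max_ports=3, window=timedelta(seconds=30)):
    """Sources touching more than `max_ports` distinct ports; repeated hits on one port count once."""
    first_hit = {}
    for ts, src, kind, port in events:
        if kind == "conn":
            first_hit.setdefault((src, port), ts)
    return sources_over_rate([(ts, src) for (src, _), ts in first_hit.items()], max_ports, window)

def detect_login_bruteforce(events, max_failures=2, window=timedelta(seconds=60)):
    """Sources with more than `max_failures` failed logins inside the window."""
    fails = [(t, s) for t, s, k, d in events if k == "login" and d == "fail"]
    return sources_over_rate(fails, max_failures, window)

def detect_fetch_velocity(events, max_requests=2, window=timedelta(seconds=10)):
    """Sources fetching more than `max_requests` pages inside the window."""
    return sources_over_rate([(t, s) for t, s, k, _ in events if k == "fetch"], max_requests, window)
```

Thresholds this low are only for the sample; in production they are tuned per environment, and the single failed login from 10.0.0.7 shows why a count threshold rather than a single event is needed.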

Application Auditing can be used by all security roles for business reasons, e.g. goods that were never ordered, and for forensic reasons such as identifying the damage an attacker did. The gathered Audit Trail must be protected: encrypted, stored independently of the systems being audited, and with restricted access. Audit trails are stored for months or years, have legal standing and are designed for security purposes. They must therefore not be confused with logs, which are stored for days and designed to support operational and development needs. The following entities can be audited:

  • Account creation
  • Account modification
  • Override of access control mechanism
  • Utilization of privileged functions
  • Creation or deletion of security attributes
  • Connections from internal and external sources
  • Changes to software or configuration