The first principle of good security is putting in controls to stop bad things from happening, to stop malicious individuals from doing bad things. But it does not matter how secure your business is, there will always be vulnerabilities. In your home you can put locks on the doors and windows, but if someone is determined enough they will get in; the only way to keep the house safe is to keep checking the locks. In your business it is the same. For a safeguard or protection to be effective, it must be monitored and checked. Vulnerabilities you cannot see, you cannot protect against.
So monitoring and reporting are about having situational awareness of what is going on, so that you can spot signs of suspicious activity quickly enough to respond and avoid material damage to your business.
Think of it as the burglar alarm, CCTV and security guards for your office: the things that will alert you to anything untoward going on and enable you to deal with it. It sounds simple, but in reality it is a large and challenging task. Buildings have walls and are well bounded; you can imagine the motivations of the individuals who might want to break in and make preparations to deal with them. IT systems are massively more complex and need to be monitored to an intense level of detail to spot something anomalous. While the idea is relatively easy to understand, it is very challenging to do well, which is why it is an area that companies often outsource to third parties.
Let's start small and talk about how to build up capability. There is no point even thinking about monitoring if your critical systems do not have logging switched on and are not gathering information about what is going on: when people log on and off, when they access particular systems, and network logs that describe the flows of traffic. If you haven't got logs switched on then you cannot monitor, and you cannot assess incidents.
Many times I have gone in after an incident and found it impossible to find out what happened, because there was no information available. There are about seven key log sources that are the basic ones: Active Directory, email, proxies, firewalls and the like, sources that can provide a lot of information. Once those are switched on it is a good start, but on their own they won't tell you enough.
You could get a security person to run daily queries for the things you believe are suspicious, but in reality this is unscalable and challenging because of the sheer volume of records and logs. Think of the number of times an employee interacts with systems in a day; the added challenge is that the nature of the threats is constantly evolving, so the needles in the haystack change regularly. That is why there are SIEMs. Essentially, think of a SIEM as a large database and query engine that you put your logs into: it is employed to ingest the logs, and to manage and maintain standard sets of queries that turn raw logs into suspected alerts, events that are quite possibly related to a security incident. Again it sounds simple, but a SIEM handles a wide variety of information and log formats, all of which need to be understood; it is not a task for the fainthearted.
When an organisation finds it cannot check all of its logs on a regular basis, that is when it goes and talks to outsourced service providers, MSSPs, whereby the MSSP is sent all your logs, runs the security alert rules and does the initial investigation when an alert is raised. The outcome you are looking for is early notification that something bad is happening. You might collect the logs, but if the first time you become aware of a problem is when it impacts your business, that is too late, or your business is on the front page of the papers because of a data breach. So the aim is to get advance warning; monitoring and reporting is the way to do it, but getting to the right place is challenging. The suppliers we do assessments of often struggle with implementing these controls. That sounds depressing, but just because it is hard does not mean that it does not need to be done.
It can be done in steps, and the value of it is that it doesn't just give you information security and risk benefits, it also shows you more about your IT, such as shadow IT. The CIO, rather than the CISO, sometimes sees the greater value, because they can see the services hanging off their network and therefore opportunities to rationalise and save money. A graded and productive approach is to focus on the assets that present the greatest risk. There is no point sorting out the post room roster if a breach there is not going to have an impact. Putting tripwires around the critical assets and building out from there is the most pragmatic approach.
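To make the SIEM idea above (logs in, standard queries out as alerts) and the "tripwires around critical assets" approach concrete, here is an added example written for this page; it is not code from the original text or from any SIEM or MSSP product. It assumes a simplified key=value log format, hypothetical hosts and IP addresses, Windows-style AD logon event IDs (4625 failed, 4624 successful), and a single hypothetical critical asset at 10.0.9.5. All log lines are constructed for the example.

```python
"""Toy SIEM pipeline: ingest log lines from several sources (AD, firewall,
proxy), normalise them, run a small rule set, and correlate the alerts.
Every log line below is constructed for this example, not real data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Event IDs mimic Windows AD logon auditing: 4625 = failed logon, 4624 = success.
AD_LOGS = """\
2024-03-01T02:01:05 src=ad host=DC01 event=4625 user=jsmith ip=10.0.5.17
2024-03-01T02:01:09 src=ad host=DC01 event=4625 user=jsmith ip=10.0.5.17
2024-03-01T02:01:14 src=ad host=DC01 event=4625 user=jsmith ip=10.0.5.17
2024-03-01T02:01:20 src=ad host=DC01 event=4625 user=jsmith ip=10.0.5.17
2024-03-01T02:01:26 src=ad host=DC01 event=4625 user=jsmith ip=10.0.5.17
2024-03-01T02:01:31 src=ad host=DC01 event=4624 user=jsmith ip=10.0.5.17
2024-03-01T09:15:00 src=ad host=DC01 event=4625 user=akhan ip=10.0.7.3
2024-03-01T09:15:40 src=ad host=DC01 event=4624 user=akhan ip=10.0.7.3
"""
FW_LOGS = """\
2024-03-01T02:02:10 src=fw action=allow ip=10.0.5.17 dip=10.0.9.5 dport=1433
2024-03-01T10:30:00 src=fw action=allow ip=10.0.7.3 dip=10.0.9.5 dport=1433
2024-03-01T10:31:00 src=fw action=allow ip=10.0.7.3 dip=10.0.2.20 dport=443
"""
PROXY_LOGS = """\
2024-03-01T02:05:00 src=proxy user=jsmith ip=10.0.5.17 host=files.example.net method=POST bytes_out=52428800
2024-03-01T11:00:00 src=proxy user=akhan ip=10.0.7.3 host=docs.example.com method=GET bytes_out=12000
"""

# The "tripwire" set: hypothetical critical assets and the hours they are normally used.
CRITICAL_ASSETS = {"10.0.9.5": "customer-db"}
BUSINESS_HOURS = range(8, 19)   # 08:00-18:59


def parse(text):
    """Normalise 'timestamp k=v k=v ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def rule_bruteforce_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """AD: >= threshold failed logons for one user/ip inside `window`, then a success."""
    alerts, failures = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["src"] != "ad":
            continue
        key = (ev["user"], ev["ip"])
        if ev["event"] == "4625":
            failures[key].append(ev["ts"])
        elif ev["event"] == "4624":
            recent = [t for t in failures[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({"rule": "bruteforce_then_success", "ts": ev["ts"],
                               "ip": ev["ip"], "user": ev["user"], "failures": len(recent)})
            failures[key] = []   # a successful logon resets the counter for that key
    return alerts


def rule_critical_asset_out_of_hours(events):
    """Firewall: any allowed connection to a critical asset outside business hours."""
    alerts = []
    for ev in events:
        asset = CRITICAL_ASSETS.get(ev.get("dip"))
        if ev["src"] == "fw" and ev["action"] == "allow" and asset \
                and ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"rule": "critical_asset_out_of_hours", "ts": ev["ts"],
                           "ip": ev["ip"], "asset": asset})
    return alerts


def rule_large_upload(events, min_bytes=10 * 1024 * 1024):
    """Proxy: a large outbound POST, a crude indicator of data leaving the business."""
    alerts = []
    for ev in events:
        if ev["src"] == "proxy" and ev["method"] == "POST" and int(ev["bytes_out"]) >= min_bytes:
            alerts.append({"rule": "large_upload", "ts": ev["ts"], "ip": ev["ip"],
                           "user": ev["user"], "host": ev["host"]})
    return alerts


RULES = (rule_bruteforce_then_success, rule_critical_asset_out_of_hours, rule_large_upload)


def run_rules(events):
    """Run every rule over the normalised events; return alerts in time order."""
    alerts = []
    for rule in RULES:
        alerts.extend(rule(events))
    return sorted(alerts, key=lambda a: a["ts"])


def correlate_by_ip(alerts):
    """Group alert rule names by source IP: several rules firing on one host is
    what an analyst (in-house or at an MSSP) should investigate first."""
    by_ip = defaultdict(list)
    for a in alerts:
        by_ip[a["ip"]].append(a["rule"])
    return dict(by_ip)


ALL_EVENTS = parse(AD_LOGS) + parse(FW_LOGS) + parse(PROXY_LOGS)

if __name__ == "__main__":
    found = run_rules(ALL_EVENTS)
    for a in found:
        print(a["ts"].isoformat(), a["rule"], a["ip"])
    print(correlate_by_ip(found))
```

Run stand-alone, the script raises three alerts, all against 10.0.5.17: a brute force followed by a successful logon, an out-of-hours connection to the critical database, and a large upload a few minutes later. No single source tells that story; it is the correlation across AD, firewall and proxy logs that turns three noisy events into something worth waking someone up for, which is the point of feeding all the key sources into one engine rather than querying them one at a time.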
What are their responsibilities?
If your business is handling highly sensitive data and you are not taking care of it, then that is a good place to start. If the impact on your brand of a breach of customer data, or the impact on your customers' brands, is sufficiently large to be existential, then that is the place to start shining a light: collect the logs of the systems that hold sensitive data from consumers and business customers, so that you can build confidence in your customers that you are taking care of their data.