How are networks protected against attacks today, and what do SIEM, artificial intelligence, and encryption have to do with it? A panel on security monitoring featured practical experiences from integrators, vendors, and bank CISOs. The discussion showed that the key is not just to see the data, but to be able to respond to it quickly and intelligently.
From event collection to automated response
At the core of today’s security monitoring is SIEM – a tool that collects events from various sources, from operating systems and network devices to specialized security sensors. What matters is not only detecting an incident in a single system, but placing it in a broader context that reveals relationships across the infrastructure. Such correlations can confirm a threat, add detail, and determine the priority of the response. The trend is for automation to follow from these findings – systems should not only detect an incident, but also suppress it in a coordinated way.
Vendors are therefore linking monitoring with response: from sandboxing and behavioral analysis to the orchestration of other devices. Application auditing is also coming into play, especially for applications running in the cloud: before deployment, static analysis and testing help; after deployment, ongoing evaluation of runtime behavior. The point is to turn the outputs of network and application checks into concrete actions that are automated as far as possible. Without that, today’s data volumes and the shortage of staff cannot be managed.
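The correlation-to-response chain described above, as an added illustration that is not code from the panel or any vendor: events from three independent sources (firewall, authentication server, endpoint agent) are grouped per host within a time window, scored, weighted by how many sources corroborate each other, and mapped to an orchestration action. The sample events, the weights, and the score thresholds are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from three sources; not real telemetry.
EVENTS = [
    {"ts": "2024-05-01T10:00:05", "source": "firewall", "host": "ws-17", "type": "outbound_block", "detail": "dst 203.0.113.9:4444"},
    {"ts": "2024-05-01T10:00:20", "source": "auth", "host": "ws-17", "type": "login_failure", "detail": "user jsmith"},
    {"ts": "2024-05-01T10:00:25", "source": "auth", "host": "ws-17", "type": "login_failure", "detail": "user jsmith"},
    {"ts": "2024-05-01T10:01:10", "source": "endpoint", "host": "ws-17", "type": "malware_detected", "detail": "quarantined"},
    {"ts": "2024-05-01T10:30:00", "source": "firewall", "host": "ws-42", "type": "outbound_block", "detail": "dst 198.51.100.7:443"},
    {"ts": "2024-05-01T11:00:00", "source": "auth", "host": "ws-42", "type": "login_failure", "detail": "user bob"},
]

# Assumed per-event severity weights and the correlation window.
WEIGHTS = {"outbound_block": 2, "login_failure": 1, "malware_detected": 5}
WINDOW = timedelta(minutes=10)


def _when(event):
    return datetime.fromisoformat(event["ts"])


def _summarize(host, group):
    """Collapse one window of events on a host into a single scored incident."""
    sources = {e["source"] for e in group}
    score = sum(WEIGHTS.get(e["type"], 0) for e in group)
    # Corroboration by independent sources raises the priority multiplicatively.
    score *= len(sources)
    return {
        "host": host,
        "first": group[0]["ts"],
        "last": group[-1]["ts"],
        "sources": sorted(sources),
        "types": [e["type"] for e in group],
        "score": score,
    }


def correlate(events, window=WINDOW):
    """Group events per host into windows and return incidents, highest score first."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_when):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        start, group = None, []
        for ev in evs:
            if start is None or _when(ev) - start > window:
                if group:
                    incidents.append(_summarize(host, group))
                start, group = _when(ev), [ev]
            else:
                group.append(ev)
        if group:
            incidents.append(_summarize(host, group))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


def recommend(incident, isolate_at=20, ticket_at=5):
    """Map an incident score to an orchestration action (thresholds are assumed policy)."""
    if incident["score"] >= isolate_at and "malware_detected" in incident["types"]:
        return "isolate_host"
    if incident["score"] >= ticket_at:
        return "open_ticket"
    return "log"


if __name__ == "__main__":
    for inc in correlate(EVENTS):
        print(inc["host"], inc["score"], inc["sources"], "->", recommend(inc))
```

The multiplier for corroborating sources is what turns four low-weight events on ws-17 into the top incident, while the two isolated events on ws-42 (30 minutes apart, so in separate windows) stay at the bottom and only get logged.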
Banks vs. small businesses: same principles, different scale
Large institutions run the "heavy artillery" – a combination of IDS/IPS, advanced firewalls, SIEM, and network detection, often with microsegmentation. Smaller and mid-sized companies can help themselves significantly with simpler measures: a modern antivirus with network traffic analysis is recommended, and NDR for larger networks. It also makes sense to deploy a more capable firewall than the "basic" one from the provider, one that can handle application control. And do not underestimate the absolute basics: regular patching, strong passwords, and multi-factor authentication.
At the first deployment of monitoring, the picture is often "red" – the system reports many anomalies and some false alarms. That’s why tuning policies and suppressing known legitimate communications is part of the pilot, so that only relevant alerts remain. This tuning can take weeks, and in a changing environment you need to keep coming back to it. The result is more transparent operations and a faster response to real problems.
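The tuning step described above, as an added example rather than a tool from the panel: a pilot's alerts are run through a list of suppressions for known legitimate communications, each with an owner and an expiry date so that the rule is revisited when the environment changes. The alerts, addresses and suppression entries are constructed for the example.

```python
from datetime import date

# Constructed alerts from a monitoring pilot; addresses are illustrative.
ALERTS = [
    {"id": 1, "rule": "large_transfer", "src": "10.0.5.20", "dst": "10.0.5.21"},
    {"id": 2, "rule": "port_scan", "src": "10.0.9.9", "dst": "10.0.1.5"},
    {"id": 3, "rule": "port_scan", "src": "10.0.9.9", "dst": "10.0.1.6"},
    {"id": 4, "rule": "large_transfer", "src": "10.0.7.3", "dst": "10.0.5.21"},
    {"id": 5, "rule": "port_scan", "src": "10.0.2.2", "dst": "10.0.1.5"},
    {"id": 6, "rule": "port_scan", "src": "10.0.5.20", "dst": "10.0.5.21"},
]

# Each suppression names the legitimate traffic it covers, who owns it and when it
# must be reviewed again; "*" matches any value. Entries are assumed examples.
SUPPRESSIONS = [
    {"name": "nightly-backup-to-nas", "rule": "large_transfer", "src": "10.0.5.20",
     "dst": "10.0.5.21", "owner": "infra", "expires": "2024-12-31"},
    {"name": "authorized-vuln-scanner", "rule": "port_scan", "src": "10.0.9.9",
     "dst": "*", "owner": "secops", "expires": "2024-06-30"},
]


def _field_matches(pattern, value):
    return pattern == "*" or pattern == value


def matches(alert, suppression):
    """A suppression applies only when rule, source and destination all match."""
    return all(_field_matches(suppression[k], alert[k]) for k in ("rule", "src", "dst"))


def triage(alerts, suppressions, today):
    """Apply non-expired suppressions.

    Returns (remaining alerts, hit count per active suppression, names of expired suppressions).
    Expired entries stop matching so that stale exceptions resurface for review.
    """
    today = date.fromisoformat(today)
    active, expired = [], []
    for s in suppressions:
        (expired if date.fromisoformat(s["expires"]) < today else active).append(s)
    hits = {s["name"]: 0 for s in active}
    remaining = []
    for alert in alerts:
        hit = next((s for s in active if matches(alert, s)), None)
        if hit:
            hits[hit["name"]] += 1
        else:
            remaining.append(alert)
    return remaining, hits, [s["name"] for s in expired]


def reduction(alerts, suppressions, today):
    """Fraction of alert volume removed by tuning on the given day."""
    remaining, _, _ = triage(alerts, suppressions, today)
    return 1 - len(remaining) / len(alerts)


if __name__ == "__main__":
    for day in ("2024-05-15", "2024-07-01"):
        remaining, hits, expired = triage(ALERTS, SUPPRESSIONS, day)
        print(day, "remaining:", [a["id"] for a in remaining], "hits:", hits, "expired:", expired)
```

Note that alert 6 is not suppressed even though it comes from the backup server: the backup exception covers only the large-transfer rule, so a port scan from that host still surfaces. Running the same alerts after the scanner exception has expired shows the volume climbing back, which is the signal that the rule needs to be re-confirmed with its owner rather than silently extended.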
Encrypted traffic, WAF, and Zero Trust
For TLS/SSL inspection there are three approaches: importing internal certificates for internal communication, analyzing metadata and certificate reputation for external traffic, and finally decryption via a firewall or web proxy. Banks approach decryption cautiously; they often rely on behavioral techniques, especially for detecting command-and-control channels. For web application firewalls, however, looking into the content is necessary, otherwise they would not be able to recognize an attack. Newer versions of TLS raise the bar, so segmentation and in-line devices that stop, inspect, and safely let the communication through are also used.
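The metadata-based approach above, as an added example not taken from the panel: without decrypting anything, a detector looks at per-connection TLS metadata (timestamps, SNI, whether the certificate is self-signed, and how old it is) and flags a source/destination pair whose connections recur at near-constant intervals, the typical shape of a command-and-control beacon. The flow records, thresholds and hostnames are constructed assumptions.

```python
import statistics
from collections import defaultdict
from datetime import datetime


def _flow(ts, src, dst, sni, self_signed, cert_age_days):
    return {"ts": ts, "src": src, "dst": dst, "sni": sni,
            "self_signed": self_signed, "cert_age_days": cert_age_days}


# Constructed TLS flow metadata (no payload): one record per connection.
# ws-17 connects every ~60 s to a self-signed, days-old certificate with no SNI.
FLOWS = [_flow(t, "ws-17", "203.0.113.9", "", True, 3) for t in [
    "2024-05-01T10:00:00", "2024-05-01T10:01:01", "2024-05-01T10:02:00", "2024-05-01T10:02:59",
    "2024-05-01T10:04:01", "2024-05-01T10:05:00", "2024-05-01T10:06:00", "2024-05-01T10:07:01"]]
# ws-20 connects irregularly to a CA-issued certificate for an update service.
FLOWS += [_flow(t, "ws-20", "198.51.100.7", "update.example.net", False, 200) for t in [
    "2024-05-01T10:00:00", "2024-05-01T10:00:05", "2024-05-01T10:03:30", "2024-05-01T10:10:00",
    "2024-05-01T10:10:02", "2024-05-01T10:25:00", "2024-05-01T10:26:00"]]


def intervals(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(datetime.fromisoformat(t) for t in timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_stats(timestamps):
    """Mean interval and coefficient of variation (stdev / mean); None if too few points."""
    gaps = intervals(timestamps)
    if len(gaps) < 2:
        return None
    mean = statistics.mean(gaps)
    if mean == 0:
        return mean, float("inf")
    return mean, statistics.pstdev(gaps) / mean


def is_beaconing(timestamps, min_flows=6, max_cv=0.1):
    """Periodic if enough connections exist and their spacing barely varies (thresholds assumed)."""
    if len(timestamps) < min_flows:
        return False
    stats = beacon_stats(timestamps)
    return stats is not None and stats[1] <= max_cv


def cert_reasons(flow, max_age_days=30):
    """Certificate-metadata observations that lower the destination's reputation."""
    reasons = []
    if flow["self_signed"]:
        reasons.append("self-signed certificate")
    if flow["cert_age_days"] < max_age_days:
        reasons.append(f"certificate issued {flow['cert_age_days']} days ago")
    if not flow["sni"]:
        reasons.append("no SNI")
    return reasons


def analyze(flows):
    """Return one finding per source/destination pair that beacons or has a suspicious certificate."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    findings = []
    for (src, dst), fs in sorted(by_pair.items()):
        beacon = is_beaconing([f["ts"] for f in fs])
        reasons = cert_reasons(fs[0])
        if beacon or reasons:
            findings.append({"src": src, "dst": dst, "beaconing": beacon,
                             "cert": reasons, "flows": len(fs)})
    return findings


if __name__ == "__main__":
    for finding in analyze(FLOWS):
        print(finding)
```

Jitter is why the check uses a coefficient of variation rather than an exact period: the ws-17 gaps drift by a second or two and still score well under the threshold, while the update traffic from ws-20 has gaps ranging from two seconds to fifteen minutes and is left alone. In production the same statistics would be computed over a sliding window of hours, not minutes, and combined with the firewall's own reputation data for the destination.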
The five-year outlook is marked by automation, machine learning, and Zero Trust. Identity and context will decide who gets access to what, with minimal manual administration and machine-to-machine microsegmentation. Zero Trust is also replacing classic VPNs in application access scenarios. Although adoption among smaller firms may be uneven, practice shows that SMBs are already deploying advanced XDR and streamlining their defenses – mainly because experts are scarce and a fast, accurate response is crucial.