Security monitoring and incident response are critical for detecting and responding to security threats. This guide covers monitoring strategies, SIEM systems, intrusion detection, and effective incident response procedures.
Security Logging
What to Log
- Authentication Events: Login attempts, failures, successes, logouts
- Authorization Events: Permission denials, privilege escalations
- Data Access: Sensitive data reads, modifications, deletions
- System Events: Configuration changes, service restarts
- Network Events: Unusual traffic patterns, connection attempts
- Application Events: Errors, exceptions, suspicious activities
Structured Logging
import winston from 'winston';
const logger = winston.createLogger({
level: 'info',
format: winston.format.json(),
defaultMeta: { service: 'api' },
transports: [
new winston.transports.File({ filename: 'error.log', level: 'error' }),
new winston.transports.File({ filename: 'combined.log' }),
],
});
// Security event logging
function logSecurityEvent(event: SecurityEvent) {
logger.warn('Security Event', {
event: event.type,
severity: event.severity,
userId: event.userId,
ip: event.ip,
userAgent: event.userAgent,
details: event.details,
timestamp: new Date().toISOString(),
requestId: event.requestId,
});
}
// Usage
logSecurityEvent({
type: 'FAILED_LOGIN',
severity: 'medium',
userId: email,
ip: req.ip,
userAgent: req.get('user-agent'),
details: { attempts: 3 },
requestId: req.id,
});SIEM Systems
Security Information and Event Management (SIEM) systems aggregate and analyze security logs.
Popular SIEM Solutions
- Splunk: Enterprise-grade SIEM with powerful analytics
- ELK Stack: Elasticsearch, Logstash, Kibana - open source
- Datadog: Cloud-native monitoring and security
- Azure Sentinel: Microsoft's cloud-native SIEM
- Sumo Logic: Cloud-based log management
Intrusion Detection
Anomaly Detection
// Detect unusual login patterns
async function detectAnomalousLogin(userId: string, ip: string) {
const recentLogins = await db.logins.findMany({
where: {
userId,
createdAt: { gte: new Date(Date.now() - 24 * 60 * 60 * 1000) },
},
});
// Check for unusual IP
const uniqueIPs = new Set(recentLogins.map(l => l.ip));
if (!recentLogins.some(l => l.ip === ip)) {
// New IP address
await logSecurityEvent({
type: 'UNUSUAL_LOGIN_LOCATION',
severity: 'medium',
userId,
ip,
details: { previousIPs: Array.from(uniqueIPs) },
});
}
// Check for rapid logins
if (recentLogins.length > 10) {
await logSecurityEvent({
type: 'RAPID_LOGIN_ATTEMPTS',
severity: 'high',
userId,
ip,
details: { count: recentLogins.length },
});
}
}Security Alerts
Alert Configuration
// Alert on security events
async function checkSecurityAlerts() {
const recentEvents = await db.securityEvents.findMany({
where: {
createdAt: { gte: new Date(Date.now() - 60 * 60 * 1000) },
severity: { in: ['high', 'critical'] },
},
});
if (recentEvents.length > 5) {
await sendSecurityAlert({
type: 'MULTIPLE_HIGH_SEVERITY_EVENTS',
count: recentEvents.length,
events: recentEvents,
});
}
}
// Real-time alerting
function setupSecurityAlerts() {
// Monitor failed logins
eventEmitter.on('failed_login', async (data) => {
if (data.attempts >= 5) {
await sendSecurityAlert({
type: 'BRUTE_FORCE_ATTEMPT',
severity: 'high',
details: data,
});
}
});
// Monitor privilege escalations
eventEmitter.on('permission_denied', async (data) => {
if (data.user.role === 'admin') {
await sendSecurityAlert({
type: 'UNAUTHORIZED_ADMIN_ACCESS_ATTEMPT',
severity: 'critical',
details: data,
});
}
});
}Incident Response Plan
Response Phases
- Preparation: Tools, procedures, team training
- Identification: Detect and confirm security incident
- Containment: Isolate affected systems
- Eradication: Remove threat and vulnerabilities
- Recovery: Restore systems and services
- Lessons Learned: Post-incident review and improvements
Incident Response Team
- Incident Response Manager: Coordinates response
- Security Analysts: Investigate and analyze
- System Administrators: Technical remediation
- Legal/Compliance: Regulatory requirements
- Communications: Internal and external messaging
Automated Response
// Automated threat response
async function handleSecurityThreat(event: SecurityEvent) {
switch (event.type) {
case 'BRUTE_FORCE_ATTEMPT':
// Block IP address
await blockIP(event.ip, '1 hour');
await logSecurityEvent({
type: 'IP_BLOCKED',
severity: 'medium',
details: { ip: event.ip, reason: 'brute_force' },
});
break;
case 'SUSPICIOUS_ACTIVITY':
// Require additional authentication
await requireMFA(event.userId);
await notifyUser(event.userId, 'Suspicious activity detected');
break;
case 'DATA_BREACH_INDICATOR':
// Immediate containment
await disableAffectedAccounts(event.userIds);
await notifyIncidentResponseTeam(event);
await startForensicInvestigation(event);
break;
}
}Security Audits
Regular Audit Checklist
- Review access logs for unauthorized access
- Audit user permissions and roles
- Check for unused accounts and credentials
- Review security configurations
- Analyze failed authentication attempts
- Review data access patterns
- Check for security policy violations
- Audit third-party integrations
Forensic Investigation
When incidents occur, preserve evidence for investigation:
- Preserve logs and system state
- Document timeline of events
- Capture network traffic (if applicable)
- Take system snapshots
- Maintain chain of custody
- Work with legal team for compliance
Compliance and Reporting
- GDPR: Report breaches within 72 hours
- HIPAA: Breach notification requirements
- PCI DSS: Security monitoring requirements
- Regular security reports to management
- Document all security incidents
Real-World Implementation
Security monitoring setup for a SaaS platform:
- ELK Stack for log aggregation and analysis
- Custom dashboards for security metrics
- Automated alerts for critical events
- Daily security reports
- Weekly security reviews
- Monthly penetration testing
- Result: 90% faster threat detection, 80% reduction in incident response time
Best Practices
- Log everything relevant, but sanitize sensitive data
- Centralize logs for easier analysis
- Set up real-time alerting for critical events
- Regularly review and tune alert thresholds
- Maintain incident response playbooks
- Conduct regular security drills
- Keep audit logs for compliance requirements
- Continuously improve based on lessons learned
Conclusion
Security monitoring and incident response are essential for maintaining application security. Implement comprehensive logging, use SIEM systems for analysis, set up automated alerts, and maintain a well-defined incident response plan. Regular audits and continuous improvement help stay ahead of threats. Remember: detection and response capabilities are as important as prevention.