Continuous monitoring has become a major focus area in
cybersecurity. Customers, experts and standards bodies alike claim that
continuous monitoring will vastly improve the security of our networks and
critical infrastructure.
So what is it?!
We can provide a simple explanation by using a physical
security example. Let’s suppose that you want to protect the perimeter of your
building or compound, but you only have single-shot cameras to monitor who’s
going in and out. You set them up to take photographs every 15 minutes, and you
analyze them at the end of the day to look for breaches or irregularities. Of
course, you miss a lot of activity!
To start implementing continuous monitoring in our example,
you swap out the single-shot cameras for video cameras. Now you have a
continuous view, in real time, of what’s occurring in and around your physical
enterprise. You have all the information you need to secure your compound, but
do you have the resources to monitor and analyze the information in real time?
That’s the same issue with monitoring the security of cyberspace,
except the amount of information you collect can be significantly greater. A
typical enterprise can collect logs and events from firewalls, routers,
servers, PCs, and more. You can also
include physical security data – video, badge machines, motion detectors, etc. In
addition, you have to know, and continually update, your asset inventory – both
hardware and software. Based on that inventory, the next step is to evaluate
the configuration of each asset to ensure it complies with secure configuration
standards and guidelines. That inventory also needs to be continually scanned
against known vulnerabilities and threats. Vulnerabilities can be based on the
asset configuration or the network upon which it resides. As you can see,
continuous monitoring is a complex process with a lot of moving parts – and
that’s just deploying a basic capability! The eventual goals of developing this
capability are to:
- Put in place a better (defined, repeatable) process for detecting and remediating security issues
- Create a way to score an organization’s security risk
- Leverage the insight gained to institute a process of continual improvement towards a more secure enterprise
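The steps above (maintain an inventory, check each asset against a secure-configuration baseline, scan it against known vulnerabilities, roll the results up into a risk score, and compare one pass with the next so that new and remediated issues stand out) can be sketched in code. The following is an added example and is not code from the original post; the asset inventory, the configuration baseline, the vulnerable-version list and the scoring formula are all constructed for illustration and stand in for whatever products and feeds a real enterprise would plug in.

```python
"""Toy continuous-monitoring pass: inventory -> config check -> vuln check -> score.

Added example, not from the original post. Every asset, baseline setting,
vulnerable version and the scoring weights below are constructed placeholders.
"""
from dataclasses import dataclass

# Constructed secure-configuration baseline (hypothetical settings, not a real standard).
BASELINE = {
    "ssh_root_login": "no",
    "password_auth": "no",
    "firewall_enabled": "yes",
}

# Constructed (software, version) pairs standing in for a vulnerability feed.
KNOWN_VULNERABLE = {
    ("openssh", "7.4"),
    ("apache", "2.4.29"),
}


@dataclass
class Asset:
    name: str
    kind: str          # e.g. "server", "pc", "firewall"
    config: dict       # setting name -> reported value
    software: dict     # package name -> installed version


@dataclass(frozen=True)
class Finding:
    asset: str
    category: str      # "config" or "vuln"
    detail: str
    severity: int      # 1 (low) .. 5 (high), constructed weights


def check_configuration(asset):
    """Compare an asset's reported settings against the baseline."""
    findings = []
    for key, expected in BASELINE.items():
        actual = asset.config.get(key)
        if actual is None:
            # A setting that is not reported at all is itself a gap in visibility.
            findings.append(Finding(asset.name, "config", f"{key} not reported", 2))
        elif actual != expected:
            findings.append(Finding(asset.name, "config",
                                    f"{key}={actual}, expected {expected}", 3))
    return findings


def check_vulnerabilities(asset):
    """Flag installed software versions that appear in the vulnerable list."""
    return [Finding(asset.name, "vuln", f"{sw} {ver} is on the vulnerable list", 5)
            for sw, ver in asset.software.items() if (sw, ver) in KNOWN_VULNERABLE]


def risk_score(findings, asset_count):
    """Constructed score: severities summed, normalised per asset, capped at 100."""
    if asset_count == 0:
        return 0
    return min(100, round(10 * sum(f.severity for f in findings) / asset_count))


def run_monitoring_pass(inventory):
    """One full pass over the inventory; returns (findings, score)."""
    findings = []
    for asset in inventory:
        findings.extend(check_configuration(asset))
        findings.extend(check_vulnerabilities(asset))
    return findings, risk_score(findings, len(inventory))


def compare_passes(previous, current):
    """What continuous monitoring adds over a snapshot: drift between two passes.

    Returns (new_findings, resolved_findings) as sets of Finding objects.
    """
    prev, cur = set(previous), set(current)
    return cur - prev, prev - cur


# Constructed inventory of three assets.
INVENTORY = [
    Asset("web01", "server",
          {"ssh_root_login": "no", "password_auth": "no", "firewall_enabled": "yes"},
          {"apache": "2.4.29", "openssh": "8.2"}),
    Asset("db01", "server",
          {"ssh_root_login": "yes", "firewall_enabled": "yes"},   # password_auth unreported
          {"openssh": "7.4"}),
    Asset("pc17", "pc",
          {"ssh_root_login": "no", "password_auth": "yes", "firewall_enabled": "yes"},
          {}),
]

if __name__ == "__main__":
    first, score = run_monitoring_pass(INVENTORY)
    print(f"pass 1: {len(first)} findings, risk score {score}")
    # Simulate remediating db01's root login, then re-run the pass.
    INVENTORY[1].config["ssh_root_login"] = "no"
    second, score2 = run_monitoring_pass(INVENTORY)
    new, resolved = compare_passes(first, second)
    print(f"pass 2: risk score {score2}, {len(new)} new, {len(resolved)} resolved")
```

The point of `compare_passes` is that a single scan only tells you the posture at one instant; keeping the previous pass and diffing it is what turns the output into a remediation queue and a trend you can score against.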
Regardless of the size of an enterprise, collecting and
analyzing this information is daunting. You must first determine what sensors
(products) you have and what data you are collecting. There is a wide variety
of products in the market that perform the functions described above. The heavy lifting for continuous monitoring
is in the integration of the products and information into a stable
infrastructure that ensures the continuous flow of data and analysis that represents
the overall security posture of an organization.
In following blog posts, I’ll delve into the other
functional areas that define a full continuous monitoring solution and how that
aligns with a comprehensive enterprise security reference architecture.
