The security industry is one that’s never short of buzzwords. And recently there’s certainly been a lot of buzz around the “continuous monitoring” of business-technology systems and how continuous monitoring can improve security, compliance, and even operations. But what does “continuous” really mean, and what really needs to be monitored so closely?
Last week, at the Qualys Security Conference 2013, Securosis president and analyst Mike Rothman tried to provide some answers, and offer attendees pragmatic advice on how they can incorporate continuous monitoring into their IT management and security efforts.
“It’s one of these things that when you drive down and really examine all the stuff that you could possibly monitor it quickly becomes overwhelming,” said Rothman. “Especially when people look at everything that they’re supposed to try to do,” he said.
To help security managers focus on the right things when deciding which events and data they should continuously monitor, Rothman walked through a number of specific use cases where continuous monitoring, and continuous security monitoring in particular, makes sense.
Rothman broke down the following use cases:
The attack use case: In the attack use case, teams are monitoring assets for potential attack paths. This includes logs, network topology and traffic for anomalous behavior, as well as asset vulnerability and configuration posture.
The change control use case: Continuous monitoring is used to manage operational change better: to understand who made a change, whether it was made within policy, and whether it introduced any faults into the infrastructure. In this use case, configuration and vulnerability levels are also tracked.
The compliance use case: In many ways, the regulatory compliance use case is the easiest one to sell and obtain budget for, said Rothman. This means monitoring assets, configuration and vulnerability management posture, and event logs with an eye to staying within the policies required by any number of industry and government regulations, depending on the organization’s industry.
The first thing enterprises must do is identify their core goals, that is, which continuous monitoring use cases they are going to focus on. “It’s about identifying the problems you are going to try to solve. Is it a compliance problem? Are you trying to get a better operational handle on your environment? Are you trying to deal with attacks? Obviously those aren’t mutually exclusive, but they do tend to build toward the broadest, deepest, and ultimate goal of monitoring and that’s to deal with advanced attacks,” Rothman said.
Of course, organizations can’t start by monitoring every bit of data and every asset they own. The key is to focus on monitoring and protecting the data that would cause “blood to flow in the streets” should there be a breach and that data be compromised. “Go through a period of asset and data classification,” advises Rothman. “Identify what assets you are worried about, then determine how important each of those assets are,” he said.
The most critical are the ones where the continuous monitoring efforts should start.
Once assets are being monitored at a steady frequency, the alerts are going to start rolling in. That’s both good news, and bad news, Rothman explained. “There’s always going to be an aspect of false positives. Ultimately you want to minimize those. And as you’re monitoring and you mature the program, you get better at isolating the root cause of what happened around attacks. But I would say, even more important than that, is that you’re able to narrow down focus on a select set of alerts that are more likely to be problematic,” he said.
One way to minimize those false positives is to get your security monitoring technologies working together properly, such as Security Information and Event Management (SIEM) and vulnerability management applications, he said. Doing so helps separate the real signal from the day-to-day noise.
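The two ideas above, prioritizing by asset classification and correlating SIEM alerts with vulnerability management data, can be shown in one small triage routine. The following is an added example written for this page, not code from Rothman, Securosis, Qualys, or the article. Host names, criticality ratings, alert severities and the vulnerability identifiers (VULN-A, VULN-B) are all constructed placeholders; the weighting factors are assumptions chosen to illustrate the effect, not a published formula.

```python
"""Rank SIEM alerts by correlating them with asset criticality and scan findings.

Added example with constructed data; not the article's or any vendor's code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Asset:
    host: str
    criticality: int  # 1 (nuisance) .. 5 ("blood in the streets" data)


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    vuln_id: Optional[str]  # weakness the signature targets, if the SIEM rule knows it
    severity: int           # 1..5 as emitted by the SIEM rule


# Constructed inventory from a hypothetical asset-classification exercise.
ASSETS: Dict[str, Asset] = {
    "db-01": Asset("db-01", 5),      # customer database
    "web-02": Asset("web-02", 3),    # public web server
    "kiosk-07": Asset("kiosk-07", 1),
}

# Constructed vulnerability-scanner output: host -> open findings.
# "VULN-A" / "VULN-B" are placeholders, not real scanner or CVE identifiers.
SCAN_FINDINGS: Dict[str, Set[str]] = {
    "db-01": {"VULN-A"},
    "web-02": {"VULN-B"},
    "kiosk-07": {"VULN-A", "VULN-B"},
}

# Constructed SIEM alerts from one monitoring interval.
ALERTS: List[Alert] = [
    Alert("a1", "db-01", "VULN-B", 5),     # loud, but db-01 is not exposed to VULN-B
    Alert("a2", "db-01", "VULN-A", 3),     # quieter, but host is vulnerable and critical
    Alert("a3", "kiosk-07", "VULN-A", 5),  # vulnerable, but a low-value asset
    Alert("a4", "web-02", None, 2),        # rule carries no vulnerability context
    Alert("a5", "printer-9", "VULN-A", 4), # host missing from the inventory
]


def score_alert(alert: Alert, assets: Dict[str, Asset],
                findings: Dict[str, Set[str]]) -> Tuple[float, str]:
    """Return (score, reason). Weights are illustrative assumptions."""
    asset = assets.get(alert.host)
    if asset is None:
        # Unknown host: it cannot be valued, so it goes to an inventory clean-up queue
        # rather than competing with classified assets for analyst time.
        return 0.0, "unclassified host"
    base = float(alert.severity * asset.criticality)
    if alert.vuln_id is None:
        return base, "no vulnerability context"
    if alert.vuln_id in findings.get(alert.host, set()):
        return base * 2.0, "host confirmed vulnerable"
    return base * 0.25, "host not vulnerable to targeted weakness"


def triage(alerts: List[Alert], assets: Dict[str, Asset],
           findings: Dict[str, Set[str]]) -> List[Tuple[str, float, str]]:
    """Rank alerts highest-score first so analysts start with the likely-real ones."""
    ranked = [(a.alert_id, *score_alert(a, assets, findings)) for a in alerts]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for alert_id, score, reason in triage(ALERTS, ASSETS, SCAN_FINDINGS):
        print(f"{alert_id:>3}  score={score:6.2f}  {reason}")
```

With this data the medium-severity alert on the vulnerable, critical database (a2) rises to the top, while the highest-severity alert (a1) drops because the scanner shows the host is not exposed to the weakness the signature targets. That reordering is the "signal from noise" effect of wiring the SIEM and vulnerability management data together; the unclassified host (a5) is a reminder that the asset inventory itself needs continuous upkeep.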
Finally, how can enterprises gauge the success of their continuous monitoring programs? Rothman said in a chat outside of his talk that success comes when “you’re a lot more responsive and focusing on incidents and situations that actually create risk and can result in breaches. That’s when you know you’re making progress: when you’re not spending a lot of time in dark holes chasing down stuff that ultimately becomes inconsequential.”