In the first installment of this series, we provided a general overview of the concept of continuous security monitoring (CSM), described the process of classifying assets, and outlined three general use cases. In this second article in the series, we will explain a little more about CSM in general and how it can help your organization react faster and better to an ever-evolving threat landscape.
Remember the old marketing tagline, “Get Ahead of the Threat?” It seems pretty funny now, doesn’t it? Given the kinds of attacks you face and attackers’ increasing sophistication — you never see the threats coming.
Thus your only option is to React Faster and Better. The bad news is that it won’t get easier any time soon, because the attackers are getting better and the defenses are not improving at nearly the same pace.
Don’t shoot the messenger, but understand this is the reality of today’s information security landscape.
The behavior of most organizations over the past decade hasn’t helped, either. Most companies spend the bulk of security budgets on preventative controls proven ineffective over and over again. Part of this is due to compliance mandates for ancient technologies, but only very forward-thinking organizations invest sufficiently in the detection and response aspects of their security programs.
Unfortunately, organizations become enlightened only after cleaning up major data breaches. For the unenlightened, detection and response remain horribly under-resourced and underfunded.
At the same time, the US government has been pushing a “continuous monitoring” (CM) agenda on both military and civilian agencies to provide “situational awareness,” which is really just a fancy term for understanding what the hell is happening in your environment at any given time.
In fact, the Department of Homeland Security (DHS) is now referring to this capability as “Continuous Diagnostics and Mitigation,” which sets an objective that “officials at each agency will be able to quickly identify which problems to fix first, and empower technical managers to prioritize and mitigate risks.” Uh, OK.
Ultimately, regardless of what you call it (CM or CDM), the problem is that this monitoring requirement applies to a variety of operational disciplines in the public sector, and it doesn’t necessarily mean ‘continuous’. CM (or CDM) is a good first step, but as with most first steps, too many organizations take it as the destination rather than the start of a long journey.
We have always strongly advocated security monitoring, and have published a ton of research on these topics, from our philosophical foundation (Monitor Everything) to our SIEM research (Understanding and Selecting, and SIEM Replacement).
And don’t forget our process modeling of Network Security Operations, which is all about security monitoring. We don’t need to be sold on the importance of security monitoring, but evidently the industry still needs convincing, given the continued failure of even large organizations to realize they must combine a strong set of controls with equally strong capabilities for detection, monitoring, and incident response.
To complicate matters, technology continues to evolve with the advent of BYOD, increasing mobility, cloud computing, virtualization, and a host of other innovations focused on making technology more accessible, scalable, and effective. This also means the tools and processes for security monitoring today are different from those of even 18 months ago, and the tools will look different 18 months from now.
This Continuous Security Monitoring (CSM) article series will evaluate these advancements, flesh out our definition of CSM, break down the use cases for CSM, and consider the technology platforms that can provide this cornerstone of your security program.
React Faster and Better
We have gotten a lot of mileage out of our React Faster and Better concept, which really just means you need to accept and plan for the fact that you cannot stop all attacks. Even more to the point (and potentially impacting your wallet), success is heavily determined by how quickly you detect attacks and how effectively you respond to them.
We suggest you read that paper for a detailed perspective on what is involved in incident response — along with ideas on the organization, processes, and tools required to do it well.
This paper will not rehash that territory — instead it will help you assemble a toolkit (including both technology and process) to monitor your information assets to meet a variety of needs in your organization. Clearly you want to know when you’re being attacked.
If you don’t understand the importance of this aspect of security, just consider that a majority of breaches (at least according to the latest Verizon Business Data Breach Incident Report) continue to be identified by third parties, such as payment processors and law enforcement. That means organizations typically have no idea when they are compromised, and that is a big problem.
But you can also use CSM for both change control and compliance purposes, so we’ll cover those use cases as well.
We can groan all day and night about how behind-the-times the PCI-DSS remains, or how the US government has defined Continuous Monitoring. But attackers innovate and move much more quickly than regulation, and that is not going to change. So you need to understand these mandates for what they are: a low bar to get you moving toward a broader goal of continuous security monitoring.
But before we take the typical cynical approach and gripe about what’s wrong, let’s recognize the yeoman’s work already done to highlight the importance of monitoring to protecting information (data).
Without PCI and the US government mandating security data aggregation and analysis, we would still be spending most of our time evangelizing the need for even simplistic monitoring in the first place. The fact that we don’t is a testament to the industry’s ability to parlay a mandate into something productive.
That said, if you are looking to solve security problems and identify advanced attackers, you need to go well beyond mandates. This article series will also define what we call “Continuous Security Monitoring” and dig into the different sources of data you need to figure out how big your problem is.
See what we did there? You have a problem, and we won’t argue that — your success hinges on determining what has been compromised and for how long.
In the third installment of this ten-article series, we will examine how NIST defines Continuous Security Monitoring and the challenges involved in achieving full network visibility. Stay tuned!
Editor’s Note: This post is a series of excerpts from the Continuous Security Monitoring whitepaper developed by Mike Rothman of Securosis, and was developed independently and objectively using the Securosis Totally Transparent Research process. The entire paper is available here.
About the Author: Securosis Analyst/President Mike Rothman’s bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security — such as protecting networks and endpoints, security management, and compliance. Mike is one of the most sought-after speakers and commentators in the security business, and brings a deep background in information security. After 20 years in and around security, he’s one of the guys who “knows where the bodies are buried” in the space. Mike published The Pragmatic CSO in 2007 to introduce technically oriented security professionals to the nuances of what is required to be a senior security professional. He can be reached at mrothman (at) securosis (dot) com.