Given that you can’t prevent all attacks, you need to ensure you detect attacks as quickly as possible. The concept of continuous monitoring has been gaining momentum, driven by both compliance mandates (notably PCI-DSS) and the US Federal Government’s guidance on Continuous Diagnostics and Mitigation, as a means to move beyond periodic assessment.
This makes sense given the speed at which attacks can proliferate within your environment. In this paper, Securosis will help you assemble a toolkit (both technology and process) to implement our definition of Continuous Security Monitoring (CSM), so you can monitor your information assets to meet a variety of needs in your organization.
Given the different definitions of security monitoring, we advocate a risk-based approach to monitoring and assessing critical devices. That means ensuring the most critical assets are truly monitored continuously, and by “continuous” we mean uninterrupted.
We’ve heard all the excuses about why it’s not practical to monitor everything continuously, and for the majority of devices in your environment you probably don’t need continuous monitoring. Yet for those devices that are truly critical, intermittent assessment leaves a window of exposure for attackers, and that is a window you can’t afford.
Now that you understand there are some devices that you need to monitor continuously, and others where periodic assessment is sufficient, you’ve got to do the work to determine which devices fall into which category.
This involves having a means for ongoing discovery of new assets in your environment, because you can’t monitor (or protect) devices you don’t know about.
You can achieve this discovery by actively scanning your network address space, by passively monitoring network traffic for devices you haven’t seen before, or (more likely) both. The two complement each other: an active sweep misses devices that are offline, firewalled, or outside the scanned ranges at the time of the sweep, while passive monitoring misses devices that don’t send traffic across a segment you are watching. In either case, awareness of your network topology is a critical success factor for CSM.
Next you need a consistent and objective way to classify those assets based on criticality. There are many ways to classify assets, and we tend to favor one based on business criticality.
Basically, devices with access to information whose compromise could result in significant losses to the organization are necessarily more critical and warrant more frequent monitoring/assessment. Another key aspect of classification is gaining internal consensus, especially when most senior managers are of the opinion that the systems supporting their own business are the most important ones.
Not everything can be an absolutely critical device, so tough choices need to be made, and everyone must agree with those choices.
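To make the discovery and classification steps concrete, here is an added Python sketch (an illustration written for this post, not code from Securosis or Tripwire) of an asset inventory that merges active-scan and passive-traffic observations, flags devices it has never seen, and reports any asset whose assessment gap exceeds the tolerance for its criticality tier. The tier names, the gap thresholds, and every address and timestamp are constructed assumptions for the example, not values the paper prescribes.

```python
"""Ongoing discovery plus risk-tiered monitoring cadence.

Added illustrative example; all inventory, scan and traffic data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Maximum tolerated gap between assessments per criticality tier (assumed values).
# "critical" is the continuous tier: anything beyond a few minutes is exposure.
MAX_GAP = {
    "critical": timedelta(minutes=5),
    "high": timedelta(days=1),
    "medium": timedelta(days=7),
    "low": timedelta(days=30),
}


@dataclass
class Asset:
    ip: str
    tier: str = "unclassified"              # must be tiered before it gets a cadence
    sources: Set[str] = field(default_factory=set)   # "active" and/or "passive"
    first_seen: Optional[datetime] = None
    last_assessed: Optional[datetime] = None


class Inventory:
    def __init__(self) -> None:
        self.assets: Dict[str, Asset] = {}

    def observe(self, ip: str, source: str, when: datetime) -> bool:
        """Record a sighting from either discovery method; True if the IP is new."""
        asset = self.assets.get(ip)
        is_new = asset is None
        if is_new:
            asset = Asset(ip=ip, first_seen=when)
            self.assets[ip] = asset
        asset.sources.add(source)
        return is_new

    def ingest_active_scan(self, responders: List[str], scan_time: datetime) -> List[str]:
        """Merge one sweep of the address space; return newly discovered IPs."""
        return [ip for ip in responders if self.observe(ip, "active", scan_time)]

    def ingest_passive(self, flows: List[Tuple[str, datetime]]) -> List[str]:
        """Merge (ip, timestamp) sightings from a monitored segment; return new IPs."""
        return [ip for ip, ts in flows if self.observe(ip, "passive", ts)]

    def classify(self, ip: str, tier: str) -> None:
        if tier not in MAX_GAP:
            raise ValueError(f"unknown tier {tier!r}")
        self.assets[ip].tier = tier

    def record_assessment(self, ip: str, when: datetime) -> None:
        self.assets[ip].last_assessed = when

    def exposure_report(self, now: datetime) -> List[Tuple[str, str, Optional[timedelta]]]:
        """(ip, tier, gap) for every asset outside its cadence.

        Unclassified or never-assessed assets are reported with gap=None:
        a device with no tier has no cadence, which is itself a finding.
        """
        findings = []
        for a in self.assets.values():
            if a.tier == "unclassified" or a.last_assessed is None:
                findings.append((a.ip, a.tier, None))
                continue
            gap = now - a.last_assessed
            if gap > MAX_GAP[a.tier]:
                findings.append((a.ip, a.tier, gap))
        return findings


def demo():
    """Run the constructed scenario; returns (new_from_scan, new_from_traffic, report)."""
    inv = Inventory()
    t0 = datetime(2013, 10, 1, 9, 0)
    # Constructed baseline inventory from a previous cycle, already classified.
    for ip, tier in [("10.0.1.10", "critical"), ("10.0.1.11", "high"), ("10.0.2.5", "low")]:
        inv.observe(ip, "active", t0 - timedelta(days=1))
        inv.classify(ip, tier)
    inv.record_assessment("10.0.1.10", t0 - timedelta(minutes=30))  # critical, already stale
    inv.record_assessment("10.0.1.11", t0 - timedelta(hours=6))     # high, within a day
    inv.record_assessment("10.0.2.5", t0 - timedelta(days=10))      # low, within a month
    # Constructed sweep: 10.0.2.5 did not answer this time; 10.0.1.12 is brand new.
    new_active = inv.ingest_active_scan(["10.0.1.10", "10.0.1.11", "10.0.1.12"], t0)
    # Constructed flows: 10.0.3.7 never answers scans but is chatty on the wire.
    new_passive = inv.ingest_passive([("10.0.1.10", t0), ("10.0.3.7", t0 + timedelta(minutes=1))])
    report = inv.exposure_report(now=t0 + timedelta(minutes=2))
    return new_active, new_passive, report


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The report deliberately treats a newly discovered, unclassified device as a finding rather than silently assigning it a default cadence: until someone decides which tier it belongs in, it is outside the monitoring regime entirely, which is exactly the blind spot the discovery step exists to close. The critical host with a 32-minute assessment gap shows up as exposure even though a daily or weekly scan schedule would consider it fresh.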
As we dig into the specific use cases driving CSM, we see the bulk of projects aiming to do one or more of three things: generate compliance documentation, track changes on the monitored devices, and detect attacks. To understand each use case a little better, here is a short description:
- Attacks: This is using security monitoring to identify potential attacks and/or compromise of systems. This is the general concept we have described in our monitoring-centric research for years. It also involves both an outside-in (attacker’s view) and an inside-out (insider’s view) of the IT environment to ensure the entire attack surface is sufficiently monitored.
- Change control: An operations-centric use case is to monitor for changes, both to detect unplanned (possibly malicious or dangerous) changes, and to verify that planned changes
- Compliance: Finally, there is the checkbox use case, where a mandate or guidance requires monitoring and/or scanning technology; less sophisticated organizations have no choice but to do something. But keep in mind that the mandated product of this initiative is documentation that you are doing something — not necessarily an improved security posture, identification of security issues, or confirmation of activity.
The attack use case is bigger, broader, and more difficult than change management; compliance is the least sophisticated. Obviously you can define more granular use cases, but these three cover most of what people expect from security monitoring.
This is a reversal of the order in which most organizations adopt security technologies. Many start with a demand to achieve compliance, then move to an internal control process to deal with changes — typically internal — and finally are ready to address potential attacks by analyzing aggregated data. Of course there are many paths to security and many organizations jump right to the attack use case, especially those under immediate or perpetual attack.
Selecting the CSM Platform
To implement CSM you’ll need to decide on the technology platform to aggregate your data sources and perform the CSM analysis. You have a bunch of candidates, and probably a few already operational in your environment — though likely underutilized.
These include your SIEM and also your Vulnerability Management platform. Not to spoil the ending, but shockingly enough, the platform you choose will depend on your use case.
Be wary of any platform without a scalable data model that can evolve to handle additional data sources over time. Again, depending on your use case, you may not need those capabilities immediately, but don’t let a short-sighted technology choice sacrifice your ability to grow into the attack use case someday.
Evolving to CSM
Depending on which platform you choose to build your CSM capability on, you may simply be adding capabilities to a product already in-house, or you could be facing a rip-and-replace of existing technology.
Either way, you’ll need to go through a structured planning effort: identify the new data sources that provide the raw material for the analysis your use case needs, then document the visualizations, alerts, and reports needed to achieve the desired results.
Finally, you’ll need to apply solid project management discipline to make sure the evolution happens on time and within budget. Once you reach the implementation phase, you make the plan a reality by importing the new data and installing the policies and dashboards. Testing and verifying the accuracy of the new capabilities comes next, and then you are ready to take the new use cases into production.
At this point your new use case is operational and you are benefiting from continuous security monitoring. But attaining CSM is only the first part of your journey. New technology deployments and capabilities such as cloud computing, as well as emerging attacks, will require you to continuously evolve your security monitoring environment to keep pace.
In the second installment of this Ten Article Series, we will examine how Continuous Security Monitoring can help your organization react faster and better to threats and security events – stay tuned!
Editor’s Note: This post is a series of excerpts from the Continuous Security Monitoring whitepaper developed by Mike Rothman of Securosis, and was developed independently and objectively using the Securosis Totally Transparent Research process. The entire paper is available here.
About the Author: Securosis Analyst/President Mike Rothman’s bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security — such as protecting networks and endpoints, security management, and compliance. Mike is one of the most sought-after speakers and commentators in the security business, and brings a deep background in information security. After 20 years in and around security, he’s one of the guys who “knows where the bodies are buried” in the space. Mike published The Pragmatic CSO in 2007 to introduce technically oriented security professionals to the nuances of what is required to be a senior security professional. He can be reached at mrothman (at) securosis (dot) com.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has also compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download (registration form required).
This publication is designed to assist executives by providing guidance for implementing the broad baseline technical controls required to ensure a robust network security posture.
The author, a security and compliance architect, examined each of the Controls and distilled key takeaways and areas for improvement. At the end of each section in the e-book, you’ll find a link to the fully annotated complete text of the Control.