In the first installment of this series, we provided a general overview of continuous security monitoring, and the next article explained how CSM can help your organization react better to threats. The third article discussed the challenges regarding full visibility into your environment, the fourth article looked at classifying your network assets, and the fifth article in the series examined specific attack use cases.
The sixth, seventh and eighth installments looked at the Change Control Use Case, the Compliance Use Case, and strategies for selecting a CSM platform, and the last article covered the evolution towards CSM. This final article in the series provides a step-by-step guide to the process of implementing CSM in your environment.
When looking at the amount of work to embrace a Continuous Security Monitoring approach, it can be a little overwhelming at first glance. We thought it would be helpful to break the work into a set of logical phases and list the tasks involved in each phase. We’ll start with the functions needed for all the use cases and then go through the specifics of each use case.
As with our Quant research, these task lists represent a very detailed and granular set of activities. Not all of these activities will be appropriate for your environment or make sense with your interpretation of the use case. It’s really just a representative list to give you a place to start planning your activities.
Requirements for All Use Cases
These tasks are required for each use case. First, you need to select the technology foundation for your CSM initiative. After that you implement the technology, integrate it with other systems, and then discover the assets. Regardless of what problem you are solving, you can’t monitor something unless you know it exists.
Phase 1: Compliance
Phase 2: Change Control
Phase 3: Attacks
Given that you can’t get ahead of the threat, your success at protecting critical corporate data depends on reacting faster to imminent attacks. Yet the bulk of security spending continues to funnel into outdated controls that neither deter the attackers nor provide enough information to clean up a compromised device.
The good news is the US Federal Government and a variety of industry-specific security mandates have gotten religion about the importance of security monitoring. In fact, the industry has come around to the mentality that a point-in-time assessment no longer provides sufficient information to detect attacks or understand data loss.
But security monitoring means a lot of things to a lot of people, and it can be confusing to know how much monitoring is enough.
Securosis advocates a risk-based monitoring approach, involving classifying assets based on the perceived risk to the organization if compromised. Based on the asset classification, devices are monitored as frequently as they need to be.
Critical devices should be continuously monitored to alert as soon as anomalous activity or unauthorized change is detected — as those actions tend to be first indicators of a successful attack. Less critical devices can be assessed periodically, providing the ability to match the scrutiny on the device to its importance to your organization.
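One way to encode the rule above, as an added example that is not the whitepaper’s or Securosis’ code: continuous-tier assets have every unauthorized change evaluated as it is observed, while lower tiers hold changes until their next periodic assessment. The cadence table, asset tiers and sample inventory are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed cadence policy (constructed for this example, not taken from the whitepaper).
# None means continuous: changes on these assets are evaluated the moment they are seen.
CADENCE = {
    "critical": None,
    "high": timedelta(days=1),
    "medium": timedelta(days=7),
    "low": timedelta(days=30),
}

@dataclass
class Asset:
    name: str
    classification: str                                   # key into CADENCE
    last_assessed: datetime
    authorized_changes: set = field(default_factory=set)  # tickets approved through change control
    pending: list = field(default_factory=list)           # unauthorized changes held for the next assessment

def is_continuous(asset):
    return CADENCE[asset.classification] is None

def assessment_due(asset, now):
    """Continuous assets are always in scope; periodic ones once their cadence has elapsed."""
    return is_continuous(asset) or now - asset.last_assessed >= CADENCE[asset.classification]

def handle_change(asset, change_id, now):
    """Classify an observed change: 'authorized', 'alert' (raise now) or 'queued' (next assessment)."""
    if change_id in asset.authorized_changes:
        return "authorized"
    if assessment_due(asset, now):
        return "alert"
    asset.pending.append(change_id)
    return "queued"

def run_periodic_assessment(assets, now):
    """Assess every periodic asset that is due; return the unauthorized changes surfaced per asset."""
    findings = {}
    for a in assets:
        if not is_continuous(a) and assessment_due(a, now):
            findings[a.name] = list(a.pending)
            a.pending.clear()
            a.last_assessed = now
    return findings

# Constructed sample inventory: one asset per tier, all last assessed at T0.
T0 = datetime(2014, 5, 1, 9, 0)
INVENTORY = [Asset("db-prod-01", "critical", T0, authorized_changes={"CHG-101"}),
             Asset("web-prod-02", "high", T0), Asset("kiosk-lobby", "low", T0)]
```

The same unauthorized change is an immediate alert on the critical database but only a queued finding on the low-tier kiosk, which is the scrutiny-matches-importance trade-off the paragraph describes.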
Additional use cases beyond detecting attacks for continuous security monitoring include monitoring for change control and monitoring for compliance. Regardless of the use case deployed initially, it’s wise to invest in a monitoring technology platform applicable to all the use cases, across your entire enterprise.
The good news is that this continuous security monitoring platform may already be installed in your environment; you may just not be leveraging all of its capabilities. Whether you are extending the use of an existing technology or deploying something new, planning the implementation remains a key requirement for a successful evolution to these new capabilities.
One final note: the first set of alerts that comes streaming out of your CSM platform is not the end of your journey. It’s merely the beginning. With the rapid evolution of both attack tactics and your own technology infrastructure, you’ll need to continually adapt and evolve your monitoring capabilities to keep pace with the attackers. But given the reality that you can’t stop them, your best path to success is to detect them as early as possible.
If you have any questions on this topic, or want to discuss your situation specifically, feel free to send us a note at info (at) securosis (dot) com or ask via the Securosis Nexus.
Editor’s Note: This post is a series of excerpts from the Continuous Security Monitoring whitepaper developed by Mike Rothman of Securosis, and was developed independently and objectively using the Securosis Totally Transparent Research process. The entire paper is available here.
About the Author: Securosis Analyst/President Mike Rothman’s bold perspectives and irreverent style are invaluable as companies determine effective strategies to grapple with the dynamic security threatscape. Mike specializes in the sexy aspects of security — such as protecting networks and endpoints, security management, and compliance. Mike is one of the most sought-after speakers and commentators in the security business, and brings a deep background in information security. After 20 years in and around security, he’s one of the guys who “knows where the bodies are buried” in the space. Mike published The Pragmatic CSO in 2007 to introduce technically oriented security professionals to the nuances of what is required to be a senior security professional. He can be reached at mrothman (at) securosis (dot) com.