Why. Continuous. Security. Monitoring? [New Series]
By Mike Rothman
Remember the old marketing tagline, “Get Ahead of the Threat”? It seems pretty funny now, doesn’t it? Given the kinds of attacks we are facing and attackers’ increasing sophistication, we rarely see the threats coming, and being even marginally proactive seems like a pipe dream. The bad news is that it will not get easier any time soon. Don’t shoot the messenger, but understand that this is the reality of today’s information security landscape.
The behavior of most organizations over the past decade hasn’t helped, either. Most companies spend the bulk of their security budget on protective controls that have been shown over and over again to be insufficient on their own. Part of this is due to compliance mandates for ancient technologies, but only very forward-thinking organizations have invested sufficiently in the detection and response aspects of their security programs. Unfortunately, organizations tend to become enlightened only after cleaning up major data breaches. For the unenlightened, detection and response remain horribly under-resourced and underfunded.
At the same time the US government has been pushing a “continuous monitoring” (CM) agenda on both military and civilian agencies to provide “situational awareness,” which is really just a fancy term for understanding what the hell is happening in your environment at any given time. The problem is that CM applies to a variety of operations disciplines in the public sector, and in practice it doesn’t really mean ‘continuous’. CM is a good first step, but as with most first steps, too many organizations mistake it for the destination rather than the first step of a long journey.
We have always strongly advocated security monitoring, and have published a ton of research on these topics, from our philosophical foundation (Monitor Everything) to our SIEM research (Understanding and Selecting SIEM, SIEM Replacement). And don’t forget our process modeling of Network Security Operations, which is all about security monitoring. So we don’t need to be sold on the importance of security monitoring, but evidently the industry still needs to be convinced, given the continued failure of even large organizations to realize they must combine a strong set of controls with (at least) equally strong capabilities for detection, monitoring, and incident response.
To complicate matters, technology continues to evolve, which means the tools and processes for comprehensive security monitoring look different than they did even 18 months ago, and they will look different again 18 months from now. So we are spinning up a series called Continuous Security Monitoring (CSM) to evaluate these advancements, flesh out our definition of CSM, and break down the decision points and technology platforms that provide this cornerstone of your security program.
React Faster and Better
We have gotten a lot of mileage from our React Faster and Better concept, which really just means you need to accept and plan for the reality that you cannot stop all attacks. Even more to the point (and potentially affecting your wallet), success is heavily determined by how quickly you detect attacks and how effectively you respond to them. We suggest you read that paper for a detailed perspective on what is involved in incident response, along with ideas on the organization, processes, and tools required to do it well.
This series is not a rehash of that territory. Instead it will help you assemble a toolkit (including both technology and process) to monitor your information assets so you detect attacks more quickly and effectively. If you don’t understand the importance of this aspect of security, just consider that a majority of breaches (at least according to the latest Verizon Data Breach Investigations Report) continue to be identified by third parties, such as payment processors and law enforcement, rather than by the victim organization itself.
That means organizations have no idea when they are compromised. And that is a big problem.
We can groan all day and night about how behind the times the PCI-DSS remains, or how the US government has defined Continuous Monitoring. But attackers innovate and move much more quickly than regulation, and that is not going to change. So you need to understand these mandates for what they are: a low bar to get you moving toward a broader goal of continuous security monitoring.
But before we take the cynical security approach and gripe about what’s wrong, let’s recognize the yeoman’s work already done to highlight the importance of monitoring in protecting information (data). Without PCI and the US government mandating security data aggregation and analysis, we would still be spending most of our time evangelizing the need for even simplistic monitoring in the first place. The fact that we don’t is a testament to the industry’s ability to parlay a mandate into something productive.
That said, if you are looking to solve security problems and identify advanced attackers, you need to go well beyond the mandates. This series will introduce what we call “Continuous Security Monitoring” and dig into the different sources of data you need to figure out how big your problem is. See what we did there? You have a problem, and we won’t argue that. Your success hinges on determining what has been compromised and for how long.
As with all our research we will focus on tangible solutions that can be implemented now, while positioning yourself for future advances. We will make sure to discuss the technologies that enable Continuous Security Monitoring, and identify pitfalls to avoid as you progress. As a reminder, we develop our research using our Totally Transparent Research methodology to make sure that you all have an opportunity to let us know when we are right – and more importantly when we are wrong.
After the July 4th holiday we will get going fast and furious. But no race cars will be harmed in the production of this series…