
Why. Continuous. Security. Monitoring? [New Series]

By Mike Rothman

Remember the old marketing tagline, “Get Ahead of the Threat?” It seems pretty funny now, doesn’t it? Given the kinds of attacks we are facing and attackers’ increasing sophistication, we never see the threats coming and being even marginally reactive seems like a pipe dream. The bad news is that it will not get easier any time soon. Don’t shoot the messenger, but understand that is the reality of today’s information security landscape.

The behavior of most organizations over the past decade hasn’t helped, either. Most companies spend the bulk of their security budget on protective controls that have been proven over and over again to be ineffective. Part of this is due to compliance mandates for ancient technologies, but only very forward-thinking organizations have invested sufficiently in the detection and response aspects of their security programs. Unfortunately organizations become enlightened only after cleaning up major data breaches. For the unenlightened detection and response remain horribly under-resourced and underfunded.

At the same time the US government has been pushing a “continuous monitoring” (CM) agenda on both military and civilian agencies to provide “situational awareness,” which is really just a fancy term for understanding what the hell is happening in your environment at any given time. The problem is that CM applies to a variety of operations disciplines in the public sector, and it doesn’t really mean ‘continuous’. CM is a good first step, but as with most first steps, too many organizations take it for the destination rather than the first step of a long journey.

We have always strongly advocated security monitoring, and have published a ton of research on these topics, from our philosophical foundation (Monitor Everything) to our SIEM research (Understanding and Selecting, SIEM Replacement). And don’t forget our process modeling of Network Security Operations, which is all about security monitoring. So we don’t need to be sold on the importance of security monitoring, but evidently the industry still needs to be convinced, given the continued failure of even large organizations to realize they must combine a strong set of controls with (at least) equally strong capabilities for detection, monitoring, and incident response.

To complicate matters, technology continues to evolve, which means the tools and processes for comprehensive security monitoring look different than they did even 18 months ago, and they will look different again 18 months from now. So we are spinning up a series called Continuous Security Monitoring (CSM) to evaluate these advancements, fleshing out our definition of CSM and breaking down the decision points and technology platforms that provide this cornerstone of your security program.

React Faster and Better

We have gotten a lot of mileage from our React Faster and Better concept, which really just means you need to accept and plan for the reality that you cannot stop all attacks. Even more to the point (and potentially impacting your wallet), success is heavily determined by how quickly you detect attacks and how effectively you respond to them. We suggest you read that paper for a detailed perspective on what is involved in incident response – along with ideas on the organization, processes, and tools required to do it well.

This series is not a rehash of that territory – instead it will help you assemble a toolkit (including both technology and process) to monitor your information assets to detect attacks more quickly and effectively. If you don’t understand the importance of this aspect of security, just consider that a majority of breaches (at least according to the latest Verizon Business Data Breach Report) continue to be identified by third parties, such as payment processors and law enforcement.

That means organizations have no idea when they are compromised. And that is a big problem.

Why CSM?

We can groan all day and night about how behind the times the PCI-DSS remains, or how the US government has defined Continuous Monitoring. But attackers innovate and move much more quickly than regulation, and that is not going to change. So you need to understand these mandates for what they are: a low bar to get you moving toward a broader goal of continuous security monitoring.

But before we take the cynic’s approach and gripe about what’s wrong, let’s recognize the yeoman’s work already done to highlight the importance of monitoring to protecting information (data). Without PCI and the US government mandating security data aggregation and analysis we would still be spending most of our time evangelizing the need for even simplistic monitoring in the first place. The fact that we don’t is a testament to the industry’s ability to parlay a mandate into something productive.

That said, if you are looking to solve security problems and identify advanced attackers, you need to go well beyond the mandates. This series will introduce what we call “Continuous Security Monitoring” and dig into the different sources of data you need to figure out how big your problem is. See what we did there? You have a problem and we won’t argue that – your success hinges on determining what has been compromised and for how long.

As with all our research we will focus on tangible solutions that can be implemented now, while positioning yourself for future advances. We will make sure to discuss the technologies that enable Continuous Security Monitoring, and identify pitfalls to avoid as you progress. As a reminder, we develop our research using our Totally Transparent Research methodology to make sure that you all have an opportunity to let us know when we are right – and more importantly when we are wrong.

Finally, we would like to thank Qualys, Tenable, and Tripwire for agreeing to potentially license the paper at the end of this process.

After the July 4th holiday we will get going fast and furious. But no race cars will be harmed in the production of this series…

Comments

I personally believe in continuous monitoring as there are so many tools that can really provide it. For example, Anturis, Nagios and others. As for security I think the tools are ready enough to give alerts and you are aware how to react in cases of some emergency.

By Carla


@mike So, yes, exactly!  *All* security monitoring is continuous since monitoring is kinda a continuous process.

So, yes, I agree that the FISMA crowd poisoned the well and we need to unpoison it.

By Anton Chuvakin


@anton, really? I guess you missed the next post where I define CONTINUOUS.

con.tin.u.ous: adjective \kən-ˈtin-yue-əs\ – marked by uninterrupted extension in space, time, or sequence

UNINTERRUPTED. What about any kind of event aggregation is really continuous? You are sending the events to a separate place for parsing and analysis, maybe. That’s not uninterrupted, because the network could be down or any other such disturbance. What about any kind of vulnerability scan is continuous? Just the general act of needing to kick off/schedule a scan indicates that it’s not continuous.

To be a little less testy, I believe we (as an industry) need to redefine the FISMA-based definition of continuous because it doesn’t reflect the needs of the market, given the kinds of attacks we see today.

As you’ll see through the series, there are assets where you need to truly monitor continuously, and that will require some kind of presence and analysis on the device; and others that don’t, where a periodic approach would work just fine. That’s @dwayne’s point above.

By Mike Rothman
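The two points raised in the comments above (that a collector only sees what reaches it, so an outage or a missed scan window looks like silence rather than an alert, and that not every asset needs the same cadence) can be turned into a concrete check. The following is an added example, not code from Securosis or this post: it assigns each asset to a hypothetical monitoring tier with a maximum tolerated silence, then walks a constructed feed of event timestamps and reports every asset whose feed went quiet for longer than its tier allows, including assets that never reported at all. Asset names, tiers, thresholds and timestamps are all assumptions constructed for the illustration.

```python
"""Per-asset telemetry gap detection (added example, not Securosis code).

A continuous-tier asset must be heard from every minute; a periodic-tier
asset may go a day between reports. The check flags the silences a
collector cannot otherwise distinguish from "nothing happened".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Tier:
    name: str
    max_silence: timedelta


# Hypothetical tiers; thresholds are assumptions for the example.
CONTINUOUS = Tier("continuous", timedelta(seconds=60))
PERIODIC = Tier("periodic", timedelta(hours=24))

# Hypothetical asset inventory with tiers assigned from a risk assessment.
ASSET_TIERS = {
    "db-cardholder-01": CONTINUOUS,
    "web-edge-02": CONTINUOUS,
    "hsm-01": CONTINUOUS,          # in inventory but sends nothing
    "print-server-07": PERIODIC,
}

# Constructed event timestamps as received by the collector.
SAMPLE_EVENTS = [
    ("db-cardholder-01", "2013-07-01T10:00:00"),
    ("db-cardholder-01", "2013-07-01T10:00:30"),
    ("db-cardholder-01", "2013-07-01T10:01:00"),
    ("db-cardholder-01", "2013-07-01T10:04:00"),  # three-minute hole
    ("web-edge-02", "2013-07-01T10:00:00"),
    ("web-edge-02", "2013-07-01T10:00:45"),       # then goes quiet
    ("print-server-07", "2013-07-01T02:00:00"),
]


def parse_events(rows):
    """Group (asset, ISO timestamp) rows into sorted datetimes per asset."""
    by_asset = {}
    for asset, ts in rows:
        by_asset.setdefault(asset, []).append(datetime.fromisoformat(ts))
    for stamps in by_asset.values():
        stamps.sort()
    return by_asset


def find_gaps(events_by_asset, tiers, now):
    """Return {asset: [(gap_start, gap_end, gap_length), ...]} for every
    silence longer than the asset's tier allows. Covers interior gaps,
    trailing silence up to `now`, and assets that never reported
    (gap_start and gap_length are None in that case)."""
    findings = {}
    for asset, tier in tiers.items():
        stamps = events_by_asset.get(asset, [])
        gaps = []
        if not stamps:
            gaps.append((None, now, None))
        else:
            for earlier, later in zip(stamps, stamps[1:]):
                if later - earlier > tier.max_silence:
                    gaps.append((earlier, later, later - earlier))
            if now - stamps[-1] > tier.max_silence:
                gaps.append((stamps[-1], now, now - stamps[-1]))
        if gaps:
            findings[asset] = gaps
    return findings


if __name__ == "__main__":
    now = datetime(2013, 7, 1, 10, 5, 0)
    for asset, gaps in find_gaps(parse_events(SAMPLE_EVENTS), ASSET_TIERS, now).items():
        tier = ASSET_TIERS[asset].name
        for start, end, length in gaps:
            if start is None:
                print(f"{asset} [{tier}]: never reported as of {end}")
            else:
                print(f"{asset} [{tier}]: silent {length} from {start} to {end}")
```

Run against the constructed feed at 10:05, the check flags the three-minute hole on the cardholder database, the trailing silence on the edge web server, and the HSM that never reported, while the print server stays clean because its periodic tier tolerates a day of silence. The point is that silence is itself a signal, and the threshold for acting on it should follow the asset's tier rather than one rigor level applied everywhere.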


@matthew, that’s a good point. Protect and Prevent tend to be used synonymously, but that’s not necessarily right. Preventative definitely draws a clearer contrast to the detection provided by CSM.

By Mike Rothman


Please describe monitoring that is NOT continuous. Even daily polling is in some way continuous. Why add this extra label and thus trigger the nasty FISMA-istic thoughts?

By Anton Chuvakin


Right on Mike. Looks like this research series is right on the money (which is another way of saying you are saying what I/we say at RSA). My only minor nit is that “protective controls” should be “preventive controls”. This turn of phrase better positions CSM in the detective controls space, which leads into the importance of leveraging the monitoring system for faster investigations and ultimately more automated remediation. As in Prevent/Detect/Remediate being the 3 major phases of a security program.

By Matthew Gardiner


Really looking forward to this series.  All “continuous” is not created equal, and I’ve seen a lot of people get frustrated by trying to apply equal rigor to all things. It’s important (IMHO) to build a risk-based approach to CSM so you don’t use all your energy playing whack-a-mole.

By Dwayne Melancon

