Continuous monitoring is fast becoming a security buzzword, but it is a way for security professionals to regain lost ground, according to Bill Hargenrader, information assurance manager at Booz Allen Hamilton.
“It’s the only way to take back some of what we have lost to attackers who have too many tools at their disposal,” he told information security professionals at the (ISC)2 Security Congress 2013 in Chicago.
According to the US National Institute of Standards and Technology (Nist), the aim of continuous monitoring is ongoing awareness of information security, vulnerabilities and threats to support risk management decisions.
But to Hargenrader, it is about having an advanced, persistent monitoring system to identify the security gaps and hit back at advanced, persistent attackers.
However, he admits up front that it is impossible for any organisation to monitor everything all the time due to a lack of time and resources.
As with most security decisions, this requires choices to be made on the basis of risk, which determines whether to include internal as well as public-facing web servers, the sample size and the frequency of checks.
A good place to start when aiming to achieve continuous monitoring is a risk management framework that will set the strategy and risk tolerances for the organisation, said Hargenrader.
Continuous monitoring promises more effective management of information security risk. “The more you know, the more you can manage,” he said.
It also promises up-to-the-minute risk posture awareness for better decision-making, especially if all the information can be fed into a single dashboard.
The overall result should be improved protection of all information assets, with the potential added bonus of eliminating accreditation cycles common in military environments.
“Because assessment and authorisation are ongoing, there is no need for annual accreditation cycles, which saves money, time and resources,” said Hargenrader.
However, he also admits that achieving continuous monitoring is not without its challenges. First, integrating monitoring of all controls into a single dashboard can result in information overload. Second, integrating physical and manual checks can be difficult, and not all systems are interoperable. Third, implementing a continuous monitoring framework organisation-wide can be a challenge, because the larger the organisation, the greater the number of likely complications.
The first step is to define a continuous monitoring strategy and to establish a programme that will support that strategy. Next is putting systems in place and, once they are up and running, analysing the data to identify where the gaps are and where things are not performing up to requirement.
“Additionally, organisations should monitor their continuous monitoring programme so that it can be updated and improved so that it will mature as it goes,” said Hargenrader.
He recommends that organisations use a reference model, such as the continuous monitoring framework published by Nist.
“Don’t try to reinvent the wheel, and use existing automated systems wherever possible, only buying new systems where absolutely necessary,” said Hargenrader.
For the ultimate implementation of continuous monitoring, organisations will require an underlying aggregate framework to pull all the information together.
“This is neither easy, nor is it inexpensive,” said Hargenrader.
For operational controls that require manual logging, such as backups for multiple remote sites, a spreadsheet on a SharePoint site can be used. “It’s not pretty, but it works,” he said.
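The aggregation step described earlier (risk deciding how often each asset is checked, then analysing the collected data to find the gaps) can be illustrated with a small script that reads the kind of manually kept backup log just mentioned. This is an added example, not code from Hargenrader's talk or from the Nist framework; the asset names, risk tiers, maximum evidence ages, dates and log rows are all constructed for illustration.

```python
"""Added example: aggregate control evidence and flag gaps for a dashboard.

Three kinds of gap are reported per asset: the latest check failed, the
latest passing check is older than its risk tier allows (overdue), or no
evidence exists at all. Tiers, intervals and data are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed risk tiers: risk, not convenience, sets how stale evidence may be.
MAX_AGE = {
    "high": timedelta(days=1),
    "medium": timedelta(days=7),
    "low": timedelta(days=30),
}

# Constructed asset inventory mapping each asset to its risk tier.
INVENTORY = {
    "web-dmz-01": "high",
    "db-core-01": "high",
    "file-remote-site-a": "medium",
    "file-remote-site-b": "medium",
    "kiosk-lobby": "low",
}

# Constructed evidence log in the shape of a shared spreadsheet export:
# one row per manual check, timestamps in UTC.
EVIDENCE_CSV = """control,asset,checked_at,result,note
backup,web-dmz-01,2013-09-25T02:10:00Z,pass,nightly full
backup,db-core-01,2013-09-23T02:15:00Z,pass,nightly full
backup,file-remote-site-a,2013-09-24T21:00:00Z,fail,tape drive error
backup,file-remote-site-b,2013-08-30T21:00:00Z,pass,monthly site visit
"""

# Constructed "current time" for the example run.
NOW = datetime(2013, 9, 25, 12, 0, tzinfo=timezone.utc)


def parse_evidence(text):
    """Parse CSV rows, converting checked_at into timezone-aware datetimes."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        stamp = datetime.strptime(row["checked_at"], "%Y-%m-%dT%H:%M:%SZ")
        row["checked_at"] = stamp.replace(tzinfo=timezone.utc)
        rows.append(row)
    return rows


def assess(evidence, inventory, now, max_age=MAX_AGE):
    """Return {asset: status}; status is ok, failed, overdue or no-evidence."""
    latest = {}
    for row in evidence:
        asset = row["asset"]
        if asset not in latest or row["checked_at"] > latest[asset]["checked_at"]:
            latest[asset] = row

    status = {}
    for asset, tier in inventory.items():
        row = latest.get(asset)
        if row is None:
            status[asset] = "no-evidence"       # inventory item never logged
        elif row["result"].strip().lower() != "pass":
            status[asset] = "failed"            # most recent check failed
        elif now - row["checked_at"] > max_age[tier]:
            status[asset] = "overdue"           # passing, but too old for tier
        else:
            status[asset] = "ok"
    return status


def gaps(status):
    """Assets that need attention, sorted for a stable dashboard listing."""
    return sorted(asset for asset, state in status.items() if state != "ok")


def summarise(status):
    """Counts per status, the figure a single dashboard tile would show."""
    return dict(Counter(status.values()))


def example_status():
    """Run the constructed example end to end."""
    return assess(parse_evidence(EVIDENCE_CSV), INVENTORY, NOW)


if __name__ == "__main__":
    result = example_status()
    for asset, state in sorted(result.items()):
        print(f"{asset:22} {state}")
    print("gaps:", gaps(result))
    print("summary:", summarise(result))
```

The ordering of the checks is deliberate: a failed result is reported as a failure even when it is also stale, because the failure is the actionable finding; an asset in the inventory with no log row at all is reported separately, since the missing evidence is itself the gap the programme needs to close.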
Hargenrader admitted that continuous monitoring as it is now will not solve every problem, but he believes it can be a big step forward.
He said organisations should look to the medical and physical security industries that have a well-established history in continuous monitoring for methodologies that could help them leap forward.
“The challenge is strong, but the promise is great, which makes continuous monitoring worth pursuing,” said Hargenrader.
He also believes that as more organisations pursue the goal of continuous monitoring, it will provide enough incentive for security suppliers to develop the necessary tools to make it a reality.