Continuous Monitoring 101
Introduction
What if there was a concept that would allow you insight into your IT and information security environment, showing you near real-time events and changes to your environment coupled with the knowledge of how it would impact your systems? There is, and it is called continuous monitoring (CM). This article will detail what you need to know about the basics of CM and will leave you with a better understanding of the underlying concepts.
What Is Continuous Monitoring?
Continuous monitoring (CM) is a powerful concept that will give you better situational awareness of your IT and information security systems. At the macro level, CM is an essential part of a robust information security plan integral to the Risk Management Framework (RMF) process. At the much more interesting micro level, CM give up-to-date, detailed insight into the compliance and network status of your environment. This comes by way of reporting and can include internal control inconsistencies, information security events and system changes. You can even set your CM system to inform you how your environment will be affected by what is shown in reporting.
Learn Network Security Fundamentals
While all of this sounds good, this is a bit of a simplified presentation of CM. Proper implementation of CM solutions can become quite complex, because that implementation really depends on the organization using it. The larger and more complex an organization’s IT environment is, the more complex the CM solution will tend to be. For example: In a large enterprise, a CM will need to understand the context of what happened, not just that something happened. After data has been collected and digested, it can then be used to create an information security risk assessment.
Elements of Continuous Monitoring
Data Collection
The most elemental part CM is data collection. Data collection can be performed by many tools available today, and according to National Institute of Standards and Technology (NIST) Special Publication 800-53, certain types of fundamental data must be collected.
Vulnerability Scanning
The simplest category of data that you need to collect is vulnerability scanning information. This includes both authenticated and unauthenticated scans and should collect:
- Network inventory including IP addresses and hostnames
- System attributes
- Services running on network systems, ports and protocols
- Recognizable vulnerabilities and their severity, both system and application vulnerabilities
System and Network Configuration
Another important category of data you need to collect is your system and network configuration. Focus is given to your critical systems for these configurations and this data includes:
- Network system inventory, including IP addresses and computer names
- Different network device types, including routers, switches, firewalls and platform versions
- Network access controls
- Firewall rules
- Current configuration controls compared to published industry standard guidelines
- Current configuration controls compared to best practices
- Current configuration controls compared to known vulnerable configurations
Identification and Authentication
While this category is less dynamic than the others (unless your organization frequently hires new employees), this data is critical because it allows the CM solution to know whether users accessing data or network resources have the appropriate rights to do so. The pertinent data you will want to collect is:
- User identification and authentication
- Policies and procedures
- Network device identification and authentication
- Authenticator management
- Identifier management
- Authenticator feedback
Anti-Malware Tools (Patch and Update Status)
Anti-malware tools can provide a profound amount of relevant data for your CM solution. When incorporating these controls into your data collection scheme, they should include:
- A current list of installed agents, including signature file dates and versions
- Enabled capabilities on each agent, including whitelisting, antivirus, file integrity monitoring and host IDS/IPS
- Critical alerts and corresponding actions taken, including quarantine and deletion
Vulnerability Scans of Web Applications, Platforms and Database Servers
The last basic category of data to be collected is that of Web application and platforms vulnerability scans. Your data collection tools should pick up the following data:
- Inventory data, including IP addresses, for Web servers and database servers
- Vulnerability data for well-known Web application flaws, including cross-site scripting (XSS) and SQL injection
- Web server and application platform configuration details
- Database configuration issues and flaws
- Database server version and OS
Continuous Monitoring Analysis Intervals
So now you have (or at least begun to) collected data from at least the basic data categories discussed above. The next thing to do is to define your continuous monitoring analysis intervals. What this does is make you CM solution collect the appropriate data at the right times.
Analysis interval can be quite powerful, and this power increases as the size of your information security environment increases. The larger the environment, the more demand your CM solution will place upon your network.
Size is not the only consideration here – the risk associated with your systems will dictate your interval. For example, it is recommended that high-risk systems have a scan interval of between every five and 15 minutes. Systems designated as low-risk can be scanned only once every 24 hours. For further analysis interval guidelines, consult NIST SP 800-92.
The Endpoint Conundrum
Endpoints can make things sticky because they are often added to a network frequently and without a real-time updating of your network inventory, these new endpoints can be overlooked. The best way to deal with this is to combine passive monitoring with an active scanner that is “always on.” This will effectively detect the new endpoints and give you the most accurate insight to your environment.
Overlapping, Conflicting and Non-Integrated Data
CM solutions often piece together data sets from multiple, disparate systems. This can lead to conflicting or overlapping data. This problem is exacerbated by low-quality or immature tools that may perform inaccurate scans.
A good way to get around this is to apply Master Data Management (MDM) platform principles. For example, by using MDM cross-referencing you can determine master identifiers for devices as well as the different sensor identifiers – including server name, IP addresses and MAC addresses.
How Do I Correlate My Data?
Your CM has successfully collected a massive amount of data, but you may be wondering how you correlate it all. This is where you will want to invest in a powerful SIEM tool. A SIEM tool can be configured to take the data you have collected about (for example) data related to a security breach that your CM solution collected, and the SIEM will correlate threat vectors from all of the events that your data collection picked up. This will give you the advanced insight into your information security environment that you have been thirsting for.
Conclusion
Continuous monitoring (CM) is a method by which you can gain deeper insight into your IT and information security environment. While implementation of a CM solution is different for every organization, it may be required for you to meet your respective compliance requirements or simply for a greater understanding of your specific environment. Regardless of your reason for implementation, you will be richer for this enhanced understanding and you will have a better handle on your information security landscape.
Learn Network Security Fundamentals