Network security

How to build a successful continuous monitoring (CM) program

Mahwish Khan
January 4, 2019 by
Mahwish Khan

For years, continuous monitoring has been serving the IT industry regardless of the size of the businesses utilizing it. Historically, the ITIL programs featured this aspect, but now continuous monitoring has become essential to ensure the provision of added security.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

What Is continuous monitoring?

ConMon, Continuous Control Monitoring (CCM) and Continuous Monitoring (CM) are different terms relating to the same concept.

“Continuous Monitoring is the formal process of defining an agency’s IT systems, categorizing each of these systems by the level of risk, application of the controls, continuous monitoring of the applied controls, and the assessment of the effectiveness of these controls against security threats.” Ken Durbin (Cyber & Continuous Monitoring Practice Manager, Symantec)

The National Institute of Standards and Technology introduced a six-step process for the Risk Management Framework (RMF), and Continuous Monitoring is one of those 6 steps. Continuous Monitoring (CM) helps management to review business processes 24/7 to see if the performance, effectiveness and efficiency are achieving the anticipated targets, or if there is something deviating from the intended targets.

Why is continuous monitoring essential for your business?

Technology today has become an integral part of all business processes, but the ever-increasing threats to cybersecurity have given rise to the importance of a foolproof Continuous Monitoring Program.

Talking about IT, things happen, and changes occur in the blink of an eye. Companies have to continuously work on implementing updated security measures and identify the loopholes in the existing measures which may occur because of some unexpected changes to firmware, software and even hardware.

Continuous monitoring is important because the process is skeptical about potential threats. A good continuous monitoring program is the one that is flexible and features highly reliable, relevant and effective controls to deal with the potential threats.

Is continuous monitoring really complex?

The rumors about the undue complexity of continuous monitoring implementation are actually based on misunderstandings of the NIST’s mention of over 800 controls. There is a need to have a better understanding of the implementation and use of these controls, rather than worrying about the number of them.

Dr. Ron Ross from the National Institute of Standards and Technology is of the view that no system on earth is 100% safe from potential security threats. Companies need to consider the “when” factor rather than the “if” factor. In other words, it’s almost certain that your IT system or a part of the system is going to be compromised someday.

Therefore, it is important for the Continuous Monitoring Program to prepare for the quick recovery to help the system back on track while ensuring the minimum loss of information or data. Dr. Ross suggests that it is going to happen, no matter how secure your system. In addition to focusing on eliminating the loopholes, you also need to focus on the ability of the Continuous Monitoring Program to recover the system as quickly as possible.

Finding the right tools for a continuous monitoring program

It was a tough task to find the right tools for a CM program in the past, but things have improved these days, suggests Voodoo Security Founder and Principal Consultant Dave Shackleford. More and more vendors are now developing the tools to support the continuous monitoring strategy. This provides relief for the security teams who are looking to implement more secure methods for data collection and information sharing.

  • At a network configuration level, the management platforms serve with better centralization, policies and change management
  • In addition, there are scanning tools for the evaluation of vulnerability at the enterprise level
  • These scanning tools serve with both unauthenticated and authenticated scans. In addition, there are scanning tools to check database issues and the coding of the websites and database
  • Even some minor modifications to the already-installed antimalware tools support the continuous monitoring program

Make sure that:

  • The program supports central data collection as well as the ability to integrate GRC and SIEM tools
  • The program includes SCAP from MITRE and NIST

System configuration management tools for continuous monitoring

Today, there are exceptional tools that serve with the provision of dashboard management, risk reporting, real-time system-state analysis and scheduling to facilitate the central policy.

Networking configuration management tools for continuous monitoring

These tools mainly deal with the network configuration assessment, including the scripts, networking policies and inventories, in addition to auditing and changes in network monitoring processes.

Authenticated versus unauthenticated vulnerability scanners

Unauthenticated scans probe the system and tell you about the operating system in general: for instance, the difference between XP and NT4. But the accuracy level is low. The problem is that the unauthenticated scan identifies a number of vulnerabilities but doesn’t hit the target with 100% accuracy.

Authenticated scans require credentials, but the data accurately shows how well the patch CM program is working against the potential vulnerabilities. It is much more customized.

These scans highlight the vulnerabilities mainly in the following areas:

  • OS policy
  • Installed patches
  • Missing patches
  • User accounts
  • Group accounts
  • Existing configuration items
  • Missing configuration items
  • Vulnerabilities to the local systems
  • Service policies
  • Service banners
  • Ports
  • Protocols
  • Known threats

These tools not only update you about the working networking systems, but they also update you about the available and running services and detected vulnerabilities.

Risk management for a successful CM strategy

When building a successful Continuous Monitoring Program, the tools and strategies are useless in the absence of an effective risk management analysis. This is why it is important for developers to empower a CM program with a flawless assessment of compliance systems, governance and risk. For instance, SCAP is a promising format which allows the program to perform risk analysis by analyzing the information collected by analytic engines.

The selection of the correct tools and strategies is the real challenge, because the importance of each tool and its specific effectiveness is different for each company. For government organizations, risk management is very different from that of a private company.

This is why the security teams have to work hard on defining the right metrics for the evaluation of risk. For example:

  • To what extent your company can tolerate a certain risk?
  • What are the important risk-scoring values?
  • How confidential is the information that your company collects?
  • What are the consequences if particular information is compromised?

You need to ask all these questions of your company’s security team when building a CM program.

[Free Trial] Email Reporting and Threat Analysis

Sign up for a SecurityIQ free trial and try PhishNotify email reporting and PhishHunter threat analysis today!

Learn More


Running a business has become different from conventional practices. The threat is invisible yet anticipated at the same time. It is coming, for sure. It is just a matter of “when” and asking your security team this question: “How quickly and efficiently can your CM program recover the compromised system?”

A reliable Continuous Monitoring Program is that one that not only evaluates the threats and vulnerabilities, but also remains alert for a timely action and quick recovery before it gets too late.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.


Mahwish Khan
Mahwish Khan

Mahwish Khan is a Pharm-D graduate from The University of Faisalabad. She is experienced in technical writing. She currently works for a university as a technical trainer and documentation specialist. In the past, she has taught university writing courses and worked in two university writing centers, both as a consultant and administrator.