Continuous Monitoring for Your Network in an Increasingly Complex Threat Environment
It is well known and widely publicized: cyber criminals and cyber warfare are real threats. These attacks are sophisticated, they are targeted, and unfortunately for the victim, they are often successful. One of the reasons for attackers’ success is that their methods have outpaced generally accepted security practices. Cyber criminals know that at any point in time, every enterprise has vulnerabilities and/or configuration gaps, including zero-day vulnerabilities. Even regular scanning and patching – whether quarterly, monthly, or weekly – leaves an enterprise vulnerable to hacker penetration. Hence, organizations are adopting continuous monitoring to provide real-time insight into the network’s vulnerabilities, configuration errors and potential threat vectors.
When sophisticated and risk-sensitive enterprises such as RSA, Lockheed Martin, and the Department of Defense get hacked, it should be a wake-up call to everyone. Enterprises need to step up their security countermeasures. Converging technologies such as virtualization and cloud computing, the growing demand on enterprises to support mobile and BYOD device connectivity, and escalating cyber threats together create a progressively more complex environment.
Consequently, periodic, static vulnerability and configuration security assessments are no longer sufficient to address today’s security and compliance environment. Periodic assessments leave knowledge gaps and have limited value when an incident occurs – gaps during which there is no automatic discovery of new assets that might be vulnerable, no certainty that remediation efforts were successfully applied, and no correlation of vulnerable assets to actual events happening within the network that would reveal a cyber threat. During those gaps new assets may be added, countermeasures turned off or vulnerabilities introduced.
Continuous network monitoring has proven to be an essential countermeasure: by eliminating those gaps it addresses today’s threats, technology risks and changing regulatory requirements.
So what is continuous monitoring?
Continuous monitoring is the process of constantly and persistently monitoring technological assets, vulnerabilities, configurations and (importantly) current network events to discover new assets that may be vulnerable and detect anomalies or other suspicious activities.
Continuous network monitoring requires the integration of core technologies with applied intelligence that, when combined, give an enterprise the ability to implement and maintain an effective and efficient continuous monitoring and assessment program.
By orchestrating internal processes with core technologies, organizations can create the baseline operational and technical capabilities to support real-time asset discovery, real-time situational awareness of vulnerabilities and events and real-time incident response.
Because no single technology can deliver comprehensive and continuous monitoring, it is imperative to integrate the following core technologies:
- Vulnerability and configuration assessment or scanning to establish a baseline of assets and scan for vulnerabilities and configuration information
- Network span port to capture network events in real-time
- Log Correlation Engine (LCE) or Security Information and Event Management (SIEM) technology to store, correlate and analyze current network events and any system and/or IPS/IDS logs against vulnerability and configuration assessment results
- Centralized management console to visualize, analyze and review the current state of assets, vulnerabilities, configurations and events. This console will help develop correlation and other anomaly-based rules, manage remediation workflow and incident response and generate alerts on the discovery of new assets or vulnerabilities.
Integrating vulnerability assessment processes with log correlation and network event monitoring provides the technical foundation for a continuous monitoring program. This integrated platform should discover and maintain an up-to-date inventory of assets; classify any new assets within the environment; perform ongoing vulnerability assessments of existing and new assets; execute configuration or policy security compliance assessments of all assets; capture and monitor network events; and correlate and analyze events to identify and prioritize any anomaly for effective remediation and real-time actionable incident response.
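As an added example (not from this article), the following Python sketch shows the correlation that the core-technology list and the paragraph above describe: a fresh scan is compared against the baseline inventory to flag newly discovered assets, and IDS log lines are ranked according to whether the scan found a vulnerability on the attacked service. The host addresses, service names, log format and VULN-xxxx identifiers are constructed placeholders, not real data.

```python
"""Toy correlation of scan results with IDS events (constructed sample data)."""

# Constructed asset inventory from the previous scan cycle: host -> set of services.
BASELINE = {"10.0.0.5": {"ssh"}, "10.0.0.7": {"http"}}

# Constructed current scan output: host -> {service: [vulnerability ids]}.
# The VULN-xxxx ids are placeholders, not real CVE identifiers.
CURRENT_SCAN = {
    "10.0.0.5": {"ssh": []},
    "10.0.0.7": {"http": ["VULN-0001"]},
    "10.0.0.9": {"smb": ["VULN-0002"]},  # absent from the baseline: a new asset
}

# Constructed IDS log lines: "<time> <signature> <src> -> <dst> <service>".
IDS_LOG = """\
2024-01-01T10:00:01 web-exploit-attempt 203.0.113.4 -> 10.0.0.7 http
2024-01-01T10:00:05 ssh-bruteforce 198.51.100.9 -> 10.0.0.5 ssh
2024-01-01T10:00:09 smb-exploit-attempt 203.0.113.4 -> 10.0.0.9 smb
"""


def discover_new_assets(baseline, scan):
    """Return hosts seen by the current scan that the baseline inventory lacks."""
    return sorted(set(scan) - set(baseline))


def parse_ids_log(text):
    """Parse the constructed IDS log format into (dst, service, signature) tuples."""
    events = []
    for line in text.splitlines():
        _ts, signature, _src, _arrow, dst, service = line.split()
        events.append((dst, service, signature))
    return events


def correlate(scan, events):
    """Rank each IDS event against the scan's findings for the attacked service.

    Priority is 'high' when the scan found a vulnerability on that service,
    'unknown-asset' when the target was never scanned (an inventory gap the
    article warns about), and 'low' otherwise.
    """
    ranked = []
    for dst, service, signature in events:
        if dst not in scan:
            priority = "unknown-asset"
        elif scan[dst].get(service):
            priority = "high"
        else:
            priority = "low"
        ranked.append((priority, dst, service, signature))
    return ranked
```

In a real deployment the scan dictionary would come from the assessment tool's export and the events from the LCE or SIEM, with the ranked output feeding the console's remediation workflow.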
A continuous monitoring program also provides advanced threat detection: the operational capability to identify and combat new cyber threats such as advanced persistent threats (APTs), and, very importantly, a stronger compliance posture to meet escalating regulatory requirements. The Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program supports the establishment of a continuous monitoring approach.
Additionally, continuous monitoring transforms your staff’s efforts from a reactive to a proactive posture. Continuous monitoring eliminates the ‘fog of war’ predicament during a crisis because you have real-time or near real-time visibility of all your assets, vulnerabilities, and risks based on current events and information.