alphaspirit - Fotolia
The case for continuous security monitoring
When done correctly, continuous security monitoring provides real-time visibility into an organization's IT environment. Here are the best practices for building a CSM program.
Continuous security monitoring can help refine an organization's threat detection and response. The increased visibility provided by continuous monitoring enables companies to quickly initiate investigation of potential security incidents.
A CSM program is defined by automation and provides end-to-end, real-time visibility into an organization's security environment. It constantly scans for threats, vulnerabilities and misconfigurations to alert security teams about potential breaches across the network.
Regulators are starting to take notice of continuous monitoring. The 23 NYCRR 500 standard from the New York Department of Financial Services mandates penetration tests and vulnerability assessments if continuous monitoring programs are not in place. This is not to discredit pen tests or vulnerability management. Instead, this shows the state's attempt to make the regulatory case for continuous monitoring being an essential element of cybersecurity.
Building a continuous security monitoring program
Continuous monitoring is refining processes that are in perpetual motion. To start, consider risk tolerance when building your program. If an organization doesn't have a stable understanding of the risks to its environment or where its critical assets are, it's going to be particularly difficult to define processes to avoid threats.
When creating any security program, the first step is to understand the unique risks to your environment. The same goes for continuous monitoring efforts. Define the alerting process and how threat intelligence will be escalated based on criticality, exposure and risk. This enables organizations to form a game plan when incidents arise. Otherwise, the focus is driven by the tool or analyst with limited context or understanding of the overall strategy being implemented.
All continuous security monitoring programs require tools and technology. Whether an organization standardizes on open source, proprietary software or a combination of the two doesn't matter. What matters is how data is collected from these tools in order to apply it toward your risk profile and then how it is alerted, escalated and reported. Commonly used tools for these data governance processes include SIEM, vulnerability scanners, patch management, asset discovery and network security tools.
The goal is to collect security data from all aspects of the environment for analysts and administrators to manage and monitor. A continuous security monitoring program starts to take shape when automated alerts and incident prioritization create a pool of data within these systems.
Without the ability to make quick decisions for analysts based off a tuned, correlated and orchestrated technology stack that's been refined with your risk posture, decisions are left open to human interpretation and misinterpretation. CSM systems perform the leg work to enable skilled analysts to search, query and hunt through these programs and make educated decisions. A continuous security monitoring program is not a replacement for a trained analyst, but a tool for professionals to better perform their role.
Escalation procedures
Escalation is the next phase in a continuous security monitoring program. Preconfigured escalation procedures toward management and required resources are mandatory. Security professionals who monitor the front line are often not the ones required to take action. When automation is involved, a security team can make particular decisions to isolate and contain an incident but may require escalation to other departments or roles.
The policy outlining the continuous monitoring program should delineate what company roles are notified during a security incident. Runbooks and tabletop exercises are fantastic tools to augment best practice processes with employees involved.
Continuous security monitoring programs are always adjusting and tuning their technology, procedures and risk posture to stay as agile and dynamic as possible. Attacks are fluid, and monitoring programs need to be as polished and flexible in response.