The Core Components of Continuous Monitoring
Continuous monitoring changes the security point of view entirely, yielding a moment-by-moment look into the effectiveness of risk management. It differs from an infinite series of audits performed back to back because it includes three components:
- Automated measurement of the effectiveness of security controls and systems on a continuous basis, including as many metrics as possible;
- Reporting tools and dashboards that can give both instantaneous and trending information on security status to IT technical staff and management; and
- Alerting and tracking tools that indicate when security controls aren’t effective.
The value of continuous monitoring as an integral part of risk management is recognized in the same standards and regulations that define the compliance requirements described earlier.
For example, NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations, explains how continuous monitoring should be implemented as part of the security lifecycle. The Office of Management and Budget (OMB), in Memorandum M-11-33, has made continuous monitoring essentially a requirement for FISMA compliance so that executives can make “credible, risk-based decisions ... on an ongoing basis.”
Effective continuous monitoring programs entail more than reading intrusion detection system (IDS), intrusion prevention system (IPS) or data loss prevention (DLP) logs more frequently. They can fundamentally change traditional security processes by shifting monitoring from an activity synchronized with the audit and reporting calendar to one that is continuous, event-driven, and able to react while an event is still in progress.
To understand the change in paradigm that continuous monitoring enables, consider this example. A typical enterprise security policy calls for an account lockout rule to frustrate password guessing: if someone tries a password three or five or 30 times and gets it wrong, the account is locked until someone manually unlocks it.
Mature applications and operating systems support this policy easily. When the monthly or quarterly compliance report is produced, it’s also easy to report on who got locked out of which applications and how often.
Continuous monitoring changes the timeframe. By watching logs and system status information as they are produced, the security team knows immediately how many users are being locked out and of which applications, instead of learning it from the next report.
With intelligent continuous monitoring, an alert can be raised when the rate of lockouts deviates from its historical average, which is how a password-guessing campaign spread across many accounts shows up even though no single account looks unusual. And with reactive continuous monitoring, the source of the guessing can be blocked not just from that system or that application, but from the entire network. The response should key on the attacking source rather than on the accounts being targeted: lockouts are trivial to trigger against someone else’s username, and a network-wide ban on the victim accounts would hand the attacker a denial of service.
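The lockout scenario above, as an added example that is not code from the original article: it parses constructed log lines, counts lockouts per 5-minute window, raises an alert when a window's count deviates from a constructed historical baseline by more than three standard deviations, and then picks the sources to block by how many distinct accounts each one locked out. The log format, the window size, the threshold, the historical counts and the host addresses are all assumptions for illustration; real IDS or SIEM output will differ.

```python
"""Rate-based lockout alerting with a source-aware response.

Added example, not code from the original article. The log format, the
5-minute window, the z-score threshold and the historical counts below are all
constructed assumptions; real IDS/SIEM output will look different.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(minutes=5)  # assumed aggregation window; must divide 60 minutes

# Constructed sample log (key=value pairs after an ISO-8601 UTC timestamp). Not
# from any real system. alice mistypes her password and is locked out; later
# 203.0.113.7 locks out five different accounts across two applications, while
# 10.0.1.5 also locks out one more account (heidi) in the same window.
SAMPLE_LOG = """\
2024-03-04T09:00:12Z app=hr-portal event=login_failed user=alice src=10.0.1.5
2024-03-04T09:00:31Z app=hr-portal event=login_failed user=alice src=10.0.1.5
2024-03-04T09:00:55Z app=hr-portal event=account_locked user=alice src=10.0.1.5
2024-03-04T09:03:10Z app=vpn event=login_ok user=bob src=10.0.2.9
2024-03-04T09:06:02Z app=vpn event=account_locked user=carol src=203.0.113.7
2024-03-04T09:06:05Z app=vpn event=account_locked user=dave src=203.0.113.7
2024-03-04T09:06:09Z app=hr-portal event=account_locked user=erin src=203.0.113.7
2024-03-04T09:06:14Z app=hr-portal event=account_locked user=frank src=203.0.113.7
2024-03-04T09:06:20Z app=vpn event=account_locked user=grace src=203.0.113.7
2024-03-04T09:07:44Z app=hr-portal event=account_locked user=heidi src=10.0.1.5
"""

# Constructed history: lockouts per 5-minute window over the preceding hour,
# standing in for the "historical average" the text refers to.
HISTORICAL_LOCKOUTS = [0, 1, 0, 2, 1, 0, 1, 1, 0, 2, 1, 0]


def parse_log(text):
    """Parse lines of '<ts> k=v k=v ...' into dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events


def window_start(ts, window=WINDOW):
    """Floor a timestamp to the start of its aggregation window."""
    minutes = int(window.total_seconds() // 60)
    return ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)


def lockouts_per_window(events, window=WINDOW):
    """Count account_locked events per window, oldest window first."""
    counts = Counter(window_start(e["ts"], window)
                     for e in events if e["event"] == "account_locked")
    return dict(sorted(counts.items()))


def detect_anomalies(counts, history, z_threshold=3.0):
    """Return (window_start, count, z) for windows far above the baseline.

    sigma is floored at 1.0 so a nearly silent baseline (std dev near zero)
    does not page the team on every single lockout.
    """
    mu = mean(history)
    sigma = max(pstdev(history), 1.0)
    alerts = []
    for start, n in counts.items():
        z = (n - mu) / sigma
        if z >= z_threshold:
            alerts.append((start, n, round(z, 2)))
    return alerts


def sources_to_block(events, start, window=WINDOW, min_accounts=3):
    """Sources that locked out at least min_accounts distinct accounts in the window.

    Blocking is keyed on the source, not on the victim accounts: an attacker who
    can trigger lockouts against arbitrary usernames must not be able to get
    those users banned from the network as a side effect.
    """
    victims = defaultdict(set)
    for e in events:
        if e["event"] == "account_locked" and window_start(e["ts"], window) == start:
            victims[e["src"]].add(e["user"])
    return sorted(src for src, users in victims.items() if len(users) >= min_accounts)


def analyze(log_text=SAMPLE_LOG, history=HISTORICAL_LOCKOUTS):
    """Run the pipeline: parse, aggregate, alert, and pick sources to block."""
    events = parse_log(log_text)
    alerts = detect_anomalies(lockouts_per_window(events), history)
    return {
        "alerts": alerts,
        "block": {str(start): sources_to_block(events, start) for start, _, _ in alerts},
    }


if __name__ == "__main__":
    result = analyze()
    for start, n, z in result["alerts"]:
        print(f"ALERT {start}: {n} lockouts (z={z}); block {result['block'][str(start)]}")
```

On the constructed data the 09:00 window holds one lockout (alice) and stays quiet, while the 09:05 window holds six and trips the threshold; only 203.0.113.7, which locked out five distinct accounts, is proposed for a block, and 10.0.1.5, which locked out a single account, is not. The `min_accounts` floor is the check that keeps a single clumsy user, or an attacker aiming at one victim, from turning the reactive response into an outage.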