Agencies that conduct continuous monitoring audit the security of one or more information systems or networks at all times to detect security and operational problems, including attacks and violations of agency policies. Before the advent of continuous monitoring technologies, the full security of systems was often reviewed infrequently, perhaps yearly, as part of periodic system audits. Reviewing security so rarely meant that systems were often insecure or even compromised for long periods of time before problems were detected and could be mitigated.
Attacks can occur so quickly that many agencies have moved to continuous monitoring solutions in an effort to keep up. Federal regulations also require agencies to implement continuous monitoring to better maintain awareness of the security posture of their systems.
1. Make continuous monitoring more than just a compliance effort.
Establishing a basic continuous monitoring capability does not automatically make an agency’s systems secure. Agencies should strive to do more than just “check the box” for having continuous monitoring in place and technically meeting the minimum requirement. Truly implementing and utilizing a continuous monitoring capability requires considerable effort, but also provides considerable payback.
Continuous monitoring is necessary for an agency to be able to focus on the variety of threats they face today and will face in the future. Without continuous monitoring, agencies don’t have much chance of detecting attacks in their early phases and stopping them before major damage occurs. Continuous monitoring is not just another security technology to be deployed and ignored; it’s truly beneficial to the security of the entire enterprise.
2. Know where to look.
More Information @
For more information, see the National Institute of Standards and Technology’s publication Information Security Continuous Monitoring for Federal Information Systems and Organizations here.
An effective continuous monitoring solution will pull information from a variety of systems. Of course, these will include major security systems, such as incident response technologies (intrusion detection systems, and the like), antivirus servers and security logging solutions. But they should also include several systems not directly involved in security, such as inventory management, help desk/trouble ticketing and configuration management systems. Interoperability with a wide variety of security and operational systems is key to the success of a continuous monitoring solution.
If an agency has implemented continuous monitoring but fails to detect new security problems and incidents quickly, then perhaps the continuous monitoring solution is not watching all of the data sources that it should be. The agency should conduct a review of the available data sources and carefully consider which additional sources should be integrated into the overall continuous monitoring solution.
3. Know what to look for.
A continuous monitoring solution won’t help an agency much if the data pouring into it from across the organization isn’t being analyzed effectively. It’s critical that the continuous monitoring solution have robust analytical capabilities to “crunch” in real time the massive amounts of data that may be entering it and condense that information down to a manageable amount. It’s also important that the analysis be customized for each agency. An effective security posture will take into account the context of what risk the agency will tolerate and what the potential impact of a specific vulnerability may be on the agency’s systems.
Ultimately, the continuous monitoring solution should enable both automated technologies and administrators to make better, faster decisions regarding an agency’s security posture. This gives the agency the agility it needs to keep up with the latest attacks, vulnerabilities and threats.