Continuous Monitoring

To quote Shakespeare, “What’s in a name?”


Take the word continuous. By any other name, it would seem to mean uninterrupted or constant. Yet the National Institute of Standards and Technology sets a far less demanding bar: the Security Continuous Monitoring category of its Cybersecurity Framework requires only that information systems and assets be monitored at “discrete intervals.” Given that mandate, the question for practitioners is whether discrete-interval monitoring is enough, and how short the intervals need to be.

Let’s start with the rationale for giving cybersecurity programs so much leeway under the NIST Framework. Simply put, it’s all about enterprise risk management. Organizations are expected to make risk-based decisions about the frequency of their monitoring, and a high-value system facing an active threat warrants shorter intervals than a low-value one. The Framework is far more specific about what should be monitored than about how often. Although there is no single standard, what follows are the eight core areas its continuous monitoring category calls out.

The Network. Information systems should be monitored for a full range of activities, starting with nothing (for example, inactive accounts and assets that have stopped reporting), to something (actual security incidents), and a lot in between (deviations from an established baseline and indicators of attack). It is equally important to verify that protective measures actually are working, since a firewall rule or logging agent that silently fails produces the same quiet as a healthy one. Unfortunately, organizations often fall short in these efforts because they lack the foundational ability to map, let alone monitor, an increasingly distributed infrastructure, or to inventory their assets. Those are the places to start.

The Physical Environment. Many companies log physical access and use security cameras in their day-to-day operations. It makes sense to extend this approach to restricted technology areas such as communications and server rooms. Asset tracking technologies also are available to monitor the location of high-value computer equipment should it decide to walk.

Personnel Activity. Particular attention should be paid to user-installed software (perhaps prohibiting it altogether), excessive downloading to removable media, and lateral network movement.
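Lateral movement is the hardest of those three personnel behaviors to spot by eye, because each individual logon looks legitimate. What gives it away is the pattern: one account authenticating to many different hosts in a short window. The following is an added example, not code from the original article or from NIST, that runs that fan-out rule over a handful of constructed logon records. The log format (key=value fields after a timestamp), the threshold of five distinct hosts, and the ten-minute window are all assumptions chosen for the illustration; tune them to your own baseline.

```python
"""Added example: flag possible lateral movement from constructed logon records.

Not from the original article. Assumes a hypothetical key=value logon log
format and a fan-out rule: a single account with successful logons to
THRESHOLD or more distinct hosts within WINDOW is flagged for review.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). svc-backup sprays five
# hosts in 80 seconds; alice and bob show ordinary activity.
SAMPLE_LOG = """\
2024-03-01T09:00:12 logon user=alice src=10.0.1.5 dst=fs01 result=success
2024-03-01T09:03:40 logon user=alice src=10.0.1.5 dst=mail01 result=success
2024-03-01T09:10:02 logon user=bob src=10.0.1.9 dst=fs01 result=success
2024-03-01T13:00:00 logon user=svc-backup src=10.0.2.7 dst=ws-101 result=success
2024-03-01T13:00:15 logon user=svc-backup src=10.0.2.7 dst=ws-102 result=success
2024-03-01T13:00:31 logon user=svc-backup src=10.0.2.7 dst=ws-103 result=failure
2024-03-01T13:00:44 logon user=svc-backup src=10.0.2.7 dst=ws-104 result=success
2024-03-01T13:01:02 logon user=svc-backup src=10.0.2.7 dst=ws-105 result=success
2024-03-01T13:01:20 logon user=svc-backup src=10.0.2.7 dst=dc01 result=success
2024-03-01T17:45:00 logon user=alice src=10.0.1.5 dst=ws-050 result=success
2024-03-01T17:46:10 logon user=alice src=10.0.1.5 dst=ws-051 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) logon user=(?P<user>\S+) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) result=(?P<result>\S+)$"
)

THRESHOLD = 5                   # distinct destination hosts (assumed)
WINDOW = timedelta(minutes=10)  # sliding window length (assumed)


def parse_logons(text):
    """Parse log lines into sorted event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "dst": m["dst"],
            "success": m["result"] == "success",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_fan_out(events, threshold=THRESHOLD, window=WINDOW):
    """Return one finding per account whose successful logons reach
    `threshold` distinct hosts inside any `window`-long span."""
    by_user = defaultdict(list)
    for e in events:
        if e["success"]:            # failed logons are noise for this rule
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["dst"] for e in evs[start:end + 1]}
            if len(hosts) >= threshold:
                findings.append({
                    "user": user,
                    "first": evs[start]["ts"],
                    "last": evs[end]["ts"],
                    "hosts": sorted(hosts),
                })
                break               # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_fan_out(parse_logons(SAMPLE_LOG)):
        print(f"{f['user']}: {len(f['hosts'])} hosts between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}: {', '.join(f['hosts'])}")
```

Only successful logons count toward the threshold, because a burst of failures is a different signal (password spraying) and deserves its own rule. Service accounts such as the flagged svc-backup are the usual source of false positives here; the fix is an allow-list of accounts and destination sets that are expected to fan out, not a higher global threshold.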

Malicious Code. Consider anti-malware solutions that focus more on how malicious code behaves when executed (behavioral detection) and less on how it looks when dormant (signature matching), since a signature is only as good as the sample it was written from.

Mobile Code. In this context, mobile does not refer to phones. Rather, code is considered mobile if it is transmitted across a network from one computer to be executed on another. Examples include JavaScript, Flash, and ActiveX which, depending on your endpoint approach, can be disabled altogether, prevented from running automatically, sandboxed, or shut down if they exhibit known or suspected malicious activity. (Flash and ActiveX have since been retired by their vendors, but the same control options apply to the browser-executed code that replaced them.)

External Service Providers. Although less likely to be accomplished through automation, companies should review vendor services, consider exercising audit rights if the provider does not have independent audits, and ensure contract language includes breach notification provisions.

Unauthorized Activities. Enforce your information security policy by looking for unauthorized personnel, connections, devices, and software.
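The network and unauthorized-activity points above share a prerequisite: you cannot call a device unauthorized until you have an inventory to compare it against. The following is an added example, not code from the original article or from NIST, that reconciles a constructed asset inventory with a constructed snapshot of what the switches actually saw. The CSV layouts, the MAC addresses, and the VLAN assignments are all hypothetical; in practice the observed side would come from your DHCP leases, ARP tables, or NAC logs.

```python
"""Added example: reconcile observed network devices against the asset inventory.

Not from the original article. Assumes two hypothetical CSV inputs:
an inventory of approved devices (mac, hostname, owner, expected vlan)
and an observed snapshot (mac, ip, vlan, switch port).
"""
import csv
import io

# Constructed inventory (not real data).
INVENTORY_CSV = """\
mac,hostname,owner,vlan
aa:bb:cc:00:00:01,fs01,infra,10
aa:bb:cc:00:00:02,ws-050,alice,20
aa:bb:cc:00:00:03,printer-2f,facilities,30
aa:bb:cc:00:00:04,ws-051,bob,20
"""

# Constructed observation (not real data). Note the upper-case MAC on the
# first row, the printer on the wrong VLAN, and a MAC nobody has heard of.
OBSERVED_CSV = """\
mac,ip,vlan,port
AA:BB:CC:00:00:01,10.0.10.5,10,ge-0/0/1
aa:bb:cc:00:00:02,10.0.20.17,20,ge-0/0/12
aa:bb:cc:00:00:03,10.0.10.9,10,ge-0/0/3
de:ad:be:ef:00:01,10.0.20.44,20,ge-0/0/15
"""


def norm_mac(mac):
    """Canonical form so 'AA:BB' and 'aa:bb' compare equal."""
    return mac.strip().lower()


def load_inventory(text):
    """Map normalized MAC -> inventory row."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}


def load_observed(text):
    """List of observed rows, MACs normalized in place."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["mac"] = norm_mac(r["mac"])
    return rows


def reconcile(inventory, observed):
    """Return (kind, mac, detail) tuples for every discrepancy.

    kinds: unknown_device  - seen on the wire, absent from inventory
           vlan_mismatch   - approved device, but not where it should be
           not_observed    - inventoried device that never showed up
    """
    findings = []
    seen = set()
    for o in observed:
        seen.add(o["mac"])
        inv = inventory.get(o["mac"])
        if inv is None:
            findings.append(("unknown_device", o["mac"],
                             f"{o['ip']} on vlan {o['vlan']} port {o['port']}"))
        elif inv["vlan"] != o["vlan"]:
            findings.append(("vlan_mismatch", o["mac"],
                             f"{inv['hostname']} expected vlan {inv['vlan']}, seen on {o['vlan']}"))
    # The "nothing" case: approved assets that have gone quiet.
    for mac, inv in inventory.items():
        if mac not in seen:
            findings.append(("not_observed", mac, inv["hostname"]))
    return findings


if __name__ == "__main__":
    for kind, mac, detail in reconcile(load_inventory(INVENTORY_CSV),
                                       load_observed(OBSERVED_CSV)):
        print(f"{kind:15} {mac}  {detail}")
```

Two caveats a practitioner should keep in mind. MAC normalization matters more than it looks: a case or separator mismatch between the inventory tool and the switch export will report every device as both unknown and missing. And a MAC address is an identifier, not a credential; it is trivially spoofed, so this reconciliation is a baseline check, and port-based network access control (802.1X) is what actually keeps an unapproved device off the segment.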

Vulnerabilities. Organizations should routinely check whether their software and firmware are updated with the latest patches, scan for the vulnerabilities those patches address, and ensure that user and device configurations follow least privilege (no more access than the task requires) and least functionality (no more services, ports, or features than the role requires).

The holy grail of automated, perpetual, context-aware monitoring and response is beginning to emerge with today’s network security solutions. That’s good news. After all, you can’t manage what you can’t measure. And in cyber, you can’t measure what you can’t or don’t monitor.