In today's complex and fast changing Information Technology landscape, Enterprises and Governments are constantly under the threat of a cyber attack. As attacks become more common and risks increase with organized Hacking Groups and state sponsored Hackers and Terrorists, how can IT departments understand how secure they are in a dynamic threat landscape?
To be secured means you are able to verify that the strategy and approach you've taken around securing your environment is being executed well. Most security professionals will tell you that they will take an approach where they built layers of security. They expect certain security layers could be breached and that multiple layers will ultimately provide them enough protection so that it's highly unlikely that a significant breach will occur. But to effectively execute Layered Security, one of the security strategies often deployed is continuous monitoring. Continuous monitoring is one major step in any risk framework as it pertains to Information security. However, continuous monitoring has a unique set of challenges for IT administrators. To create an effective continuous monitoring strategy, agencies need to focus on both the training of personnel and the automation of tasks. To do continuous monitoring effectively, you have to take a holistic approach to security.
Taking the holistic approach does not mean monitoring everything. Monitoring everything makes no sense in the IT realm. Since there is so much data, you literally couldn't make sense of monitoring everything unless you have big data Security analytics. The whole idea in securing your environment is making sure the people, both inside and outside the organization, aren't breaking the rules. There are always people who don't think the rules apply to them and want to do something different. At the end of the day, the continuous monitoring technology and approach ensures people don't do that by flagging activity as it happens.
Additional questions IT administrators should ask when starting a continuous monitoring plan are "What am I already monitoring and what do I want to monitor?" Once that answer is identified, then close that gap in the simplest way that you can, you don't need to buy into big security frameworks or expensive tools. A lot of organizations are already monitoring a lot. For example, you might al-ready have a configuration management tool in place that can provide the data for identifying unauthorized configuration changes on a continuous basis. For Organizations already monitoring, the challenge becomes effectively executing security policies and finding an intelligent means to correlate data. This is where agencies often turn to a Security Information & Event Management (SIEM) solution.
The focus should be on defining Intelligent Metrics with certain foundational elements as described below:
Understand Your IT security Foundation: This foundation includes hardware and software assets, including, routers, switches, physical point-to-point circuits, SANs, management tools, satellite links and wireless hubs.
Know Your Dedicated Defense Assets: These assets are designed only to provide cyber defense. These elements include enterprise virus scanning software, intrusion detection systems, firewalls and PKI.
Identify Your Unique Cyberspace Assets: These assets exist only in cyberspace. Some examples include end-user hardware clients, application servers, web servers, mobile devices, web servers, ERP systems, printers, scanners and application software.
Assets that Leverage Cyberspace: These assets utilize cyberspace, but their primary existence and function is in other domains. Some examples include platforms, support systems and infrastructure.
We have identified 19 potential metrics for Organizations to use, but be cautioned that you must tailor the metrics to meet your needs. Here are the suggested metrics:
1. Percentage of source traffic covered by foundational cyber defense assets in DMZs
2. Currency of enterprise virus signatures
3. Percentage of client systems that have current enterprise virus signatures
4. Percentage of desktops with automated patching
5. Percentage of desktops with automated integrity checking
6. Volume of traffic blocked at border router (segmented by type)
7. Blocked port scan volume at border router
8. Currency of firmware patches for foundational cyber defense assets
9. Known zero day export exposure (publicly known)
10. Uptime and availability for assets
11. Number of cyber attacks that are detected: Viruses, spam, phishing attacks, etc.
12. Assets not patched to current standard
13. Firmware not updated to enterprise standards
14. Assets failing integrity check
15. Non-standard software installations detected
16. Known zero-day exploit exposure (publicly known)
17. Currency of required administrator training
18. Vulnerability scan statistics
19. Source code scan results (where available and applicable)
Information Security is only effective when organizations can baseline and measure success. In order to do so, one must place an emphasis on defining metrics that fit organizational need, and work diligently to identify risks, assess vulnerabilities and create a robust set of metrics to measure success.
Dr. Jagan Vaman PhD CISA CGEIT C|CISO