We have all heard the excuse that continuous monitoring is impractical. That may be true for a few devices in your environment, but it does not hold for all of them. Intermittent analysis leaves a window for attackers, and it is a window most organizations cannot afford. Since not every attack on your servers can be prevented, what you can do is make sure those threats are detected and mitigated as quickly as possible.
Continuous network monitoring has been gaining momentum, driven by compliance mandates, notably PCI DSS and the US federal Continuous Diagnostics and Mitigation (CDM) program, and by the need to protect sensitive data on organizational servers by moving from periodic assessment to a proactive posture against cyber threats. The trend is a sensible one, because attacks can proliferate rapidly inside a network.
What Cyber Security Experts Mean by Continuous Monitoring
Among the many definitions of security monitoring in circulation, the most useful approach is risk-based: identify the critical devices, and assess and monitor them continuously. "Continuous" here means uninterrupted, not merely frequent.
Classification of Assets
Now that it is clear that continuous monitoring is required for critical devices, while periodic assessment may suffice for the rest, you need to determine which assets fall into which category.
That starts with an ongoing discovery process that detects new assets on your network, because as a security manager you cannot monitor, let alone protect, assets you do not know about. Discovery can be done by actively scanning the network address space for new devices, or by passively monitoring the network's traffic for hosts that have not been seen before.
In practice you will likely use both. Either way, complete awareness of the network's topology is a prerequisite for successful continuous monitoring. The second crucial factor is a consistent and objective approach to classifying those assets. There are many ways to classify, but assets are usually prioritized by the criticality of the business or organizational function they support.
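As an added example (not code from the original article or its author), the following Python script reconciles the two discovery sources described above against a known asset inventory: it parses constructed active-scan output and constructed passive flow records, flags observed hosts that are missing from the inventory, flags inventoried hosts that were never observed, and assigns each asset a monitoring cadence from its criticality tag. The inventory, host names, scan lines, flow records and the criticality-to-cadence mapping are all assumptions made up for the illustration, and treating unclassified hosts as critical until someone classifies them is a design choice of this example, not a claim from the article.

```python
"""Reconcile discovered hosts against an asset inventory and derive a
monitoring cadence per asset. Added example with constructed data."""
import ipaddress
from typing import Dict, List, Set

# Constructed inventory (hypothetical names): IP -> name and criticality tag.
INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.1.10": {"name": "db-prod-01", "criticality": "critical"},
    "10.0.1.11": {"name": "app-prod-01", "criticality": "critical"},
    "10.0.2.20": {"name": "print-srv-01", "criticality": "low"},
    "10.0.2.21": {"name": "legacy-share-01", "criticality": "medium"},
}

# Constructed active-scan output in the style of a ping sweep; only the
# "scan report for <ip>" lines matter here (hostname forms are not handled).
ACTIVE_SCAN = """\
Starting scan at 2024-01-01 00:00
Nmap scan report for 10.0.1.10
Nmap scan report for 10.0.1.11
Nmap scan report for 10.0.1.12
"""

# Constructed passive flow records: "src_ip dst_ip dst_port", one per line.
PASSIVE_FLOWS = """\
10.0.2.20 10.0.1.10 5432
10.0.3.77 10.0.1.11 443
10.0.1.12 10.0.1.10 5432
garbage line that should be ignored
"""

# Assumed mapping from criticality to review cadence; "continuous" means
# uninterrupted monitoring, the other values are periodic assessment intervals.
CADENCE: Dict[str, str] = {
    "critical": "continuous", "high": "daily", "medium": "weekly", "low": "monthly",
}


def _is_ip(token: str) -> bool:
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_active_scan(text: str) -> Set[str]:
    """Collect IPs from 'Nmap scan report for <ip>' lines."""
    prefix = "Nmap scan report for "
    hosts: Set[str] = set()
    for line in text.splitlines():
        if line.startswith(prefix):
            candidate = line[len(prefix):].strip()
            if _is_ip(candidate):
                hosts.add(candidate)
    return hosts


def parse_passive_flows(text: str) -> Set[str]:
    """Collect both endpoints of every well-formed flow record."""
    hosts: Set[str] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and _is_ip(parts[0]) and _is_ip(parts[1]):
            hosts.update(parts[:2])
    return hosts


def reconcile(inventory: Dict[str, Dict[str, str]], observed: Set[str]) -> Dict[str, object]:
    """Compare observed hosts with the inventory and build a monitoring plan."""
    known = set(inventory)
    by_ip = ipaddress.ip_address
    unknown: List[str] = sorted(observed - known, key=by_ip)  # seen, not inventoried
    silent: List[str] = sorted(known - observed, key=by_ip)   # inventoried, not seen
    plan = {ip: CADENCE[meta["criticality"]] for ip, meta in inventory.items()}
    for ip in unknown:
        plan[ip] = "continuous"  # unclassified: watch continuously until triaged
    return {"unknown": unknown, "silent": silent, "plan": plan}


def run_example() -> Dict[str, object]:
    observed = parse_active_scan(ACTIVE_SCAN) | parse_passive_flows(PASSIVE_FLOWS)
    return reconcile(INVENTORY, observed)


if __name__ == "__main__":
    result = run_example()
    print("Not in inventory (classify now):", result["unknown"])
    print("In inventory but not observed  :", result["silent"])
    for ip, cadence in sorted(result["plan"].items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        print(f"{ip:<12} {cadence}")
```

The two lists are the actionable output: "unknown" hosts are candidates for classification (and, until then, for continuous monitoring), while "silent" hosts are either offline, decommissioned without updating the inventory, or evading both discovery methods, each of which deserves a follow-up.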
Situations that Demand Continuous Monitoring
Only by looking at the specific cases that drive continuous system monitoring can we understand why leading organizations demand it. Most of the projects you will find aim at one of three things: meeting federal compliance standards for document submission, tracking changes made to sensitive systems, or, most importantly, detecting threats and attacks.
The attack-detection case is bigger, broader, and far harder than monitoring and managing change; compliance is the least sophisticated of the three.
Richard Pethia, director of the CERT Coordination Center at Carnegie Mellon University, recently stated, "Nowadays, commercial cyber security software's technologies are riddled with loopholes. The sheer numbers of vulnerabilities cyber criminals can exploit are overwhelming." Lessons from the not too distant past bear this out: such vulnerabilities enabled worms and viruses, as well as other automated and manual attacks, that inflicted damage amounting to hundreds of millions of dollars.
More specifically, US federal agencies have suffered dozens of network intrusions or major data breaches since 2007. The infamous attack on eBay exposed the personal data of 233 million users to cyber criminals. Other incidents were Distributed Denial of Service (DDoS) attacks; less serious in the scale of damage wrought, they are damaging nonetheless, and even where the financial loss is small they can ruin the reputation of well-established organizations. Feedly and Domino's Pizza are examples. Here the breadth of the problem becomes clear.
Every organization needs a proactive approach to protect sensitive data, first for the privacy of its clients and customers, and then for its own survival. Reactive response and proactive, continuous monitoring are not opposing forces. Rather, an appropriate balance must be struck between the resources you devote to proactive deterrence of attacks and those you devote to reacting to intrusions.
Whatever balance you settle on, your organization should keep an effective patching process in place and have its networks scanned regularly by a vulnerability assessment program. These two are perhaps the most crucial components of continuous security monitoring.
Shift from passive to active: how long until a cyber criminal realizes your organization's hack value? Be CyberActive and cover your bases, responding swiftly to business-disrupting threats.
About the Author
Giles Witherspoon-Boyd is a certified PCI Professional (PCIP) with years of experience in helping companies secure their critical IT assets and comply with mandatory security compliance requirements. Giles is also the President of Kaizen Data Security Group and the strategic security consultant for Paladion's Enterprise Security Services.