bit defender ebook_secmonitor_print

Continuous Security Monitoring in a Continuous World
Threats are moving quickly, so cybersecurity efforts need to keep up.

Upload: james-morris

Post on 18-Jan-2017

Page 2

The massive moving forces of innovation and security threats today are crushing the average enterprise IT department.

The Twin Forces of Change in IT

On one side, the evolution of network systems continues to accelerate at lightning speed. Cloud, virtualization, containerization, big data analytics, mobility, and the Internet of Things are now constantly rewriting the rules of connectivity and data governance.

On the other, attackers seek to keep enterprises on their back feet by changing their techniques just as rapidly, if not more so.

On their own, each of these dynamic forces would be painful to contend with.

Together, these parallel trends threaten the entire enterprise’s bottom line.

The only way for IT to adapt their networks to the twin forces of change in technology is to ensure that security evolves just as quickly as the infrastructure and the threats. The only way for this kind of dynamic security to take hold is through continuous security monitoring.

Page 3

As you know, today’s enterprises are highly virtualized, with servers and applications continuously being integrated, deployed, and updated. Workloads shift from public cloud infrastructure to on-premise storage systems and back again, while your users are connecting new and more devices every day.

Couple those agile and ever-changing systems, and the increased likelihood of security-related errors they bring, with skilled and persistent attackers, and the risk of breached and disrupted systems increases dramatically.

With all those factors considered, it is undeniable that manual security measures just can’t ensure that systems and applications remain managed in line with internal security policies and hardened against attack. Additionally, modern IT practices such as DevOps mean that applications and infrastructure change more rapidly than ever before. As fast as systems are being developed, deployed, and updated, security checks need to be run in parallel and just as swiftly. Gone are the days of running monthly security assessments.

This is the only way that enterprises can expect to successfully defend themselves against attackers now.

Page 4

The lessons of recent cybersecurity history are also unambiguous:

Compliance-driven and reactive information security efforts will not succeed at mitigating system vulnerabilities and threats to a tolerable state.

Networked business-technology assets need to be inventoried, configured, and maintained; their vulnerabilities must be identified and mitigated; and they need to be vetted constantly for signs of malware and compromise. If these processes can’t be automated, they can’t be managed successfully.

But it can be daunting to figure out where or how to start a Continuous Security Monitoring (CSM) effort. Some enterprises try to tackle too much at once, and give up once they start. Others decide it is too overwhelming, and they don’t start at all. That’s not good, but it’s why we wrote this guide.

Page 5

Start Building Momentum with a Framework

While CSM hasn’t necessarily taken hold of the mainstream, there are plenty of thought leaders in both private and government sectors who realize the importance of automating and monitoring as many security processes as possible. They understand that this kind of automation not only reduces data breach risks but makes it possible to identify and stop potential attacks when suspicious activities are spotted.

These folks have led the way in developing a number of excellent resources and frameworks that can help you get going on the path to continuous monitoring.

GET STARTED WITH NIST

One great place to get started is the NIST Special Publication Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (SP 800-137). Most of its advice is applicable to all large enterprises, not just government environments, and it provides extremely helpful guidance.

PCI IS ALSO HELPFUL

Another area where CSM has gained traction is in the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is also a broad set of security controls, but is aimed at protecting payment cardholder data. PCI DSS also stresses the ability to understand the daily system and application changes within any aspect of the enterprise.

CDM Framework

One effort that is well underway is the U.S. government’s Continuous Diagnostics and Mitigation (CDM) program. Originated in the U.S. Department of Homeland Security and created by Congress, CDM provides federal departments and agencies with what they need to know to put effective continuous security controls in place. CDM is a standardized way for federal entities to manage the threats and vulnerabilities that matter, based on the potential and likelihood of impact.

Also, unlike FISMA, which has been widely criticized for being an exercise in security paper shuffling and check boxing, CDM aims to help U.S. federal organizations better protect users, software, networks, and infrastructure by continuously examining their information technology systems for vulnerabilities and threats.

Page 6

SOURCE: U.S. Department of Homeland Security. Last Published Date: November 6, 2015

The Three Primary Phases of Continuous Diagnostics and Mitigation

PHASE 1: Identify and Manage Assets
  HWAM: Hardware Asset Management
  SWAM: Software Asset Management
  CSM: Configuration Settings Management
  VUL: Vulnerability Management

PHASE 2: Least Privilege and Infrastructure Integrity
  TRUST: Access Control Management (Trust in People Granted Access)
  BEHV: Security-Related Behavior Management
  CRED: Credentials and Authentication Management
  PRIV: Privileges

PHASE 3: Boundary Protection and Event Management for Managing the Security Lifecycle
  PLAN: Plan for Events
  RESPOND: Respond to Events
  AUDIT/MONITOR: Generic Audit/Monitoring
  DOCUMENT: Document Requirements, Policy, etc.
  Boundary Protection (Network, Physical, Virtual)
  QM: Quality Management

RISK MANAGEMENT

Page 7

The government isn’t moving alone. The private sector is also embracing CSM frameworks in areas such as continuous improvement and automated testing in DevOps and the automating of the SANS 20 Critical Controls. Many enterprises are turning to the SANS 20 Critical Controls and using them to automate asset management, configuration management, vulnerability management, anti-malware, and data loss prevention, among other controls. The effort was informed by a number of international organizations and U.S. agencies and is currently managed within the SANS Institute.

SANS 20 Critical Controls

SOURCE: SANS

1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises

Page 8

5 Key Components Of Continuous Security Monitoring

Regardless of the framework you choose, there are typically five key components to an effective continuous monitoring program. As you build out your toolset to move toward continuous monitoring, keep in mind that this doesn’t have to be a complete transformation. In many cases you’re probably already using many of these tools in your information security program.

Asset Management

Configuration Management

Vulnerability Management

Access Control

Incident Response

Page 9

Asset Management

Asset management software comprises all of the tools used to manage and inventory corporate-owned and corporate-used devices and applications.

These include simple inventory management and asset-auditing software that is used to identify all authorized hardware and is able to quickly identify unauthorized hardware.

It is highly unlikely that any unauthorized devices are managed to any enterprise security policy. They are likely not only vulnerable to being breached but already breached. It’s imperative that they be identified and either brought to policy standard or removed from the network.
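The reconciliation the page describes (identify everything authorized, flag everything that is not, keep doing it) is small enough to show end to end. The following is an added example, not code from the Bitdefender ebook: the authorized inventory, the two discovery snapshots, the MAC addresses and the hostnames are all constructed sample data, and the `managed` flag is an assumed attribute standing in for "this device is enrolled in policy management". It classifies each scan against the inventory and then reports only what is new since the previous run, which is what a continuous job should alert on.

```python
"""Asset-inventory reconciliation for continuous monitoring.

Added example, not code from the Bitdefender ebook. The authorized inventory and
the two discovery snapshots below are constructed sample data; the MAC addresses
and hostnames are placeholders.
"""
from dataclasses import dataclass

# Constructed authorized inventory: MAC address -> hostname and whether the
# device is enrolled in policy management (agent installed, config enforced).
AUTHORIZED = {
    "00:11:22:aa:bb:01": {"host": "web-01", "managed": True},
    "00:11:22:aa:bb:02": {"host": "db-01", "managed": True},
    "00:11:22:aa:bb:03": {"host": "laptop-jdoe", "managed": False},
}

# Constructed discovery snapshots, as a network scanner might report them on
# two successive runs. Between T0 and T1, db-01 went quiet and an unknown
# device appeared.
SCAN_T0 = [
    {"mac": "00:11:22:aa:bb:01", "ip": "10.0.0.10"},
    {"mac": "00:11:22:aa:bb:02", "ip": "10.0.0.11"},
    {"mac": "00:11:22:aa:bb:03", "ip": "10.0.0.50"},
]
SCAN_T1 = [
    {"mac": "00:11:22:aa:bb:01", "ip": "10.0.0.10"},
    {"mac": "00:11:22:aa:bb:03", "ip": "10.0.0.50"},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.0.99"},
]


@dataclass(frozen=True)
class Finding:
    severity: str   # high / medium / low
    kind: str       # unauthorized_device / unmanaged_device / missing_device
    mac: str
    detail: str


def reconcile(authorized, scan):
    """Compare one discovery snapshot against the authorized inventory."""
    findings = []
    seen = {d["mac"] for d in scan}
    for d in scan:
        entry = authorized.get(d["mac"])
        if entry is None:
            # Not in the inventory at all: nobody vouches for it, treat as hostile.
            findings.append(Finding("high", "unauthorized_device", d["mac"],
                                    f"unknown device seen at {d['ip']}"))
        elif not entry["managed"]:
            # Known, but not held to policy: bring to standard or remove.
            findings.append(Finding("medium", "unmanaged_device", d["mac"],
                                    f"{entry['host']} is not under policy management"))
    for mac, entry in authorized.items():
        if mac not in seen:
            # Inventory says it exists, the scan did not see it: stale record or outage.
            findings.append(Finding("low", "missing_device", mac,
                                    f"{entry['host']} not observed in this scan"))
    return findings


def new_since(previous, current):
    """Findings that appeared since the last run: the ones worth an alert now."""
    already = {(f.kind, f.mac) for f in previous}
    return [f for f in current if (f.kind, f.mac) not in already]


if __name__ == "__main__":
    t0 = reconcile(AUTHORIZED, SCAN_T0)
    t1 = reconcile(AUTHORIZED, SCAN_T1)
    for f in new_since(t0, t1):
        print(f"[{f.severity}] {f.kind} {f.mac}: {f.detail}")
```

Run against the two constructed snapshots, the first pass flags only the unmanaged laptop; the second pass raises the unknown device as high severity and the missing database server as low severity, and `new_since` suppresses the laptop because it was already reported. Keying suppression on (kind, MAC) rather than on the whole finding is deliberate: an IP change on an already-reported device is not a new event.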

Page 10

Configuration Management

Your software configuration management process is how you identify software and system configurations, and either confirm that they are being managed to policy or find that they are deficient and need to be corrected.

Certainly, misconfigurations of IT assets need to be kept to a minimum. Your attackers will scan your systems looking for such misconfigured assets and take advantage of them to gain a foothold on the network. Even if those vulnerable systems are not their primary target, they will infiltrate them and use them as a foothold to dig deeper.

Page 11

Vulnerability Management

Here, you assess for software vulnerabilities within your networked devices, remedy those that are identified (especially the critical-level vulnerabilities), and then test that patches and updates have been successfully applied.

Hopefully, if you run an enterprise of any size, you have a vulnerability management program in place.

Software weaknesses are a common way through which adversaries seek to gain entry onto networked devices.
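The last step on this page, testing that patches were actually applied, is the one most often skipped, and the usual pitfall is comparing version strings lexically. The following is an added example, not code from the Bitdefender ebook: the requirement list, the per-host inventory and the advisory references are constructed placeholders, and the inventory format is an assumption about what a package-inventory agent would report. It checks every host's installed versions against the minimum fixed version for each requirement and returns the outstanding items, most severe first.

```python
"""Verify that required patches are in place, from an installed-version inventory.

Added example, not code from the Bitdefender ebook. The requirement list and the
per-host inventory are constructed sample data; the advisory references are
placeholders, not real advisories.
"""
import re
from typing import NamedTuple


class Requirement(NamedTuple):
    package: str
    fixed_in: str   # minimum version that carries the fix
    severity: str
    ref: str        # ticket or advisory reference (placeholder here)


# Constructed "must be at or above" list.
REQUIREMENTS = [
    Requirement("openssl", "1.1.1k", "critical", "ADV-PLACEHOLDER-1"),
    Requirement("nginx", "1.20.1", "high", "ADV-PLACEHOLDER-2"),
    Requirement("curl", "7.79.0", "medium", "ADV-PLACEHOLDER-3"),
]

# Constructed per-host inventory of installed versions, as a package-inventory
# agent would report it after the patch run.
INVENTORY = {
    "web-01": {"openssl": "1.1.1k", "nginx": "1.20.1", "curl": "7.79.1"},
    "web-02": {"openssl": "1.1.1j", "nginx": "1.20.10", "curl": "7.9.0"},
    "db-01": {"openssl": "1.1.1l"},
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def version_key(version):
    """Turn '1.1.1k' into a tuple that compares numerically, not lexically.

    Plain string comparison gets this wrong: '7.9.0' > '7.79.0' as strings,
    and '1.20.10' < '1.20.1' as strings. Digit runs become ints, letter runs
    (OpenSSL-style patch letters) stay strings; the first element of each
    pair keeps ints and strings from ever being compared with each other.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_patched(installed, fixed_in):
    """True when the installed version is at or above the fixed version."""
    return version_key(installed) >= version_key(fixed_in)


def outstanding(inventory, requirements):
    """Hosts still below the fixed version, most severe first."""
    findings = []
    for host, packages in inventory.items():
        for req in requirements:
            installed = packages.get(req.package)
            if installed is None:
                continue  # package not present on this host, nothing to patch
            if not is_patched(installed, req.fixed_in):
                findings.append({"host": host, "package": req.package,
                                 "installed": installed, "fixed_in": req.fixed_in,
                                 "severity": req.severity, "ref": req.ref})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"]))
    return findings


if __name__ == "__main__":
    for f in outstanding(INVENTORY, REQUIREMENTS):
        print(f"[{f['severity']}] {f['host']}: {f['package']} {f['installed']} "
              f"< {f['fixed_in']} ({f['ref']})")
```

On the constructed data, web-02 is reported twice (openssl at critical, curl at medium) while its nginx 1.20.10 correctly passes against 1.20.1. Sorting by severity first makes the output usable as a work queue; a real deployment would feed the same structure into the dashboard the ebook describes rather than print it.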

Page 12

Access Control

Good access control is critical to success. The size and scope of these efforts are largely determined by the size of the enterprise, the number of employees, and the services they need access to. This typically includes everything from physical building and data center access to providing enterprise resources such as phones, desks, email, etc., and everything in between.

These are the processes that automate the provisioning and de-provisioning of users and devices to the network, systems, and enterprise resources.

This also includes the automated management and monitoring of identity access privileges (no greater authority for access than is necessary) and of superuser access, such as that required for administrative rights.

Page 13

Incident Response

For this, enterprises need to automate the detection of breaches as much as possible, and have response capabilities in place to act to the degree necessary. Some breaches may require little manual response, perhaps pushing a new machine image out to an endpoint. Others may require extensive forensic analysis, remediation, and cleanup effort.

If an enterprise is going to be looking for indicators of breach and compromise, it needs to have effective ways to swiftly and adequately deal with those incidents.

Page 14

Pulling the technology together: Continuous Security Monitoring Platform

Enterprises that embark on the path to continuous security monitoring are going to be collecting and managing a lot of data. A lot of data. It will be coming from network monitoring tools, intrusion detection systems, management consoles, compliance and configuration management toolsets, and so forth.

You will need a way to collect this data, analyze it, visualize it, and actually respond to it.

This will likely be a combination of existing toolsets, some snappy API and integration work, and maybe even building new custom tools.

Page 15

In interviews with CISOs, many enterprises report turning to their vulnerability management systems, which track a lot of system vulnerabilities, networked assets, and configuration settings. Others have turned to security information and event management systems, configuration management systems, and log management systems. And as these programs are built out, most of these tools are used in conjunction, with their outputs fed to data analysis and dashboard tools.

Realistically, as you build your CSM program out, you will have various siloed sets of information that, over time, you will pull together to build a real-time ability to continuously monitor and react to system conditions.

Page 16

Automate everything you can, and then automate more

Where do you start automating your CSM program? There are many approaches, such as automating what you currently have the tools to automate: regular vulnerability assessments, patch and antimalware updates, reporting and alerting, and so on. Another way is to identify the most critical assets and continuously monitor those and, over time, build that program out to the rest of the organization.

Some enterprises are automating based on the federal CDM, others on PCI DSS (for payment card data), and still others are looking at automating the 20 Critical Security Controls. The 20 Critical Controls were made specifically for IT security professionals and provide straightforward, risk-based implementation guidance.

These controls stand on four pillars:

Focus on continuous monitoring to test and evaluate remediation

Provide common metrics that all stakeholders can understand

Automate processes

Use knowledge of actual attacks to build defenses

Page 17

That includes automating the maintenance of authorized and unauthorized device asset inventory, software, security device configurations, and continuous vulnerability assessment and remediation.

Organizations report that the 20 Critical Controls are very effective at helping them to select the right security technologies and then implement, configure, monitor, and manage a better information security program. And the critical controls of course strongly encourage automating controls enforcement wherever possible.

Page 18

Getting started with CSM

So, where do you begin your continuous security monitoring efforts? When looking at your environment in its entirety, with an eye toward monitoring everything all of the time, it can appear overwhelming. And the reality is that you can’t start monitoring everything all at once. Choices need to be made about where to start: which endpoints, servers, and applications need the most oversight, and where a breach would cause the most damage.

This is why, when deciding where to start your continuous monitoring efforts, the first place to look could be where those who would attack you also may look first. What data or resources would attackers most likely want to target? Is it your intellectual property? The customer data you hold? Perhaps you won’t be the direct target; the attackers may be looking to infiltrate high-value partners. Your security teams need to begin monitoring your most valued assets for potential attack paths. This includes network and system logs and traffic, looking for anomalous behavior, as well as your system configurations.

Attackers aren’t the only threat. The risks around regulatory compliance also rise in rapidly changing environments. Here, you need to take inventory of your assets and applications that touch regulated data. For compliance, you will need to consider continuously monitoring your asset configurations and event logs for any deviations from your compliance and security policy.

Page 19

The key is to focus on monitoring and protecting the most important assets and applications. You’ll need to work closely with audit and compliance teams, operations teams, business application owners, and security teams to identify these assets. Essentially, aim to identify the most critical and valuable systems and data, as well as those that fall under the purview of regulatory compliance, and start your continuous monitoring efforts there.

When implementing continuous security and regulatory compliance monitoring of your high-value assets, include their configurations and the status of security technologies such as anti-malware, network and application firewalls, data leak prevention technologies, etc.

From here, you are going to need to automate as many of your security controls as you can, while also monitoring their configurations to ensure that they are managed consistently across all environments. Are your network configurations identical from one cloud to another? Do your wireless LANs have the same security posture? Are those servers classified at the same risk levels set to similar security configurations? And so on. In this way automation will help you to attain consistency throughout your environment.
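The three questions above (identical across clouds? same posture? same-tier servers configured alike?) can be answered by one check over collected configurations. The following is an added example, not code from the Bitdefender ebook: the tiered baseline, the observed server records and the setting names such as `ssh.password_auth` and `tls.min_version` are constructed and illustrative, not a real product's schema. It reports each server's deviations from the baseline for its risk tier, treating a setting that was never collected as a deviation rather than silently skipping it, and separately reports settings whose value differs between environments for servers of the same tier.

```python
"""Configuration-consistency checks across environments and risk tiers.

Added example, not code from the Bitdefender ebook. The baseline and the
observed server configurations are constructed sample data; the setting names
(ssh.password_auth, tls.min_version, ...) are illustrative keys, not a real
product's schema.
"""

# Constructed baseline: settings every server of a given risk tier must carry.
BASELINE = {
    "high": {
        "ssh.password_auth": "no",
        "tls.min_version": "1.2",
        "log.forwarding": "enabled",
        "firewall.default_inbound": "deny",
    },
    "standard": {
        "ssh.password_auth": "no",
        "log.forwarding": "enabled",
    },
}

# Constructed observed state, one record per server as a config-collection
# job might report it. api-1 and api-2 are the same role in two clouds.
SERVERS = [
    {"name": "api-1", "env": "cloud-a", "tier": "high",
     "config": {"ssh.password_auth": "no", "tls.min_version": "1.2",
                "log.forwarding": "enabled", "firewall.default_inbound": "deny"}},
    {"name": "api-2", "env": "cloud-b", "tier": "high",
     "config": {"ssh.password_auth": "no", "tls.min_version": "1.0",
                "log.forwarding": "enabled"}},   # firewall setting never collected
    {"name": "batch-1", "env": "cloud-a", "tier": "standard",
     "config": {"ssh.password_auth": "yes", "log.forwarding": "enabled"}},
]


def policy_deviations(servers, baseline):
    """Every (server, setting) where the observed value is not the required one.

    A setting missing from the collected config is reported with got=None
    rather than skipped: "not collected" is itself a gap in monitoring coverage.
    """
    deviations = []
    for s in servers:
        required = baseline[s["tier"]]
        for key, want in required.items():
            got = s["config"].get(key)
            if got != want:
                deviations.append({"server": s["name"], "env": s["env"],
                                   "setting": key, "want": want, "got": got})
    return deviations


def cross_env_drift(servers, tier):
    """Settings whose value differs between environments for one risk tier.

    Returns {setting: {value: {envs}}} restricted to settings with more than
    one observed value, which answers "is cloud-a configured like cloud-b?"
    even for settings the baseline does not mention.
    """
    observed = {}
    for s in servers:
        if s["tier"] != tier:
            continue
        for key, value in s["config"].items():
            observed.setdefault(key, {}).setdefault(value, set()).add(s["env"])
    return {k: v for k, v in observed.items() if len(v) > 1}


if __name__ == "__main__":
    for d in policy_deviations(SERVERS, BASELINE):
        print(f"{d['server']} ({d['env']}): {d['setting']} should be "
              f"{d['want']!r}, got {d['got']!r}")
    for key, values in cross_env_drift(SERVERS, "high").items():
        print(f"drift in {key} across high-tier servers: {values}")
```

On the constructed data the baseline check finds api-2's TLS floor and its uncollected firewall setting plus batch-1's password authentication, while the drift check isolates `tls.min_version` as the one setting on which the two clouds disagree. Running both on every collection cycle, and diffing against the previous cycle as in the asset example, turns a one-off audit into the continuous check the page calls for.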

Page 20

CONCLUSION

Building an effective CSM program isn’t something that will happen overnight. But, as you automate certain processes, you just need to make certain those processes remain automated and in good shape. Use the time saved to automate the next set of security processes and feed the status into a dashboard or, initially, a set of dashboards. In time, you will eventually automate your entire program.

So what will this continuous security and regulatory compliance monitoring do for you? Plenty, when it comes to building a resilient environment.

When continuously deploying new applications, you will be introducing new mistakes into the environment, and by continuously monitoring your environment you’ll be finding new security errors as they are introduced. So, while you will be moving as quickly as you can, you will be bringing your security efforts along with you through your CSM program.

About Bitdefender

Bitdefender is a global security technology company that delivers solutions in more than 100 countries through a network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced award-winning business and consumer security technology, and is a leading security provider in virtualization and cloud technologies. Through R&D, alliances and partnership teams, Bitdefender has elevated the highest standards of security excellence in both its number-one-ranked technology and its strategic alliances with the world’s leading virtualization and cloud technology providers.

www.bitdefender.com

www.bitdefender.com/business

businessinsights.bitdefender.com