Continuous Monitoring and Real Time Risk Scoring

Erich Baumgartner, VP Federal, Q1 Labs – An IBM Company
J.R. Cunningham, Director of Federal Strategy, Accuvant

Post on 14-Jun-2015

Page 1: Continuous Monitoring and Real Time Risk Scoring

Continuous Monitoring and Real Time Risk Scoring

Erich Baumgartner, VP Federal, Q1 Labs – An IBM Company
J.R. Cunningham, Director of Federal Strategy, Accuvant

Page 2: Continuous Monitoring and Real Time Risk Scoring

Meeting the Information Requirements of Federal Agencies

Two-phased compliance and security timeline

Page 3: Continuous Monitoring and Real Time Risk Scoring

Security Intelligence for Continuous Monitoring

• Monitors network changes to detect vulnerabilities in the network
• Changes may be potential threats and policy/compliance violations, resulting in security gaps
• Compares configuration data from network security devices with layer 7 network activity analysis
• Continuously checks rule policy effectiveness and raises alerts
• Provides a single console view of risk exposure needed to meet continuous monitoring requirements (risk management, log management, SIEM, network behavior analysis)
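The comparison of device configuration with layer 7 activity that the slide describes can be illustrated with a small rule-effectiveness check. The code below is an added example written for this transcript, not Q1 Labs or Accuvant code: it matches constructed flow records against a constructed firewall rule set on addresses and port (as the device would), then compares the application observed by layer 7 analysis with the application each rule is meant to permit. Rule names, addresses and flows are all made up for the example; the alert categories (APP_MISMATCH, NO_RULE, STALE_RULE) are hypothetical labels, not product terms.

```python
"""Rule-effectiveness check: configured policy vs observed layer 7 activity.

Added example with constructed data; not code from the presentation or product.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ipaddress


@dataclass
class Rule:
    name: str                    # hypothetical rule identifier
    src: str                     # source CIDR
    dst: str                     # destination CIDR (host or network)
    port: Optional[int]          # None matches any destination port
    expected_app: Optional[str]  # layer 7 application the rule is meant to permit
    action: str                  # "allow" or "deny"


@dataclass
class Flow:
    src: str
    dst: str
    port: int
    app: str                     # application label produced by layer 7 analysis


def l4_match(rule: Rule, flow: Flow) -> bool:
    """Match the way the device itself does: addresses and port only."""
    return (ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
            and (rule.port is None or rule.port == flow.port))


def evaluate(rules: List[Rule], flows: List[Flow]) -> Dict[str, object]:
    """Count hits per rule (first match wins) and raise three kinds of alert:
    APP_MISMATCH  - a rule matched but layer 7 saw a different application
    NO_RULE       - traffic fell through to the default policy
    STALE_RULE    - a configured rule matched nothing in this window
    """
    hits = {r.name: 0 for r in rules}
    alerts: List[str] = []
    for flow in flows:
        rule = next((r for r in rules if l4_match(r, flow)), None)
        if rule is None:
            alerts.append(f"NO_RULE {flow.src}->{flow.dst}:{flow.port} "
                          f"({flow.app}) hit the default policy")
            continue
        hits[rule.name] += 1
        if rule.expected_app is not None and flow.app != rule.expected_app:
            alerts.append(f"APP_MISMATCH rule {rule.name} expects "
                          f"{rule.expected_app}, observed {flow.app} from {flow.src}")
    stale = [name for name, n in hits.items() if n == 0]
    for name in stale:
        alerts.append(f"STALE_RULE {name} matched no traffic in this window")
    return {"hits": hits, "stale": stale, "alerts": alerts}


# Constructed sample policy and traffic (hypothetical addresses and rule names).
RULES = [
    Rule("R1", "10.1.0.0/16", "10.2.0.10", 443, "https", "allow"),
    Rule("R2", "10.1.0.0/16", "10.2.0.20", 22, "ssh", "allow"),
    Rule("R3", "10.3.0.0/24", "10.2.0.30", 3306, "mysql", "allow"),  # never used
]
FLOWS = [
    Flow("10.1.5.5", "10.2.0.10", 443, "https"),   # matches R1 as intended
    Flow("10.1.5.6", "10.2.0.10", 443, "ssh"),     # R1 allows it, but it is not https
    Flow("10.1.7.7", "10.2.0.20", 22, "ssh"),      # matches R2 as intended
    Flow("10.9.9.9", "10.2.0.10", 443, "https"),   # no explicit rule; default policy
]


def demo() -> Dict[str, object]:
    return evaluate(RULES, FLOWS)


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

The first-match loop mirrors ordered rule processing on a typical device; a real deployment would feed the same function from exported rule bases and flow records on a schedule, which is what makes the check continuous rather than a one-off audit.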

Page 4: Continuous Monitoring and Real Time Risk Scoring

Continuously Manage Risk with Security Intelligence

Move beyond traditionally reactive security management

• Multi-vendor network configuration monitoring & audit
• Automated compliance and risk assessment
• Predictive threat modeling & simulation

Risk Indicators: Configuration/Topology, Network Activity, Vulnerability Management

Network & vulnerability context

Page 5: Continuous Monitoring and Real Time Risk Scoring

Accuvant & Q1 Labs

Traditional SVARs: Technology Driven

Traditional Consulting: Audit/Compliance Driven

Page 6: Continuous Monitoring and Real Time Risk Scoring

J.R. Cunningham, Accuvant

Page 7: Continuous Monitoring and Real Time Risk Scoring

What is Continuous Monitoring?

“…determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time…” NIST SP 800-37

Page 8: Continuous Monitoring and Real Time Risk Scoring

Why is Continuous Monitoring Critical? (Beyond the Obvious Answer – “It’s Required”)

• Intelligent Cyber Security – Applying countermeasures to only systems needing those controls
• Threat Intelligence – Understanding as much about the enemy and threat vectors as possible
• Acquisition excellence – find the “big ROI”
• Situational Awareness – decision superiority delivered with “speed of need”

“If an agency has $1 to spend today, where should they spend it and why?”

Page 9: Continuous Monitoring and Real Time Risk Scoring

Continuous Monitoring and Situational Awareness

[Diagram: Threat / Countermeasure]

Threats: Malware, Insider Threat, Device/Data Theft, Leakage, DDoS, Espionage

Countermeasures: Endpoint Protection, Network Defenses, Encryption, DLP, SIEM, RBAC

Situational Awareness

Page 10: Continuous Monitoring and Real Time Risk Scoring

Choosing Meaningful Metrics

Organizational Data:
Vulnerability & Patch Management
Software & Data Asset Management
Network & Configuration Management
Compliance & Audit Management
Security Information & Event Management

• Accurate
• Repeatable
• Potential for Risk Relevance (either alone or with other data)
• Should be known in industry
• Not Necessarily Actionable
• Can sometimes validate or invalidate other data

Page 11: Continuous Monitoring and Real Time Risk Scoring

Industry Standard Metrics (measurablesecurity.mitre.org)

Page 12: Continuous Monitoring and Real Time Risk Scoring

Finding the Risk Relevant Data

Organizational Data:
Vulnerability & Patch Management
Software & Data Asset Management
Network & Configuration Management
Compliance & Audit Management
Security Information & Event Management

Risk Relevant Data:
• Some level of aggregation
• Also a repeatable process
• Begins to inform SA
• Not necessarily actionable
• Centrally managed

Page 13: Continuous Monitoring and Real Time Risk Scoring

Security Intelligence Across the Infrastructure – Anomaly Detection

Page 14: Continuous Monitoring and Real Time Risk Scoring

Squelching the Noise

Page 15: Continuous Monitoring and Real Time Risk Scoring

Informative and Actionable Output

Q1 Report Screen Here

Page 16: Continuous Monitoring and Real Time Risk Scoring

Pre-built NIST reporting

Page 17: Continuous Monitoring and Real Time Risk Scoring

Risk Based Decisions

* NIST SP 800-39

Page 18: Continuous Monitoring and Real Time Risk Scoring

What to do next?

• Watch our recent webcasts: http://q1labs.com/resource-center/media-center.aspx
• Download the “Gartner SIEM Critical Capabilities” report: http://q1labs.com/resource-center/analyst-reports/details.aspx?id=17
• Download the “Continuous Monitoring for Government Agencies” paper: http://q1labs.com/resource-center/white-papers/details.aspx?id=137
• Read our blog: http://blog.q1labs.com/
• Follow us on Twitter: @q1labs @ibmsecurity

Page 19: Continuous Monitoring and Real Time Risk Scoring

More info: [email protected]
Twitter: @q1labs @accuvant
Blog: blog.q1labs.com

Thank You!