How Do You Define Continuous Monitoring?
Continuous Monitoring is the buzz of the town these days, especially since the Office of Management and Budget (OMB) issued memorandum M-14-03 last November requiring agencies to establish an information security continuous monitoring program and the Department of Homeland Security (DHS) dangles a $6 billion carrot to implement its Continuous Diagnostics and Mitigation (CDM) program across all of the .gov networks.
As a result, everyone is slapping the continuous monitoring moniker on their product and service offerings in hopes of being able to get a piece of the action. If you ask a dozen people what they mean by continuous monitoring, you’ll get a dozen different answers. While the National Institute of Standards and Technology (NIST) has done a decent job of coming up with an official definition, even they have slightly different definitions in different publications. In NIST Special Publication 800-137, they define it as “Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions”, while in NIST Interagency Report 7756 they define it as “Continuous security monitoring is a risk management approach to Cybersecurity that maintains an accurate picture of an organization’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to measure security, ensure effectiveness of security controls, and enable prioritization of remedies.” All of this adds confusion to an already complex landscape and makes it very difficult for agency heads to understand what they need to do to implement continuous monitoring within their organizations.
Based on our experience working with the Department of Defense and other agencies to implement their continuous monitoring solutions, we’ve distilled all of this complexity into a simple operational reference model that we use to concisely describe continuous monitoring to our clients, depicted in the figure below.
1. POLICY MANAGEMENT
To measure security and the effectiveness of controls, an organization first needs to define what needs to be secured as well as how to secure it. Thus, a continuous monitoring program needs to include policy management capabilities to create, import and manage security policies that define what needs to be secured across the enterprise and the specific controls to secure it.
2. DATA INTEGRATION, CONSUMPTION, AND CORRELATION
To maintain ongoing awareness and provide visibility into assets, data integration, consumption, and correlation capabilities are needed to gather information about an enterprise’s IT assets that often reside in a variety of disparate systems—this is the technical foundation of any continuous monitoring program.
3. ASSET INVENTORY AND CONFIGURATION MANAGEMENT
A continuous monitoring program needs to provide asset inventory and configuration management capabilities that utilize all the data that has been gathered to present an accurate and up-to-date understanding of what’s deployed on the network, e.g., devices, installed software, how things are configured, and who’s using them for what purpose.
4. COMPLIANCE ASSESSMENT
To ensure that security policies and controls are correctly and effectively implemented, a continuous monitoring program should provide compliance assessment capabilities that utilize asset inventory and configuration management data as well as other audit and scan data to evaluate the compliance of the enterprise IT assets against these policies and controls.
5. VULNERABILITY MANAGEMENT
Every day organizations are flooded with a deluge of vulnerability alerts. A continuous monitoring program should provide capabilities to analyze these vulnerabilities, assess which assets are exposed, and help to prioritize which ones to fix based on their potential impact to the enterprise.
6. REMEDIATION AND EXCEPTION MANAGEMENT
As non-compliant items and vulnerabilities are discovered, a continuous monitoring program needs to be able to direct actions and guidance to remediate and mitigate those findings. Not all findings can be fixed, and some may need more time to be fixed, so exception management capabilities are also needed to define exceptions on certain findings or defer fix actions.
7. RISK MANAGEMENT
Finally, a continuous monitoring program needs to take all of the collected data, compliance and vulnerability assessment results, residual findings, and operational impact information and feed that into standard risk scoring algorithms to generate a set of quantitative risk scores that paint an accurate picture of the organization’s security risk posture.
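To make the seven capabilities concrete, here is an added Python walkthrough that is not code from SuprTEK or the PanOptes platform: constructed sample data passes through policy definition, feed correlation, inventory, compliance assessment, vulnerability triage, exception handling and scoring. The control ids, hostnames, vulnerability ids, configuration keys and the additive scoring formula are all assumed placeholders standing in for the "standard risk scoring algorithms" the text mentions.

```python
"""Toy end-to-end pass through the seven-stage continuous monitoring model."""
from collections import defaultdict

# 1. Policy management: constructed controls with hypothetical ids and weights.
POLICY = {
    "SSH-01": {"setting": "ssh_password_auth", "required": "disabled", "weight": 4},
    "UPD-01": {"setting": "auto_updates", "required": "enabled", "weight": 2},
}
# 2. Data integration: two constructed feeds from disparate sources, keyed by host.
CONFIG_FEED = [  # e.g. a configuration scanner export
    {"host": "web01", "ssh_password_auth": "enabled", "auto_updates": "enabled"},
    {"host": "db01", "ssh_password_auth": "disabled", "auto_updates": "disabled"},
]
VULN_FEED = [  # e.g. a vulnerability scanner export; ids are placeholders
    {"host": "web01", "id": "VULN-A", "cvss": 9.8},
    {"host": "db01", "id": "VULN-B", "cvss": 5.3},
    {"host": "db01", "id": "VULN-C", "cvss": 7.5},
]
# 6. Exception management: accepted findings that must not count against risk.
EXCEPTIONS = {("db01", "UPD-01"), ("db01", "VULN-B")}

def build_inventory(config_feed, vuln_feed):
    """3. Correlate both feeds by hostname into a single asset inventory."""
    inventory = defaultdict(lambda: {"config": {}, "vulns": []})
    for row in config_feed:
        inventory[row["host"]]["config"].update({k: v for k, v in row.items() if k != "host"})
    for vuln in vuln_feed:
        inventory[vuln["host"]]["vulns"].append(vuln)
    return dict(inventory)

def assess_compliance(host, asset, policy, exceptions):
    """4. Control ids whose required setting is not met and not under exception."""
    return sorted(cid for cid, ctl in policy.items()
                  if asset["config"].get(ctl["setting"]) != ctl["required"]
                  and (host, cid) not in exceptions)

def open_vulnerabilities(host, asset, exceptions):
    """5. Vulnerabilities still exposed on the asset, most severe first."""
    return sorted((v for v in asset["vulns"] if (host, v["id"]) not in exceptions),
                  key=lambda v: v["cvss"], reverse=True)

def risk_score(host, asset, policy, exceptions):
    """7. Quantitative score: weighted failed controls plus CVSS of open vulns."""
    control_risk = sum(policy[c]["weight"] for c in assess_compliance(host, asset, policy, exceptions))
    vuln_risk = sum(v["cvss"] for v in open_vulnerabilities(host, asset, exceptions))
    return round(control_risk + vuln_risk, 1)

def posture(policy=POLICY, config_feed=CONFIG_FEED, vuln_feed=VULN_FEED, exceptions=EXCEPTIONS):
    """Run the whole pipeline and return {host: score}, highest risk first."""
    inv = build_inventory(config_feed, vuln_feed)
    scores = {h: risk_score(h, a, policy, exceptions) for h, a in inv.items()}
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))
```

Running `posture()` ranks web01 above db01 because db01's failed update control and one of its vulnerabilities are covered by exceptions, which is exactly the effect stage 6 is meant to have on the stage 7 scores.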
For more information on the PanOptes™ Continuous Monitoring Platform or how SuprTEK can assist you with your Continuous Monitoring program, contact us at:
Phone: (703) 564-2012 | Email: [email protected]