
Uploaded by tieu-luu, posted 31-Jul-2015


How Do You Define Continuous Monitoring?

Continuous Monitoring is the buzz of the town these days, especially since the Office of Management and Budget (OMB) issued memorandum M-14-03 last November requiring agencies to establish an information security continuous monitoring program and the Department of Homeland Security (DHS) dangles a $6 billion carrot to implement its Continuous Diagnostics and Mitigation (CDM) program across all of the .gov networks. As a result, everyone is slapping the continuous monitoring moniker on their product and service offerings in hopes of being able to get a piece of the action. If you ask a dozen people what they mean by continuous monitoring, you’ll get a dozen different answers. While the National Institute of Standards and Technology (NIST) has done a decent job of coming up with an official definition, even they have slightly different definitions in different publications. NIST Special Publication 800-137 defines it as follows: “Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions”, while NIST Interagency Report 7756 defines it this way: “Continuous security monitoring is a risk management approach to Cybersecurity that maintains an accurate picture of an organization’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to measure security, ensure effectiveness of security controls, and enable prioritization of remedies.” All of this adds confusion to an already complex landscape and makes it very difficult for agency heads to understand what they need to do to implement continuous monitoring within their organizations.

Based on our experience working with the Department of Defense and other agencies to implement their continuous monitoring solutions, we’ve distilled all of this complexity into a simple operational reference model that we use to concisely describe continuous monitoring to our clients, depicted in the figure below.

Continuous Monitoring Reference Model

1. POLICY MANAGEMENT

To measure security and the effectiveness of controls, an organization first needs to define what needs to be secured as well as how to secure it. Thus, a continuous monitoring program needs to include policy management capabilities to create, import and manage security policies that define what needs to be secured across the enterprise and the specific controls used to secure it.

2. DATA INTEGRATION, CONSUMPTION, AND CORRELATION

To maintain ongoing awareness and provide visibility into assets, data integration, consumption, and correlation capabilities are needed to gather information about an enterprise’s IT assets that often reside in a variety of disparate systems—this is the technical foundation of any continuous monitoring program.

3. ASSET INVENTORY AND CONFIGURATION MANAGEMENT

A continuous monitoring program needs to provide asset inventory and configuration management capabilities that utilize all the data that has been gathered to present an accurate and up-to-date understanding of what’s deployed on the network, e.g. devices, installed software, how things are configured, and who’s using them for what purpose.

4. COMPLIANCE ASSESSMENT

To ensure that security policies and controls are correctly and effectively implemented, a continuous monitoring program should provide compliance assessment capabilities that utilize asset inventory and configuration management data as well as other audit and scan data to evaluate the compliance of the enterprise IT assets against these policies and controls.

5. VULNERABILITY MANAGEMENT

Every day, organizations are flooded with vulnerability alerts. A continuous monitoring program should provide capabilities to analyze these vulnerabilities, assess which assets are exposed, and help prioritize which ones to fix based on their potential impact to the enterprise.

6. REMEDIATION AND EXCEPTION MANAGEMENT

As non-compliant items and vulnerabilities are discovered, a continuous monitoring program needs to be able to direct actions and guidance to remediate and mitigate those findings. Not all findings can be fixed, and some need more time to be fixed, so exception management capabilities are also needed to define exceptions for certain findings or defer fix actions.

7. RISK MANAGEMENT

Finally, a continuous monitoring program needs to take all of the collected data, compliance and vulnerability assessment results, residual findings, and operational impact information and feed that into standard risk scoring algorithms to generate a set of quantitative risk scores that paint an accurate picture of the organization’s security risk posture.
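The seven capabilities above are easiest to understand as one pipeline, so here is an added example that walks constructed data through all seven stages in order. It is not part of the original article and is not SuprTEK's PanOptes code. Everything in it is an assumption for illustration: the policy ids (POL-001 and so on), the three feeds and their hostnames, the placeholder vulnerability ids (not real CVEs), the exception record, the finding weights, the assessment date, and the risk formula (sum of open finding weights times asset criticality) are all constructed and are not a standard risk scoring algorithm.

```python
# Added example, not SuprTEK's PanOptes code and not part of the original
# article: an in-memory walk through the seven capabilities of the continuous
# monitoring reference model. All policies, feeds, ids, weights and the
# scoring formula below are constructed assumptions for illustration.
from datetime import date

AS_OF = date(2015, 7, 31)  # constructed assessment date

# 1. POLICY MANAGEMENT: what must be secured (asset class) and how (the
# configuration setting that implements the control and its required value).
POLICIES = [
    {"id": "POL-001", "applies_to": "server",      "setting": "ssh_root_login", "required": "no",  "weight": 5},
    {"id": "POL-002", "applies_to": "workstation", "setting": "antivirus",      "required": "on",  "weight": 3},
    {"id": "POL-003", "applies_to": "any",         "setting": "telnet",         "required": "off", "weight": 4},
]

# 2. DATA INTEGRATION: constructed feeds from disparate systems (CMDB export,
# configuration scanner, vulnerability scanner). They spell hostnames
# differently, which is exactly the correlation problem.
CMDB_FEED = [
    {"host": "DB01.corp.example",  "class": "server",      "owner": "dba", "criticality": 3},
    {"host": "ws-17.corp.example", "class": "workstation", "owner": "hr",  "criticality": 1},
]
CONFIG_FEED = [
    {"host": "db01",  "ssh_root_login": "yes", "telnet": "off"},
    {"host": "WS-17", "antivirus": "off",      "telnet": "on"},
]
VULN_FEED = [  # placeholder vulnerability ids, not real CVEs
    {"host": "db01",  "id": "VULN-EXAMPLE-1", "cvss": 9.8},
    {"host": "ws-17", "id": "VULN-EXAMPLE-2", "cvss": 4.3},
]

def correlation_key(host):
    """Case-insensitive short hostname used to join records across feeds."""
    return host.split(".")[0].lower()

def blank_asset():
    # Assets seen only by a scanner get a conservative default criticality.
    return {"class": "unknown", "owner": None, "criticality": 2, "config": {}, "vulns": []}

# 3. ASSET INVENTORY AND CONFIGURATION MANAGEMENT: one merged record per asset.
def build_inventory(cmdb, configs, vulns):
    inventory = {}
    for rec in cmdb:
        asset = inventory.setdefault(correlation_key(rec["host"]), blank_asset())
        asset.update({k: rec[k] for k in ("class", "owner", "criticality")})
    for rec in configs:
        asset = inventory.setdefault(correlation_key(rec["host"]), blank_asset())
        asset["config"].update({k: v for k, v in rec.items() if k != "host"})
    for rec in vulns:
        inventory.setdefault(correlation_key(rec["host"]), blank_asset())["vulns"].append(rec)
    return inventory

# 4. COMPLIANCE ASSESSMENT: compare observed configuration with each applicable
# policy. A setting that was never observed counts as non-compliant, because
# missing evidence is not evidence of compliance.
def assess_compliance(inventory, policies):
    findings = []
    for key, asset in inventory.items():
        for pol in policies:
            if pol["applies_to"] not in ("any", asset["class"]):
                continue
            observed = asset["config"].get(pol["setting"])
            if observed != pol["required"]:
                findings.append({"asset": key, "ref": pol["id"], "kind": "compliance", "weight": pol["weight"],
                                 "detail": f"{pol['setting']}={observed!r}, required {pol['required']!r}"})
    return findings

# 5. VULNERABILITY MANAGEMENT: scanner hits become findings weighted by CVSS;
# prioritisation multiplies by the exposed asset's criticality.
def assess_vulnerabilities(inventory):
    return [{"asset": key, "ref": v["id"], "kind": "vulnerability", "weight": v["cvss"], "detail": f"cvss {v['cvss']}"}
            for key, asset in inventory.items() for v in asset["vulns"]]

def prioritize(findings, inventory):
    return sorted(findings, key=lambda f: f["weight"] * inventory[f["asset"]]["criticality"], reverse=True)

# 6. REMEDIATION AND EXCEPTION MANAGEMENT: an approved exception defers a
# finding until its expiry date; an expired exception no longer counts.
EXCEPTIONS = {("db01", "POL-001"): date(2099, 1, 1)}  # constructed approval record

def apply_exceptions(findings, exceptions, today):
    tasks, deferred = [], []
    for f in findings:
        expiry = exceptions.get((f["asset"], f["ref"]))
        (deferred if expiry is not None and expiry >= today else tasks).append(f)
    return tasks, deferred

# 7. RISK MANAGEMENT: assumed formula, per-asset score = sum of open finding
# weights x asset criticality; deferred findings are excluded from the score.
def risk_scores(inventory, open_findings):
    scores = {key: 0.0 for key in inventory}
    for f in open_findings:
        scores[f["asset"]] += f["weight"] * inventory[f["asset"]]["criticality"]
    return {key: round(s, 1) for key, s in scores.items()}

def run_model(today=AS_OF):
    """Run all seven stages over the constructed feeds and return the artefacts."""
    inventory = build_inventory(CMDB_FEED, CONFIG_FEED, VULN_FEED)
    findings = assess_compliance(inventory, POLICIES) + assess_vulnerabilities(inventory)
    tasks, deferred = apply_exceptions(findings, EXCEPTIONS, today)
    return {"inventory": inventory, "findings": findings, "tasks": prioritize(tasks, inventory),
            "deferred": deferred, "scores": risk_scores(inventory, tasks)}

if __name__ == "__main__":
    result = run_model()
    for t in result["tasks"]:
        print(f"{t['asset']:6} {t['ref']:15} {t['detail']}")
    print("deferred:", [(f["asset"], f["ref"]) for f in result["deferred"]], "scores:", result["scores"])
```

Two design points are worth noticing. The correlation key is what turns three feeds that disagree on hostname spelling into one inventory record per asset; without it, compliance would be assessed against an incomplete picture. And deferring a finding through an exception removes it from the remediation queue but should still be visible as a residual finding, which is why `run_model` returns the deferred list separately rather than discarding it.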

For more information on the PanOptes™ Continuous Monitoring Platform or how SuprTEK can assist you with your Continuous Monitoring program, contact us at:

Phone: (703) 564-2012 | Email: [email protected]