
Continuous security monitoring: Wave of the future

The new wave of continuous security monitoring solutions brings together views of security-related data that are often held in separate silos throughout the organization.

Unlike the NSA, most IT security teams struggle to establish and maintain ongoing awareness of the state of information security in their company. Many security professionals, when asked the “are we secure” question by executives, are unable to articulate the answer in a manner that resonates with management (gurgling noises often accompany the response). Why can’t we answer this question? The chief reason, in many organizations, is the lack of continuous monitoring and real-time visibility into the overall security picture.

NIST defines an information security continuous monitoring (ISCM) program as the ability to “collect information in accordance with pre-established metrics, utilizing information readily available through implemented security controls.” There is a great need to collect and analyze security data continuously in order to effectively manage information risk. Given the dynamic nature of modern threats, security teams are operating at a strategic disadvantage if they are unable to gauge their security posture in real time. Setting the course for an organization’s ISCM strategy is needed to enable data-driven control of the security information that is floating in different silos throughout the organization’s security architecture.

So, we can all get behind the theoretical aspect of continuous monitoring, but how do we realistically implement it without losing our minds in the process? Security offerings that specialize in continuous monitoring are entering the marketplace with increasing frequency. Companies such as Conventus (Symantec global partner) are at the forefront of this burgeoning field in the security realm.

Evaluating continuous monitoring solutions

Dennis Norris, VP of Product with Conventus, said that the creation of their SOLVE (Simple On-Line Visualization Engine) product can be attributed to their clients wanting to be better able to answer the “are we secure” question. According to Norris, the monitoring and reporting on traditional security, security operations, and risk/compliance tend to be done in isolation, reducing their value. This isn’t a mature market space yet, but there are some guidelines you should bear in mind when evaluating potential continuous monitoring solutions:

  1. Provide a unified “single pane of glass” view that gleans information from all security and network tools. This provides consolidated reporting on security data from products you already have running on the network.
  2. The information summarized on the pane of glass needs to be multi-dimensional. Norris explained that SOLVE gathers data on three dimensions: security configurations, whether security products are operating as intended, and event processing (the “here’s what’s happening” outlook). SIEMs tend to show only the last of these.
  3. Remember that ISCM is meant to supplement, not replace, your security infrastructure. Norris refers to it as the “chief integrator”.
  4. Pricing – currently ISCM tends to be adopted by larger enterprises. That being said, more mid-size companies are seeing the value. Well-priced offerings should represent a small fraction (under 5%) of your overall security investment.
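The following is an added example, not Conventus or SOLVE code, of what the multi-dimensional “single pane of glass” in guideline 2 looks like in practice. It combines three constructed data silos (a configuration scan against a baseline, agent heartbeats as a proxy for whether controls are operating as intended, and an alert feed of the kind a SIEM produces) into one posture summary. Host names, settings, timestamps and alerts are all made up for the example; the point it illustrates is that a host which is silent in the event feed because its agent has died looks clean in the SIEM-only view but is flagged once control health is part of the picture.

```python
"""Unified security posture summary across three data dimensions.

Added example (not Conventus/SOLVE code). All hosts, settings, heartbeats and
alerts below are constructed sample data.
"""
from datetime import datetime, timedelta

# Dimension 1: security configuration. Baseline every host should satisfy,
# plus the latest configuration scan results per host (constructed).
BASELINE = {"disk_encryption": True, "firewall_enabled": True, "auto_update": True}
CONFIG_SCAN = {
    "ws-01": {"disk_encryption": True, "firewall_enabled": True, "auto_update": True},
    "ws-02": {"disk_encryption": False, "firewall_enabled": True, "auto_update": True},
    "srv-01": {"disk_encryption": True, "firewall_enabled": False, "auto_update": False},
}

# Dimension 2: control health. Last heartbeat from the endpoint agent on each
# host; a fixed clock keeps the example deterministic.
NOW = datetime(2013, 9, 10, 12, 0, 0)
HEARTBEATS = {
    "ws-01": NOW - timedelta(minutes=3),
    "ws-02": NOW - timedelta(minutes=7),
    "srv-01": NOW - timedelta(days=2),  # agent has gone silent
}
STALE_AFTER = timedelta(hours=1)

# Dimension 3: event processing. Alerts as a SIEM would emit them (constructed).
EVENTS = [
    {"host": "ws-02", "severity": "high", "rule": "malware_detected"},
    {"host": "ws-01", "severity": "low", "rule": "usb_inserted"},
    {"host": "ws-02", "severity": "medium", "rule": "repeated_auth_failure"},
]


def config_drift(scan=CONFIG_SCAN, baseline=BASELINE):
    """Per host, the sorted list of settings that deviate from the baseline."""
    return {host: sorted(k for k, v in baseline.items() if cfg.get(k) != v)
            for host, cfg in scan.items()}


def stale_agents(heartbeats=HEARTBEATS, now=NOW, max_age=STALE_AFTER):
    """Hosts whose agent has not reported within max_age (control not operating)."""
    return sorted(h for h, t in heartbeats.items() if now - t > max_age)


def high_severity_hosts(events=EVENTS):
    """Hosts with at least one high-severity alert in the event feed."""
    return sorted({e["host"] for e in events if e["severity"] == "high"})


def posture_summary(scan=CONFIG_SCAN, heartbeats=HEARTBEATS, events=EVENTS, now=NOW):
    """Merge the three dimensions into one per-host table plus fleet metrics."""
    drift = config_drift(scan)
    stale = set(stale_agents(heartbeats, now))
    hot = set(high_severity_hosts(events))
    hosts = {}
    for host in sorted(scan):
        hosts[host] = {
            "drift": drift[host],
            "agent_stale": host in stale,
            "high_events": host in hot,
            # A quiet event feed only means "clean" if the control producing
            # events is actually alive.
            "event_view_trusted": host not in stale,
        }
    total = len(hosts)
    compliant = sum(1 for h in hosts.values() if not h["drift"])
    covered = sum(1 for h in hosts.values() if not h["agent_stale"])
    attention = [n for n, h in hosts.items()
                 if h["drift"] or h["agent_stale"] or h["high_events"]]
    # Blind spots: hosts the SIEM view alone would report as clean.
    blind_spots = [n for n, h in hosts.items() if h["agent_stale"] and not h["high_events"]]
    return {
        "hosts": hosts,
        "metrics": {
            "config_compliance_pct": round(100 * compliant / total),
            "control_coverage_pct": round(100 * covered / total),
            "needs_attention": attention,
            "blind_spots": blind_spots,
        },
    }


if __name__ == "__main__":
    summary = posture_summary()
    for name, row in summary["hosts"].items():
        print(name, row)
    print(summary["metrics"])
```

In this constructed fleet, `srv-01` raises no events at all, so an event-only dashboard would show it as the quietest host; the merged view reports it under both `needs_attention` (configuration drift and a stale agent) and `blind_spots`.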

Have you looked into continuous monitoring or SIEM solutions? Beyond expense, what are the biggest barriers to implementation?

About

Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.

Comments

Yaagnesh_SolarWinds

As part of the continuous monitoring program, to expose an attack or identify the damage caused, you need to analyse the log events on your network in real time. By collecting and analysing logs, you can understand what transpires within your network. Each log file contains many pieces of information that can be invaluable, especially if you know how to read them and analyse them. With proper analysis of this actionable data you can identify intrusion attempts, device misconfiguration, and more.
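As an added illustration of the log analysis the comment above describes (this is example code, not SolarWinds software), the analyzer below processes a constructed syslog-style feed one line at a time, the way a real-time pipeline would, and raises two kinds of finding mentioned in the comment: a burst of authentication failures from one source within a sliding window (a possible intrusion attempt) and a device configuration change that enables an insecure service (a misconfiguration). Log format, host names, addresses, thresholds and the misconfiguration patterns are all assumptions made for the example.

```python
"""Streaming log analysis over a constructed syslog-like feed.

Added example, not SolarWinds code. Line format, hosts, addresses and
detection thresholds are assumptions for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed line layout: "<ISO timestamp> <host> <process>: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$"
)
# sshd-style authentication failure message
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
# Constructed list of settings whose enablement we treat as a misconfiguration
MISCONFIG_RE = re.compile(r"(?P<setting>telnet|snmp community public|http admin)\s+enabled", re.I)

FAIL_THRESHOLD = 5   # failures from one source ...
WINDOW_SECONDS = 60  # ... within this many seconds raises an alert

# Constructed sample feed (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2013-09-10T12:00:01 gw-01 sshd: Accepted publickey for ops from 10.0.0.5
2013-09-10T12:00:05 gw-01 sshd: Failed password for root from 203.0.113.9
2013-09-10T12:00:06 gw-01 sshd: Failed password for root from 203.0.113.9
2013-09-10T12:00:07 gw-01 sshd: Failed password for invalid user admin from 203.0.113.9
2013-09-10T12:00:08 gw-01 sshd: Failed password for root from 203.0.113.9
2013-09-10T12:00:09 gw-01 sshd: Failed password for root from 203.0.113.9
2013-09-10T12:00:30 sw-07 config: telnet enabled by user netops
2013-09-10T12:05:00 gw-01 sshd: Failed password for root from 198.51.100.4
""".splitlines()


def parse_line(line):
    """Split one log line into fields, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    return rec


class StreamAnalyzer:
    """Keeps only per-source timestamps inside the window, so state stays small."""

    def __init__(self, threshold=FAIL_THRESHOLD, window=WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)  # src -> recent failure timestamps
        self.alerted = set()                # sources already reported once
        self.unparsed = 0                   # lines that did not fit the format

    def feed(self, line):
        """Process one line as it arrives; return the alerts it triggers."""
        rec = parse_line(line)
        if rec is None:
            self.unparsed += 1
            return []
        alerts = []
        m = FAILED_RE.search(rec["msg"])
        if m:
            src = m.group("src")
            q = self.failures[src]
            q.append(rec["ts"])
            # Drop failures that have aged out of the sliding window.
            while (rec["ts"] - q[0]).total_seconds() > self.window:
                q.popleft()
            if len(q) >= self.threshold and src not in self.alerted:
                self.alerted.add(src)
                alerts.append({"type": "auth_bruteforce", "host": rec["host"],
                               "src": src, "count": len(q), "at": rec["ts"]})
        m = MISCONFIG_RE.search(rec["msg"])
        if m:
            alerts.append({"type": "device_misconfig", "host": rec["host"],
                           "setting": m.group("setting").lower(), "at": rec["ts"]})
        return alerts


def analyze(lines=SAMPLE_LOG):
    """Run the whole feed through one analyzer and collect every alert."""
    analyzer = StreamAnalyzer()
    found = []
    for line in lines:
        found.extend(analyzer.feed(line))
    return found


if __name__ == "__main__":
    for alert in analyze():
        print(alert)
```

On the sample feed the single failure from `198.51.100.4` stays below the threshold and produces nothing, while the five failures from `203.0.113.9` inside one minute and the `telnet enabled` change on `sw-07` each produce one alert; the per-source deque means memory use is bounded by the window rather than by the volume of the feed.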
