NIST defines an information security continuous monitoring (ISCM) program as the ability to "collect information in accordance with pre-established metrics, utilizing information readily available through implemented security controls." Collecting and analyzing security data continuously is essential to managing information risk effectively. Given how quickly modern threats change, a security team that cannot gauge its security posture in real time is operating at a strategic disadvantage. An organization needs a defined ISCM strategy to bring the security information scattered across the silos of its security architecture under data-driven control.
So, we can all get behind the theory of continuous monitoring, but how do we realistically implement it without losing our minds in the process? Security offerings that specialize in continuous monitoring are entering the marketplace with increasing frequency. Companies such as Conventus (a Symantec global partner) are at the forefront of this burgeoning field.
Dennis Norris, VP of Product at Conventus, said that the creation of their SOLVE (Simple On-Line Visualization Engine) product can be attributed to their clients wanting to be better able to answer the "are we secure?" question. According to Norris, monitoring and reporting on traditional security, security operations, and risk/compliance tend to be done in isolation, which reduces their value. This is not a mature market space yet, but there are some guidelines you should bear in mind when evaluating potential continuous monitoring solutions:
- It should provide a unified "single pane of glass" view that gleans information from all of your security and network tools, giving you consolidated reporting on security data from products you already have running on the network.
- The information summarized on that pane of glass needs to be multi-dimensional. Norris explained that SOLVE gathers data on three dimensions: security configurations, whether security products are operating as intended, and event processing (the "here's what's happening" outlook; SIEMs tend to show only this dimension).
- Remember ISCM is meant to supplement, not replace your security infrastructure. Norris refers to it as the "chief integrator".
- Pricing: currently ISCM tends to be adopted by larger enterprises. That being said, more mid-size companies are seeing the value. A well-priced offering should represent a small fraction (under 5%) of your overall security investment.
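To make the "multi-dimensional pane of glass" idea concrete, here is a small added example that is not Conventus or SOLVE code: it pulls three constructed feeds (a configuration baseline versus observed settings, agent check-in times as a proxy for whether controls are operating, and a handful of SIEM-style events), joins them per host, and rolls them up into a few pre-established metrics. The host names, baseline settings, thresholds and event records are all invented for illustration; a real deployment would read these from the tools already on the network.

```python
"""Three-dimensional continuous-monitoring view (added example, not vendor code).

Dimensions, per the guidelines above:
  1. configuration  - does each host match the expected baseline?
  2. control health - is the security agent on each host still reporting?
  3. events         - what is the SIEM saying is happening on each host?
All inputs below are constructed stand-ins for feeds from existing tools.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed baseline: settings every host is expected to have (hypothetical names).
BASELINE = {"av_realtime": "on", "disk_encryption": "on", "firewall": "on", "min_tls": "1.2"}

# Constructed observed configuration, as a config-management tool might report it.
OBSERVED_CONFIG = {
    "web-01": {"av_realtime": "on", "disk_encryption": "on", "firewall": "on", "min_tls": "1.2"},
    "web-02": {"av_realtime": "off", "disk_encryption": "on", "firewall": "on", "min_tls": "1.0"},
    "db-01": {"av_realtime": "on", "disk_encryption": "on", "firewall": "on"},  # min_tls absent
}

# Constructed agent check-in times, as a management console might expose them.
NOW = datetime(2012, 6, 1, 12, 0, tzinfo=timezone.utc)
LAST_CHECKIN = {
    "web-01": NOW - timedelta(minutes=5),
    "web-02": NOW - timedelta(hours=26),
    "db-01": NOW - timedelta(minutes=30),
}
STALE_AFTER = timedelta(hours=24)  # assumed tolerance before an agent counts as not operating

# Constructed event stream, shaped like normalized SIEM records.
EVENTS = [
    {"host": "web-02", "severity": "high", "rule": "malware_detected"},
    {"host": "web-02", "severity": "high", "rule": "malware_detected"},
    {"host": "web-01", "severity": "low", "rule": "failed_login"},
    {"host": "db-01", "severity": "medium", "rule": "config_change"},
]


def config_drift(observed, baseline=BASELINE):
    """Return {host: {setting: (expected, actual)}} for every deviation.

    A setting that is missing is reported with actual=None rather than
    silently passing: 'unknown' must never be counted as compliant.
    """
    drift = {}
    for host, settings in observed.items():
        bad = {k: (v, settings.get(k)) for k, v in baseline.items() if settings.get(k) != v}
        if bad:
            drift[host] = bad
    return drift


def control_health(last_checkin, now=NOW, stale_after=STALE_AFTER):
    """Return {host: 'ok' | 'stale'} based on time since the agent last reported."""
    return {h: ("ok" if now - t <= stale_after else "stale") for h, t in last_checkin.items()}


def event_counts(events):
    """Return {host: Counter(severity -> count)}."""
    counts = {}
    for e in events:
        counts.setdefault(e["host"], Counter())[e["severity"]] += 1
    return counts


def unified_view(observed, last_checkin, events, now=NOW):
    """Join all three dimensions per host; a host is 'secure' only if all three are clean."""
    drift = config_drift(observed)
    health = control_health(last_checkin, now)
    counts = event_counts(events)
    hosts = set(observed) | set(last_checkin) | {e["host"] for e in events}
    view = {}
    for h in sorted(hosts):
        row = {
            "config_drift": drift.get(h, {}),
            "agent": health.get(h, "unknown"),  # never seen by the console -> not ok
            "events": dict(counts.get(h, {})),
        }
        row["secure"] = (not row["config_drift"] and row["agent"] == "ok"
                         and row["events"].get("high", 0) == 0)
        view[h] = row
    return view


def posture_metrics(view):
    """Pre-established metrics suitable for a dashboard tile."""
    total = len(view)
    return {
        "hosts": total,
        "config_compliant_pct": 100 * sum(not v["config_drift"] for v in view.values()) // total,
        "agents_reporting_pct": 100 * sum(v["agent"] == "ok" for v in view.values()) // total,
        "hosts_with_high_events": sum(1 for v in view.values() if v["events"].get("high", 0)),
    }


if __name__ == "__main__":
    view = unified_view(OBSERVED_CONFIG, LAST_CHECKIN, EVENTS)
    for host, row in view.items():
        print(host, row)
    print(posture_metrics(view))
```

The point of the join is visible in the constructed data: a SIEM alone would flag web-02 for its malware events, but only the combined view shows that the same host has real-time AV switched off and an agent that has not reported in over a day, which is the "are we secure?" answer the event feed by itself cannot give.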
Have you looked into continuous monitoring or SIEM solutions? Beyond expense, what are the biggest barriers to implementation?
Dominic Vogel is currently a security analyst for a financial institution in beautiful Vancouver, British Columbia.