For the last 5 years or so, the term “continuous monitoring” has felt a bit like an elusive goal in the world of information security, possibly even an ambiguous buzzword to some. Many security professionals are still wondering how to get started: What technologies typically make up continuous monitoring infrastructure? What steps should you take to successfully implement these types of security controls organization-wide?
Want a more depth review about how to plan and implement a continuous monitoring strategy with your vulnerability management tools both in-house and in the cloud. Check out my on-demand webinar. Register now.
A good starting point is the Department of Homeland Security's (DHS) Enterprise Continuous Monitoring Technical Reference Model called CAESARS (Continuous Asset Evaluation, Situational Awareness and Risk Scoring) - yes, that’s a LOT of acronyms, but the government loves them. Acronyms aside, the DHS model includes a great breakdown of a continuous monitoring “sensor subsystem”:
Sensor subsystem: This group of technologies makes up the majority of the continuous monitoring data capture for analysis. The following technologies should be implemented:
- System configuration management
- Network configuration management
- Authenticated vulnerability and patch scanners
- Unauthenticated vulnerability scanners
- Web vulnerability scanners
- Database vulnerability scanners
- Antimalware tools
See anything in there that seems to be repeated a few times? If you said “vulnerability scanners,” you get the gold star award. Configuration management is critical, of course, because you’ve got to have a baseline definition for what systems are SUPPOSED to look like. However, in order to assess systems properly, and put the “continuous” in there, you really need a variety of vulnerability scans to run on a regular schedule, or even in a truly continuous fashion. Automation is the key to the whole thing. I know WAY too many organizations out there (even large, seemingly mature ones) that still have a human being clicking the big red shiny “GO” button to launch scans, and while that’s great for spot audits and assessments, or as a precursor to a pen test, it’s not an effective way to truly put a continuous monitoring strategy into action.
Using commercial vulnerability scanning tools to perform both authenticated and unauthenticated scans can produce a large volume of data. For continuous monitoring, scheduling daily or weekly scans of systems and subnets will produce enough data for a sound baseline of what is running in the environment and at a system level, which can then be assessed against newer scans to determine what has changed and what the risks are. Most enterprise vulnerability scanners can cover web and database technologies adequately as a starting point, too, and you can add more specialized tools later if you need more in-depth information.
Doing this in the cloud is critical, too, as you really need as much visibility and “real time” status about your systems to know how things are changing in a dynamic environment. Committing to a real continuous monitoring strategy using in-cloud scanning tools that are preauthorized for the cloud platform in use can be immensely useful in developing inventory status, vulnerability status, and even detecting rogue or unapproved changes that aggressive DevOps teams may have made in the environment.
There are a huge number of benefits to enhancing your vulnerability management program to encompass a more continuous strategy.
Dave Shackleford, Cybersecurity Expert and Founder of Voodoo Security
Dave Shackleford is the owner and principal consultant of Voodoo Security and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures. He has previously worked as CSO for Configuresoft, CTO for the Center for Internet Security, and as a security architect, analyst, and manager for several Fortune 500 companies.
