Vulnerability Management and Continuous Monitoring

For the last 5 years or so, the term “continuous monitoring” has felt a bit like an elusive goal in the world of information security, possibly even an ambiguous buzzword to some. Many security professionals are still wondering how to get started: What technologies typically make up continuous monitoring infrastructure? What steps should you take to successfully implement these types of security controls organization-wide?

Want a more depth review about how to plan and implement a continuous monitoring strategy with your vulnerability management tools both in-house and in the cloud. Check out my on-demand webinar. Register now.

A good starting point is the Department of Homeland Security's (DHS) Enterprise Continuous Monitoring Technical Reference Model called CAESARS (Continuous Asset Evaluation, Situational Awareness and Risk Scoring) - yes, that’s a LOT of acronyms, but the government loves them. Acronyms aside, the DHS model includes a great breakdown of a continuous monitoring “sensor subsystem”:

Sensor subsystem: This group of technologies makes up the majority of the continuous monitoring data capture for analysis. The following technologies should be implemented:

1. System configuration management
2. Network configuration management
3. Authenticated vulnerability and patch scanners
4. Unauthenticated vulnerability scanners
5. Web vulnerability scanners
6. Database vulnerability scanners
7. Antimalware tools

See anything in there that seems to be repeated a few times? If you said “vulnerability scanners,” you get the gold star award. Configuration management is critical, of course, because you’ve got to have a baseline definition for what systems are SUPPOSED to look like. However, in order to assess systems properly, and put the “continuous” in there, you really need a variety of vulnerability scans to run on a regular schedule, or even in a truly continuous fashion. Automation is the key to the whole thing. I know WAY too many organizations out there (even large, seemingly mature ones) that still have a human being clicking the big red shiny “GO” button to launch scans, and while that’s great for spot audits and assessments, or as a precursor to a pen test, it’s not an effective way to truly put a continuous monitoring strategy into action.

Using commercial vulnerability scanning tools to perform both authenticated and unauthenticated scans can produce a large volume of data. For continuous monitoring, scheduling daily or weekly scans of systems and subnets will produce enough data for a sound baseline of what is running in the environment and at a system level, which can then be assessed against newer scans to determine what has changed and what the risks are. Most enterprise vulnerability scanners can cover web and database technologies adequately as a starting point, too, and you can add more specialized tools later if you need more in-depth information.

Doing this in the cloud is critical, too, as you really need as much visibility and “real time” status about your systems to know how things are changing in a dynamic environment. Committing to a real continuous monitoring strategy using in-cloud scanning tools that are preauthorized for the cloud platform in use can be immensely useful in developing inventory status, vulnerability status, and even detecting rogue or unapproved changes that aggressive DevOps teams may have made in the environment.

There are a huge number of benefits to enhancing your vulnerability management program to encompass a more continuous strategy.

Check out my on-demand webinar on this topic, where we’ll talk in more depth about how to plan and implement a continuous monitoring strategy with your vulnerability management tools both in-house and in the cloud.