First, what is continuous monitoring? By definition, it's the process of continually monitoring your systems. Businesses monitor systems for different reasons: IT Operations Teams continuously monitor systems for availability to end-users, and "hackers" continuously monitor systems in an attempt to exploit them via various means. As security professionals we need to continuously monitor for vulnerabilities, emerging threats, changes in system configurations, changes in application code, deviations from policy, etc. Continuous monitoring doesn't necessarily mean 24x7 real-time monitoring and reporting of all systems; rather, the term means the implementation of a monitoring and oversight process that provides a clear picture of security at any given time.
Many security teams struggle to perform continuous monitoring well, and many times success is out of their control. This can be attributed to an expanding network perimeter, inability to hire more IT Security staff in a growing business, and inability to purchase and implement security technology automation tools to compensate for lack of IT Security staff.
For security teams that have funding and staff for continuous monitoring, the challenge becomes what to monitor, how to monitor, and where to monitor. Figuring out these requirements can be a very complex task. Here are 3 considerations to make when designing your continuous monitoring program:
1. Understand the business or company you are trying to secure and the strategy of your IT Security Program. A good place to start is interviewing business leaders within the organization. In these interviews you should attempt to understand the business goals and objectives, places where problems have existed in the past, results of internal/external audits, etc. Knowing this information about your organization will allow you to begin building a continuous monitoring program that adds value to your organization and hopefully reduces security remediation time for internal staff. One key consideration often overlooked is the strategic goals of your Security Program: if it is a strategic measure to improve systems security (server hardening, etc.), it might be wise to start phasing these strategic initiatives into the early stages of your continuous monitoring program. This will allow your Security initiatives time to mature in accordance with your strategic Security Roadmap.
2. Knowing what you want to continuously monitor and what not to monitor is a critical consideration. NIST Computer Security standards outline a three-tier impact/risk system comprised of High, Medium, and Low rankings. When organizing your systems, consider where critical information exists and the business context of the systems being used. For example, a critical database containing very sensitive information might be risk-ranked as high and have more rigorous continuous monitoring controls placed upon it, whereas another system holding public information might be risk-ranked as low and be governed by a more relaxed catalog of continuous monitoring controls. This will help to drive toward a strategy on where to deploy your limited resources first.
3. Define your continuous monitoring policies and intervals. As mentioned above, you don't need to continuously monitor all systems all the time. For high-risk systems you might choose to scan systems every 5 to 15 minutes, whereas for low-risk systems you might have a scan policy that runs once every 24 hours. Some measures you should consider are the frequency of scans, how long to retain log data, how often to analyze data, and whether you should alert on vulnerabilities and alerts from high-risk systems. There's some good guidance in NIST SP 800-92.
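As an added example (not from the original post), here is one way to encode the tiered policy from points 2 and 3 and check a system inventory against it. The High (15 minute) and Low (24 hour) scan intervals follow the text; the Medium-tier values, the retention and analysis figures, and the sample inventory are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Monitoring policy per impact tier. High and Low scan intervals follow the
# post; the Medium row and all retention/analysis figures are assumptions.
@dataclass(frozen=True)
class TierPolicy:
    scan_interval: timedelta      # maximum age of the last scan
    log_retention: timedelta      # how long to keep this tier's log data
    analysis_interval: timedelta  # how often collected data is reviewed
    alert_on_findings: bool       # page immediately on open findings

POLICIES = {
    "high":   TierPolicy(timedelta(minutes=15), timedelta(days=365), timedelta(hours=1), True),
    "medium": TierPolicy(timedelta(hours=4), timedelta(days=180), timedelta(days=1), False),
    "low":    TierPolicy(timedelta(hours=24), timedelta(days=90), timedelta(days=7), False),
}

@dataclass
class ScanRecord:
    system: str
    tier: str
    last_scan: datetime
    open_findings: int

def evaluate(records, now):
    """Return (overdue, alerts): systems whose last scan is older than their
    tier's interval, and high-alert-tier systems that have open findings."""
    overdue, alerts = [], []
    for r in records:
        policy = POLICIES[r.tier]
        age = now - r.last_scan
        if age > policy.scan_interval:
            overdue.append((r.system, r.tier, age))
        if policy.alert_on_findings and r.open_findings > 0:
            alerts.append((r.system, r.open_findings))
    return overdue, alerts

def retention_cutoff(tier, now):
    """Log data for this tier older than the returned timestamp may be purged."""
    return now - POLICIES[tier].log_retention

# Constructed sample inventory; these are not real systems.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    ScanRecord("crm-db-01", "high", NOW - timedelta(minutes=40), 2),
    ScanRecord("hr-app-02", "medium", NOW - timedelta(hours=1), 0),
    ScanRecord("www-public-03", "low", NOW - timedelta(hours=36), 1),
    ScanRecord("pay-gw-04", "high", NOW - timedelta(minutes=5), 0),
]

if __name__ == "__main__":
    overdue, alerts = evaluate(SAMPLE, NOW)
    for system, tier, age in overdue:
        print(f"OVERDUE {system} ({tier}): last scan {age} ago")
    for system, n in alerts:
        print(f"ALERT {system}: {n} open finding(s) on a high-risk system")
```

Running it on the sample flags the high-risk database (scanned 40 minutes ago, with open findings) and the low-risk public web server (scanned 36 hours ago), while the systems scanned within their tier's window pass.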
Cloud systems should also be included in your strategy. You should seek guidance from the Cloud Security Alliance (CSA) and NIST SP 800-144. There are a couple of common mechanisms for monitoring compliance in this space: develop data flow diagrams and understand how and what data is flowing to and from the cloud. Based on those data flow diagrams it might make sense to continuously monitor certain systems or APIs involved in the data processing and transmission. It's also important to know how your cloud service provider is monitoring their logs and security data to protect your data.
Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.