Continuous Scanning, Monitoring, and Remediation

This is the fourteenth in our series of sharing thought pieces and the fourth from the CISO Desk Reference Guide: A Practical Guide for CISOs, Volume 2. In the following excerpt from Gary Hayslip’s essay for Chapter 14, Gary explains how important continuous monitoring is to your security program. Please enjoy.

One of the primary processes your cybersecurity program will be responsible for is “continuous monitoring.” In many network/organizational environments, extreme technology change may occur as businesses try innovative solutions to compete in their specific markets. This digital upheaval makes providing enterprise risk management and cybersecurity as a service extremely challenging for security professionals.

I implement the concept of continuous scanning, monitoring, and remediation to provide an effective security practice for my business and our stakeholders. This allows me to bring balance to my security teams and be effective as a security leader when operating in chaotic business environments with no stable risk baseline.

Continuous monitoring provides a critical service to security operations teams through detection, response, and remediation. When such a program is aligned with the organization’s enterprise security program and implemented with appropriate security controls, it enables security organizations to detect security incidents, remediate security gaps, and analyze trends to reduce the company’s risk exposure. Therefore, I believe it is important to understand that continuous monitoring is an essential component of the cybersecurity lifecycle.

Numerous strategic frameworks address continuous monitoring. For example, I have implemented the National Institute of Science and Technology (NIST) guidelines in NIST SP 800-137 [1] at multiple organizations over the last several years. I consider it best practice for a CISO when standing up a security program.

I believe it is a critical business process for organizations to understand and maintain their situational awareness and oversee their enterprise risk management portfolio. I use the NIST guidelines for continuous monitoring, but the framework you select will depend on your technical requirements, with input from your stakeholders, including the legal team and executive management.

To design and implement an effective continuous monitoring program, a CISO will need to consider the answers to the following questions:

  • Purpose of the monitoring system – From the organization’s viewpoint, what are the overall business reasons for developing a monitoring system? Is it a compliance/regulation requirement? Are there technical requirements? As a CISO, you must be able to explain why you must expend resources to develop this program.
  • Requirements – Now that you understand why you need to implement it, what are the technical, security, legal, business, and compliance requirements for the program’s creation, management, report structure, and data views?
  • What needs to be monitored – This question is critical. The CISO must work with stakeholders and trusted partners to identify what systems, applications, and data to monitor.
  • How will it be implemented – From a technology perspective, will this monitoring be on-premises, will it be in the cloud, or would it be better to use a hybrid approach? If deploying sensors or agents, determine if the deployment is a one-to-many configuration or a distributed site-to-site configuration. Once you have identified the data to pull, you can create the architecture to move the data to a location for analysis and storage.
  • Data, data, and more data – You have identified what data you will monitor, and now you need to ask yourself, where will the data be stored? Do I have a data retention policy? Do I have a data governance program that specifies who is allowed to access it and why?
  • Metrics and reports – Collecting information from the monitoring program should have a purpose. Do you have any metrics? Do you have specific reports based on the analyzed data? What is the story, and to which audience are you providing this information?
  • 911 – You understand your requirements, have built a continuous monitoring program for the organization, and are collecting information. Now, the question is, who will use it to protect the organization?

As you can see from these questions, you need to collect extensive information before you begin architecting a monitoring program. I typically start with conducting an inventory of my security suite to identify my security assets, such as firewalls, IPS sensors, honey pots/nets, endpoint platforms, and vulnerability scanners. Then, I document the logs I can collect from these platforms. I next meet with my peers in our data centers, desktop support, and network services teams to verify their assets and the logs I can collect from them. Once I have identified these assets and log types, I will research and deploy a security information and event management (SIEM) platform that will enable me to build dashboards to analyze the collected information for trend analysis. This allows me to make decisions about reducing risk and focus on how to best use my limited resources.
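The inventory-then-logs step above is where monitoring gaps usually hide: an asset that is in the security inventory but never ships a log, or whose log feed has gone quiet, is invisible to the SIEM dashboards. The following is an added example (not from the essay or the CISO Desk Reference Guide) that reconciles a constructed asset inventory against the last-seen time of each log source in a SIEM and reports silent, stale, and unmanaged sources; the asset names, time windows, and timestamps are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory of the security suite: each asset and the longest
# silence (in minutes) that is still acceptable for its log feed.
INVENTORY = {
    "fw-edge-01":  {"type": "firewall",     "max_silence_min": 15},
    "ips-dc-01":   {"type": "ips",          "max_silence_min": 15},
    "honeynet-01": {"type": "honeypot",     "max_silence_min": 1440},
    "vscan-01":    {"type": "vuln_scanner", "max_silence_min": 1440},
    "edr-console": {"type": "endpoint",     "max_silence_min": 60},
}

# Constructed SIEM ingestion state: last event timestamp per log source.
# vscan-01 has never reported; switch-core-01 reports but is not inventoried.
SIEM_LAST_SEEN = {
    "fw-edge-01":     "2024-05-01T10:58:00",
    "ips-dc-01":      "2024-05-01T08:00:00",
    "honeynet-01":    "2024-05-01T10:30:00",
    "edr-console":    "2024-05-01T10:59:00",
    "switch-core-01": "2024-05-01T10:50:00",
}


def coverage_report(inventory, last_seen, now):
    """Classify every inventoried asset by the health of its log feed.

    silent    - inventoried, but the SIEM has never received an event from it
    stale     - events exist, but the newest is older than the asset's window
    healthy   - events arriving within the acceptable window
    unmanaged - sending logs to the SIEM, but absent from the inventory
    """
    report = {"silent": [], "stale": [], "healthy": [], "unmanaged": []}
    for asset, spec in inventory.items():
        ts = last_seen.get(asset)
        if ts is None:
            report["silent"].append(asset)
            continue
        age = now - datetime.fromisoformat(ts)
        bucket = "stale" if age > timedelta(minutes=spec["max_silence_min"]) else "healthy"
        report[bucket].append(asset)
    report["unmanaged"] = sorted(set(last_seen) - set(inventory))
    return report


def coverage_ratio(report, inventory):
    """Metric for the dashboard: fraction of inventoried assets with healthy feeds."""
    return len(report["healthy"]) / len(inventory)


if __name__ == "__main__":
    now = datetime.fromisoformat("2024-05-01T11:00:00")  # constructed "current" time
    rep = coverage_report(INVENTORY, SIEM_LAST_SEEN, now)
    print(rep, f"coverage={coverage_ratio(rep, INVENTORY):.0%}")
```

Run on the constructed data, the report flags vscan-01 as silent, ips-dc-01 as stale, switch-core-01 as unmanaged, and yields 60% healthy coverage, the kind of number that belongs on the metrics and reports discussed above.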

To see how the CISO Desk Reference Guide, Volume 2 fits into your reading journey, reference our reader's guide on our LinkedIn Company page:

https://www.dhirubhai.net/feed/update/urn:li:activity:7216934015398813697/

[1] Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, NIST Computer Security Resource Center, https://csrc.nist.gov/publications/detail/sp/800-137/final.

Robert Burgett, CISM, CIS LI, CSPO

Director, IT Security (CISO)

1 month

Gentlemen, scanning, monitoring, and remediation are so often not given the full attention needed. Having a great SIEM in place is a start. I’m quite sure with Bill Bonney, Matt Stamper, CIPP/US, CISA, CISM, CRISC, CDPSE, QTE, and Gary Hayslip you all bring some amazing insights into all three topics and then some. Look forward to reading your new book in the series. #lifeisshort enjoy every day.
