GRC, SIEM, CONTINUOUS MONITORING
Brett Osborne
Sr CyberSec-CyberGRC Advisor | vCISO | CMMC | [@RPM3Solutions] | & SP800-171 | Advisor-Assessor-Instructor-Speaker | @Aperitisoft compliance design | Multi Frameworks NIST ISO CIS
From my post (kind of long for a post; turned into an article to prevent TL;DR (Too Long; Didn't Read)).
And if you don't have architects, GRC and responder staff, your SIEM is only blinking lights. The SIEM should have feeds from around a dozen technologies. The SIEM should report to the GRC staff (Risk or Compliance Manager) so that they can determine whether controls, countermeasures and safeguards are working as intended and are effective (i.e. continuous monitoring).
*Adding: SIEM & ConMon
One post from a vendor tied the CISA statement directly to SIEM (I don't recall what they were purveyors of - SIEM I guess).
And the SIEM leads to "continuous monitoring"...
The post mentioned some elements: SIEM and XDR
Let's enumerate the rest.
I'll list the core tech that supports SIEM:
From NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations:
I have worked on a variety of SIEMs, including GOOD, Bad and UGLY.
There is a lot of development in the SIEM and similar technology. There are proposals that would replace SIEM.
Whatever "IT" is, something is needed to ingest, normalize and support analysis and reporting.
Continuous Monitoring (CONMON) is defined as proving that your controls are effective and working as expected. For unknown reasons it seems to be equated to SIEM. One major security training organization even makes this mistake.
To re-state, the dozen or so technologies above form the foundation of SIEM. Let's call that the
COLLECTION/CONNECTION LEVEL
- The SIEM is the AGGREGATION & NORMALIZATION level (e.g. build a database, with an analysis engine and notification generator).
So what we need is a pair of
CORRELATORS
- #1 will loop down to the Technologies (the 11 noted), with notification to Collection technicians and Connection technicians, as well as Responders/Specialists (the SOC, the technical administrators, etc.) in order to verify configurations, as well as for investigations.
- #2 will feed up to the Analysts – Compliance Manager, IT Risk Manager, Program Manager, etc. – to ascertain whether each control/countermeasure/safeguard is effective and working as expected. This staff will propose adjustments and alternative implementations if needed, with technical staff input. They will initiate the appropriate Plan of Action & Milestones (POA&M) as well as Change Processes.
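To make the three layers concrete, here is an added Python example (my own illustration, not code from the article or from any SIEM product). It models a few COLLECTION-level feeds as constructed log lines, normalizes them into one schema at the AGGREGATION & NORMALIZATION level, then runs the two CORRELATORS: #1 produces operational notices for collection technicians and the SOC (a silent feed, a lockout that never fired), while #2 scores control effectiveness for the GRC analysts and flags anything below target for a POA&M. The feed formats, the 5-failure lockout threshold, the 30-day critical-finding SLA and the targets are all assumptions; the control references follow SP 800-171 numbering (3.1.8 limit unsuccessful logon attempts, 3.14.1 timely flaw remediation) purely as illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed raw feeds (not real product output). Each source has its own
# line format, which is why the SIEM layer must normalize before anything
# can be correlated. The firewall feed is deliberately empty to model a
# connection that silently stopped delivering events.
RAW_FEEDS = {
    "idp": [  # "<timestamp> <user> <OK|FAIL|LOCKED>"
        "2024-05-01T08:00:01 alice FAIL", "2024-05-01T08:00:05 alice FAIL",
        "2024-05-01T08:00:09 alice FAIL", "2024-05-01T08:00:13 alice FAIL",
        "2024-05-01T08:00:17 alice FAIL", "2024-05-01T08:00:18 alice LOCKED",
        "2024-05-01T09:10:00 bob FAIL", "2024-05-01T09:10:03 bob FAIL",
        "2024-05-01T09:10:06 bob FAIL", "2024-05-01T09:10:09 bob FAIL",
        "2024-05-01T09:10:12 bob FAIL", "2024-05-01T09:10:15 bob FAIL",
        "2024-05-01T09:10:20 bob OK", "2024-05-01T10:00:00 carol OK",
    ],
    "vulnscan": [  # "<timestamp> <host> <finding-id> <severity> <FOUND|FIXED>"
        "2024-04-01T00:00:00 srv1 VULN-001 critical FOUND",
        "2024-04-11T00:00:00 srv1 VULN-001 critical FIXED",
        "2024-04-01T00:00:00 srv2 VULN-002 critical FOUND",
        "2024-04-26T00:00:00 srv2 VULN-002 critical FIXED",
        "2024-04-05T00:00:00 srv3 VULN-003 high FOUND",
    ],
    "firewall": [],  # "<timestamp> <src> <dst> <ALLOW|DENY>" - nothing arrived
}

FAIL_THRESHOLD = 5       # assumed lockout policy: lock after 5 failures
CRITICAL_SLA_DAYS = 30   # assumed remediation SLA for critical findings
TARGETS = {"3.1.8": 1.0, "3.14.1": 0.9}   # assumed effectiveness targets


def normalize(feeds):
    """AGGREGATION & NORMALIZATION: map every source onto one event schema."""
    events = []
    for source, lines in feeds.items():
        for line in lines:
            f = line.split()
            ev = {"source": source, "ts": datetime.fromisoformat(f[0])}
            if source == "idp":
                ev.update(type="logon", subject=f[1], outcome=f[2])
            elif source == "vulnscan":
                ev.update(type="finding", subject=f"{f[1]}:{f[2]}",
                          severity=f[3], outcome=f[4])
            elif source == "firewall":
                ev.update(type="flow", subject=f"{f[1]}->{f[2]}", outcome=f[3])
            events.append(ev)
    return events


def logon_stats(events):
    """Failure count per account and the set of accounts that got locked."""
    fails, locked = defaultdict(int), set()
    for e in events:
        if e["type"] == "logon" and e["outcome"] == "FAIL":
            fails[e["subject"]] += 1
        elif e["type"] == "logon" and e["outcome"] == "LOCKED":
            locked.add(e["subject"])
    return fails, locked


def correlator_down(events, feeds):
    """Correlator #1: operational notices routed to technicians and the SOC."""
    notices = []
    seen = {e["source"] for e in events}
    for source in feeds:  # feed health goes to collection/connection techs
        if source not in seen:
            notices.append(("collection-techs", f"feed '{source}' delivered no events"))
    fails, locked = logon_stats(events)
    for user, n in fails.items():  # lockout should have fired; verify the config
        if n >= FAIL_THRESHOLD and user not in locked:
            notices.append(("soc+idp-admins",
                            f"{user}: {n} failures, no lockout; verify lockout policy"))
    return notices


def correlator_up(events):
    """Correlator #2: control effectiveness scores for the GRC analysts."""
    fails, locked = logon_stats(events)
    should_lock = [u for u, n in fails.items() if n >= FAIL_THRESHOLD]
    lock_score = (sum(u in locked for u in should_lock) / len(should_lock)
                  if should_lock else 1.0)
    found, fixed = {}, {}
    for e in events:
        if e["type"] == "finding" and e["severity"] == "critical":
            (found if e["outcome"] == "FOUND" else fixed)[e["subject"]] = e["ts"]
    on_time = [k for k in found
               if k in fixed and (fixed[k] - found[k]).days <= CRITICAL_SLA_DAYS]
    fix_score = len(on_time) / len(found) if found else 1.0
    report = {"3.1.8": {"score": round(lock_score, 2)},
              "3.14.1": {"score": round(fix_score, 2)}}
    for cid, r in report.items():  # below target -> analysts open a POA&M
        r["target"] = TARGETS[cid]
        r["status"] = "EFFECTIVE" if r["score"] >= r["target"] else "POA&M"
    return report


if __name__ == "__main__":
    evs = normalize(RAW_FEEDS)
    for audience, msg in correlator_down(evs, RAW_FEEDS):
        print(f"[#1 -> {audience}] {msg}")
    for cid, r in correlator_up(evs).items():
        print(f"[#2 -> GRC] {cid}: {r['score']} vs {r['target']} -> {r['status']}")
```

The point of the split is that the same normalized events answer two different questions: correlator #1 asks "is something wrong right now?" (a feed went quiet, an account that should have locked did not), which is SIEM work; correlator #2 asks "over the period, did the control do its job?", which is the continuous-monitoring question the article says gets conflated with the SIEM itself. Here alice's lockout worked and bob's did not, so 3.1.8 scores 0.5 and lands in POA&M, while both critical findings were fixed inside the assumed SLA, so 3.14.1 is reported as effective.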