There isn’t a single “silver bullet” product that addresses Continuous Monitoring. There are too many factors to consider, which require multiple security elements to function as a single solution. A good approach to continuous monitoring is securing all threat vectors and having those solutions provide data to a central reporting engine. Once data is centralized, things like risk level auditing and policy enforcement can take place. My team has developed a Continuous Monitoring Reference Architecture based on research from customer requirements and testing various security products.
The first step in building a continuous monitoring solution is identifying what should be monitored. A complete continuous monitoring architecture should consider everything from network access alerts to software installed on endpoints. Most networks have gaps in process or technology, which leave holes in the desired monitoring reports. For example, administrators may use scanners to audit server vulnerabilities but not monitor configuration changes on routers. Network devices, servers, printers and other network elements each introduce forms of risk that need to be detected before a complete continuous monitoring solution can be put into place.
Here are some questions to think about regarding what could be monitored:
1) Do you have a continuous monitoring solution for devices accessing the network?
- Does that solution cover all access avenues (LAN, VPN, WIRELESS)?
- Is everything continuously verified or is it a one-time verification?
- Are policies enforced for different users and devices (guest, contractors and employees)?
- Do you scan devices for threats / risk before or while on the network?
2) Do you have a continuous monitoring solution for enforcing endpoint policy?
- Do you have a solution for checking what is installed on devices?
- Are laptops, desktops, etc. continuously monitored or randomly scanned?
- Are policies enforced?
- Are all endpoints considered (mobile phones, laptops, USB drives)?
3) Do you have a continuous monitoring solution for critical data control?
- Does this include Server, Email and Web data?
- Are policies for data loss enforced on and off the network?
- Does security follow the data (e.g. when a sensitive file is copied to a USB drive)?
- Is data limited to users with access credentials or open to all employees?
4) Do you have a policy for physical access to critical areas?
- Are all access points monitored?
- Do you monitor all users entering and leaving a controlled environment?
- Do physical access controls match with logical controls (who walked in and logged into a server)?
5) Do you have a continuous monitoring solution for network devices?
- Do you monitor who makes configuration changes?
- Do you have policies for code versions, configuration templates, etc. that are mandated for network devices?
- Do you collect logs and react to events?
6) Do you adhere to legal or company mandates?
- How often do you test for compliance?
- Do you meet all aspects of mandate requirements?
- Do you know the impact of daily changes to your mandate requirements?
Some examples of solutions for the questions above are: Network Admission Control, Scanners (Nessus, Retina, etc.), Data Loss Prevention, Network Management Applications (Cisco LMS, EMC Ionix, etc.), Desktop Management Applications (Altiris, BigFix, etc.), Physical Access Controls, Authentication Solutions, Email and Web Solutions, etc.
Once security toolsets are established to capture security events, the next step for a continuous monitoring solution is centralizing all alerts in a single management system. A common solution is a security information and event management (SIEM) tool. The benefits of most SIEMs are correlating related events into one threat, aggregating millions of events into readable data, identifying the top problems to remediate, and quickly searching through millions of logs for specific data. Some SIEMs offer other features such as compliance reports and workflows; however, few offer a complete C-level reporting package. An example of a C-level deliverable is reporting the impact of adding a router on the overall FISMA status, or determining the cost savings of replacing the router with a more efficient model. There are complementary solutions to SIEMs that provide this type of data.
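The centralization step described above, as an added example that is not part of the original post: three constructed feeds (NAC posture alerts, scanner findings and network-device configuration changes) are normalized into one schema, aggregated per host, and correlated so that a failed posture check plus a scanner finding on the same endpoint surfaces as a single threat rather than two unrelated alerts. The feed contents, the scoring weights and the correlation rule are assumptions made for the illustration, not any SIEM vendor's logic.

```python
from collections import defaultdict

SEVERITY = {"low": 1, "medium": 3, "high": 6, "critical": 10}  # assumed weights

# Constructed sample feeds standing in for what NAC, a vulnerability scanner
# and network-device syslog would forward to the central SIEM.
NAC_FEED = [
    {"host": "lt-042", "access": "VPN", "posture": "fail"},
    {"host": "lt-017", "access": "LAN", "posture": "pass"},
]
SCAN_FEED = [
    {"host": "lt-042", "severity": "high", "finding": "outdated VPN client"},
    {"host": "srv-db1", "severity": "critical", "finding": "unpatched DB service"},
]
CONFIG_FEED = [
    {"host": "rtr-edge1", "user": "tmp_admin", "ticket": None},
    {"host": "sw-core1", "user": "netops", "ticket": "CHG-1234"},
]

def normalize(nac, scans, configs):
    """Map each feed into one schema: (host, source, score, detail)."""
    events = []
    for e in nac:  # only non-compliant devices are worth an alert
        if e["posture"] != "pass":
            events.append((e["host"], "nac", 4, f'posture {e["posture"]} via {e["access"]}'))
    for e in scans:
        events.append((e["host"], "scanner", SEVERITY[e["severity"]], e["finding"]))
    for e in configs:  # a change with no change ticket is an unapproved change
        if not e["ticket"]:
            events.append((e["host"], "config", 5, f'unapproved change by {e["user"]}'))
    return events

def correlate(events):
    """Aggregate per host and merge correlated events into one threat."""
    by_host = defaultdict(list)
    for host, source, score, detail in events:
        by_host[host].append((source, score, detail))
    findings = []
    for host, evs in by_host.items():
        sources = {s for s, _, _ in evs}
        score = sum(sc for _, sc, _ in evs)
        details = "; ".join(d for _, _, d in evs)
        # Rule: failed posture plus a scanner finding on the same endpoint is
        # one threat (an unhealthy device on the network), not two alerts.
        if {"nac", "scanner"} <= sources:
            score += 5
            details = "unhealthy endpoint on network: " + details
        findings.append({"host": host, "score": score, "sources": sorted(sources), "detail": details})
    return findings

def top_problems(findings, n=3):
    """Rank findings so the highest-risk hosts come first for remediation."""
    return sorted(findings, key=lambda f: f["score"], reverse=True)[:n]

if __name__ == "__main__":
    for f in top_problems(correlate(normalize(NAC_FEED, SCAN_FEED, CONFIG_FEED))):
        print(f'{f["score"]:>3} {f["host"]:<10} {f["detail"]}')
```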
To summarize a continuous monitoring architecture: first, identify all threat vectors on your network. Develop security solutions that address those threat vectors with near real-time reporting capabilities. Build a centralized event management infrastructure that offers the various reports that meet business requirements. It will most likely take time to understand what the desired end result should be, so expect many revisions as you develop your continuous monitoring infrastructure.