2. Page 2
The Twin Forces of Change in IT
The twin forces of rapid innovation and rapidly evolving security threats are overwhelming the average enterprise IT department.

On one side, the evolution of network systems continues to accelerate. Cloud, virtualization, containerization, big data analytics, mobility, and the Internet of Things are constantly rewriting the rules of connectivity and data governance. On the other, attackers keep enterprises on the back foot by changing their techniques just as rapidly, if not more so.

On their own, each of these dynamic forces would be painful to contend with. Together, these parallel trends threaten the entire enterprise's bottom line.

The only way for IT to adapt its networks to these twin forces is to ensure that security evolves as quickly as the infrastructure and the threats do. The only way for that kind of dynamic security to take hold is through continuous security monitoring.
3. Page 3
As you know, today's enterprises are highly virtualized, with servers and applications continuously being integrated, deployed, and updated. Workloads shift from public cloud infrastructure to on-premises systems and back again, while your users connect new and more devices every day.

Couple those agile, ever-changing systems with the increased likelihood of security-related errors they bring, add skilled and persistent attackers, and the risk of breached and disrupted systems increases dramatically.

With all those factors considered, it is hard to avoid the conclusion that manual security measures cannot ensure that systems and applications remain managed in line with internal security policies and hardened against attack. Additionally, modern practices such as DevOps mean that applications and infrastructure change more rapidly than ever before. As fast as systems are developed, deployed, and updated, security checks need to run in parallel and just as swiftly. Gone are the days of running monthly security assessments.

This is the only way that enterprises can expect to successfully defend themselves against attackers now.
4. Page 4
The lessons of recent cybersecurity history are also unambiguous: compliance-driven and reactive information security efforts will not succeed at reducing system vulnerabilities and threats to a tolerable level.

Networked business-technology assets need to be inventoried, configured, and maintained; their vulnerabilities must be identified and mitigated; and they need to be checked constantly for signs of malware and compromise. If these processes can't be automated, they can't be managed successfully.

But it can be daunting to figure out where or how to start a Continuous Security Monitoring (CSM) effort. Some enterprises try to tackle too much at once and give up soon after they start. Others decide it is too overwhelming and don't start at all. Neither is good, and that's why we wrote this guide.
5. Page 5
Start Building Momentum with a Framework
While CSM hasn't necessarily taken hold in the mainstream, there are plenty of thought leaders in both the private and government sectors who realize the importance of automating and monitoring as many security processes as possible. They understand that this kind of automation not only reduces data breach risk but makes it possible to identify and stop attacks in progress when suspicious activity is spotted. These people have led the way in developing a number of excellent resources and frameworks that can help you get going on the path to continuous monitoring.

GET STARTED WITH NIST
One great place to start is NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Most of its advice applies to any large enterprise, not just government environments, and it provides extremely helpful guidance.

PCI IS ALSO HELPFUL
Another area where CSM has gained traction is the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is also a broad set of security controls, but it is aimed specifically at protecting payment cardholder data. PCI DSS also stresses the need to keep track of the daily system and application changes in every part of the enterprise that touches that data.

CDM Framework
One effort that is well underway is the U.S. government's Continuous Diagnostics and Mitigation (CDM) program. Established by Congress and run by the U.S. Department of Homeland Security, CDM gives federal departments and agencies what they need to put effective continuous security controls in place. CDM is a standardized way for federal entities to manage the threats and vulnerabilities that matter, prioritized by their likelihood and potential impact.

Also, unlike FISMA, which has been widely criticized as an exercise in security paper shuffling and box checking, CDM aims to help U.S. federal organizations better protect users, software, networks, and infrastructure by continuously examining their information technology systems for vulnerabilities and threats.
6. Page 6
The Three Primary Phases of Continuous Diagnostics and Mitigation
SOURCE: U.S. Department of Homeland Security
Last Published Date: November 6, 2015

PHASE 1: Identify and Manage Assets
- HWAM: Hardware Asset Management
- SWAM: Software Asset Management
- CSM: Configuration Settings Management (in CDM's vocabulary "CSM" means this, not the continuous security monitoring the rest of this guide refers to)
- VUL: Vulnerability Management

PHASE 2: Least Privilege and Infrastructure Integrity
- TRUST: Access Control Management (Trust in People Granted Access)
- BEHV: Security-Related Behavior Management
- CRED: Credentials and Authentication Management
- PRIV: Privileges

PHASE 3: Boundary Protection and Event Management for Managing the Security Lifecycle
- PLAN: Plan for Events
- RESPOND: Respond to Events
- AUDIT/MONITOR: Generic Audit/Monitoring
- DOCUMENT: Document Requirements, Policy, etc.
- Boundary Protection (Network, Physical, Virtual)
- QM: Quality Management
- RISK MANAGEMENT
7. Page 7
SANS 20 Critical Controls
The government isn't moving alone. The private sector is also embracing CSM frameworks, in areas such as continuous improvement and automated testing in DevOps and the automation of the SANS 20 Critical Controls. Many enterprises are turning to the 20 Critical Controls and using them to automate asset management, configuration management, vulnerability management, anti-malware, and data loss prevention, among other controls. The effort was informed by a number of international organizations and U.S. agencies and is currently managed within the SANS Institute.

SOURCE: SANS
1. Inventory of Authorized and Unauthorized Devices
2. Inventory of Authorized and Unauthorized Software
3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
4. Continuous Vulnerability Assessment and Remediation
5. Malware Defenses
6. Application Software Security
7. Wireless Access Control
8. Data Recovery Capability
9. Security Skills Assessment and Appropriate Training to Fill Gaps
10. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
11. Limitation and Control of Network Ports, Protocols, and Services
12. Controlled Use of Administrative Privileges
13. Boundary Defense
14. Maintenance, Monitoring, and Analysis of Audit Logs
15. Controlled Access Based on the Need to Know
16. Account Monitoring and Control
17. Data Protection
18. Incident Response and Management
19. Secure Network Engineering
20. Penetration Tests and Red Team Exercises
8. Page 8
5 Key Components Of Continuous Security Monitoring
Regardless of the framework you choose, there are typically five key components to an effective continuous monitoring program. As you build out your toolset to move toward continuous monitoring, keep in mind that this doesn't have to be a complete transformation. In many cases you are probably already using many of these tools in your information security program.

1. Asset Management
2. Configuration Management
3. Vulnerability Management
4. Access Control
5. Incident Response
9. Page 9
Asset Management
Asset management software comprises all of the tools used to manage and inventory corporate-owned and corporate-used devices and applications. These include simple inventory management and asset-auditing software that is used to identify all authorized hardware and to quickly identify unauthorized hardware.

It is highly unlikely that any unauthorized device is managed to any enterprise security policy. Such devices are not only vulnerable to being breached; some of them may already be. It is imperative that they be identified and either brought up to the policy standard or removed from the network.
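The check that the paragraph above describes, written out as an added example (this is not code from the guide or from Bitdefender): what is actually on the network is diffed against the authorized inventory. The inventory entries, the dhcpd-style lease records and the switch MAC-table line are constructed sample data with hypothetical hosts; a real run would take a CMDB export, a dhcpd.leases file, ARP tables or a switch's MAC table. The one detail that matters in practice is MAC normalization, because different sources write the same address differently and an unnormalized lookup silently misses the match.

```python
"""Hardware-asset check: observed devices vs. the authorized inventory.

Added example, not code from the original guide. All hosts, MACs and addresses
are constructed; in practice the observation comes from dhcpd.leases, ARP
tables or a switch MAC table, and the inventory from the CMDB.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed authorized inventory: normalized MAC -> expected hostname and owner.
AUTHORIZED = {
    "00:1a:2b:3c:4d:5e": {"host": "ws-alice", "owner": "alice"},
    "00:1a:2b:3c:4d:5f": {"host": "ws-bob", "owner": "bob"},
    "aa:bb:cc:00:11:22": {"host": "srv-db01", "owner": "dba-team"},
    "de:ad:be:ef:00:01": {"host": "printer-3f", "owner": "facilities"},
}

# Constructed observation: three ISC dhcpd lease records plus one Cisco-style
# MAC-table line, because different sources write MAC addresses differently.
OBSERVED_LINES = """
lease 10.0.1.10 { hardware ethernet 00:1A:2B:3C:4D:5E; client-hostname "ws-alice"; }
lease 10.0.1.11 { hardware ethernet 00:1a:2b:3c:4d:5f; client-hostname "kali"; }
lease 10.0.1.77 { hardware ethernet 0c:9d:92:11:22:33; client-hostname "android-7f3"; }
10.0.2.5  aabb.cc00.1122  dynamic  Gi1/0/12
"""

MAC_RE = re.compile(
    r"([0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}|[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HOST_RE = re.compile(r'client-hostname "([^"]+)"')


def normalize_mac(raw: str) -> str:
    """Reduce colon, dash or Cisco dotted notation to lowercase aa:bb:cc:dd:ee:ff.

    Without this, the same NIC shows up as two devices when two sources disagree
    on formatting, and the inventory lookup silently misses it.
    """
    digits = re.sub(r"[^0-9a-f]", "", raw.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Device:
    ip: str
    mac: str
    host: str | None = None  # only DHCP leases carry a client-supplied hostname


def parse_observed(text: str) -> list[Device]:
    devices = []
    for line in text.splitlines():
        mac_m, ip_m = MAC_RE.search(line), IP_RE.search(line)
        if not (mac_m and ip_m):
            continue
        host_m = HOST_RE.search(line)
        devices.append(Device(ip_m.group(1), normalize_mac(mac_m.group(1)),
                              host_m.group(1) if host_m else None))
    return devices


def audit(observed: list[Device], authorized: dict) -> dict:
    """Three findings a continuous asset check should raise:
    unauthorized: on the network but not in the inventory (investigate or remove);
    mismatched:   inventory MAC, but a different hostname (re-imaged or spoofed);
    missing:      in the inventory but not seen (offline, moved, or a stale record).
    """
    seen = {d.mac for d in observed}
    unauthorized = sorted((d for d in observed if d.mac not in authorized), key=lambda d: d.ip)
    mismatched = [
        (d.ip, d.mac, d.host, authorized[d.mac]["host"])
        for d in observed
        if d.mac in authorized and d.host and d.host != authorized[d.mac]["host"]
    ]
    missing = sorted(a["host"] for mac, a in authorized.items() if mac not in seen)
    return {"unauthorized": unauthorized, "mismatched": mismatched, "missing": missing}


if __name__ == "__main__":
    for kind, items in audit(parse_observed(OBSERVED_LINES), AUTHORIZED).items():
        print(kind, items)
```

On the sample data the run flags the Android device as unauthorized, the lease for ws-bob's MAC as mismatched (the client now calls itself "kali", which is either a re-image or a spoofed address and deserves a look either way), and the printer as missing. A missing device is not necessarily a problem, but a record that stays missing for weeks is a stale inventory entry that a later check should no longer trust.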
10. Page 10
Configuration Management
Your software configuration management process is how you identify software and system configurations and either confirm that they are being managed to policy or find that they are deficient and need to be corrected.

Misconfigurations of IT assets need to be kept to a minimum. Attackers scan your systems looking for misconfigured assets and take advantage of them to gain a foothold on the network. Even if a vulnerable system is not their primary target, they will compromise it and use it as a foothold to dig deeper.
11. Page 11
Vulnerability Management
Hopefully, if you run an enterprise of any size, you already have a vulnerability management program in place. Software weaknesses are a common way through which adversaries try to gain entry onto networked devices.

Here, you assess the software vulnerabilities in your networked devices, remedy those that are identified (starting with the critical ones), and then test that the patches and updates have actually been applied.
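The three steps above (assess, remediate by severity, verify) as one added example; this is not code from the guide or from Bitdefender. The package inventory, the advisory identifiers (ADV-xxxx, deliberately not real CVEs) and the versions are constructed; a real run would take `dpkg -l` or `rpm -qa` output and a scanner or vendor feed. The part worth copying is the version comparison: string order says "1.2.9" is newer than "1.2.12", and a scanner that compares versions as strings will report a vulnerable host as patched.

```python
"""Vulnerability check: installed versions vs. an advisory list, ordered by
severity, then re-run after patching to confirm remediation.

Added example, not from the original guide. Package inventory, advisory
identifiers (ADV-xxxx, not real CVEs) and versions are constructed; a real run
would take `dpkg -l` / `rpm -qa` output and a vendor or scanner feed.
"""
import re
from dataclasses import dataclass

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Advisory:
    id: str        # constructed identifier
    package: str
    fixed_in: str  # first version that carries the fix
    severity: str


ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.1.1k", "critical"),
    Advisory("ADV-0002", "nginx", "1.18.0", "high"),
    Advisory("ADV-0003", "zlib", "1.2.12", "medium"),
    Advisory("ADV-0004", "curl", "7.80.0", "low"),
]

# Constructed inventory: host -> {package: installed version}.
INVENTORY = {
    "web01": {"openssl": "1.1.1g", "nginx": "1.18.0", "zlib": "1.2.11", "curl": "7.79.1"},
    "db01": {"openssl": "1.1.1k", "zlib": "1.2.9"},
}


def version_key(version: str) -> tuple:
    """Make versions compare numerically, not as strings.

    '1.2.9' < '1.2.12' must hold (string order says the opposite), and the
    OpenSSL letter suffix in '1.1.1g' < '1.1.1k' must be honoured too.
    """
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def is_vulnerable(installed: str, fixed_in: str) -> bool:
    return version_key(installed) < version_key(fixed_in)


def scan(inventory: dict, advisories: list) -> list:
    """One finding per (host, advisory) where the installed version predates the
    fix, most severe first so remediation works the critical list down first."""
    findings = []
    for host, packages in inventory.items():
        for adv in advisories:
            installed = packages.get(adv.package)
            if installed is not None and is_vulnerable(installed, adv.fixed_in):
                findings.append({"host": host, "advisory": adv.id, "package": adv.package,
                                 "installed": installed, "fixed_in": adv.fixed_in,
                                 "severity": adv.severity})
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["host"], f["package"]))
    return findings


def apply_patch(inventory: dict, host: str, package: str, new_version: str) -> dict:
    """Stand-in for the package manager: a copy of the inventory with the upgrade."""
    updated = {h: dict(p) for h, p in inventory.items()}
    updated[host][package] = new_version
    return updated


def still_open(before: list, after: list) -> list:
    """Findings from the earlier scan that the re-scan still reports. This is the
    verification step: a patch that did not land, or landed short of the fixed
    version, is caught here instead of being assumed closed."""
    remaining = {(f["host"], f["advisory"]) for f in after}
    return [f for f in before if (f["host"], f["advisory"]) in remaining]


if __name__ == "__main__":
    first = scan(INVENTORY, ADVISORIES)
    patched = apply_patch(INVENTORY, "web01", "openssl", "1.1.1k")
    for f in still_open(first, scan(patched, ADVISORIES)):
        print(f"{f['severity']:8} {f['host']} {f['package']} {f['installed']} -> {f['fixed_in']}")
```

The re-scan is what turns a patch ticket into a closed finding. Patching web01's openssl to 1.1.1j instead of 1.1.1k, for instance, leaves ADV-0001 in `still_open`, which is exactly the case a "patch applied" checkbox would hide.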
12. Page 12
Access Control
Good access control is critical to success. These are the processes that automate the provisioning and de-provisioning of users and devices to the network, systems, and enterprise resources. The size and scope of these efforts are largely determined by the size of the enterprise, the number of employees, and the services they need access to. This typically includes everything from physical building and data center access to providing enterprise resources such as phones, desks, email, and everything in between.

This also includes the automated management and monitoring of identity access privileges (least privilege: no more access than is necessary) and of superuser access, such as the administrative rights required for system administration.
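An added example of the monitoring half of this (not code from the guide or from Bitdefender): the directory's live accounts are reviewed against the HR roster, to catch de-provisioning that was missed, and against an approved-admin list, to catch privileged group membership nobody signed off on. Every account, group, roster entry and date is constructed, and the 90-day dormancy threshold, the "svc-" naming convention for service accounts and the report date are assumptions; a real run would take an LDAP or Active Directory export and the HR system's active-staff list.

```python
"""Access-control review: live directory accounts vs. the HR roster and the
approved privileged-access list.

Added example, not from the original guide. Every account, group, roster
entry and date is constructed; a real run would take an LDAP/AD export and
the HR system's list of active staff.
"""
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "sudo", "wheel"}
STALE_AFTER_DAYS = 90            # assumption: disable after 90 days without a login
SERVICE_ACCOUNT_PREFIX = "svc-"  # assumption: naming convention for non-human accounts
TODAY = date(2024, 5, 2)         # constructed report date

# Constructed HR roster: people who should currently have any access at all.
HR_ACTIVE = {"alice", "bob", "carol"}
# Constructed approval list: who may hold membership in a privileged group.
APPROVED_ADMINS = {"alice"}

# Constructed directory export: username -> attributes.
DIRECTORY = {
    "alice": {"enabled": True, "groups": {"Domain Admins", "staff"}, "last_login": date(2024, 5, 1)},
    "bob": {"enabled": True, "groups": {"staff", "sudo"}, "last_login": date(2024, 4, 20)},
    "carol": {"enabled": True, "groups": {"staff"}, "last_login": date(2023, 11, 3)},
    "dave": {"enabled": True, "groups": {"staff"}, "last_login": date(2024, 4, 28)},
    "erin": {"enabled": False, "groups": {"Domain Admins"}, "last_login": date(2023, 1, 9)},
    "svc-backup": {"enabled": True, "groups": {"wheel"}, "last_login": None},
}


def review(directory: dict, hr_active: set, approved_admins: set, today: date) -> list:
    """Return (user, finding, action) triples. Four conditions are checked:
    orphaned: enabled human account with no active HR record (de-provisioning missed);
    unapproved-privilege: privileged group membership without approval (least privilege);
    disabled-privileged: disabled account still in a privileged group (one re-enable away);
    stale: human account with no login for STALE_AFTER_DAYS (dormant, disable it).
    Service accounts skip the HR and dormancy checks but not the privilege check.
    """
    findings = []
    for user, attrs in sorted(directory.items()):
        privileged = attrs["groups"] & PRIVILEGED_GROUPS
        is_service = user.startswith(SERVICE_ACCOUNT_PREFIX)

        if not attrs["enabled"]:
            if privileged:
                findings.append((user, "disabled-privileged",
                                 f"remove from {sorted(privileged)}"))
            continue

        if not is_service and user not in hr_active:
            findings.append((user, "orphaned", "disable and de-provision"))

        if privileged and user not in approved_admins:
            findings.append((user, "unapproved-privilege",
                             f"member of {sorted(privileged)} without approval; remove or approve"))

        last = attrs["last_login"]
        if not is_service and (last is None or (today - last).days > STALE_AFTER_DAYS):
            findings.append((user, "stale", f"no login in {STALE_AFTER_DAYS} days; disable"))
    return findings


if __name__ == "__main__":
    for user, finding, action in review(DIRECTORY, HR_ACTIVE, APPROVED_ADMINS, TODAY):
        print(f"{user:12} {finding:22} {action}")
```

Run continuously (each time the HR feed or the directory changes) rather than at audit time, this is what keeps a departed employee's account from surviving for months. The disabled-but-privileged case is included on purpose: a disabled account in Domain Admins is not an exposure today, but it is one re-enable away from being one, and group membership should be stripped when the account is disabled, not later.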
13. Page 13
Incident Response
If an enterprise is going to be looking for indicators of breach and compromise, it needs effective ways to deal with those incidents swiftly and adequately.

For this, enterprises need to automate the detection of breaches as much as possible and have a response in place that is proportionate to what was found. Some breaches may require little manual response, perhaps pushing a new machine image out to an endpoint. Others may require extensive forensic analysis, remediation, and cleanup.
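An added example of automated detection feeding a tiered response (not code from the guide or from Bitdefender): SSH authentication log lines are parsed, a burst of failed logins from one source is treated as a brute-force attempt, and a successful login from that same source shortly afterwards is escalated as a probable compromise rather than handled by the same automated block. The log lines are constructed in syslog/OpenSSH style using documentation-range addresses; the thresholds, the log year and the two response tiers are assumptions.

```python
"""Detection and tiered triage over SSH authentication log lines.

Added example, not from the original guide. The log lines are constructed in
syslog/OpenSSH style with documentation-range IP addresses; the thresholds,
the log year and the two response tiers are assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG = """\
May  2 10:01:07 web01 sshd[2201]: Failed password for root from 203.0.113.5 port 4411 ssh2
May  2 10:01:09 web01 sshd[2202]: Failed password for root from 203.0.113.5 port 4412 ssh2
May  2 10:01:11 web01 sshd[2203]: Failed password for admin from 203.0.113.5 port 4413 ssh2
May  2 10:01:13 web01 sshd[2204]: Failed password for deploy from 203.0.113.5 port 4414 ssh2
May  2 10:01:15 web01 sshd[2205]: Failed password for deploy from 203.0.113.5 port 4415 ssh2
May  2 10:01:20 web01 sshd[2206]: Accepted password for deploy from 203.0.113.5 port 4416 ssh2
May  2 10:05:00 web01 sshd[2300]: Failed password for alice from 198.51.100.9 port 5000 ssh2
May  2 10:05:04 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.9 port 5001 ssh2
May  2 11:00:00 web01 sshd[2400]: Failed password for root from 192.0.2.44 port 6000 ssh2
May  2 11:30:00 web01 sshd[2401]: Failed password for root from 192.0.2.44 port 6001 ssh2
May  2 11:40:00 web01 sshd[2402]: Failed password for root from 192.0.2.44 port 6002 ssh2
May  2 11:50:00 web01 sshd[2403]: Failed password for root from 192.0.2.44 port 6003 ssh2
May  2 11:55:00 web01 sshd[2404]: Failed password for root from 192.0.2.44 port 6004 ssh2
"""

LINE_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    success: bool
    user: str
    src: str


@dataclass(frozen=True)
class Alert:
    src: str
    host: str
    tier: str
    action: str


def parse(log: str, year: int = 2024) -> list:
    """Syslog timestamps carry no year; the caller supplies it (assumed 2024 here)."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, outcome, _method, user, src = m.groups()
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        events.append(Event(ts, host, outcome == "Accepted", user, src))
    return events


def detect(events: list, threshold: int = 5, window_seconds: int = 60,
           follow_seconds: int = 600) -> list:
    """Per source address: `threshold` failures inside `window_seconds` is a brute
    force attempt. A successful login from the same source within `follow_seconds`
    of the burst is a probable compromise and is escalated; without one, the
    response can stay automated (block the source)."""
    window, follow = timedelta(seconds=window_seconds), timedelta(seconds=follow_seconds)
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)

    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if not e.success]
        burst_end = None
        for i, e in enumerate(failures):  # sliding window over this source's failures
            if sum(1 for f in failures[:i + 1] if e.ts - f.ts <= window) >= threshold:
                burst_end = e.ts
                break
        if burst_end is None:
            continue
        success = next((e for e in evs if e.success and burst_end <= e.ts <= burst_end + follow), None)
        if success:
            alerts.append(Alert(src, success.host, "high",
                                f"brute force then login as {success.user!r}: isolate host, "
                                f"preserve logs and memory, begin forensics"))
        else:
            alerts.append(Alert(src, failures[0].host, "low",
                                "brute force, no success: block source"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse(LOG)):
        print(a.tier, a.src, a.host, a.action)
```

With the default 60-second window only 203.0.113.5 is reported, as a high-tier alert, because the password burst against web01 ended in an accepted login as "deploy"; alice's one typo followed by a key login is correctly ignored. 192.0.2.44 spreads its five attempts over 55 minutes and slips under the window entirely, which is the standard low-and-slow evasion; `detect(parse(LOG), window_seconds=3600)` surfaces it as a low-tier alert, at the cost of more noise from legitimate users. Tuning that window against your own baseline of failed logins is part of the monitoring, not a one-time setting.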
14. Page 14
Pulling the technology together: Continuous Security Monitoring Platform
Enterprises that embark on the path to continuous security monitoring are going to be collecting and managing a lot of data. It will be coming from network monitoring tools, intrusion detection systems, management consoles, compliance and configuration management toolsets, and so forth. You will need a way to collect this data, analyze it, visualize it, and actually respond to it.

This will likely be a combination of existing toolsets, some API and integration work, and maybe even building new custom tools.
15. Page 15
In interviews with CISOs, many enterprises turn to their vulnerability management systems, which already track system vulnerabilities, networked assets, and configuration settings. Others have turned to their security information and event management (SIEM), configuration management, and log management systems. As these programs are built out, most of these tools are used together, with their outputs fed to data analysis and dashboard tools.

Realistically, as you build your CSM program out, you will have various siloed sets of information that, over time, you will pull together to build a real-time ability to continuously monitor and react to system conditions.
16. Page 16
Automate everything you can, and then automate more
Where do you start automating your CSM program? There are many approaches, such as automating what you currently have the tools to automate: regular vulnerability assessments, patch and anti-malware updates, reporting and alerting, and so on. Another way is to identify the most critical assets, continuously monitor those, and over time build the program out to the rest of the organization.

Some enterprises are automating based on the federal CDM program, others on PCI DSS (for payment card data), and still others are looking at automating the 20 Critical Security Controls. The 20 Critical Controls were written specifically for IT security professionals and provide straightforward, risk-based implementation guidance.

These controls stand on four pillars:
- Focus on continuous monitoring to test and evaluate remediation
- Provide common metrics that all stakeholders can understand
- Automate processes
- Use knowledge of actual attacks to build defenses
17. Page 17
Organizations report that the 20 Critical Controls are very effective at helping them select the right security technologies and then implement, configure, monitor, and manage a better information security program. The Critical Controls also strongly encourage automating the enforcement of controls wherever possible. That includes automating the maintenance of the inventory of authorized and unauthorized devices and software, of security device configurations, and of continuous vulnerability assessment and remediation.
18. Page 18
Getting started with CSM
So, where do you begin your continuous security monitoring efforts? When you look at your environment in its entirety, with an eye toward monitoring everything all of the time, it can appear overwhelming. And the reality is that you can't start monitoring everything at once. Choices need to be made about where to start: which endpoints, servers, and applications need the most oversight, and where a breach would cause the most damage.

This is why, when deciding where to start your continuous monitoring efforts, the first place to look could be where those who would attack you would also look first.

What data or resources would attackers most likely want to target? Is it your intellectual property? The customer data you hold? Perhaps you won't be the direct target; the attackers may be using you to infiltrate high-value partners. Your security teams need to begin monitoring your most valued assets for potential attack paths. This includes network and system logs and traffic, looking for anomalous behavior, as well as your system configurations.

Attackers aren't the only threat. The risks around regulatory compliance also rise in rapidly changing environments. Here, you need to take inventory of the assets and applications that touch regulated data. For compliance, you will need to consider continuously monitoring your asset configurations and event logs for any deviations from your compliance and security policy.
19. Page 19
The key is to focus on monitoring and protecting the most important assets and applications. You'll need to work closely with audit and compliance teams, operations teams, business application owners, and security teams to identify these assets. Essentially, aim to identify the most critical and valuable systems and data, as well as those that fall under the purview of regulatory compliance, and start your continuous monitoring efforts there.

When implementing continuous security and regulatory compliance monitoring of your high-value assets, include their configurations and the status of security technologies such as anti-malware, network and application firewalls, data leak prevention technologies, and so on.

From here, you are going to need to automate as many of your security controls as you can, while also monitoring their configurations to ensure that they are managed consistently across all environments. Are your network configurations identical from one cloud to another? Do your wireless LANs have the same security posture? Are servers classified at the same risk level set to the same security configuration? And so on. In this way automation will help you attain consistency throughout your environment.
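Both the Configuration Management page earlier in this guide (confirm that each system is managed to policy or flag it as deficient) and the consistency questions just above (are servers of the same risk class in different clouds configured the same way?) come down to the same check, so one added example covers both; it is not code from the guide or from Bitdefender. The hosts, their environments and risk classes and the baseline are constructed; the settings are written in OpenSSH sshd_config syntax because every server carries that file. The defaults table is OpenSSH's own, and it is there for a reason: a directive that is absent or commented out takes the default, so a check that only reads what is written in the file misses a silently weak setting.

```python
"""Configuration-settings check in two directions: each host against the
baseline for its risk class, and hosts of the same class against each other
across environments.

Added example, not from the original guide. Hosts, environments, the risk
classes and the baseline are constructed; settings are written in OpenSSH
sshd_config syntax because it is a config that every server carries.
"""
import re
from collections import defaultdict

# OpenSSH's own defaults for the keys below: a directive that is absent or
# commented out takes these values, so a check that only looks at what is
# written in the file would miss a silently weak setting.
OPENSSH_DEFAULTS = {
    "PermitRootLogin": "prohibit-password",
    "PasswordAuthentication": "yes",
    "X11Forwarding": "no",
    "MaxAuthTries": "6",
}
CANONICAL = {k.lower(): k for k in OPENSSH_DEFAULTS}

# Constructed baseline per risk class.
BASELINE = {
    "high": {"PermitRootLogin": "no", "PasswordAuthentication": "no",
             "X11Forwarding": "no", "MaxAuthTries": "3"},
    "standard": {"PermitRootLogin": "no", "PasswordAuthentication": "yes", "MaxAuthTries": "6"},
}

# Constructed fleet: the same class of server in two clouds, plus a standard web host.
HOSTS = {
    "db01": {"env": "aws", "class": "high", "config": """
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""},
    "db02": {"env": "azure", "class": "high", "config": """
PermitRootLogin no
# PasswordAuthentication no
MaxAuthTries 3
X11Forwarding no
"""},
    "web01": {"env": "aws", "class": "standard", "config": """
permitrootlogin yes
PasswordAuthentication yes
MaxAuthTries 6
Match User deploy
    PasswordAuthentication no
"""},
}


def parse_sshd_config(text: str) -> dict:
    """Effective global settings: defaults overlaid with the file's directives.
    Keywords are case-insensitive, the first occurrence wins, 'Key = value' is
    accepted, and everything from the first Match block on is conditional, so
    it is not part of the global policy."""
    effective = {k: v.lower() for k, v in OPENSSH_DEFAULTS.items()}
    seen = set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match "):
            break
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = CANONICAL.get(parts[0].lower(), parts[0])
        if key.lower() in seen:
            continue
        seen.add(key.lower())
        effective[key] = parts[1].strip().lower() if len(parts) > 1 else ""
    return effective


def check_baseline(hosts: dict) -> list:
    """(host, key, actual, required) for every baseline key a host violates."""
    deviations = []
    for name, h in hosts.items():
        settings = parse_sshd_config(h["config"])
        for key, required in BASELINE[h["class"]].items():
            if settings.get(key) != required.lower():
                deviations.append((name, key, settings.get(key), required))
    return deviations


def check_consistency(hosts: dict) -> list:
    """(class, key, {host: value}) wherever hosts of one risk class disagree,
    whichever environment they sit in. Drift is reported even on keys the
    baseline does not pin, which is how two hosts that both pass the baseline
    can still be found to differ."""
    per_class = defaultdict(dict)
    for name, h in hosts.items():
        per_class[h["class"]][name] = parse_sshd_config(h["config"])
    inconsistent = []
    for cls, per_host in per_class.items():
        for key in OPENSSH_DEFAULTS:
            values = {name: s[key] for name, s in per_host.items()}
            if len(set(values.values())) > 1:
                inconsistent.append((cls, key, values))
    return inconsistent


if __name__ == "__main__":
    for d in check_baseline(HOSTS):
        print("deviation", d)
    for i in check_consistency(HOSTS):
        print("inconsistent", i)
```

On the sample fleet, db02 fails its baseline only because its PasswordAuthentication line is commented out, which leaves OpenSSH's default of "yes" in force, and the same finding shows up as an inconsistency between the two high-risk database hosts in different clouds. web01 fails on PermitRootLogin; its Match block for the deploy user does not rescue it, because a Match block changes nothing about the global setting. Run on a schedule against every host, with the output fed to the same dashboard as the other checks, this is the "managed consistently across all environments" question answered continuously rather than at audit time.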
20. Page 20
CONCLUSION
Building an effective CSM program isn't something that will happen overnight. But as you automate certain processes, you just need to make certain those processes remain automated and in good shape. Use the time saved to automate the next set of security processes and feed their status into a dashboard or, initially, a set of dashboards. In time, you will automate your entire program.

So what will this continuous security and regulatory compliance monitoring do for you? Plenty, when it comes to building a resilient environment. When you continuously deploy new applications, you will be introducing new mistakes into the environment; by continuously monitoring that environment, you will find the new security errors as they are introduced. So, while you move as quickly as you can, your CSM program brings your security efforts along with you.

About Bitdefender
Bitdefender is a global security technology company that delivers solutions in more than 100 countries through a network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced award-winning business and consumer security technology, and is a leading security provider in virtualization and cloud technologies. Through R&D, alliances and partnership teams, Bitdefender has elevated the highest standards of security excellence in both its number-one-ranked technology and its strategic alliances with the world's leading virtualization and cloud technology providers.
www.bitdefender.com
www.bitdefender.com/business
businessinsights.bitdefender.com