Hope for a Holy Grail of Continuous Monitoring
The most misunderstood cybersecurity solution holds promise.
Cybersecurity is not about shortcuts. There is no quick route to address increasingly sophisticated attacks or to undo years of neglect wrought by security managers avoiding the problem.
Many experts had hoped that the colossal breach of the Office of Personnel Management several years ago might have heralded much-needed focus, energy and funding to defeat the bad guys. That has proved to be an empty hope, and officials have continued to abrogate their authority to lead in cyberspace.
Among all the potential cyber solutions, continuous monitoring (CM)—the so-called holy grail—is the most misunderstood. Presenting too many shortcuts for both federal and private-sector networks and creating an illusion of success, CM is among the worst of approaches—except for all the rest, to paraphrase Winston Churchill. “Continuous monitoring has evolved as a best practice for managing risk on an ongoing basis,” according to a SANS Institute white paper that addresses the status quo and looks beyond present-day implementation.
The Committee on National Security Systems defines CM as the process that maintains security statuses for information systems on which enterprise operational missions depend. Experts describe CM as a holistic approach to cybersecurity and a robust global risk management (RM) solution.
Despite its shortcomings, CM can support effective continuous and recurring RM assurance. For CM to become a valuable cyber tool and comply with federal standards, agencies must meet the measures and expectations defined in the National Institute of Standards and Technology’s (NIST’s) Special Publication (SP) 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.
CM is not just the passive visibility piece of an active network. It includes the active efforts of vulnerability scanning, threat alert, reduction, mitigation or elimination in a dynamic information technology environment, all of which are critical to network defense. This conceptual framework explains how agencies can identify a true CM solution through NIST SP 800-137, which highlights 11 security automation domains required to implement true CM.
CM must align endpoint visibility with security monitoring tools, including connectivity to laptops, desktops, servers, routers, firewalls and more. Additionally, these tools must work with a highly integrated security information and event management (SIEM) device, which provides the central processing and analysis of potential threats within an organization’s information technology environment. A clear link also must exist between the security monitoring tools, the SIEM device and the security automation domains, which include malware detection as well as asset and event management. CM first must address these collective components to create a first-generation instantiation.
More specifically, a SIEM appliance provides the core data processing capabilities to coordinate all inputs and outputs effectively across the information technology enterprise. It manages the data integration and interpretation of all CM components and provides the necessary visibility and intelligence for an active incident response capability. Additionally, endpoint devices must be persistently visible to applicable security devices. Together, these parts must align with their respective security controls as described in NIST SP 800-53, which catalogs federal information systems security controls for all systems except national security.
The selected SIEM tool accepts these inputs and evaluates them against defined security policy settings, recurring vulnerability scans, signature-based threats and heuristic and activity-based analyses to ensure the environment’s security posture. SIEM outputs support further visibility of the information technology environment; conduct and disseminate vital intelligence; and alert managers to ongoing or imminent dangers. A SIEM tool also distributes data feeds to analysts in nearly real time. Once the base first-generation functionalities consistently align with the security automation domains, an organization can definitively express that it meets CM requirements.
This does not conclude the process, however. Vital hardware and software configuration items must be known before implementing CM within an enterprise information technology environment. Products from companies such as McAfee and Symantec identify and reduce threats and offer nearly real-time monitoring, while other security tools provide asset visibility, vulnerability detection and patch management updates.
Achieving this security nirvana requires much greater integration and availability of crosscutting intelligence tools than CM can now provide. Wielding multiple security monitoring tools that provide defense in depth might be a better protective strategy, keeping in mind that such an approach certainly will increase maintenance and security costs. Taking this route calls for a return on investment scheme balanced against a well-defined threat risk-scoring approach at all workplace levels. “Organizations are required to adequately mitigate the risk arising from use of information and information systems in the execution of missions and business functions,” reads a portion of NIST’s SP 800-53.
Based on guidance from NIST and the Department of Homeland Security, an effective SIEM appliance must provide four functionalities: aggregate data across a diverse set of security tool sources; analyze multisource data and explore data based on changing needs; make quantitative use of data for security purposes, including the development and use of risk scores; and, finally, maintain actionable awareness of the changing security situation in real time.
Future CM tools must include specific expanded capabilities and functionalities of the SIEM device to tackle increasingly hostile network environments. Improvements likely will yield greater access to a larger pool of threat database signature repositories or more expansive heuristics that identify active anomalies within a target network. The use of artificial intelligence could enhance human threat analysis and provide more automated responsiveness. “The concept of predictive analysis involves using statistical methods and decision tools that analyze current and historical data to make predictions about future events,” reads a portion of the SANS white paper.
The next generation of CM tools must boost human response times for defending against attacks from hours to milliseconds. It also must expand data, informational and intelligence inputs for new and more capable SIEM products and more fully vet data and inputs for completeness and accuracy. The future must bring increased access to signature- and activity-based analysis databases to provide greater risk reduction. Private industry and the intelligence community must offer greater support for agencies constantly battling more capable and better resourced threats.
CM will not be a reality until vendors and agencies can integrate the right people, processes and technologies. This will require capable organizations with trained personnel creating effective policies and procedures with the requisite technologies to stay ahead of the growing threats in cyberspace.
Many vendors describe their CM tool as the holy grail cyber solution, but they cannot completely back up their claims. While meeting the elements of NIST SP 800-137 might seem daunting, it is certainly an attainable goal for CM vendors as artificial intelligence, big data and machine learning rapidly evolve. Of course, getting there will not come quickly. Cybersecurity requires methodical and consistent implementation to achieve the full benefits of CM. Cyber is not just a security problem—it is also a leadership challenge.
Mark A. Russo is Leidos’ lead information security engineer supporting the U.S. Navy’s tomahawk missile system. He is the former chief information security officer at the Education Department and retired from the U.S. Army Reserves in 2012, where he served as a senior intelligence officer and liaison to the Terrorist Screening Center within the FBI. The views expressed are his own.