The single best analogy for continuous network monitoring: Fitbit. What does this mean and what can a Fitbit tell you about continuous network monitoring?
First of all, what do we mean by continuous network monitoring?
“Continuous monitoring is an ancient concept dating back to warring factions using arrows, clubs, and spears. The Babylonians in 539 BC didn’t think they needed to monitor their defenses because their defenses were so impenetrable—that is, until the Persians dammed up the river to sneak in through what turned out to be an unmonitored vulnerability. More recently, we’ve seen references to multiple break-ins that relied on gaining a foothold through one or more vulnerabilities that may or may not have been known.
Because of continuous changes in the threat and monitoring landscape, over the past few years, monitoring has become so important that federal agencies are now required to continuously monitor their systems and defenses. Outside the federal government, IT organizations in almost every sector are required to maintain and monitor their computers to various degrees.”
“Continuous monitoring is a cycle consisting of four basic phases: discovery, analysis, tuning, and reporting. Each of these basic phases has multiple parts, but simplifying the basic phases makes the entire process applicable to a wider range of situations. These are not individual phases that run in sequence; all four phases need to be going on continuously.”
Thank you to the SANS reading room for that great explanation of continuous monitoring!
Back to the Fitbit example
Many of us have learned through our Fitbit that we’re not sleeping enough, exercising enough, or eating correctly. It’s the same scenario with continuous network monitoring, although it monitors your organization’s security posture instead of tracking your personal health.
There are typically 5 critical cyber controls when it comes to continuous network monitoring:
1. Discover all assets: Asset discovery is critical! But many find this step the most difficult. Legacy tools aren’t sufficient to cover it. You should include identification of all authorized or unauthorized hardware and software, transient devices and applications, unknown endpoints, BYOD devices, network devices, platforms, operating systems, virtual systems, cloud applications, and services. The optimum solution should include a combination of automated discovery technologies running in near real-time.
2. Continuously remove the vulnerability from all assets: To remove all vulnerabilities, you must implement a regular continuous monitoring program. Procedures should include three areas:
- Applying software, hardware, and cloud service patches to remove vulnerabilities
- Applying configuration changes to limit malicious exploits
- Applying additional host or network-based security monitoring
3. Deploy a secure network: Network security should be a daily practice. For each asset, one or several mitigating technologies can be deployed to prevent or detect malicious activity. For example, host-based technologies include anti-virus, application white-listing, and system monitoring; network-based technologies include activity monitoring, intrusion prevention, and access control; auditing cloud-based technologies can be done with APIs, threat subscriptions, and network monitoring or endpoint system monitoring.
4. Give users access to the systems and data they need: All users should have a demonstrated business need to access specific systems and data. Limit and control administrative privileges, avoid using default accounts, enforce strong password creation, and log all accesses.
5. Continually hunt for malware and vulnerabilities that could potentially attack the well-being of your network: You must actively monitor your systems for anomaly detection and exploitation. It is frankly unrealistic to expect your systems to be 100% incident free. Attackers acquire new technologies every day; you have to stay one step ahead of them by proactively managing your systems with near real-time continuous scanning for viruses, malware, exploits, and inside threats. Each of the previous 4 controls makes your search for malicious activity easier and creates several audit trails to be used in forensic analysis.
These controls are at the heart of continuous network monitoring, to help you track the vital signs of your systems. If you aren’t sure where to start, take a look at our Modern Approach to Vulnerability Scanning.
IT teams deploying continuous network monitoring for the first time often find they are not remediating their vulnerabilities as fast as they thought, are not monitoring their users as thoroughly as they believed, and are spending precious resources working on the wrong risk reduction programs. Regardless of the industry sector, every executive needs some form of assurance that the organization’s cyber assets are protected.
Many of Cybriant’s customers deploy our continuous network monitoring solutions as a peer to their business systems. Our solutions help assure that the IT organization is not adding new types of cyber risks, so executives can be confident the business is operating safely over the Internet.
Modern Day Problems with Continuous Network Monitoring
Unknown Assets and Devices
An asset is no longer just a laptop or server. It’s now a complex mix of digital computing platforms and assets which represent your modern attack surface, including cloud, containers, web applications, and mobile devices. Proactively discover true asset identities (rather than IP addresses) across any digital computing environment and keep a live view of your assets with our managed vulnerability management service.
Sporadic Vulnerability Scans
Periodic vulnerability scans, like annual physicals, are limited in the type of protection that they can provide to assure system fitness. However, continuous network monitoring is a game-changing technology and is becoming the new normal. Continuous network monitoring is not a fad; it implements the 5 healthy best practices your organization should be monitoring and provides daily visibility into your progress. Tenable is proud to be leading the trend.
Performing only a single vulnerability scan each year or quarter puts organizations at risk of not uncovering new vulnerabilities. The time between each scan is all an attacker needs to compromise a network. With continuous scanning, our security experts automatically have visibility to assess where each asset is secure or exposed.
Prioritized Risk
By using risk prioritization, our security experts have the skills to understand exposures in context. They will prioritize remediation based on asset criticality, threat context, and vulnerability severity. Our reporting will help you prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique
Introduction to The Modern Approach to Vulnerability Scanning
Today’s enterprise networks are in a perpetual state of flux. The use of mobile devices to access corporate data is skyrocketing. More IT services are being delivered via the cloud than ever before. And users are constantly subscribing to SaaS-based applications, including file sharing applications like Box, Dropbox, and Google Drive, without IT’s consent. Meanwhile, hardly a day goes by without reports of a major data breach appearing in the trade rags or some high-profile cyberattack being featured on the evening news.
But why? Are the bad guys getting smarter? Or are our existing defenses becoming outdated? Perhaps it’s a bit of both. Innovations in continuous network monitoring are giving savvy IT security teams a leg up in mitigating risks associated with advanced threats. Unlike legacy vulnerability management systems that rely on active scanning, continuous network monitoring provides real-time visibility into mobile devices, virtual platforms, cloud applications, and network infrastructure — including their inherent security risks. If you and your colleagues are tasked with reducing network security risks while maintaining compliance with industry or government regulations, then this book is for you.
Download the ebook today: https://www.cybriant.com/modern-approach-to-vulnerability-scanning-2/
Real-time Vulnerability Management
The larger the gap, the greater the risk of a business-impacting cyber event occurring. Traditional Vulnerability Management is no longer sufficient. Managed Vulnerability Management extends vulnerability management by covering the breadth of the attack surface (IT, Cloud, IoT/OT) and providing a depth of insight into the data (including prioritization/analytics/decision support). We help security leaders answer the following questions:
Where are we exposed?
What assets are affected, where, and what is the significance/severity? The changing technology and threat landscape have made this harder to see.
Where should we prioritize based on risk?
Data overload and lack of security staffing have made this more important than ever.
How are we reducing exposure over time?
Security leaders want to understand and report on their progress and show the value of their investments to senior management.
If you are unsure how to respond to these questions, let’s talk.
When you outsource your vulnerability management to a security provider like Cybriant, you’ll be able to:
- Discover: Identify and map every asset for visibility across any computing environment
- Assess: Understand the state of all assets, including vulnerabilities, misconfigurations, and other health indicators
- Analyze: Understand exposures in context, to prioritize remediation based on asset criticality, threat context, and vulnerability severity
- Fix: Prioritize which exposures to fix first, if at all, and apply the appropriate remediation technique
- Measure: Model and analyze cyber exposure to make better business and technology decisions
- Report: Cybriant’s security experts staff will report and give security and IT teams complete and accurate visibility and insight.
Cybersecurity Standards for Compliance
There are many different types of government and financial compliance requirements. It is important to understand that these compliance requirements are minimal baselines that can be interpreted differently depending on the business goals of the organization. Compliance requirements must be mapped with the business goals to ensure that risks are appropriately identified and mitigated.
For example, a business may have a policy that requires all servers with customer personally identifiable information (PII) on them to have logging enabled and minimum password lengths of 10 characters. This policy can help in an organization’s efforts to maintain compliance with any number of different regulations. These compliance checks also address real-time monitoring such as performing intrusion detection and access control.
Common compliance regulations that require continuous monitoring include, but are not limited to:
- BASEL II
- Center for Internet Security Benchmarks (CIS)
- Control Objectives for Information and related Technology (COBIT)
- Defense Information Systems Agency (DISA) STIGs
- Federal Information Security Management Act (FISMA)
- Federal Desktop Core Configuration (FDCC)
- Gramm-Leach-Bliley Act (GLBA)
- Health Insurance Portability and Accountability Act (HIPAA)
- ISO 27002/17799 Security Standards
- Information Technology Information Library (ITIL)
- National Institute of Standards (NIST) configuration guidelines
- National Security Agency (NSA) configuration guidelines
- Payment Card Industry Data Security Standards (PCI DSS)
- Sarbanes-Oxley (SOX)
- Site Data Protection (SDP)
- United States Government Configuration Baseline (USGCB)
- Various State Laws (e.g., California’s Security Breach Notification Act – SB 1386)
Yay for Boring Security!
In the recent article, “Is My Company Secure,” we discussed how monitoring is the ‘boring’ phase of selecting a security framework. But, in the end, don’t you want security to be boring? 
By using a framework, we are converting information security from something that is at best a hodgepodge of duct tape into a strategy. The strategy takes us from reaction to prevention and that takes us from front news to boring company that protects their customer’s data. In security, you want to be boring.
Just like a Fitbit, Continuous network monitoring takes a holistic approach to monitoring security well-being. Not only does it discover all assets and track them for vulnerabilities, but it also monitors networks in real-time for threats, gathers contextual analytics, and provides assurance that mitigating controls are in place.
Continuous network monitoring keeps you on track, continually making progress towards improving your security posture and meeting your business goals, just like a Fitbit does for your health.
About Cybriant
Cybriant is a holistic cybersecurity service provider which enables small and mid-size companies to deploy and afford the same cyber defense strategies and tactics as the Fortune 500. We design, build, manage, and monitor cybersecurity programs. Follow Cybriant @cybriantmssp and cybriant.com.
Sources:
https://www.tenable.com/blog/taking-the-pulse-of-your-network-fitbit-for-security
https://www.tenable.com/blog/tenable-s-critical-cyber-controls-for-secure-systems