Continuous Monitoring Misunderstood

Network security monitoring includes intrusion detection, audit log correlation and analysis and other methods of detecting failures of our network protections. Continuous monitoring is not the same thing. Continuous monitoring is the process of checking our security controls to make sure they are working.

Here is an article that explains some of the background:
Continuous Monitoring

In September of 2011 NIST released SP 800-137 “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations”.

Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.

Before continuous monitoring, federal agencies were guilty of over-emphasizing “compliance”, or “C&A” (certification and accreditation): checking the effectiveness of security controls every three years. Things change too fast in the world of cyber security to rely upon a check every three years; for most security controls, even a yearly check is not often enough.

Continuous Monitoring is the philosophy that we must check how well our security controls are working as often as is needed to ensure confidence that they are doing their job well and to make good risk management decisions based on an accurate concept of our risk posture.

For some controls, that may mean checking them once a year. But for other controls, it may mean having the ability to look at how well they are working in real time. We have security controls that define personnel background checks, backup power supplies and fire suppression systems. We also have security controls that define intrusion detection, malware prevention, file integrity checking and vulnerability scans. Some of these controls can be surveyed for their working effectiveness on a less frequent basis and some require constant attention.

There is a difference between using the control for its designed purpose and testing it to make sure it’s working correctly. We hope that we will rarely use our backup power supplies and fire suppression system and we test them on a regular basis, but not every day. Intrusion detection and anti-virus prevention are often in a constant state of use and require closer attention.

The primary goal of continuous monitoring should be to maintain an accurate idea of our risk posture. If this is not being done, our risk management decisions will be flawed and our protections may have holes or weaknesses that we do not know about.

In order to develop this dynamic picture of our protection status, we have to understand how our security controls are being used and what information they provide us. Each control has an area of focus, a time interval over which it acts and is verified, and information it produces that we need. These and other factors create a “character profile” for each control that allows us to set monitoring priorities and needs.
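As an added illustration, not part of the original article, the following Python models the “character profile” idea from the paragraph above: each control carries an area of focus, a verification interval, and the evidence it yields, and an assessment step reports which controls are known to be working, which have failed, and which have evidence too old to trust. The control names, intervals, and check results are constructed assumptions for illustration, not values from any standard or product.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ControlProfile:
    """The 'character profile' of one security control (constructed example)."""
    name: str
    focus: str                 # what the control protects
    check_interval: timedelta  # how often we must confirm it is working
    evidence: str              # what a successful check gives us


# Assumed profiles: infrequent checks for physical/personnel controls,
# near-real-time checks for controls that are in constant use.
PROFILES = [
    ControlProfile("personnel-background-checks", "personnel", timedelta(days=365), "HR attestation"),
    ControlProfile("backup-power", "facility", timedelta(days=90), "UPS load-test report"),
    ControlProfile("fire-suppression", "facility", timedelta(days=180), "inspection certificate"),
    ControlProfile("intrusion-detection", "network", timedelta(hours=1), "sensor heartbeat + alert stats"),
    ControlProfile("malware-prevention", "endpoint", timedelta(hours=24), "signature age + agent check-in"),
    ControlProfile("file-integrity-checking", "host", timedelta(hours=24), "baseline comparison run"),
    ControlProfile("vulnerability-scans", "network", timedelta(days=7), "completed scan report"),
]


@dataclass(frozen=True)
class CheckResult:
    """Evidence that a control was tested at some time and found working or not."""
    control: str
    checked_at: datetime
    effective: bool


# Constructed sample evidence relative to a fixed 'now' so the run is reproducible.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESULTS = [
    CheckResult("personnel-background-checks", NOW - timedelta(days=200), True),
    CheckResult("backup-power", NOW - timedelta(days=100), True),     # older than 90 days
    CheckResult("fire-suppression", NOW - timedelta(days=30), True),
    CheckResult("intrusion-detection", NOW - timedelta(hours=3), True),  # older than 1 hour
    CheckResult("malware-prevention", NOW - timedelta(hours=2), False),  # checked, but failing
    CheckResult("file-integrity-checking", NOW - timedelta(hours=12), True),
    # no result at all for vulnerability-scans
]


def assess(profiles, results, now):
    """Return per-control status: 'ok', 'failed', 'stale' or 'never-checked'.

    'stale' means the newest evidence is older than the control's check
    interval, so we no longer know whether the control is working."""
    latest = {}
    for r in results:  # keep only the most recent evidence per control
        if r.control not in latest or r.checked_at > latest[r.control].checked_at:
            latest[r.control] = r
    status = {}
    for p in profiles:
        r = latest.get(p.name)
        if r is None:
            status[p.name] = "never-checked"
        elif not r.effective:
            status[p.name] = "failed"
        elif now - r.checked_at > p.check_interval:
            status[p.name] = "stale"
        else:
            status[p.name] = "ok"
    return status


def risk_posture(status):
    """Summarise which controls we cannot currently rely on, plus a confidence ratio."""
    unknown = sorted(n for n, s in status.items() if s in ("stale", "never-checked"))
    failed = sorted(n for n, s in status.items() if s == "failed")
    confidence = round(1 - (len(unknown) + len(failed)) / len(status), 2)
    return {"unknown": unknown, "failed": failed, "confidence": confidence}


def run_example():
    return risk_posture(assess(PROFILES, SAMPLE_RESULTS, NOW))


if __name__ == "__main__":
    for name, state in assess(PROFILES, SAMPLE_RESULTS, NOW).items():
        print(f"{name:28s} {state}")
    print(run_example())
```

The point of the two-step split is that `assess` answers “is each control verified as working at the frequency its profile demands?”, which is continuous monitoring, while `risk_posture` turns that into the current picture a risk decision needs; a control that is “stale” is not known to have failed, but it is no longer known to be working, and that is exactly the gap the article warns about.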

Continuous monitoring is not about constantly monitoring our network for indicators of compromise. It is about constantly knowing that our protections are working well, even when there has been no compromise. In order to do continuous monitoring, it is likely necessary to also do constant network security monitoring. When we do continuous monitoring well, our security protections become more effective, our vision of our risk posture becomes more current and our compliance checking becomes easier and cheaper to accomplish.
