I'm interested in implementing a continuous security monitoring program for our application servers. What requirements or technologies and products would you say are needed to successfully achieve 24/7 application monitoring?
Ask the Expert
Continuous security monitoring has been around for a while and is part of the National Institute of Standards and Technology's Risk Management Framework, or RMF, covered in Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. NIST characterizes continuous monitoring as a formalized process to define and categorize assets by risk, apply the appropriate controls, and continuously monitor those controls to assess their effectiveness. The main goal of continuous monitoring is to provide constant awareness of the state of security, vulnerabilities and threats, in support of those managing and protecting the information systems that run core mission and business functions.
The top challenge facing enterprises looking to implement continuous security monitoring is developing a comprehensive network-wide program that combines existing security status information and reporting tools with methods that improve network visibility and data analysis, so that the program can deliver real-time threat detection and incident response. To ensure a comprehensive view of all assets, applications developed in-house should be built to generate log data for every security-relevant event, so that these events can be fed into the monitoring program. Intelligence feeds from products such as those from Symantec and CrowdStrike can provide additional data for assessing risks and the ability of the enterprise's defenses to deal with them. Dashboard views of all the information collected, correlated and analyzed are an important feature of any program, ensuring that administrators can quickly see what has changed or where attention is needed. It goes without saying that security teams must have the resources required to handle and respond to all this extra information, so cost must be taken into account when deciding on budgets.
Technologies suitable for inclusion in a continuous security monitoring program include automated data gathering, aggregation and analysis tools such as security information and event management (SIEM) systems. One dedicated continuous monitoring product is Tripwire's Continuous Diagnostics & Mitigation, which can help turn an existing static security control assessment process into an automated one. Asset discovery and profiling tools reduce the time spent categorizing network assets, and automated scans for vulnerabilities and misconfigurations can identify real and potential enterprise risks. These must be ranked based on the extent to which the vulnerabilities can be exploited and the assets' configurations, along with other risk factors such as location and data sensitivity, so that remediation efforts can be prioritized.
Good security is a continuous process, and while continuous 24/7 security monitoring may affect the performance of a production server, the risks of not remediating a known vulnerability pose a far greater threat. With continuous monitoring, administrators have the ability to know exactly which assets are on the network, where they are, if they're vulnerable and if they're at risk -- all in real time. Configuration drift and hardware and software changes that increase the risk profile can be picked up straightaway. It is not a single solution as such, but a security best practice, which is why the Department of Homeland Security has recently awarded a continuous monitoring contract to bolster its cybersecurity defenses.
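As an added illustration (not code from the column or from any product it names), here is how the ranking described above might be scored in a monitoring pipeline: constructed scanner findings are weighted by exploitability, the asset's location and data sensitivity, and configuration drift from an approved baseline. The weights, asset names, baseline settings and CVE-style identifiers are assumptions.

```python
# Added example (not from the column): score scanner findings for a monitoring
# dashboard. Inventory, findings, baseline and weights are constructed assumptions.
from dataclasses import dataclass
EXPOSURE = {"internet": 3, "dmz": 2, "internal": 1}         # location factor
SENSITIVITY = {"public": 1, "internal": 2, "regulated": 4}  # data factor

@dataclass
class Asset:
    name: str
    location: str      # internet / dmz / internal
    data: str          # sensitivity class of the data the asset holds
    config: dict       # current configuration snapshot from the scanner

@dataclass
class Finding:
    asset: str
    cve: str           # placeholder identifiers in the sample data
    exploitable: bool  # public exploit available or confirmed exploitable
    cvss: float

def config_drift(asset: Asset, baseline: dict) -> list:
    """Settings whose current value differs from the approved baseline."""
    return sorted(k for k, v in baseline.items() if asset.config.get(k) != v)

def risk_score(f: Finding, a: Asset, baseline: dict) -> float:
    """Severity x exposure x sensitivity, x2 if exploitable, +5 per drifted setting."""
    score = f.cvss * EXPOSURE[a.location] * SENSITIVITY[a.data]
    if f.exploitable:
        score *= 2
    return round(score + 5 * len(config_drift(a, baseline)), 1)

def prioritise(findings, assets, baseline):
    """Rows of (score, asset, cve, drifted settings), most urgent first."""
    by_name = {a.name: a for a in assets}
    rows = [(risk_score(f, by_name[f.asset], baseline), f.asset, f.cve,
             config_drift(by_name[f.asset], baseline)) for f in findings]
    return sorted(rows, reverse=True)

BASELINE = {"ssh_root_login": "no", "tls_min": "1.2", "debug": "off"}
ASSETS = [  # constructed inventory
    Asset("web-01", "internet", "regulated", {**BASELINE, "tls_min": "1.0", "debug": "on"}),
    Asset("db-01", "internal", "regulated", dict(BASELINE)),
    Asset("wiki-01", "dmz", "internal", {**BASELINE, "ssh_root_login": "yes"}),
]
FINDINGS = [  # constructed scanner output
    Finding("db-01", "CVE-EXAMPLE-0001", True, 9.8),
    Finding("web-01", "CVE-EXAMPLE-0002", False, 6.5),
    Finding("wiki-01", "CVE-EXAMPLE-0003", True, 7.5),
]
```

Note that the internet-facing web server with two drifted settings outranks the internal database despite the database carrying the higher-severity, exploitable finding; that reordering is the point of folding location, sensitivity and configuration state into the ranking rather than sorting by CVSS alone.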
This was first published in February 2014