Many organizations are focusing on a continuous monitoring strategy in-house to improve detection and remediation of vulnerabilities and configuration issues. While implementing a continuous monitoring strategy is a critical aspect of improving network visibility and security, there are challenges achieving this type of visibility in hybrid cloud environments.
For many security teams, the foundation of a continuous monitoring strategy that aligns with the U.S. Department of Homeland Security Continuous Diagnostics and Mitigation (CDM) framework will include the following controls:
- Patch and configuration management: Ideally, systems will have a host-based agent installed that can provide updates on patch status and configuration items when queried, or send scheduled updates to a central monitoring toolset.
- Vulnerability scanning: For continuous monitoring, scheduling daily or weekly authenticated and unauthenticated scans of systems and subnets will provide a sound baseline of what is running in the environment and at a system level.
- Logging and event management: Some form of central log and event collection and monitoring should be in place to aggregate and report on continuous monitoring information, as well as facilitate any investigations.
- Network monitoring: Network monitoring tools that leverage network flow data or traditional event generation (firewalls, IDS, and so on) can easily play a role in continuous monitoring.
- Antimalware tools: Both network-based malware detection sandboxing tools and host-based antivirus and whitelisting tools can produce significant monitoring and event data to help with continuous monitoring efforts.
For organizations moving to a hybrid cloud model, finding alternative solutions within cloud provider environments that can offer the same continuous security monitoring capabilities has been problematic in the past. Fortunately, there are many more options available today that can help with this, and even more on the way in the near future.
How to approach a hybrid cloud
The first step organizations should take to determine how they approach continuous security monitoring within a hybrid cloud is to look in-house at their current vendors and products. Most mature security teams are already using a variety of tools that can integrate into virtual environments. Cloud infrastructure is always virtualized, so organizations will need host-based tools that don't consume too many system resources, like McAfee MOVE or Trend Micro Deep Security, as well as patching and configuration agents that are lightweight and integrate into virtual machines within cloud provider environments. CloudPassage is one product that can facilitate this level of host monitoring and control in any infrastructure as a service (IaaS) cloud. Amazon now has its Config utility for monitoring configuration baselines built in, and Microsoft recently released its Security Center with this capability for Azure instances. Microsoft also offers built-in antivirus for all Azure instances.
Many commercial vulnerability scanners like Qualys and Tenable Nessus are now fully integrated into cloud environments via API, and offer SCAP-compatible scanning and reporting to boot. Network monitoring tools like Lancope (Cisco) StealthWatch and Palo Alto Networks NGFW can integrate into cloud environments and monitor traffic and activity, too.
Many large-scale event management tools have not yet been fully integrated into cloud environments, unfortunately. Some providers offer logging for activities related to cloud management, such as Amazon's CloudTrail, and Microsoft Azure Diagnostics also offers security monitoring for some cloud events. There are numerous event-monitoring products that can integrate into the cloud, although most will not be the same vendors or services used in-house. Sumo Logic offers an event management and monitoring service for cloud environments, and AlertLogic has a platform that can integrate natively into Amazon Web Services. Splunk and AlienVault also have AWS-compatible event management or SIEM platforms.
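The logging and event management control above, and the CloudTrail mention here, both come down to the same operational step: pull the provider's management-plane log, normalize it into the handful of fields the central log platform indexes on, and flag the events a security team should look at. The following is an added example (not code from the article, and not an AWS or vendor tool); the trail it parses is constructed, with placeholder account ids, ARNs and addresses, and the watched-event table and severities are an assumption about what a given team would want surfaced.

```python
"""Normalize CloudTrail management events and flag the ones that belong in a
central SIEM or event monitoring feed. Added example; the trail is constructed."""
import json
from collections import Counter

# Constructed sample trail in CloudTrail's {"Records": [...]} layout. The account
# id, ARNs, group id and IP addresses are placeholders, not real identifiers.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventVersion": "1.05", "eventTime": "2016-03-01T10:00:01Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/ops-scanner"}},
    {"eventVersion": "1.05", "eventTime": "2016-03-01T10:02:17Z",
     "eventSource": "ec2.amazonaws.com", "eventName": "AuthorizeSecurityGroupIngress",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"},
     "requestParameters": {"groupId": "sg-0example", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventVersion": "1.05", "eventTime": "2016-03-01T10:05:40Z",
     "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"},
     "requestParameters": {"name": "main-trail"}},
    {"eventVersion": "1.05", "eventTime": "2016-03-01T10:06:02Z",
     "eventSource": "iam.amazonaws.com", "eventName": "AttachUserPolicy",
     "awsRegion": "us-east-1", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/dev-alice"},
     "errorCode": "AccessDenied"},
    {"eventVersion": "1.05", "eventTime": "2016-03-01T10:09:30Z",
     "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
     "awsRegion": "us-east-1", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111111111111:user/admin-bob"},
     "requestParameters": {"userName": "svc-backup"}},
]})

# (eventSource, eventName) -> (severity, category). Assumed starting table: the
# management actions that change exposure, identity, or the monitoring itself.
WATCHED = {
    ("ec2.amazonaws.com", "AuthorizeSecurityGroupIngress"): ("medium", "security group change"),
    ("iam.amazonaws.com", "CreateUser"): ("medium", "identity change"),
    ("iam.amazonaws.com", "AttachUserPolicy"): ("high", "privilege change"),
    ("cloudtrail.amazonaws.com", "StopLogging"): ("high", "audit logging disabled"),
    ("config.amazonaws.com", "DeleteConfigRule"): ("high", "config monitoring weakened"),
}


def normalize(record):
    """Flatten one CloudTrail record into the fields a central log platform
    indexes on, so cloud events line up with on-premises event data."""
    ident = record.get("userIdentity", {})
    return {
        "time": record["eventTime"],
        "source": record["eventSource"],
        "action": record["eventName"],
        "actor": ident.get("arn", ident.get("type", "unknown")),
        "src_ip": record.get("sourceIPAddress", ""),
        "region": record.get("awsRegion", ""),
        # CloudTrail records a failed call with an errorCode; the attempt still
        # matters to an investigation, so it is kept rather than dropped.
        "outcome": "denied" if "errorCode" in record else "success",
        "params": record.get("requestParameters") or {},
    }


def world_open_ingress(params):
    """True if an AuthorizeSecurityGroupIngress call opens a port to 0.0.0.0/0."""
    for perm in params.get("ipPermissions", {}).get("items", []):
        for rng in perm.get("ipRanges", {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
    return False


def triage(raw_trail):
    """Return the normalized events that match the watch table, with severity
    escalated for ingress rules that expose a port to the whole internet."""
    findings = []
    for rec in json.loads(raw_trail)["Records"]:
        ev = normalize(rec)
        rule = WATCHED.get((ev["source"], ev["action"]))
        if rule is None:
            continue  # routine read-only activity such as DescribeInstances
        severity, category = rule
        if ev["action"] == "AuthorizeSecurityGroupIngress" and world_open_ingress(ev["params"]):
            severity, category = "high", "ingress opened to the internet"
        findings.append({**ev, "severity": severity, "category": category})
    return findings


def summarize(findings):
    """Count findings per severity, the figure a daily monitoring report leads with."""
    return Counter(f["severity"] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_TRAIL):
        print(f["time"], f["severity"], f["category"], f["actor"], f["outcome"])
    print(dict(summarize(triage(SAMPLE_TRAIL))))
```

In practice the raw input is the gzipped JSON CloudTrail writes to an S3 bucket, and the normalized dictionaries are what gets shipped to the central event platform; the watch table is the part a team tunes, and keeping the denied attempts visible is deliberate, since a refused privilege change is often the first sign of a misused credential.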
CSM strategy in a hybrid era
For organizations moving to a hybrid cloud, it’s almost a certainty that you’ll end up with new products and services to manage, which means more operational overhead and cost. This is likely to continue for some time, as not all mainstream security vendors will adapt their products to virtual and cloud formats. Whether with traditional products used in-house or new offerings in the market, however, most organizations will find that they can successfully achieve the goals of their continuous monitoring strategy both in cloud provider environments as well as their own data centers.
More guidance from Dave Shackleford on implementing CSM