Continuous monitoring: Start with basic data collection techniques

Organizations pursue various approaches to continuous monitoring, but the first question is always what to monitor.

For organizations planning to implement a continuous monitoring program and supporting infrastructure, one of the biggest questions at the outset is "What do we monitor?" In Special Publication 800-53 Rev. 4, the National Institute of Standards and Technology (NIST) outlines a three-tier impact/risk system describing high, medium and low rankings for security controls.

When you're determining the criticality of enterprise systems, consider the data the system interacts with, as well as compliance requirements and business context. A storage area network holding critical data may require stringent controls that need to be applied quickly, whereas a public-facing website with no sensitive data could be considered a secondary objective.

Enterprises pursue various approaches to continuous monitoring, but all organizations need to collect and aggregate some fundamental data types, to get things underway as soon as possible. In SP800-53, NIST outlines the priorities for different controls in Appendix D.

The initial -- and simplest -- category of data to collect is vulnerability scanning information. Both authenticated and unauthenticated scans are called for in a continuous monitoring strategy. You should collect the following information:

  • Network inventory (IP addresses and hostnames, if available)
  • Ports, protocols and services running on systems identified
  • System attributes (OS, patch level, system role)
  • Recognizable system and application vulnerabilities and severity

The next category of data collection is system and network configuration management, which will vary widely in terms of implementation and coverage. You should focus on the critical systems first, and collect and assess the following data to aid in developing your risk assessment:

  • Network system inventory (names and management IP addresses)
  • Network device type (switch, router, firewall) and platform version
  • Known network device vulnerabilities and severity
  • Network access controls and firewall rules
  • Configuration controls as compared to a published internal standard that meets industry guidelines and best practices
  • Users and groups defined and allowed to access the devices and systems, as well as roles
  • Patch and update status

Antimalware tools are also a "quick win" when companies are implementing continuous monitoring programs, because many enterprises already have host-based antivirus installed, often with whitelisting and file integrity monitoring capabilities. Antimalware agents are usually installed on critical servers and systems for compliance reasons.

To incorporate these controls into a continuous monitoring strategy, ensure the following information is being collected and acted upon:

  • Current list of agents installed, with versions and signature file dates
  • Capabilities enabled on each agent (antivirus, whitelisting, file integrity monitoring, host IDS or IPS)
  • Critical alerts and actions taken (deletion, quarantine)

If network-based antimalware sandboxing is installed and in use, collecting alerts and platform information from these devices is also valuable, along with any external threat intelligence data that may be integrated with these systems.

Vulnerability scans of Web applications and platforms, as well as database servers, should be integrated into continuous monitoring programs, too. When you are just getting started, some baseline scans with "standard" vulnerability scanning tools can be useful, but most organizations will eventually need to implement purpose-built scanners for Web applications and databases. These tools should generate the following data:

  • Inventory data (IP addresses and names) for Web and database servers
  • Vulnerability data for common Web application flaws like SQL injection and cross-site scripting (XSS)
  • Configuration details for Web servers and application platforms
  • Database server OS and version
  • Database configuration flaws and issues

Finally, define your continuous monitoring analysis intervals; you don't need to continuously monitor all systems all the time. For high-risk systems, a suggested scan interval is every 5 to 15 minutes, whereas low-risk systems are fine with scans that run once every 24 hours. NIST SP800-92 offers guidance on scanning and assessment frequency, along with data analysis and retention suggestions.
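The tiering and interval logic above, as an added example (not from the article): assets are assigned a tier from the criticality criteria the article names, and a scheduler reports which assets are overdue for a scan under their tier's interval. The high (15-minute upper bound) and low (24-hour) intervals are the article's; the medium interval and the `classify` rules for public-facing systems are assumptions, and the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Analysis interval per impact tier. High and low follow the article
# (5-15 minutes, 24 hours); the medium value is an assumption.
SCAN_INTERVALS = {
    "high": timedelta(minutes=15),  # upper bound of the 5-15 minute range
    "medium": timedelta(hours=4),   # assumed; the article gives no medium figure
    "low": timedelta(hours=24),
}


@dataclass
class Asset:
    hostname: str
    ip: str
    tier: str             # "high", "medium" or "low"
    last_scan: datetime   # UTC timestamp of the last completed scan


def classify(handles_sensitive_data: bool, public_facing: bool, in_compliance_scope: bool) -> str:
    """Coarse tier from the article's criteria: data sensitivity, compliance
    requirements and business context. Treating exposure without sensitive
    data as 'medium' is an assumption (the article calls it secondary)."""
    if handles_sensitive_data or in_compliance_scope:
        return "high"
    if public_facing:
        return "medium"
    return "low"


def scans_due(assets, now):
    """Hostnames whose last scan is older than their tier's interval."""
    due = []
    for asset in assets:
        interval = SCAN_INTERVALS[asset.tier]  # unknown tier raises KeyError on purpose
        if now - asset.last_scan >= interval:
            due.append(asset.hostname)
    return due


NOW = datetime(2014, 10, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time

SAMPLE_ASSETS = [  # constructed inventory, not real hosts
    Asset("san-01", "10.0.0.5", "high", NOW - timedelta(minutes=20)),
    Asset("web-01", "10.0.1.8", "medium", NOW - timedelta(hours=1)),
    Asset("kiosk-01", "10.0.2.3", "low", NOW - timedelta(hours=23)),
    Asset("db-02", "10.0.0.9", "high", NOW - timedelta(minutes=5)),
]

if __name__ == "__main__":
    print(scans_due(SAMPLE_ASSETS, NOW))  # ['san-01']
```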

About the author: Dave Shackleford is the owner and principal consultant of Voodoo Security, lead faculty at IANS, and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures.

This was last published in October 2014
