The world of cybersecurity moves at a blazingly fast pace, which means it's time to consider continuous security monitoring. Researchers discover and publicize new vulnerabilities every week, and attackers quickly build automated exploit tools that leverage those vulnerabilities to gain access to enterprise systems. Every time a new vulnerability hits the streets, the race is on for vendors to develop and release patches that administrators must apply before the first attack hits their systems.
Traditional approaches to vulnerability scanning run periodic scans of enterprise systems searching for known vulnerabilities and adding them to a remediation task list. It's not uncommon for these scans to be run on a weekly or even monthly basis. Unfortunately, that's simply not frequent enough to keep pace with modern threats. Today's threat environment calls for a continuous security monitoring (CSM) approach that integrates information from vulnerability scans with other information sources to provide administrators with a real-time view of their security vulnerabilities.
Adding host monitoring agents
One of the most effective ways to enhance vulnerability scanning results is to complement traditional vulnerability scans with data gathered from agents running on each system in the enterprise. Most modern vulnerability scanners offer this agent-based capability, where a small software agent resides on each monitored system. The agent collects security configuration information in real time and reports it back to the continuous security monitoring system. If a user or administrator modifies a setting that may introduce a new vulnerability, it is immediately reported in the CSM console, and the system may trigger an alert or take automated action.
For example, if an administrator modifies a host firewall rule to allow a new type of traffic into a server, this configuration change can be reported to the CSM system. The continuous security monitoring system may then automatically trigger a new vulnerability scan of the system that will detect any new vulnerabilities and insert them into the organization's remediation workflow. This approach dramatically shortens the amount of time required to detect the new vulnerability by initiating an immediate scan, rather than waiting for the next regularly scheduled scan.
Incorporating network monitoring data
System sprawl is a fact of life in modern enterprises. Systems spring up on the network more quickly than IT can identify them, and those systems may contain security vulnerabilities. Most organizations run routine network discovery scans that search their entire IP address space seeking out undocumented systems. These scans are time-consuming and often do not detect systems that are configured to exist in a secure, stealthy fashion and not respond to any network probes.
Network monitoring technology integrates with CSM systems to bridge this gap. Even the stealthiest system needs to communicate on the network at some point and network monitors can watch network chokepoints, listening for traffic from unknown IP addresses. They may then trigger an automated vulnerability scan of the new system and initiate an asset documentation workflow that brings the system into the organization's configuration management infrastructure.
Vulnerability management remains an extremely important component of any organization's cybersecurity program. Continuous security monitoring enhances these efforts by providing vulnerability management tools with real-time information on the presence and configuration of systems on the organization's network.