A continuous monitoring program is a challenging undertaking for any organization. Processes that support data collection and aggregation need to be implemented across the organization. Tools that create the feedback loop for risk analysis and reporting are also critical to a successful continuous monitoring program, but may be harder to find.
Tool vendors are making changes to their technology to help the continuous monitoring process, says Dave Shackleford, founder and principal consultant at Voodoo Security.
"The good news for us is that many of the tools out there now support continuous monitoring and it's part of the overall vendor strategy," he says. "This can really help security teams as they are looking to develop a [data] collection type set of processes and the data analysis side as well. More and more, the tools are really becoming compatible with this type of a strategy and the policies that go along with that."
Several agent-based or agentless tools and central repositories can support the system configuration management aspects of a continuous monitoring program. Network configuration management platforms offer policy, centralization and change management. Enterprise-level vulnerability scanning tools, which can perform authenticated and unauthenticated scans, are another key component of a continuous monitoring program. Web and database scanners to look at code and database issues are readily available. Antimalware tools, which most companies already have in place, can also offer a starting point for a continuous monitoring program, with a few modifications.
Risk management is the final product area that drives successful continuous monitoring strategies. "You've got to have something for all of this to be assessed by," says Shackleford, "and that really comes down to governance, risk and compliance systems and platforms, and analytics engines that can take all of that data, ideally in a compatible format like SCAP, and perform some analysis of your risk."
For many organizations, evaluating risk and deciding what tools and strategy they need to have in place presents a major challenge. Risk management is unique to each organization, so security teams need to define their own metrics and values for risk scoring based on business requirements, tolerance for risk and strategy.
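As an added illustration of the analytics step described above (this code is not part of the original article or of Shackleford's presentation), the Python below takes a constructed XCCDF 1.2 TestResult, the SCAP result format that compliance scanners emit, and turns the failed rules into an organization-defined risk score. The severity weights, asset criticality multipliers, tolerance threshold, hostname and rule identifiers are all assumed values chosen for the example; a real program would replace them with the metrics the security team defines for its own business requirements.

```python
"""Aggregate XCCDF (SCAP) rule results into an organization-defined risk score."""
import xml.etree.ElementTree as ET

# XCCDF 1.2 namespace used by SCAP result documents.
NS = {"xccdf": "http://checklists.nist.gov/xccdf/1.2"}

# Organization-defined weights. These are assumed example values, not
# values from any standard; each team sets its own.
SEVERITY_WEIGHT = {"high": 10.0, "medium": 5.0, "low": 1.0, "info": 0.0, "unknown": 1.0}
ASSET_CRITICALITY = {"crown-jewel": 3.0, "standard": 1.0, "lab": 0.5}
RISK_TOLERANCE = 20.0  # assumed per-asset threshold above which remediation is required

# Constructed sample: a trimmed XCCDF TestResult for one host (not real scanner output).
SAMPLE_RESULT = """<?xml version="1.0"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_testresult_host1">
  <target>db01.example.internal</target>
  <rule-result idref="xccdf_example_rule_ssh_root_login" severity="high"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_password_len" severity="medium"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" severity="medium"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_banner" severity="low"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_fips" severity="high"><result>notapplicable</result></rule-result>
  <rule-result idref="xccdf_example_rule_tpm" severity="high"><result>error</result></rule-result>
</TestResult>
"""

# Results that mean "the check could not tell us", which must be reviewed rather
# than silently counted as passing.
INCONCLUSIVE = {"error", "unknown", "notchecked"}


def parse_results(xml_text):
    """Return (target, failures, needs_review) from an XCCDF TestResult.

    failures is a list of (rule_id, severity) for rules whose result is 'fail';
    needs_review lists rule ids whose result was inconclusive.
    """
    root = ET.fromstring(xml_text)
    target = root.findtext("xccdf:target", default="unknown", namespaces=NS)
    failures, needs_review = [], []
    for rr in root.findall("xccdf:rule-result", NS):
        result = rr.findtext("xccdf:result", default="unknown", namespaces=NS)
        rule_id = rr.get("idref")
        # XCCDF defaults severity to "unknown" when the attribute is absent.
        severity = rr.get("severity", "unknown")
        if result == "fail":
            failures.append((rule_id, severity))
        elif result in INCONCLUSIVE:
            needs_review.append(rule_id)
    return target, failures, needs_review


def score_asset(failures, criticality):
    """Weighted sum of failed-rule severities, scaled by how critical the asset is."""
    base = sum(SEVERITY_WEIGHT.get(sev, SEVERITY_WEIGHT["unknown"]) for _, sev in failures)
    return base * ASSET_CRITICALITY[criticality]


def assess(xml_text, criticality):
    """Produce the risk summary a GRC platform would consume for one asset."""
    target, failures, needs_review = parse_results(xml_text)
    score = score_asset(failures, criticality)
    return {
        "target": target,
        "failures": failures,
        "needs_review": needs_review,
        "score": score,
        "exceeds_tolerance": score > RISK_TOLERANCE,
    }


if __name__ == "__main__":
    for crit in ("crown-jewel", "lab"):
        summary = assess(SAMPLE_RESULT, crit)
        print(f"{summary['target']} as {crit}: score={summary['score']} "
              f"exceeds_tolerance={summary['exceeds_tolerance']} "
              f"needs_review={summary['needs_review']}")
```

The same three failed rules produce a score of 48 for a crown-jewel asset but only 8 for a lab box, which is the point of the paragraph above: the scan data is identical, and the risk tolerance and business context supplied by the organization decide whether it demands action. Inconclusive results (error, unknown, notchecked) are reported separately rather than folded into the score, so a broken check never looks like a passing one.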
Existing tools offer a great place to start on the path to a continuous monitoring program. Organizations should look for vendors that support central data aggregation, integration with SIEM and GRC tools, and all major SCAP protocols from NIST and MITRE, says Shackleford.
About the presenter: Dave Shackleford is the owner and principal consultant of Voodoo Security, lead faculty at IANS, and a SANS analyst, senior instructor, and course author. He has consulted with hundreds of organizations in the areas of security, regulatory compliance, and network architecture and engineering, and is a VMware vExpert with extensive experience designing and configuring secure virtualized infrastructures.