Continuous monitoring is a risk management approach to cybersecurity that maintains an accurate picture of business security risk posture, provides visibility into assets, and uses automated data feeds to quantify risk, verify the effectiveness of security controls, and drive prioritized remediation. A well-designed and well-managed continuous monitoring program transforms an otherwise static security control assessment and risk determination process into a dynamic one that provides essential, near real-time security status.
In today’s environment of widespread cyber-intrusions, advanced persistent threats, and insider threats, it is essential for businesses to have real-time accurate knowledge of their enterprise IT security posture so that responses to external and internal threats can be made swiftly.
The first step to providing business context is to identify and understand your organization’s business processes, focusing on those that are critical and sensitive in terms of compliance, customer privacy, and competitive position. There is no way for IT to do this in a vacuum. In many organizations, it requires collaboration between IT and representatives of the business units, the finance department and legal counsel. Many organizations put together security strategy task forces with representatives from each department, who work together for several weeks to analyze business processes and the information and infrastructure they depend on.
Once the business processes are identified and ranked in terms of mission criticality and sensitivity, the next step is to identify the applications and data on which those mission-critical processes depend. Again, this can be accomplished only through collaboration between IT and other business players. From extensive collaborative discussions, you may discover applications that are much more critical than expected. For example, email may be an absolutely critical application for one department, but not critical at all for many others.
When searching out applications and data sources, make sure you take into account mobile devices such as smartphones and tablets, as well as desktop PCs. Collectively, these devices often contain the most recent, sensitive data your organization possesses. Work with the business units to understand who is using mobile devices for accessing and sharing corporate applications and data. Understand the data flows between these devices and data center applications and storage. Find out whether your business users are sending business emails over public email services such as Gmail or Yahoo Mail. Another often hidden category to investigate is your software development and test environment, which is usually less tightly controlled than production. Software developers and testers often use current, sometimes mission-critical data to test new and upgraded applications, so a copy of your most sensitive data may be sitting on a host with none of production's protections.
Continue working down the layers of infrastructure to identify the servers, both virtual and physical, that run your mission-critical applications. For Web/database applications, you may be talking about three or more sets of servers—Web, application and database—per application. Identify the data storage devices that hold the mission-critical and sensitive data used by those applications.
Develop an understanding of the routers and other network devices that your applications and hardware depend on for fast, secure performance.
Note the security and business continuity measures you have already put in place, including policies, firewalls, application firewalls, intrusion detection and prevention systems (IDPS), virtual private networks (VPNs), data loss prevention (DLP) and encryption, to protect each set of servers and storage devices hosting mission-critical applications and data. Understand the key capabilities of these protections and which classes of vulnerability each one actually mitigates, and for which hosts: a web application firewall in front of the web tier, for example, does nothing for a flaw on a database server it does not front. This may require some fairly extensive research, including reading vendor documentation and independent reviews, and speaking with security company representatives.
Only when you’ve understood and mapped out your application and data flows and the underlying hardware, network infrastructure, and protections does it actually make sense to run your vulnerability scans.
Your scanner may produce scores of host and other vulnerabilities with severity ratings, but those scores (a CVSS base score, for instance) are generic and context-free: the scanner does not know which host is internet-facing, which database holds payroll data, or which web tier already sits behind an application firewall. Supplying that business and infrastructure context is your job. Deriving meaningful and actionable information about business risk from vulnerability data is a complex and difficult task. After evaluating your staff's level of knowledge and workload, you may determine that it would be helpful to partner with a company that is well-versed in all aspects of security and threat assessment. Whether undertaking this task internally or getting outside assistance, your results need to be analyzed to determine which infrastructure vulnerabilities should be targeted first and most aggressively.
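The following is an added worked example of the whole procedure above, not code from the original article or from any scanner vendor: it takes the business-process ranking, the application and asset map (including tier, exposure, existing controls and a dev host holding production data), and a handful of constructed scanner findings, and re-ranks the findings by business context. The weights, field names and sample data are illustrative assumptions; a real program would load the asset map from a CMDB and the findings from the scanner's export.

```python
"""Contextual vulnerability prioritization (added example, not a real product's schema).

Raw scanner severity is multiplied by business criticality/sensitivity and adjusted
for exposure, data tier, dev copies of production data, and compensating controls.
All data below is constructed for illustration.
"""
from dataclasses import dataclass

# Business processes ranked by the security strategy task force (constructed).
# criticality and sensitivity run from 1 (low) to 5 (high).
BUSINESS_PROCESSES = {
    "order-fulfilment": {"criticality": 5, "sensitivity": 4},
    "payroll":          {"criticality": 4, "sensitivity": 5},
    "internal-wiki":    {"criticality": 1, "sensitivity": 2},
}

# Applications and the business processes that depend on them (constructed).
APPLICATIONS = {
    "shop":   {"processes": ["order-fulfilment"]},
    "hr-app": {"processes": ["payroll"]},
    "wiki":   {"processes": ["internal-wiki"]},
}

# Assets: application and tier each host serves, exposure, and the protections
# already in front of it (constructed). dev-01 is a test box holding production data.
ASSETS = {
    "web-01":  {"app": "shop",   "tier": "web",      "internet_facing": True,  "controls": {"waf", "ids"}},
    "db-01":   {"app": "shop",   "tier": "database", "internet_facing": False, "controls": {"encryption"}},
    "hr-db":   {"app": "hr-app", "tier": "database", "internet_facing": False, "controls": set()},
    "wiki-01": {"app": "wiki",   "tier": "web",      "internet_facing": True,  "controls": set()},
    "dev-01":  {"app": "shop",   "tier": "dev",      "internet_facing": False, "controls": set(),
                "holds_prod_data": True},
}


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str      # scanner check identifier (hypothetical names)
    cvss: float      # context-free severity as reported by the scanner
    vector: str      # "network" or "local"
    category: str    # e.g. "sqli", "rce", "info-disclosure", "privesc"


def business_weight(app_name: str) -> float:
    """Scale 0..1 from the highest criticality or sensitivity of any dependent process."""
    procs = [BUSINESS_PROCESSES[p] for p in APPLICATIONS[app_name]["processes"]]
    return max(max(p["criticality"], p["sensitivity"]) for p in procs) / 5.0


def contextual_score(f: Finding) -> float:
    """Re-weight a raw scanner score with the asset's business and infrastructure context."""
    asset = ASSETS[f.host]
    score = f.cvss * business_weight(asset["app"])
    # Network-exploitable flaw on an internet-facing host: reachable by anyone.
    if f.vector == "network" and asset["internet_facing"]:
        score *= 1.5
    # Database/storage tier holds the sensitive data directly.
    if asset["tier"] in ("database", "storage"):
        score *= 1.3
    # Dev/test host with a copy of production data: same data, weaker controls.
    if asset["tier"] == "dev" and asset.get("holds_prod_data"):
        score *= 1.2
    # A WAF in front of this host reduces, but does not remove, urgency for SQL injection.
    if f.category == "sqli" and "waf" in asset["controls"]:
        score *= 0.7
    return round(score, 2)


def prioritize(findings: list[Finding]) -> list[tuple[Finding, float]]:
    """Return findings paired with their contextual score, highest priority first."""
    scored = [(f, contextual_score(f)) for f in findings]
    return sorted(scored, key=lambda fs: fs[1], reverse=True)


# Constructed scanner output: note the raw CVSS order is wiki-01 first.
SAMPLE_FINDINGS = [
    Finding("wiki-01", "wiki-rce-001",   9.8, "network", "rce"),
    Finding("web-01",  "shop-sqli-002",  9.0, "network", "sqli"),
    Finding("hr-db",   "db-listener-003", 7.5, "network", "info-disclosure"),
    Finding("dev-01",  "kernel-lpe-004", 6.5, "local",   "privesc"),
    Finding("db-01",   "db-lpe-005",     5.3, "local",   "privesc"),
]

if __name__ == "__main__":
    print(f"{'host':8} {'plugin':16} {'cvss':>5} {'context':>8}")
    for f, s in prioritize(SAMPLE_FINDINGS):
        print(f"{f.host:8} {f.plugin:16} {f.cvss:5.1f} {s:8.2f}")
```

Run as a script it prints the re-ranked list: the payroll database's 7.5 and the shop web tier's WAF-shielded 9.0 come out ahead of the wiki's 9.8, which falls to the bottom because the process it supports is neither critical nor sensitive. The multipliers are deliberately simple so the reasoning is visible; the point is that the ranking is driven by the map you built in the earlier steps, not by the scanner's number alone.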