Security Process Data

It is unlikely that a networking and computing environment that was initially configured in 2010 is unchanged today. In fact, it is highly likely that your own network has undergone minor and possibly major changes in the last six months. As technology has advanced and threats to networks have increased, the need to monitor networks has become crucial.
Traditional approaches to security process data collection involved solution-specific logging and data capture, sometimes paired with a central Security Information and Event Management (SIEM) or other security management device. As organizational IT infrastructure and systems have become more complex, security process data has also increased in complexity and scope.
Information security continuous monitoring (ISCM) is a holistic strategy to improve and address security. As with any security initiative, it begins with senior management buy-in. The most effective security programs consistently have upper management support. This creates an environment where the policies, the budget, and the vision for the company all include security as a cornerstone of the company’s success. ISCM is designed to align facets of the organization including the people, the processes, and the technologies in place.
An organization needs to do the following:
- Monitor all systems
- Understand threats to the organization
- Assess security controls
- Collect, correlate, and analyze security data
- Communicate security status
- Actively manage risk
This will aid the organization in implementing ISCM. ISCM will help ensure that security controls are effective and that the organization’s risk exposure is within acceptable limits.
ISCM standards are increasingly available, and major examples include the following:
- NIST SP800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations” (https://csrc.nist.gov/publications/detail/sp/800-137/final)
- Cloud Security Alliance STAR level 3 provides continuous monitoring-based certification (https://cloudsecurityalliance.org/star/continuous/)
- The FedRAMP Continuous Monitoring Strategy Guide (https://www.fedramp.gov/assets/resources/documents/CSP_Continuous_Monitoring_Strategy_Guide.pdf)
- NIST SP 800-37, “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy” (https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/draft), is in draft as of the writing of this book but specifically includes risk management linkages to governance and process.
There are several steps to implementing ISCM as outlined in NIST SP800-137.
- Define the strategy based on the organization’s risk tolerance.
- Formally establish an ISCM program by selecting metrics.
- Implement the program and collect the necessary data, ideally via automation.
- Analyze and report findings, and determine the appropriate action.
- Respond to the findings based on the analysis and use standard options, such as risk mitigation, risk transference, risk avoidance, or risk acceptance.
- Plan strategy and programs as needed to continually increase insight and visibility into the organization’s information systems.
Depending on the organization and the maturity of the implemented ISCM, it is typically necessary to implement one step of the strategy at a time. ISCM tools pull information from many sources. This data may be integrated with SIEM tools. Ideally this process is automated.
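The following is an added example, not code from the book or from NIST SP 800-137, showing what the automated middle of the process above can look like in practice: security process data from several sources is collected, a small set of metrics is computed, each metric is compared against a threshold that expresses the organization's risk tolerance, and the result is reported with a recommended response. The data sources, host names, metric definitions and thresholds are all constructed assumptions for illustration.

```python
"""
Added example (not from the book or NIST SP 800-137): a minimal automated
ISCM metric pipeline. Constructed data from three assumed sources (a
vulnerability scanner export, a patch-management feed and an identity-system
summary) is turned into metrics, each metric is checked against a
risk-tolerance threshold, and a status report with a response is produced.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

# --- Constructed security process data (sample input, not real systems) ---
AS_OF = date(2018, 6, 1)  # assumed reporting date

VULN_SCAN = [  # one row per open finding, as a scanner export might provide
    {"host": "web01", "severity": "critical", "first_seen": date(2018, 4, 1)},
    {"host": "web02", "severity": "high", "first_seen": date(2018, 5, 20)},
    {"host": "db01", "severity": "critical", "first_seen": date(2018, 5, 28)},
    {"host": "app01", "severity": "medium", "first_seen": date(2018, 3, 10)},
]

PATCH_STATUS = [  # one row per managed host from a patch-management feed
    {"host": "web01", "patched": True},
    {"host": "web02", "patched": False},
    {"host": "db01", "patched": True},
    {"host": "app01", "patched": True},
    {"host": "app02", "patched": False},
]

AUTH_SUMMARY = {"accounts": 120, "mfa_enabled": 116}  # from an identity system


# --- Step 1 and 2: risk tolerance expressed as metric thresholds ---
@dataclass
class Metric:
    name: str
    value: float
    threshold: float
    higher_is_better: bool

    def within_tolerance(self) -> bool:
        if self.higher_is_better:
            return self.value >= self.threshold
        return self.value <= self.threshold


# --- Step 3: compute metrics from the collected data ---
def critical_findings_over_sla(findings, as_of, sla_days=30) -> int:
    """Count critical findings that have stayed open longer than the SLA."""
    return sum(
        1 for f in findings
        if f["severity"] == "critical" and (as_of - f["first_seen"]).days > sla_days
    )


def patch_compliance_pct(patch_rows) -> float:
    """Percentage of managed hosts reported as fully patched."""
    return 100.0 * sum(1 for r in patch_rows if r["patched"]) / len(patch_rows)


def mfa_coverage_pct(auth) -> float:
    """Percentage of accounts with multi-factor authentication enabled."""
    return 100.0 * auth["mfa_enabled"] / auth["accounts"]


def compute_metrics(findings, patch_rows, auth, as_of) -> List[Metric]:
    # Thresholds below are assumed values standing in for the organization's
    # documented risk tolerance.
    return [
        Metric("critical findings older than 30-day SLA",
               critical_findings_over_sla(findings, as_of), 0, False),
        Metric("patch compliance (%)", patch_compliance_pct(patch_rows), 90.0, True),
        Metric("MFA coverage (%)", mfa_coverage_pct(auth), 95.0, True),
    ]


# --- Step 4 and 5: analyze, report and decide the response ---
def assess(metrics) -> Dict[str, dict]:
    report = {}
    for m in metrics:
        ok = m.within_tolerance()
        report[m.name] = {
            "value": round(m.value, 1),
            "threshold": m.threshold,
            "status": "within tolerance" if ok else "out of tolerance",
            # Within tolerance: accept the residual risk and keep monitoring.
            # Out of tolerance: hand to the risk owner for a mitigation decision.
            "response": ("accept / continue monitoring" if ok
                         else "mitigate / escalate to risk owner"),
        }
    return report


def overall_status(report) -> str:
    """Single roll-up for the communicated security status."""
    all_ok = all(r["status"] == "within tolerance" for r in report.values())
    return "green" if all_ok else "red"


if __name__ == "__main__":
    rep = assess(compute_metrics(VULN_SCAN, PATCH_STATUS, AUTH_SUMMARY, AS_OF))
    for name, r in rep.items():
        print(f"{name}: {r['value']} (threshold {r['threshold']}) -> "
              f"{r['status']}; {r['response']}")
    print("overall:", overall_status(rep))
```

Running the script against the constructed data flags the aged critical finding on web01 and the 60% patch compliance as out of tolerance while MFA coverage passes, so the roll-up status is red. In a real program the three input lists would be replaced by pulls from the scanner, patch system and identity provider (or from a SIEM that already aggregates them), and the thresholds would come from the ISCM strategy document rather than being hard-coded.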
ISCM has become increasingly complex as organizations spread their operations into hosted and cloud environments and as they need to integrate third parties into their data-gathering processes. Successful ISCM now needs to provide methods to interconnect legacy ISCM processes with third-party systems and data feeds.