Many organizations want to implement a continuous monitoring policy, which combines processes and technology to ensure security systems are working efficiently and effectively. Continuous monitoring enables IT teams to identify issues that could introduce risk or lead to compliance violations. As such, a continuous monitoring policy not only makes good business sense but is increasingly necessary to comply with industry regulations and standards.
Considerations on Continuous Monitoring
Continuously monitoring all operations and systems on a network can be costly and resource-intensive. Not every organization has the time, resources, and money needed to perform this task. Therefore, organizations should determine where they should concentrate their monitoring efforts, focusing most heavily on important assets and mission-critical systems.
Sorting through and prioritizing company assets is not a task IT should attempt in isolation. Rather, a cross-functional team with members from different functions and business units should be created-this team will provide a broader view of business needs so crucial assets can be sorted according to their importance and the potential consequences of information being breached.
Focus on Threats and Vulnerabilities
When considering the importance of each asset, organizations should focus on what information is connected to or housed in each system. The first step is to identify what information and which systems are most important to keeping day-to-day operations running. If these assets are compromised, the organization will likely experience downtime and other costly consequences.
Then, for each asset, the team should analyze threats the organization might face if an adversary gained access to the information. These findings should be supplemented with data on the likelihood of an attacker gaining access to important information. Threats and vulnerabilities should then be rated on a scale from least critical to most critical.
Refining Your Continuous Monitoring Policy
The scores from this exercise will enable the organization to determine which assets are the most important and therefore decide where to focus security capabilities. IT teams can prioritize action according to criticality, which will help the organization better manage potential risks without taking a blanketed approach to security that assumes all risks are created equal.
The organization's continuous monitoring policy can be refined accordingly so essential assets are more closely monitored and remediation plans are carefully honed so threats and vulnerabilities to the most essential operations and systems will be highlighted first. When developing incident response plans and capabilities, the organization will be able to develop a range of countermeasures to apply to each asset and plot out the threat scenarios it may face. In this way, incident response and remediation can be honed and made considerably more effective.
Use Automation Where Possible
For a small organization, these activities may be possible through manual methods. However, automation is key to achieving efficiency and can help rate the criticality of assets and perform continuous monitoring activities.
During the monitoring process, the system will provide alerts for security practitioners, but organizations can be inundated by such alerts. According to the Federation of American Scientists, organizations typically receive 17,000 malware-related alerts per week, and many alerts are false positives. Therefore, security analysts need to apply business context to threat alerts and vulnerability and risk assessments so alerts can be prioritized and critical incidents can be highlighted.
Continuous monitoring is becoming an essential part of enterprise security, and it is increasingly demanded by regulators. However, it is impractical to apply the same level of monitoring to all assets within an organization. It is far more cost-effective to determine where to focus the greatest monitoring efforts-an exercise that will benefit the business as a whole by making it more resilient to threats.
Category: RSA Fundamentals, Blog Post
Keywords: Continuous Monitoring