Monitoring assets and vulnerabilities has become a high-priority security practice for many enterprises. As RSA President Amit Yoran said in his RSA Conference 2016 keynote, the inevitability of an attack is so well-known that it's almost cliche.
However, the increasing persistence and stealth of attacks is less cliche. Attack campaigns increasingly use multiple exploit methods and backdoors to ensure persistence. These evolving threats in the security landscape require continuous monitoring of assets and vulnerabilities to maximize visibility, detection, and response throughout a company's network.
Studies show this type of monitoring is not yet widely adopted. Moreover, many organizations monitor assets merely to achieve compliance, not to improve security. Like any entity facing a persistent adversary, enterprises challenged by persistent threats will only ensure their security when they embrace modern monitoring and analysis practices.
Insufficient Investment Yields Inconsistent Results
To neutralize these threats, it is important to understand-and remedy-the areas where organizations are falling short. A recent SANS survey of security practitioners demonstrated that consistently scanning assets and liabilities is still not among the routine best practices of the majority of organizations.
For example, of the surveyed organizations, 38 percent met the current Center for Internet Security Critical Security Controls standards, which means they scan critical assets weekly or more frequently. Thirty-seven percent had immature or nonexistent continuous scanning and remediation programs, while 57 percent lacked trained staff, 42 percent lacked sufficient budgets, and 41 percent lacked management support for implementing continuous monitoring programs.
This lack of staff, budget, and management support is consistent with industry concerns about insufficient resources dedicated to threat monitoring.
Action Starts With Communication
As Yoran explained in his presentation, it is important to emphasize monitoring and response, knowing that prevention will more than likely fail. The idea that prevention will fail is often difficult to communicate to management, since they've likely heard for years that prevention is the cure-all. However, the record is now sufficiently replete with examples of prevention failing-when shown this, management should be receptive to trying a new approach.
In "The Need for Continuous Asset Monitoring," the foundations for a new approach are set forth. The article points to federal agencies' adherence to National Institute of Standards and Technology guidelines for vulnerability management, malware detection, asset management, and configuration management. It also highlights the aggregation of data into a central management console as a good first step to start the process of monitoring assets and vulnerabilities.
These steps are sometimes taken in the quest for security compliance, but monitoring also helps companies realize significant benefits. First, the information gained in this compliance process "helps organizations gain a more robust awareness of their overall risk posture." Further, automated tools can assist in the monitoring processes and start to address the staff and budget shortfalls many organizations face when they begin the monitoring process.
Approaches to Monitoring
The SANS survey outlines additional approaches to further address shortfalls in asset and vulnerability monitoring, including investing in outsourced managed services, measuring and communicating the success of this approach, and automating workflows. The primary purpose of monitoring assets and vulnerabilities should be reducing the attack surface, not just achieving compliance. This focus will help develop effective strategies that result in measurable successes, which can then be communicated to management to gain support for increased investment in monitoring assets and vulnerabilities.