Wednesday, January 23, 2013

Continuous Monitoring: You’re Doing It Wrong

The Federal Government is not really sure what it’s talking about. Are you?

[This article also appears at Great Lakes Computer.]


One of the surprising challenges of being an Information Security professional is keeping up with the current buzzwords and jargon in the industry, and it’s made more difficult by the fact that not everybody uses those terms in the same way. For instance, given the posture of an organization and whether or not it’s sales-based or based on something else (research, defense, etc.), the term Data Loss Prevention (DLP) can mean different things. However, when I went back to work for the US Federal Government, I thought that Continuous Monitoring was one term that was clear as crystal.

It turns out, however, that the government, which of necessity places a huge emphasis on regulatory compliance, is using the term in an entirely different way from the commercial sector. Continuous Monitoring, as used by the private sector, is actually a relatively new concept, and that’s because it’s only really been in the last few years that we could spin up machines with enough speed and power to do the job in real time.

What Continuous Monitoring should mean is a way to watch what’s happening on your network in real time, integrated with logging so that you can go back and follow patterns, graph anomalies, and so forth. For instance, a good CM setup should tell you when most of your users are using social media, or if there’s a spike in activity to or from a certain address, and so on. The information has always been there, but it’s been hard to find, and now we have the means to automate grabbing those details and presenting them in such a way that network and security admins can form a much better mental picture of what’s going on.
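To make the "spike in activity to or from a certain address" idea concrete, here is a small added example (not code from the post or from any product it mentions). It assumes a flow log with one line per flow in the form "ISO-timestamp src dst bytes", buckets bytes per address per minute, and flags any minute whose total exceeds a fixed multiple of that address's own median for the other minutes; the log lines, the addresses and the spike factor are constructed for illustration.

```python
"""Spike detection over constructed flow logs: one piece of what the post calls a
real CM setup. Assumptions (not from the post): one log line per flow, formatted
'ISO-timestamp src dst bytes'; per-minute buckets; a spike is a bucket whose byte
total exceeds SPIKE_FACTOR times the median of that address's other buckets.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

SPIKE_FACTOR = 5  # assumed multiplier over the address's own median baseline

# Constructed sample flow records; 10.0.0.15 <-> 198.51.100.9 bursts at 09:03.
SAMPLE_LOG = """\
2013-01-23T09:00:05 10.0.0.12 203.0.113.7 1200
2013-01-23T09:00:40 10.0.0.15 198.51.100.9 900
2013-01-23T09:01:10 10.0.0.12 203.0.113.7 1100
2013-01-23T09:01:35 10.0.0.15 198.51.100.9 1000
2013-01-23T09:02:03 10.0.0.12 203.0.113.7 1300
2013-01-23T09:02:50 10.0.0.15 198.51.100.9 950
2013-01-23T09:03:01 10.0.0.12 203.0.113.7 1250
2013-01-23T09:03:02 10.0.0.15 198.51.100.9 20000
2013-01-23T09:03:03 10.0.0.15 198.51.100.9 21000
2013-01-23T09:03:04 10.0.0.15 198.51.100.9 19500
2013-01-23T09:04:12 10.0.0.12 203.0.113.7 1150
2013-01-23T09:04:30 10.0.0.15 198.51.100.9 1000
"""


def parse_line(line):
    """Split 'timestamp src dst bytes' into typed fields."""
    ts, src, dst, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(nbytes)


def bytes_per_minute(lines):
    """Map address -> {minute: total bytes}, charging both ends of each flow."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, n = parse_line(line)
        minute = ts.replace(second=0, microsecond=0)
        totals[src][minute] += n
        totals[dst][minute] += n
    return totals


def find_spikes(totals, factor=SPIKE_FACTOR):
    """Return (address, minute, bytes, baseline) for buckets far above the
    address's median. Addresses seen in fewer than three minutes are skipped:
    a median of one or two points is not a usable baseline."""
    spikes = []
    for addr, buckets in totals.items():
        if len(buckets) < 3:
            continue
        for minute, n in sorted(buckets.items()):
            others = [v for m, v in buckets.items() if m != minute]
            baseline = median(others)
            if baseline > 0 and n > factor * baseline:
                spikes.append((addr, minute.isoformat(), n, baseline))
    return spikes


def report(log_text):
    """Convenience wrapper: raw log text in, list of spike tuples out."""
    return find_spikes(bytes_per_minute(log_text.splitlines()))


if __name__ == "__main__":
    for addr, minute, n, base in report(SAMPLE_LOG):
        print(f"spike: {addr} at {minute}: {n} bytes (baseline {base:g})")
```

Run as-is it reports the 09:03 burst for both ends of the conversation. The median baseline is chosen deliberately: a mean would be dragged upward by the very burst being looked for, and an address with too few observed minutes is skipped rather than guessed at. In a real deployment this logic would run against a rolling window of live flow records rather than a fixed string, which is exactly the "real time, integrated with logging" combination described above.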

However, NIST and the Federal Government have made this term their own, and they mean something completely different - and far less useful, security-wise - by it. I think that the government’s use of the term completely misses the point and buries CM under a pile of compliance paperwork, and the result is that nobody is really watching the network the way that they should be.

What the government means by Continuous Monitoring is looking at the NIST-defined security controls - policy statements dealing with regulatory compliance - for a given network and deciding if they are applied correctly, given the threats list that the government subscribes to and the vulnerabilities that routine scans discover.

NIST does define CM as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions”, which sounds as if it would fit in with the automated approach that I described briefly above, but the problem is that most of the people who are actually responsible for performing this monitoring are using completely manual methods to demonstrate compliance. For instance, I have been told that presenting auditors documented evidence of testing security controls in small batches over time constitutes Continuous Monitoring because it shows “continuously” action promoting the security of the network I’m responsible for. I suppose it doesn’t hurt, but that’s not what CM should be.

Change is slow in the government, but I’m hopeful, as many agencies (including mine) are installing new vulnerability and monitoring solutions that I think will really be an eye-opener on the subject of CM. Compliance is important, but it doesn’t define Information Security; it’s just one part of the whole.
