Continuous Monitoring to Meet your Risk and Compliance Goals

There was a time when security personnel would have to dig through thousands of raw log files to figure out what was happening in a network. With such a huge task at hand, threat detection and elimination were impossible to perform frequently. Back then though, attackers were limited in variety and took time to spread. Today’s attackers are wiser and equipped with much more sophisticated options to launch attacks and spread malicious code. Within a short span, millions of machines can be compromised. We have seen many stories of significant breaches in the past two decades.  

Year | Compromised Users | Organization | Stolen Data
2009 | 130 million cardholders | Heartland Payment Systems | Credit card numbers
2013 | 153 million accounts | Adobe | Usernames, email IDs, and passwords
2014 | 145 million users | eBay | Passwords
2016 | 57 million Uber users and 600,000 drivers | Uber | Names, email addresses, and mobile numbers (obtained via a GitHub account)
2017 | 200 million US voters | Republican National Committee (RNC) | Personally Identifiable Information (PII): names and addresses
2018 | 150 million users | Under Armour | MyFitnessPal app usernames and email IDs
2019 | 885 million users | First American Financial Corporation | Social security numbers and wire transaction records

The list goes on, and you would be hard pressed to find a company that attackers have not tried to infiltrate. Some attacks never become visible because the targeted companies took proactive action and mitigated the impact before any company data was compromised. But how do some companies manage to protect their users amid these threats when so many large corporations have suffered?

The answer lies in a continuous monitoring (CM) system built around threat detection. This preventive approach cannot be applied occasionally; it must run continuously, so that the moment there is a hint of an attack, action is taken immediately. Organizations that use continuous monitoring to keep track of network health are more likely to prevent attacks, and even when they are attacked, they respond faster and reduce the impact.

Challenges with Continuous Monitoring 

Continuous monitoring helps an organization detect security events that may turn into a breach and enables real-time reporting of inconsistencies, violations, and network changes. However, implementing a continuous monitoring system comes with its fair share of challenges.

The Problem: Tracking endpoints is tricky. Some endpoints may require you to connect to another country's network. Endpoints are also not just laptops or personal computers; they include devices such as printers and wearables. These devices are not always on and connected, which makes real-time tracking difficult. There can also be unknown devices in the environment that are not on the organization's official endpoint inventory.

A Solution: If an organization must ensure that all endpoint devices are covered, threat scanning has to run in both always-on and passive modes.

The Problem: Endpoint systems might use different tools for analyzing networks, detecting vulnerabilities, and tracing connected devices. These tools generate different data sets that have to be combined, and the data can be overlapping or inaccurate depending on the analysis methods used at the device end.

A Solution: Adopting a specific standard such as SCAP (Security Content Automation Protocol) can reconcile these differences, helping overcome the interoperability challenges that come from variations in tools and their interpretations. MDM (Master Data Management) techniques can also reduce these enterprise challenges through cross-references and master identifiers. Reports from always-on device agents also need to be kept distinct from reports produced by network-based monitoring tools, as the former are more trustworthy.

The Problem: Despite these measures, an organization cannot rest assured of its security, because the threat landscape keeps expanding. A single approach might not solve the problem.

A Solution: For continuous monitoring to be most effective, an organization needs a security information and event management (SIEM) system that can ingest heterogeneous data from multiple sources. With a SIEM, continuous monitoring can correlate network activities across hosts, categorize threats, and suggest an appropriate response. When CM flags a threat, the SIEM should be able to use that information to identify the threat vectors behind all related events.
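The two solutions above (reconciling overlapping tool output through master identifiers, trusting always-on agent reports over network-based ones, then correlating per host) as an added example; this is not code from the original article or from any vendor, and the feed formats, host names, master ids and finding names are all constructed for illustration:

```python
import json
# Constructed data: MASTER_IDS cross-references each tool's host name to one master asset id;
# the agent feed is JSON lines, the scanner feed is "<ip> <finding> <state>" per line.
MASTER_IDS = {"ws-042.corp.example": "ASSET-0042", "10.0.5.42": "ASSET-0042",
              "printer-3f": "ASSET-0107", "10.0.7.3": "ASSET-0107"}
SOURCE_RANK = {"agent": 2, "scanner": 1}  # always-on agent data is trusted more
AGENT_FEED = """
{"host": "ws-042.corp.example", "finding": "VULN-A", "state": "patched"}
{"host": "ws-042.corp.example", "finding": "suspicious_login", "state": "seen"}
"""
SCANNER_FEED = """
10.0.5.42 VULN-A open
10.0.7.3 VULN-B open
10.0.9.9 VULN-C open
"""

def parse_agent(text):
    for line in text.strip().splitlines():
        e = json.loads(line)
        yield {"src": "agent", "key": e["host"], "finding": e["finding"], "state": e["state"]}

def parse_scanner(text):
    for line in text.strip().splitlines():
        ip, finding, state = line.split()
        yield {"src": "scanner", "key": ip, "finding": finding, "state": state}

def reconcile(events):
    """Map events to master ids, one record per (asset, finding); devices missing from
    the inventory get an UNKNOWN:<key> id, and the higher-ranked source wins overlaps."""
    best = {}
    for e in events:
        asset = MASTER_IDS.get(e["key"], "UNKNOWN:" + e["key"])
        k = (asset, e["finding"])
        if k not in best or SOURCE_RANK[e["src"]] > SOURCE_RANK[best[k]["src"]]:
            best[k] = dict(e, asset=asset)
    return best

def correlate(records):
    """Per-asset flags a SIEM-style rule can act on (open vuln, suspicious login, unknown)."""
    per_asset = {}
    for (asset, _), e in records.items():
        per_asset.setdefault(asset, []).append(e)
    return {a: {"open_vuln": any(e["state"] == "open" for e in evs),
                "suspicious_login": any(e["finding"] == "suspicious_login" for e in evs),
                "unknown_device": a.startswith("UNKNOWN:")}
            for a, evs in per_asset.items()}

def run():
    events = list(parse_agent(AGENT_FEED)) + list(parse_scanner(SCANNER_FEED))
    return correlate(reconcile(events))
```

Note that the scanner's stale "open" record for VULN-A on ASSET-0042 is overridden by the agent's "patched" report, while the host the inventory does not know about is surfaced rather than silently dropped.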

The Problem: Continuous monitoring strengthens security, but it also raises compliance challenges. Can your company quickly tackle compliance-based deviations? How frequently should you monitor? Monitoring continuity can easily be disrupted by compliance interruptions, and to address them you end up reprioritizing so that resources can be allocated to compliance issues.

A Solution: Monitoring tasks such as threat identification and prioritization of violations can be automated with SOAR (Security Orchestration, Automation, and Response) and UEBA (User and Entity Behavior Analytics) tools. These tools identify and flag threats, reducing the number of events that must be addressed and leaving more time for remediation. Threats here include system deficiencies, vulnerabilities, external threats, and risky user actions.

The Problem: We depend on many third-party services to perform our tasks because we cannot produce everything we need. While this gives us access to a wide range of capabilities, it also adds risk to data security. Managing internal systems is already complex; add vendor management to it and the risks multiply.

A Solution: CM can also provide visibility into vendor management by reviewing third-party performance and risk. If a vendor falls below the performance threshold or exceeds the acceptable risk threshold, a review can be triggered, followed by remediation of the issues the review identifies.

The Problem: Another challenge in the way of CM implementation is risk analysis, which is difficult to perform because it is unique to each organization. Moreover, security teams must identify metrics and values based on business needs and communicate security posture in those terms.

A Solution: CM provides a mechanism for updating security plans and assessment reports, thereby supporting risk-related decisions. However, if the risk is not well understood, CM implementation becomes harder; this can be overcome by gaining clarity on the following questions:

  • Can compliance requirements be met with CM implementation? 
  • How can we control the scope of work to establish security controls for CM? 
  • Will stakeholders be sufficiently involved in making risk-related decisions? 
  • Can we manage continuous monitoring within the organization’s budget? 

With continuous security monitoring, an organization can mature its security posture by leveraging threat intelligence and machine learning. These help triage and investigate potential security incidents and produce rapid, actionable recommendations. Continuous monitoring can help you do the following:

  • Keep tabs on endpoint activity 
  • Make sense of overlapping and conflicting data 
  • Bring together security control mechanisms that are otherwise not integrated
  • Meet compliance and regulatory requirements when used to detect not just security anomalies but also compliance deviations 
  • Standardize security risks and link risk management to internal processes 
  • Identify misconfigured security controls 
  • Build on existing know-how and measure the right things

Your Threat Escape Plan 

Implementing continuous monitoring requires a sound plan that is free of inaccuracies. Your CM plan must define the critical assets to be included in your monitoring system (including a risk analysis plan) and identify which CM tools you will use.

To put an effective plan in place, your first step is to identify which assets need the most protection, considering your business goals. Based on the importance of each asset to business operations, you can categorize assets into low, medium, and high priority. For high-priority critical assets, you must create a policy that clearly identifies the assets and how they must be scanned, retained, or analyzed.

Once your policy is in place, you can start leveraging CM tools to support enterprise security. Several continuous monitoring tools can be used for a variety of purposes, with configuration management, vulnerability scanning, and threat detection being the most common. An organization can use a proprietary tool to monitor security itself or use a third-party tool to reduce the burden on its internal security team.

While a tool helps you with vulnerability scans, you can use its insights to develop a patch schedule for the systems that need updates. CM tools can help you take an inventory of every asset in your network and assign update priorities based on the risk involved with each patch. CM tools commonly provide vulnerability assessment, but others explore the human perspective, such as UEBA (User and Entity Behavior Analytics), or provide endpoint security, such as EDR/XDR (Endpoint/Extended Detection and Response) tools. Further, SOAR (Security Orchestration, Automation, and Response) tools provide threat defense, intelligence, and automation. Some of these tools are listed below:

Tenable
Category: VA/PT (Vulnerability Assessment/Penetration Testing)
Features:
  • IT ecosystem monitoring from a vulnerability perspective
  • Active scanning of assets to determine risk
  • Intelligent connectors integrate security data
  • Network traffic is monitored in real time
  • Host data is captured about changes

Qualys
Category: VA/PT (Vulnerability Assessment/Penetration Testing)
Features:
  • Global network monitoring is automated
  • Alerts on changes based on configured security rules
  • Dashboards show activities and anomalies that can be drilled down to finer detail

Forcepoint
Category: UEBA (User and Entity Behavior Analytics)
Features:
  • Monitors high-risk behavior of enterprise users
  • Identifies malicious users, compromises, and corporate espionage

Securonix
Category: UEBA (User and Entity Behavior Analytics), SIEM (Security Information and Event Management), and SOAR (Security Orchestration, Automation, and Response)
Features:
  • Combines SOAR, SIEM, network traffic analysis, and UEBA
  • Unified platform to handle security events and assess workloads
  • Identifies high-need areas using threat risk values
  • Informs responses through analysis of the contextual information in historical data

Tripwire
Category: Vulnerability Assessment and Risk Scoring
Features:
  • Endpoint intelligence is used to detect threats and compliance issues, which are alerted on
  • Compliance evidence is produced automatically to support audits, drawing on a library of 800 policies that cover regulations such as PCI, SOX, FISMA, HIPAA, ISO, and NERC
  • Security controls are automated and guided through risk remediation

Rapid7
Category: Vulnerability Assessment and Risk Scoring
Features:
  • Automated discovery and scanning of assets for misconfigurations, vulnerabilities, and compliance issues
  • Issue prioritization based on exploits and risk scores

Trend Micro
Category: EDR/XDR (Endpoint/Extended Detection and Response)
Features:
  • Endpoint protection platform with application control and behavior analysis
  • Cross-generational threat defense techniques against attacks

CrowdStrike
Category: EDR/XDR (Endpoint/Extended Detection and Response)
Features:
  • Provides platform security through managed XDR and continuous monitoring of the IT landscape

Palo Alto Cortex
Category: EDR/XDR (Endpoint/Extended Detection and Response) and SOAR (Security Orchestration, Automation, and Response)
Features:
  • Extended detection and response for endpoint security
  • Playbook-driven automation to respond to incidents and speed up investigations
  • Outside-in view of the attack surface across the internet

FortiSOAR
Category: SOAR (Security Orchestration, Automation, and Response)
Features:
  • Manages incidents, alerts, assets, indicators, and tasks
  • Customized dashboards and reports
  • Role-based incident management and access control
  • Threat intelligence management support
  • Visual playbooks with platform integrations for automation

Splunk SOAR
Category: SOAR (Security Orchestration, Automation, and Response)
Features:
  • Automation of repetitive tasks such as handling security alerts
  • Prevention, detection, and response to emerging threats
  • Built-in threat intelligence and insights to support decisions
  • Execution of pre-made playbooks through automation

IBM Security™ QRadar® SOAR (Resilient)
Category: SOAR (Security Orchestration, Automation, and Response)
Features:
  • Incident response processes codified into playbooks to guide resolution
  • Automation of threat response with intelligence on cyberthreats
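The planning steps described above (tier assets into low, medium and high priority, inventory them, and turn scanner findings into a risk-ordered patch schedule) as an added example; this is not code from the article or from any of the listed tools, and the host names, patch ids, severities, tier weights, band thresholds and remediation windows are all constructed placeholders to be replaced by your own policy:

```python
# Constructed asset inventory with business-priority tiers from the CM plan.
ASSETS = {"db-01": "high", "web-01": "high", "hr-app": "medium", "kiosk-7": "low"}

# Constructed scanner findings: (host, patch id, severity 0-10, exploit known).
FINDINGS = [
    ("db-01", "PATCH-1", 9.8, True),
    ("web-01", "PATCH-2", 5.3, False),
    ("hr-app", "PATCH-1", 9.8, True),
    ("kiosk-7", "PATCH-3", 7.5, False),
    ("db-01", "PATCH-1", 9.8, True),     # same finding reported by a second tool
    ("lab-box", "PATCH-4", 8.0, False),  # host that is not in the inventory
]

TIER_WEIGHT = {"high": 3, "medium": 2, "low": 1}
# Assumed remediation windows (days) per risk band; tune these to your own policy.
SLA_DAYS = {"critical": 7, "important": 30, "routine": 90}

def risk_score(tier, severity, exploit_known):
    """Asset criticality times vulnerability severity, raised when an exploit exists."""
    return TIER_WEIGHT[tier] * severity * (1.5 if exploit_known else 1.0)

def band(score):
    """Assumed thresholds mapping a score onto a remediation band."""
    return "critical" if score >= 25 else "important" if score >= 12 else "routine"

def build_schedule(assets, findings):
    """Deduplicate findings across tools, score each against the asset's priority,
    and return (patch list ordered most urgent first, hosts missing from inventory)."""
    seen, schedule, unknown = set(), [], set()
    for host, patch, severity, exploit in findings:
        if (host, patch) in seen:
            continue
        seen.add((host, patch))
        if host not in assets:
            unknown.add(host)  # surface unmanaged devices instead of guessing a tier
            continue
        score = risk_score(assets[host], severity, exploit)
        schedule.append({"host": host, "patch": patch, "score": round(score, 1),
                         "band": band(score), "due_days": SLA_DAYS[band(score)]})
    schedule.sort(key=lambda r: (-r["score"], r["host"]))
    return schedule, sorted(unknown)

if __name__ == "__main__":
    for row in build_schedule(ASSETS, FINDINGS)[0]:
        print(row)
```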

CM tools can help you assess security risks, identify vulnerabilities, detect threats, raise alarms, and perform risk remediation in real time so that your security team can proactively deal with security risks and threats. While your security team takes these measures to secure your organization and network systems, you also need buy-in from non-security staff, who must be aware of the security risks. Educating them to create awareness of security needs is therefore an essential element of a successful CM implementation, so make space for security awareness campaigns in your threat-escape plan.

Implementing a continuous monitoring plan can be a daunting task and even with it, no system is 100% safe from potential security threats. However, in the ever-changing threat landscape, continuous monitoring can keep you protected in most scenarios. 

Apexon is a digital-first technology services firm specializing in accelerating business transformation and delivering human-centric digital experiences. For over 17 years, Apexon has been meeting customers wherever they are in the digital lifecycle and helping them outperform their competition through speed and innovation.
