There was a time when security personnel would have to dig through thousands of raw log files to figure out what was happening in a network. With such a huge task at hand, threat detection and elimination were impossible to perform frequently. Back then though, attackers were limited in variety and took time to spread. Today’s attackers are wiser and equipped with much more sophisticated options to launch attacks and spread malicious code. Within a short span, millions of machines can be compromised. We have seen many stories of significant breaches in the past two decades.
|Year||Compromised Users||Organization||Stolen Data|
|2009||130 million cardholders||Heartland Payment Systems||Credit card numbers|
|2013||153 million accounts||Adobe||Usernames, email IDs, and passwords|
|2014||145 million users||eBay||Passwords|
|2016||57 million Uber users and 600,000 drivers||Uber||Names, email addresses, and mobile numbers from Github Account|
|2017||200 million US voters||Republican National Committee (RNC)||Personal Identifiable Information (PII) – names and addresses|
|2018||150 million users||Under Armour||MyFitnessPal app usernames and email IDs|
|2019||885 million users||First American Financial Corporation||Social security numbers and wire transaction records|
The list goes on, and we would hardly find a company that attackers have not attempted to infiltrate. Some of the attacks might not be visible, for before they could compromise company data, the companies could take proactive actions to mitigate their impacts. But how are some companies able to save their users amid these threats when many large corporations have suffered?
The answer lies in the continuous monitoring (CM) system that involves threat detection. This prevention approach cannot happen occasionally, but continuously, such that the moment there is a hint of an attack, the action is taken immediately. Organizations that use continuous monitoring systems to keep track of network health are more likely to prevent attacks. Even if they are attacked, they respond fast and reduce the impacts.
Challenges with Continuous Monitoring
Continuous monitoring helps an organization detect security events that may turn into a breach and enable real-time reporting of inconsistencies, violations, and network changes. However, implementing a continuous monitoring system has a fair share of challenges.
The Problem: Another challenge is tracking endpoints which are tricky. Some endpoints may need you to connect to another country’s network. Also, endpoints are not just laptops or personal computers but can also be other devices like printers and wearables. However, these devices are not always on and connected, in which case real-time tracking is difficult. There can also be some unknown devices that are not on the official list of an organization in the endpoint.
A Solution: Threat scanning must be done in always-on and passive modes if an organization must ensure that all endpoint devices are covered.
The Problem: Endpoint systems might utilize different tools for analyzing networks, detecting vulnerabilities, and tracing connected devices. These tools would generate different data sets that have to be put together. This data can be overlapping or inaccurate depending on the methods used at the device end for analysis.
A Solution: Using a specific standard like SCAP (Security Content Automation Protocol) can release these differences, helping overcome the interoperability challenges that come from variations in tools and their interpretations. MDM (Master Data Management) techniques can also reduce enterprise challenges through cross-references and master identifiers. Bifurcation is also needed between always-on device reports and reports from network-based monitoring tools as the former are more trustworthy.
The Problem: Despite these measures, an organization cannot live with an assurance of security as the threat landscape keeps expanding. A single approach might not solve the problem.
A Solution: For continuous monitoring to be most supportive, an organization needs to have a security information and event management system that can ingest heterogeneous data from multiple sources. With this SIEM, continuous monitoring can correlate network activities across hosts, categorize threats, and suggest an appropriate way to respond to these threats. While CM flags a threat, SIEM should be able to use this information to identify threat vectors for all events.
The Problem: Continuous monitoring strengthens security, but it also raises compliance challenges. Can your company quickly tackle compliance-based deviations? How frequently should you monitor? Your continuity can easily be disrupted by compliance interruptions. To address this, you will end up reprioritizing so you can allocate resources to address compliance issues.
A Solution: Monitoring tasks like threat identification and prioritization of violations can be automated with SOAR (Security Orchestration, Automation, and Response) and UEBA (User Enabled Behavior Analytics) tools. These tools help identify and flag threats, reducing events to be addressed, leaving more time for remediation. Threats include system deficiencies, vulnerabilities, external threats, and risky user actions.
The Problem: We depend on many third-party services to perform our tasks because we cannot produce everything we need. While this gives us access to a wide range of capabilities, it also adds risk to data security. Managing internal systems is complex, add vendor management to it and you would be baffled by risks.
A Solution: CM can also provide visibility into vendor management by reviewing third-party performance and risk. If a vendor delivers below the performance threshold or goes above the acceptable risk threshold, a review can be triggered followed by a remediation activity to resolve issues observed in the review.
The Problem: Another challenge that can come in the way of CM implementation is risk analysis which is difficult to perform as it is unique to an organization. Moreover, security teams must identify metrics and values based on business needs and communicate security posture in those terms.
A Solution: CM provides a mechanism for updating security plans and assessment reports thereby supporting risk-related decisions. However, if the risk is not well understood, it creates a challenge for CM implementation that can be overcome by gaining clarity on the following questions:
With continuous security monitoring, an organization can achieve maturity in security posture by leveraging intelligence and machine learning. These can help process triage and investigate potential security incidents to give rapid actionable recommendations. It can help you do the following:
Your Threat Escape Plan
Continuous monitoring implementation requires a sound plan that is sans inaccuracies. Your CM plan must define critical assets to be included in your monitoring system (including a risk analysis plan) and identify what CM tools you would be using.
To have an effective plan in place, your first step is to identify which assets need most protection considering your business goals. Based on the importance of assets in business operations, you can categorize them into low, medium, and high priorities. For critical assets that are high priority, you must create a policy that clearly identifies the assets and how they must be scanned, retained, or analyzed.
Once your policy is in place, you can start leveraging CM tools to support enterprise security. For this, several continuous monitoring tools can be used for a variety of purposes with configuration management, vulnerability scan, and threat detection being the most common. An organization can use a propriety tool to monitor security themselves or use a third-party tool to reduce the burden of their internal security teams.
While a tool helps you with vulnerability scans, you can use its insights to develop a patch schedule for systems that need updates. CM tools can help you take an inventory of each asset in your network system and assign priorities for updates based on the risk involved with each patch. CM tools commonly provide vulnerability assessment, but others explore the human perspective such as UEBA (User and Entity Behavior Analytics) and provide endpoint security like EDR/XDR (End Point/Extended Detection and Response) tools. Further, SOAR (Security Orchestration, Automation, and Response) tools provide threat defense, intelligence, and automation. Some of these tools are listed below:
|Tenable||VA/PT (Vulnerability Assessment/ Penetration Testing)||
|Qualys||VA/PT (Vulnerability Assessment/ Penetration Testing)||
|Forcepoint||UEBA (User and Entity Behavior Analytics)||
|Securonix||UEBA (User and Entity Behavior Analytics)
SIEM (security information and event management)
SOAR (Security Orchestration, Automation and Response)
|Tripwire||Vulnerability Assessment and Risk Scoring||
|Rapid 7||Vulnerability Assessment and Risk Scoring||
|Trend Micro||EDR/XDR (End Point/Extended Detection and Response)||
|Crowd Strike||EDR/XDR (End Point/Extended Detection and Response)||
|Palo Alto Cortex||EDR/XDR (End Point/Extended Detection and Response) and SOAR (Security Orchestration, Automation and Response)||
|FortiSOAR||SOAR (Security Orchestration, Automation and Response)||
|Splunk SOAR||SOAR (Security Orchestration, Automation and Response)||
|IBM Security™ QRadar® SOAR (Resilient)||SOAR (Security Orchestration, Automation, and Response)||
CM tools can help you assess security risks, identify vulnerabilities, detect threats, raise alarms for threats, and perform risk remediation in real-time so that your security team can proactively deal with security risks and threats. While your security team takes these measures to help you secure your organization and network systems, you also need buy-in from the non-security people who must be aware of the security risks. Thus, educating them to create awareness about security needs is also an essential element for the successful implementation of a CM. Thus, make space for the security awareness campaigns in your threat-escape plan.
Implementing a continuous monitoring plan can be a daunting task and even with it, no system is 100% safe from potential security threats. However, in the ever-changing threat landscape, continuous monitoring can keep you protected in most scenarios.
Apexon is a digital-first technology services firm specializing in accelerating business transformation and delivering human-centric digital experiences. For over 17 years, Apexon has been meeting customers wherever they are in the digital lifecycle and helping them outperform their competition through speed and innovation.