Continuous Monitoring for Situational Awareness
Originally posted on the Trend Micro blog.
On the 5th, I’ll be attending the D.C. Metro Cyber Security Summit in Washington, D.C. The event promises to be jam-packed with discussion around some of the key issues facing information security on the national stage.
During the 12:30–14:00 block, our own Chief Cybersecurity Officer, Tom Kellermann, is going to present a case study called “Spinning the Chess Board on Hackers.” Tom is going to look at how offensive techniques and situational awareness can affect defensive postures. You can get a feeling for the level of analysis that Tom brings to the table in his latest post, “The Sixth Estate of Cyberspace: The Hacker Supply Chain.”
He’s a fantastic speaker with a wealth of knowledge. This one promises to be one of the top talks of the day (no pressure, Tom). I’ll be on the panel, “Enterprise Mobile Security & BYOD” starting at 11:45.
We’re going to be discussing the impact that personal devices have on your corporate security approach, the risks posed to your data, and so forth. Given my focus on usability and my history in operational roles, I’m looking forward to being a bit of a contrarian voice.
For this post, I wanted to highlight one of the key areas of information security that underpins almost all of the topics on the Summit’s agenda – and that’s continuous monitoring.
If you’ve been following along with my posts here on the blog, or if we’ve met in person, you know that I usually avoid military metaphors when talking about information security.
I’m going to make an exception here since the term “situational awareness” perfectly describes what I believe is the most critical component of a successful security practice. Situational awareness boils down to being able to understand what’s going on as the environment continues to change around you.
This concept is the foundation on which you build the rest of your security practice. You have to be aware of the environment in which your data is being processed and stored. You have to be able to adapt that understanding as new variables come into play…and in today’s modern IT environments, something is always changing.
The only way to achieve situational awareness in an IT environment is through a strong, continuous monitoring process.
Your monitoring process is going to provide the data that other areas of your security practice and your organization will use to make decisions. In any risk assessment you make about activities in your environment, data from your monitoring process is going to contribute heavily.
Instead of simply guessing at the state of the environment in which you’re processing key organizational data, you can use your monitoring process to provide real data about the state of the environment and how it’s changed over time.
That data makes making an informed decision a whole lot easier.
The Monitoring Process
I’ve posted before about how moving to the cloud will affect your existing monitoring process, but I haven’t written much about setting up that process in the first place.
The ins and outs of creating and developing a strong monitoring process would take more space than I have here, but there are three main stages you need to be aware of:
You have to ensure that you’re collecting as much data as you can; normalize it so that you can analyze the data; and then — here’s the key — react to that analysis.
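To make the three stages concrete, here is a small added example (my illustration for this post, not Trend Micro code) that collects two constructed log sources in different formats, normalizes them onto one schema, analyzes the result against what was previously known about the environment, and turns each finding into a follow-up action. The log lines, host names and thresholds are all made up for the demonstration.

```python
import json
import re
from collections import Counter

# Constructed sample input: two sources, two formats (syslog text and JSON).
RAW_EVENTS = [
    'Jun 05 09:00:01 web01 sshd[2001]: Failed password for root from 10.0.0.9',
    'Jun 05 09:00:02 web01 sshd[2001]: Failed password for root from 10.0.0.9',
    'Jun 05 09:00:03 web01 sshd[2001]: Failed password for root from 10.0.0.9',
    '{"ts": "2014-06-05T09:00:05", "host": "db01", "result": "ok", "user": "svc_backup"}',
    '{"ts": "2014-06-05T09:00:07", "host": "lab07", "result": "ok", "user": "admin"}',
]
SYSLOG_RE = re.compile(r'^(?P<ts>\w{3} \d{2} [\d:]{8}) (?P<host>\S+) \S+: (?P<msg>.*)$')

def normalize(line):
    """Normalize: map one raw line, whatever its format, onto a common schema."""
    if line.startswith('{'):
        rec = json.loads(line)
        return {'ts': rec['ts'], 'host': rec['host'], 'user': rec.get('user', '?'),
                'outcome': 'ok' if rec['result'] == 'ok' else 'fail'}
    m = SYSLOG_RE.match(line)
    if not m:
        return None  # unparsed lines are a blind spot; count them in a real deployment
    msg = m.group('msg')
    user = msg.split(' for ')[1].split()[0] if ' for ' in msg else '?'
    return {'ts': m.group('ts'), 'host': m.group('host'), 'user': user,
            'outcome': 'fail' if 'Failed password' in msg else 'ok'}

def analyze(events, known_hosts, fail_threshold=3):
    """Analyze: compare the current picture with what was known and report the changes."""
    findings = [('new_host', h) for h in sorted({e['host'] for e in events} - known_hosts)]
    fails = Counter((e['host'], e['user']) for e in events if e['outcome'] == 'fail')
    findings += [('auth_failure_burst', f'{h}:{u}:{n}')
                 for (h, u), n in sorted(fails.items()) if n >= fail_threshold]
    return findings

def react(findings):
    """React: every finding becomes a concrete follow-up, never just a dashboard entry."""
    playbook = {'new_host': 'add to asset inventory and confirm ownership',
                'auth_failure_burst': 'review the source and lock out or rate-limit'}
    return [f'{kind} {detail}: {playbook[kind]}' for kind, detail in findings]

def run_pipeline(raw_lines, known_hosts):
    """Collect (here: the constructed list above) -> normalize -> analyze -> react."""
    events = [e for e in map(normalize, raw_lines) if e]
    findings = analyze(events, known_hosts)
    return events, findings, react(findings)
```

Run against a known-host set of web01 and db01, the pipeline flags lab07 as a host that was not in the picture before and the three failed root logins on web01 as a burst, each with an action attached.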
I’ll be posting more on continuous monitoring soon, but in the meantime, here are a few resources that can help set the stage:
“Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations” is a great, formal structure for monitoring processes from NIST (Special Publication 800-137)
“Enterprise Fights Back: Building An Incident Response Team” is a TrendLabs white paper, to be released on Thursday, 05 June 2014, that highlights the need for monitoring and how to leverage it for incident response
“Frayed Edges; Monitoring a perimeter that no longer exists,” a recording of a talk I gave at AtlSecCon 2013 and SecTor 2013 on the keys to a successful, modern monitoring practice
A Strong Foundation
I can’t stress enough how important monitoring is to a successful security practice. You’re going to hear it again and again at Thursday’s summit. It’s a simple concept and a challenging endeavor but worth every cent you invest in it.
Without continuous monitoring and the situational awareness it provides, your practice is essentially operating blind. In a world where we’re seeing more and more sophistication in attacks, that’s simply unacceptable. If you’re attending the event, be sure to touch base.
I’d love to discuss anything on the day’s agenda. If you’re not attending in person, you can always touch base in the comments below, or follow along on Twitter, where I’m @marknca. The event is tweeting using #cybersummitDC as a hashtag.