This review article discusses continuous network monitoring and the solutions organisations use to implement it. It also compares the effectiveness of continuous monitoring with traditional, periodic network monitoring and outlines the benefits of implementing a continuous monitoring system.
Continuous network monitoring and assessment is an emerging best practice for addressing threats, technology risks, and changing regulatory requirements. It is an effective countermeasure for an organisation to implement, providing protection against today's cyber threats. To attain continuous monitoring, an organisation needs a balanced combination of processes, people, and technologies that together automatically detect and report vulnerabilities in the IT environment.
A continuous monitoring program ensures that the planned, required and deployed security controls within an information system, or inherited by the system, continue to be effective over time as inevitable changes occur. Continuous monitoring is one of six steps in the Risk Management Framework (RMF) described in NIST (National Institute of Standards and Technology) Special Publication 800-37, Revision 1, Applying the Risk Management Framework to Federal Information Systems (February 2010). The RMF provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle. Continuous network monitoring plays a key role in assessing the security impact on an information system of planned and unplanned changes to its hardware, software, firmware, or environment of operation.
In an organisation, continuous network monitoring is an effective defensive measure against today's cyber threats. In practice, vulnerability and configuration assessments are performed yearly, quarterly, or monthly. These periodic assessments leave knowledge gaps between assessments and are of limited value when an incident occurs. Continuous network monitoring eliminates those gaps.
Continuous network monitoring entails the incorporation of core technologies with applied intelligence, which together give an organisation the ability to implement and maintain an effective and efficient continuous monitoring and assessment program. The research paper issued by Tenable Network Security, Inc. (January 2012) describes how, by orchestrating internal processes with the core technologies outlined below, organisations can create the baseline operational and technical capabilities to support:
• Real-time asset discovery
• Real-time situational awareness of vulnerabilities and events
• Real-time incident response
The core technologies for continuous network monitoring are: vulnerability and configuration assessment; a network SPAN port to capture network events in real time; a log correlation engine or security information and event management (SIEM) system; and a centralised management console.
According to Jerry Shenk (Own Your Network with Continuous Monitoring, September 2010), for a continuous monitoring program to succeed it should manage and maintain a consistent configuration for the computing systems in the organisation; management should authorise IT personnel to maintain that configuration; management should identify and approve the key assets to be monitored; and reports should be provided to the appropriate personnel.
Continuous monitoring is a cyclic process consisting of four phases: discovery, analysis, tuning and process. These are not individual phases that run in sequence; rather, all four need to be going on continuously.
Continuous monitoring transforms staff efforts from a reactive to a proactive position. It eliminates the 'fog of war' predicament during a crisis because of real-time or near real-time visibility of assets, vulnerabilities, and risks based on current events and information (James Tarala, February 2012).
Benefits of implementing continuous monitoring system
• Keeping a just-in-time inventory of all assets, vulnerabilities, and security configuration gaps
• Identifying new cyber threats such as advanced persistent threats (APTs)
• Gaining visibility into network events and activities to identify anomalies
• Improving incident response capabilities based on risks, vulnerabilities, and current events
In the current environment, continuous network monitoring helps an organisation counter today's cyber threats, minimise the risk introduced by new technologies, and strengthen its reputation by continually finding vulnerabilities and providing prompt remedies.
NIST defines continuous monitoring as follows:
"Continuous Monitoring is a risk management approach to cyber security that maintains an accurate picture of an organization's security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies."
Mr. Kevin M. Dulany (January 2013) states that continuous monitoring does not replace security authorisation, but an effectively designed monitoring program can transform an infrequent security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status information to senior management. Senior management can use this information to take appropriate risk mitigation actions and make cost-effective, risk-based decisions concerning the operation of their information systems. Continuous monitoring therefore allows an organisation to monitor the security state of an information system on an ongoing basis and maintain its security authorisation. Knowing the state of security of information systems is crucial in highly dynamic environments of operation involving changing threats, vulnerabilities, technologies, and missions/business processes.
Organisations should be careful to treat continuous monitoring as part of a whole, risk-based security life cycle approach. Without appropriate planning for security controls and the correct implementation of those controls, the value of continuous monitoring is greatly diminished: near real-time, ongoing monitoring of weak or ineffective security controls that result from flawed information security requirements can produce a false sense of security.
The development of an organisation's security plans for its information systems and environment must be centred on mission and operational requirements to ensure good security control. NIST Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, provides a wide-ranging catalogue of management, operational, and technical security controls based on the most current threat and attack information available. This security control catalogue enables a defense-in-depth protection capability that includes people, processes, and technologies: a set of safeguards and countermeasures to address threats from cyber-attacks, human error, and natural disasters.
Outcome Based Security Monitoring in a Continuous Monitoring World
According to Ron Gula (December 2012), technology has advanced sufficiently that vulnerability management can be performed in near real-time at large scale. Because of this, outcome-based security monitoring for large enterprises is now possible with "big data" types of analytics.
At the recent 2012 ITSAC conference in Baltimore, John Streufert, the Director of the National Cyber Security Division of DHS, outlined five recommendations for achieving continuous monitoring. These were:
• Scan daily, at least every 36 to 72 hours
• Focus on attack readiness
• Fix daily
• Grade personally
• Hold managers responsible
In large organisations data collected using various devices can be used to both model and measure in near real-time. This data helps drive better decisions, identify trends before they are problems, make better policies, and make asset owners more accountable for the systems they are managing. The data allows for true "outcome based" security measurements of different IT organizations, assets, or business units. The outcomes that executives and management can ask for can be tracked in real-time and not be constrained, modified or distorted by human intervention, politics or the lack of an ability to track this information.
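The following Python script is an added example (not code from the article or from any of the vendors or speakers it cites) that turns the recommendations above into a concrete outcome-based measurement: it flags assets whose last scan is older than the 72-hour window and grades each asset owner on the weighted open-vulnerability load of their systems. The inventory records, severity weights, stale-asset penalty and grade thresholds are all constructed for this example; the 72-hour window is the only value taken from the text.

```python
"""Scan-freshness check and per-owner risk grading (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Policy values. The 72-hour scan window comes from the text; the weights,
# penalty and grade thresholds are assumptions chosen for this example.
SCAN_SLA = timedelta(hours=72)
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 1}
STALE_PENALTY = 20  # score assumed for an asset whose state is unverified
GRADE_THRESHOLDS = [(5, "A"), (15, "B"), (30, "C")]  # avg score < bound -> grade

# Constructed inventory records: hostnames, owners and findings are invented.
ASSETS = [
    {"host": "web-01", "owner": "Web Team", "last_scan": "2012-12-04T08:00:00",
     "open_vulns": {"critical": 1, "high": 2, "medium": 4}},
    {"host": "web-02", "owner": "Web Team", "last_scan": "2012-11-30T08:00:00",
     "open_vulns": {"critical": 0, "high": 1, "medium": 2}},
    {"host": "db-01", "owner": "Database Team", "last_scan": "2012-12-03T20:00:00",
     "open_vulns": {"critical": 0, "high": 0, "medium": 1}},
    {"host": "hr-fs-01", "owner": "HR Apps", "last_scan": "2012-11-20T08:00:00",
     "open_vulns": {"critical": 3, "high": 0, "medium": 0}},
]


def _as_dt(value):
    """Accept either a datetime or an ISO-8601 string."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def risk_score(open_vulns):
    """Weighted count of open findings; unknown severities carry no weight."""
    return sum(SEVERITY_WEIGHT.get(sev, 0) * n for sev, n in open_vulns.items())


def is_stale(asset, now, sla=SCAN_SLA):
    """True when the asset has not been scanned within the SLA window."""
    return _as_dt(now) - _as_dt(asset["last_scan"]) > sla


def stale_assets(assets, now, sla=SCAN_SLA):
    """Hosts that violate the 'scan at least every 72 hours' recommendation."""
    return sorted(a["host"] for a in assets if is_stale(a, now, sla))


def letter_grade(avg_score):
    for bound, letter in GRADE_THRESHOLDS:
        if avg_score < bound:
            return letter
    return "D"


def grade_owners(assets, now, sla=SCAN_SLA):
    """Per-owner report: asset count, stale count, average score and grade.

    A stale asset's true state is unknown, so its score is raised to at
    least STALE_PENALTY; an owner cannot improve a grade by not scanning.
    """
    scores = defaultdict(list)
    stale = defaultdict(int)
    for a in assets:
        score = risk_score(a["open_vulns"])
        if is_stale(a, now, sla):
            stale[a["owner"]] += 1
            score = max(score, STALE_PENALTY)
        scores[a["owner"]].append(score)
    report = {}
    for owner, owner_scores in scores.items():
        avg = sum(owner_scores) / len(owner_scores)
        report[owner] = {"assets": len(owner_scores), "stale": stale[owner],
                         "avg_score": avg, "grade": letter_grade(avg)}
    return report


if __name__ == "__main__":
    NOW = "2012-12-05T09:00:00"  # constructed reference time
    print("Stale (>72h since last scan):", stale_assets(ASSETS, NOW))
    for owner, row in sorted(grade_owners(ASSETS, NOW).items()):
        print(f"{owner:14s} assets={row['assets']} stale={row['stale']} "
              f"avg={row['avg_score']:.1f} grade={row['grade']}")
```

Run as-is it reports web-02 and hr-fs-01 as stale and grades the Web Team C, the Database Team A and HR Apps D. The design point is that the penalty for an unscanned asset makes the scan cadence itself part of the outcome measure, so the "grade personally" and "hold managers responsible" recommendations cannot be gamed by letting assets drop out of the scan schedule.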
According to my research, in today's rapidly changing threat landscape and dynamic network environment, periodic and static vulnerability and configuration security assessments are no longer effective, so the processes and technologies that support continuous network monitoring should be put in place.