5 hours 19 minutes
Lesson 4.4 Information Security Continuous monitoring the objectives for this lesson are identifying the components of a well written information security, continuous monitoring or I SCM strategy.
Understand how to create an eye SCM program, and we'll discuss the policy and documentation requirements for I A C M, including defining how frequently data sources air monitored to develop a ny SCM program. These air the following steps that I recommend to take
first will define what our strategy is for continuous monitoring.
We'll also look at how to establish the Iasi in program.
How to implement the program will look at analyzing data and report findings,
respond to those findings and then finally review and update the I SCM plan and strategy and Programme. So just like the incident response plan we've been talking about, SCM is a core component of your I R plant, and this is something that needs to be reviewed and updated frequently in the organization.
So let's get into it.
There are a few things to look at. Four year strategy. First thing we'll talk about his situational awareness. So the point of
information security continuous monitoring is continuously getting real time or near real time information into your incident response program.
Also, the awareness of threats and threat activity is a big part of this. We'll also look at security controls.
I s C M can be a great way to monitor your security controls and also look at how effective they are. Also help you with inventory control and recurring vulnerability scanning. So a true ah continuous monitoring plan takes into account threats,
vulnerability management, your I t asset management.
And it should detect new devices being added to the network whether or not those air approved. If they are added to the network, do they have known vulnerabilities? So it's a great way to holistically look at your entire portfolio to see what's going on.
We'll jump down to the bottom right hand corner with risk. It can help manage information system risk based on your risk tolerance. So perhaps you create a threshold that if systems are above a certain risk score there, okay, but if they're below, they get flagged and need to be remediated,
and that risk score could be on a number of things. Maybe it's known vulnerabilities or the type
the criticality, the asset or whether it's a high value asset, the type of data, the user. There's all sorts of things that you could put into this formula. And then, finally, the data I SCM can help collect and correlate and analyze security related information
and provide actionable communications to information security personnel.
Now that we've talked about the overall strategy for I, SCM will walk through the rest of the components.
Once you've defined that strategy, it's really about establishing the program. And this requires policy to be in place again, that executive sponsorship. And by in that you need to be successful and determining what are all the sources of data that you have to be
involved in continuous monitoring of your enterprise. Now it's one thing to have a lot of tools. Perhaps you've got vulnerability scanners producing their reports. You have in point detection and response doing their thing. You've got network intrusion detection, doing there reporting and maybe next Gen firewalls with a report of their own.
But if they're all independent and you don't have anything that's correlating aggregating like a sim tool, it's really difficult to know. Do you have a big problem? Or maybe you just have one problem on the network, and nothing on the in points in this continuous monitoring idea is that all of that is being reviewed
simultaneously and across
in the entire enterprise.
You very well could use your SIM tool to accomplish your
continuous monitoring program. So to establish it, you need to really take inventory of what you have and go through the questions and the previous box for your strategy on what's available to you from a data and infrastructure standpoint.
So after we have established that, the next thing is to implement the actual program, and this is where you are going to start
looking at the data that's coming in and setting your timelines up for what is in fact continuous, how often you're checking this information and how you're able to make data driven decisions based on the information coming in to you
and as that information comes in, the next part of this is looking at analyzing the data and then report on the findings. So
the continuous monitoring program is very helpful for you to identify risks and new events on the network to be able to communicate upto stakeholders, one of the things I used to do for my leadership was I had a scorecard for information security, and part of my,
source of data for that score card was, in fact, by continuous monitoring program and the information I got out of that. So having this really does help you formulate reports and provide those to the people that need to know,
then the next step that will talk about is respond to those findings. So if in fact, you see from your continuous monitoring that you've got multiple different in points all reporting the same piece of malware than of course you're gonna respond to that if you layer on top of that the fact that
those hosts air also more vulnerable than your others because they haven't been patched in two months
that's certainly something to take a look at. And then you start getting information in from your let's say, your network devices your ideas. I ps that now all those systems that you got the ER report on our beacon ing out with a command and control channel to a known bad I P address.
So you can see where this continuous monitoring and then having something like a SIM. Pulling all this data together
can be really useful. And give your sock folks information. But also and more importantly, as part of your I r lifecycle gives all of your IRA analysts exactly the kind of information they need to quickly determine. Is this a little I incident or a big guy incident? And how
prolific is this problem?
And then finally will make sure that we review our strategy and our plan or documentation. If we've added a new tool that gives us visibility we didn't once have. Then of course, we want toe put that into our plan and talk through how that affects the entire
strategy for continuous monitoring.
When we develop that policy, we want to make sure that it has appropriate authority and its applicability toe everyone. So if you create a policy is part of your program that says cybersecurity and company X y Z shall have the ability to access all devices and company assets.
That's certainly a good thing to have. Maybe all business units shall comply with cybersecurity is request
for agents to be installed to monitor the activity of those devices. That's a great thing to have. So that's all part of this continuous monitoring strategy. Make sure you develop a strategy to test the subset of controls. So if you know, for instance, you want Teoh. One of your controls is, um,
let's say the
you don't have multiple administrator accounts on a system, or maybe any administrator accounts on a system. So one way you can do that try that is to have either a script go out and look at those systems to see if there's any users in the administrators group.
Or you could use active directory to help you find that out also.
And you could have that information all being brought into your SIM tool, and you can also intentionally go at an administrator account, maybe a local admin to a host on your network and see whether or not your SIM picks that event up.
So you wanna pick a couple's subsets of controls. Those controls we get from C S top 20 or from NIST 853 or from missed cybersecurity framework
and try those And I always like to go with what is the most risk to the organization because those are the ones Of course I want to know about if we've got issues and then create a robust configuration control and change management policy. You want to make sure that any changes going on in the environment are accounted for and you are are aware of those.
Also look for the reporting requirements in the audience in the format for those communications to go to. I mentioned already how I would use that for my executive. So think about things like that. Conduct remediation actions based upon the information you receive from your continuous monitoring program
and then always update your documents to make sure
that continuous monitoring also means continuous documentation and that you are keeping up with technological and architectural changes within your network and your systems.
For security configuration, you have tohave
hardware asset management. It's just an absolute requirement, and we've talked about this a couple times already. It's super important, but even if it's in Excel, it doesn't have to be very expensive. I t asset management tool Microsoft Excel To get started is just fine. You need to know
what assets you have, where they're located, who the owner is of the assets, the criticality of the assets.
If you go to see I s's website, they actually have a downloadable template you can use in Excel to track both hardware and software. So think about that if you don't already have one. Also, you need to have a policy that defines the configuration management
and the framework established by the organization. So, for instance, you may have a policy that says
all devices on company X Y Z network shall have the minimum security control configurations. And it may be the fact that you harden them with dIsa Stig's or with CS benchmarks. It might be that there there are no local administrator accounts on the box.
It might be that it has to have your CTR and your SIM agent on it,
so those are things to think through.
Also, configuration of systems has to be done by I tease known good image to that gold image of the baseline image
and all systems air subject to your CCB your change control board in that process. So how continuous is continuous? This is something that you need to define within your continuous monitoring strategy and your documentation. There's no hard or fast rules, but whatever you define, you also need to make sure that you're following.
So in this this is just a example. Out of Fed ramp Fed Ramp is a program for federal government agencies to procure
cloud services from a vendor that has already gone through, and essentially, an inspection or an authority to use process by a federal agency.
But I thought this was a good example to use here, where they have the missed 853 controls the CS controls, and what they're saying is, for instance, inventory of devices is continuous and ongoing. You can see the 2nd 1 down.
That just means as devices, Air added, that's constantly being looked at. It will be refreshed. This is more real time information.
But maybe once a week you're going to look at maintenance, monitoring and analysis of logs. And then once a month you'll do things like secure configuration software inventory. So it's not really time. But it is something that you need to look for at least once a month, cause it's a little lower risk but still needs to be looked at.
All right. Quiz question. Who defines what continuous is foreign organizations? I SCM a federal law
be in organizations, risk assessment and capabilities
or C insurance companies?
Well, if he answered, be an organization's risk assessment and capabilities, you are correct.
True or false?
I T Asset management is not required for an eye SCM program to be successful.
And hopefully you got this one right. False. It's absolutely required. You have to know what's on the network. Remember, you can't protect what you don't know about. There's a reason hardware i ts that management is in the top of all security controls that are out there like C. I s Sands Co bit whoever you might be looking for.
So make sure that you have that in place again, even if it's in Excel to begin with.
So to follow up on this, the summary of this lesson the components of a well written strategy we talked through with I a c m. We also talked about the policy and documentation requirements for continuous monitoring, including how frequent is continuous and also how to create an eye SCM program