The National Institute of Standards and Technology (NIST) defines its Risk Management Framework (RMF) in Special Publication (SP) 800-37, which breaks the RMF into six steps (see diagram below). (SP 800-37 Revision 2, published later, added a preparatory step ahead of these six; the monitoring step discussed here is unchanged.)
The RMF is mandatory only for federal information systems and systems seeking FedRAMP authorization, but much of the process, and continuous monitoring in particular, applies equally well to commercial systems. NIST publishes guidance supporting each of the six steps; this blog post focuses on Step 6 – Monitor Security Controls.
NIST SP 800-137 defines Information Security Continuous Monitoring (ISCM) as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The objective is to conduct ongoing monitoring of the security of an organization’s networks, information, and systems, and respond by accepting, avoiding/rejecting, transferring/sharing, or mitigating risks as situations change.”
To me, the key phrases in this definition are “ongoing awareness” and “support[ing] organizational risk management decisions” as “situations change.” Organizational management is responsible for identifying the risks to the organization and defining the approach for addressing them. The organization’s risk appetite defines the level of risk senior management is willing to accept in pursuit of its stated strategic objectives. People, policy, processes and technology are then applied to buy down that risk, starting with the highest-risk areas and working toward the lower-risk ones.
It is, unfortunately, becoming commonplace to read about breaches that cause significant damage to corporations or theft of financial resources. In one recent example, attackers stole $81 million from Bangladesh Bank, the country’s central bank, via fraudulent transfer instructions issued from the bank’s own systems (initial reports, including the one linked, put the figure at $100 million: http://www.databreachtoday.com/bangladesh-bank-hackers-steal-100-million-a-8958). Implementing a security program is essential to address the risks of modern-day business, but a point-in-time or set-it-and-forget-it security program cannot keep up with today’s threats. Just as the threat landscape is dynamic, your security program must be equally dynamic. That is where continuous monitoring comes in: it allows your organization to adapt to the changing landscape and address the evolving risks it faces.
For any continuous monitoring program to succeed, you must know your enterprise. Sun Tzu, the ancient Chinese general, military strategist and philosopher, wrote, “If you know neither the enemy nor yourself, you will succumb in every battle.” It is difficult to know the multitude of our digital enemies, but we can and should know ourselves intimately, starting with an accurate inventory of the systems, data and users in scope.
With that knowledge of our organization and its supporting environment, we can get to work. The first step is to develop a strategy and a supporting program. Start simple; don’t try to monitor everything at once. Focus on the critical controls first and make sure your technical (e.g. secure system configurations) and procedural (e.g. user access reviews) monitoring techniques are solid. Evaluate whether they are producing the right data and actually informing decisions about your organizational risks. As your awareness increases, you will be able to prioritize your remediation efforts.
As part of your continuous monitoring program, use both proactive and detective techniques. Proactive techniques include active vulnerability scanning, configuration and patch management, and monitoring of your applications and endpoints. Detective techniques include log consolidation, reduction, analysis and reporting, and other alerting mechanisms. Multiple commercial and open-source tools are available to help; in continuous monitoring, automation is your friend. Be careful not to get lost in the volume of data produced: if a check or alert isn’t giving you actionable information, change it so it does. The key is that the tools provide the data needed to identify where remediation is necessary and to support risk decisions.
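To make the two kinds of technique above concrete, here is a small added example (not code from the original post or from L&C): one proactive check that compares an sshd_config against a hardening baseline (the “secure system configurations” monitoring mentioned in the previous paragraph) and one detective check that reduces raw auth log lines to per-source failed-login counts and alerts above a threshold. The baseline values, the config excerpt and the log lines are all constructed for the example; the OpenSSH directive names are real, but the chosen values are assumptions, not a recommended standard.

```python
"""Two minimal continuous-monitoring checks.

Added illustration, not from the original post. Baseline values, config
content and log lines below are constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# --- Proactive: configuration baseline (drift) check ---------------------------

# Hypothetical hardening baseline. The directive names are real OpenSSH
# directives; the expected values are this example's own assumptions.
SSHD_BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "MaxAuthTries": "4",
}


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Return directive -> value (keys lower-cased), skipping blanks and comments.

    sshd honours the FIRST occurrence of a directive and ignores later ones,
    so the parser keeps the first value it sees to match the effective config.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # directive with no value; leave it to sshd to reject
        effective.setdefault(parts[0].lower(), parts[1].strip())
    return effective


def check_config(text: str, baseline: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (directive, expected, actual) for every deviation from the baseline.

    A directive that is not set at all is reported as '<unset>': the compiled-in
    default then applies, which a baseline check should not silently trust.
    """
    actual = parse_sshd_config(text)
    findings = []
    for directive, expected in baseline.items():
        value = actual.get(directive.lower(), "<unset>")
        if value.lower() != expected.lower():
            findings.append((directive, expected, value))
    return findings


# --- Detective: log reduction and alerting -----------------------------------

# Matches the OpenSSH failed-password message, with or without "invalid user".
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def failed_logins_by_source(lines: List[str]) -> Counter:
    """Reduce raw auth log lines to a count of failed logins per source address."""
    counts: Counter = Counter()
    for line in lines:
        m = FAILED_LOGIN.search(line)
        if m:
            counts[m.group("src")] += 1
    return counts


def brute_force_alerts(lines: List[str], threshold: int = 5) -> List[Tuple[str, int]]:
    """Return (source, count) for sources at or above the threshold, busiest first."""
    counts = failed_logins_by_source(lines)
    return sorted(((src, n) for src, n in counts.items() if n >= threshold),
                  key=lambda kv: (-kv[1], kv[0]))


# --- Constructed sample input (not real systems or real logs) -----------------

SAMPLE_SSHD_CONFIG = """\
# sshd_config excerpt, constructed for the example
Port 22
PermitRootLogin yes
MaxAuthTries 4
# PasswordAuthentication deliberately left unset
"""

SAMPLE_AUTH_LOG: List[str] = [
    f"Mar  9 10:01:{i:02d} host1 sshd[22{i}]: Failed password for invalid user admin "
    f"from 203.0.113.5 port {4400 + i} ssh2"
    for i in range(6)
] + [
    "Mar  9 10:02:10 host1 sshd[2300]: Failed password for root from 198.51.100.7 port 5000 ssh2",
    "Mar  9 10:02:15 host1 sshd[2301]: Accepted publickey for deploy from 198.51.100.7 port 5001 ssh2",
]

if __name__ == "__main__":
    for directive, expected, actual in check_config(SAMPLE_SSHD_CONFIG, SSHD_BASELINE):
        print(f"DRIFT {directive}: expected {expected!r}, found {actual!r}")
    for src, n in brute_force_alerts(SAMPLE_AUTH_LOG):
        print(f"ALERT {n} failed SSH logins from {src}")
```

Run against the constructed input, the config check reports two drifts (root login enabled, password authentication unset) and the log check reduces eight lines to a single alert for 203.0.113.5, while the one failure from 198.51.100.7 stays below the threshold. That reduction step is the point: the monitoring tool should hand you the handful of items that need a decision, not the raw volume.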
Hopefully, this post has pointed you in the right direction for taking your first step toward a continuous monitoring program. Remember the security mantra, “prevention is ideal, but detection is a must.” With continuous monitoring in place, you will be much better equipped to detect where security controls are not working, identify where remediation is needed and make the changes your risk management program requires to address the ever-evolving threat landscape.
For more information on continuous monitoring, see our blog post FedRAMP Continuous Monitoring — What Are the Responsibilities of the CSP and 3PAOs? or contact us for more information.
Ray Dunham started his career as an Air Force Officer in 1996 in the field of Communications and Computer Systems. Following his time in the Air Force, Ray worked in the defense industry in areas of system architecture, system engineering, and primarily information security. Ray leads L&C’s FedRAMP practice but also supports SOC examinations and HITRUST assessments. Ray enjoys working with clients to secure their environments and provide guidance on information security principles and practices.