I D C A N A L Y S T C O N N E C T I O N

Transcription

1 I D C A N A L Y S T C O N N E C T I O N Robert Westervelt Research Manager, Security Products T h e R o l e a nd Value of Continuous Security M o nitoring August 2015 Continuous security monitoring (CSM) provides a window into an organization's risk posture and allows for that risk position to be monitored and improved. Organizations are looking for ways of optimizing their security infrastructure to cost-effectively deal with real threats. Continuous security monitoring tools and processes provide the knowledge and intelligence that enable IT professionals to coordinate cyberdefense. CSM products can be considered the "brains" of an organization's security efforts. The following questions were posed by Tenable to Robert Westervelt, research manager for IDC's Security Products group, on behalf of Tenable's customers. Q. Enterprises spend a considerable amount of money on security products, but serious breaches continue to plague those same organizations. Is there something else people can do to improve their security investments? A. The latest spate of high-profile breaches has prompted organizations to reassess their approach to securing their critical assets. One of the best ways to do that is by bolstering visibility through continuous security monitoring. The best approach is to use tools that pull in contextual data over network, user, and application activity within both the corporate confines and the extended network. Continuous security monitoring provides the context required to gain situational awareness and, in turn, accelerates response when security incidents are identified, which is sorely needed if enterprises are ever going to break this persistent litany of breaches. Having continuous security monitoring tools also bolsters the security program by supporting risk-based decisions over the shotgun approaches to security decisions we see so often when critical incidents occur. That kind of security decision making when organizations are already in crisis is costly and doesn't necessarily result in protecting the most critical assets. Building in threat information with the contextual data collected about changes to the network, user habits, and application use provides the salient information required to make sound impact assessments. This kind of decision making helps security teams focus on mitigating risks to the data that keeps the blood flowing in the organization. Q. Could you explain what is meant by "continuous security monitoring"? A. Continuous monitoring is the ability to gain situational awareness of all devices and applications on the network; proactively identify, prioritize, and remediate vulnerabilities and configuration weaknesses; and gain a clear understanding that all the deployed security controls supporting IDC 1977

2 the security program are performing effectively. Continuous security monitoring enables organizations to ensure adequate protection of sensitive corporate and customer data. It involves correlating data from endpoint and network devices, security appliances, and software to identify internal threats and signs of attackers already present on the network. The result of an ongoing monitoring program is gaining a clear understanding at all times of the organization's true security posture. A program uses a mixture of automation and manual processes to achieve this complete situational awareness. Organizations typically pull in log data from the network, endpoints, and applications, analyzing and correlating events to identify potential problems that require further investigation. Forward-leaning organizations interviewed by IDC also use a mixture of passive and active vulnerability scanning to identify vulnerabilities and configuration errors in systems and applications and also identify evidence of malware and botnet activity. Those scans probe systems regularly and examine network traffic for anomalous activity that could signal a serious threat or a growing performance issue before it disrupts business operations as well as evidence of cloud services use, the presence of virtual systems, and mobile devices attempting to connect to corporate resources. It also involves regularly assessing system status across the corporate environment and its extended environments to verify the resiliency of the infrastructure as part of a proactive risk mitigation program. The data gleaned from vulnerability scanning and log management can be combined with information pulled from support systems that manage help desk requests, asset and configuration management, and incident response activities to gain additional insight. Some organizations are also adding external threat intelligence feeds both static and customized feeds to rapidly deploy protective measures when new attacks are detected and investigate whether system activity shows any known indicators of compromise associated with those attacks. Organizations that have been successful at this also gain buy-in from senior leadership and pull in lines-of-business leaders with the most knowledge of the company's core assets and business mission. They combine their knowledge with those of IT operations and security practitioners who understand the infrastructure and security controls in place to enforce data governance policies. Having these individuals involved can help everyone gain a clear understanding of the organization's risk tolerance. Q. It's generally difficult to quantify the value of security. Given that, what are the benefits an organization should expect from continuous security monitoring? A. Organizations that maintain continuous network monitoring programs improve their agility, creating a proactive security program rather than one that is consistently reacting to security incidents. Continuous monitoring enables the IT team to identify newly introduced security weaknesses before they are targeted by an attacker. The increased visibility also enables chief information security officers (CISOs) to allocate resources based on the relative impact an identified weakness has on valuable assets. If an organization is conducting passive vulnerability scanning and network traffic analysis, the data gleaned can be correlated with log data from workstations, servers, and network security gear to identify malware and other threats. This approach has also been proven to identify advanced threats, including new zero-day malware often used in targeted attacks. The data collected pulls together suspicious log-in activity, changes in network traffic that indicates botnet communication, or running processes that could be evidence of the presence of malware or criminal lateral movement within the organization IDC

3 Data breach investigations consistently identify that the common point of failure for victim organizations is the lack of proactive monitoring including oversight of remote access connections, which are frequent targets of criminals. Changes in outbound communication could also signal malware communication to remote servers or data exfiltration already in progress. Attackers often cloak their malicious activity using encryption, but abnormal traffic can trigger immediate action and further investigation. The key is to have a strong correlation engine that can identify issues and also provide the context required behind the identified issues to support rapid incident response. It is easier said than done, and most organizations have not assessed their incident response procedures, an essential component that makes continuous monitoring truly effective. Once all the continuous monitoring components are in place, maintained, and consistently used by the IT team, the enriched security program could give a company a competitive advantage. Senior executives will have the metrics in place to demonstrate to potential business partners and customers evidence of a strong security posture. The enhancements also support risk-based decision making or a data-driven approach to risk mitigation. The data gleaned from continuous monitoring can be used to measure the effectiveness of existing security investments and establish the foundation for a securityminded culture among employees. Compliance initiatives are also bolstered by having a clear validation of regulatory compliance status at all times. But more importantly, the IT security team gains a continuous knowledge of all the assets within the organization and prioritizes efforts to reduce the attack surface. The CISO can corroborate budget requests for future technology investments with data that can be easily understood by senior leadership within the organization. Q. What are the components of a continuous security monitoring solution, and which features should an enterprise concentrate on when evaluating such a solution? A. Before an organization begins evaluating continuous security monitoring solutions, an assessment should identify existing security infrastructure, the location of sensitive assets, and data flow. A clear understanding of the operational processes in place and the goals for the program is also necessary to develop requirements for evaluating solutions. A continuous security monitoring solution should have a flexible deployment model with components that support on-premises, cloud-based, or hybrid approaches. It must have the ability to pull in data from a variety of sources, including existing third-party log management, data loss prevention, and file integrity monitoring products. It must be able to assess and gauge the effectiveness of intrusion prevention systems, firewalls, and other network defenses. The solution should be scalable and have the flexibility to adapt to infrastructure changes. It must be capable of proactive auditing to maintain a constant snapshot of system statuses and alert when configuration weaknesses or vulnerabilities are detected. The solution should be agile enough to support rapid response and have the ability to measure the effectiveness of mitigation efforts, including modified security controls and the addition of new security technologies. Look for reporting capabilities that are intuitive and customizable and that provide mitigation guidance and workflows for rapid response when issues are identified. More robust solutions can prioritize risks based on system configurations, the organization's risk posture, and the sensitivity of the assets at risk. Ease of use is important, and report templates should support a variety of use cases. The analytics engine should support incorporating threat intelligence feds and be agile enough to process data about new threats. It should be capable of correlating activity from endpoint agents, logs, and data generated by emerging advanced threat detection products IDC 3

4 Dashboards must be configurable, display high-level information, allow drilldown for more granular data, and give the organization the ability to tailor the display to individual use cases. Management controls should support customization based on the organization's risk posture and the ability to tune alerts to eliminate false positives. Any generated alerts must have the context behind them to help investigators identify, scope, and contain a threat quickly. Q. Many talk about the IT security ecosystem as consisting of people, process, and technology, yet it seems technology gets the lion's share of attention. Should organizations be looking at security more holistically? A. Absolutely. In recent years, we have seen what happens when organizations fail to calculate the full impact of adopting new security technology. Despite the adoption and deployment of modern security systems capable of detecting advanced threats, there have been countless data breaches that stem from the failure to prioritize and investigate alerts, process breakdowns, inadequate or nonexistent training, and a lack of planning. Failing to thoroughly vet the impact of a new technology results in not getting the full value out of the investment or worse it can cause a false sense of security. A thorough evaluation includes understanding the immediate and long-term impact of the new solution, including the need for potential changes to the incident response workflow and ongoing maintenance and optimization requirements when changes take place. Reports detailing data breaches consistently find attackers targeting mainly known vulnerabilities and using configuration weaknesses to their advantage. Criminals bypass poorly configured and maintained network security appliances and steal account credentials to spoof a valid user and avoid being detected. Organizations can greatly reduce the potential for these lapses by becoming, achieving, and maintaining a proficient security program and using proactive monitoring to make it more costly for criminals to carry out attacks against their network. The essential technology ingredients at the heart of any continuous network monitoring program are vulnerability scanning tools to probe systems and monitor network traffic for threats and an analytics engine capable of correlating and analyzing an extensive amount of log data, network, and endpoint activity. This involves bridging silos of data, addressing weak or inadequate processes, assessing and updating policies, and communicating those policies effectively. Modern security technologies must be flexible enough to integrate with diverse security infrastructure to enable organizations to create agile security systems. Rather than layering or bolting on security technology, forward-leaning organizations are linking detached systems to interoperate when a security incident occurs. If done the right way, these systems can share threat data to become situationally aware. These intelligent security systems can respond when a threat is detected and apply protections to the rest of the network if they are needed. A B O U T T H I S A N A L Y S T Robert Westervelt is a research manager within IDC's Security Products group. He provides insight and thought leadership in the areas of cloud security, mobile security, and security related to the Internet of Things (IoT). Westervelt is also responsible for research and analysis around a wide range of evolving security markets, including endpoint security, security and vulnerability management (SVM), and identity and access management (IAM) IDC

5 A B O U T T H I S P U B L I C A T I ON This publication was produced by IDC Custom Solutions. The opinion, analysis, and research results presented herein are drawn from more detailed research and analysis independently conducted and published by IDC, unless specific vendor sponsorship is noted. IDC Custom Solutions makes IDC content available in a wide range of formats for distribution by various companies. A license to distribute IDC content does not imply endorsement of or opinion about the licensee. C O P Y R I G H T A N D R E S T R I C T I O N S Any IDC information or reference to IDC that is to be used in advertising, press releases, or promotional materials requires prior written approval from IDC. For permission requests, contact the IDC Custom Solutions information line at or [email protected]. Translation and/or localization of this document require an additional license from IDC. For more information on IDC, visit For more information on IDC Custom Solutions, visit Global Headquarters: 5 Speen Street Framingham, MA USA P F IDC 5