In today’s highly virtualized environments, where continuous integration and deployment are the norm - it’s just impossible to manually ensure that both security and regulatory compliance controls are adequate.
With virtualized workloads, apps, and the supporting infrastructure being persistently updated, your enterprise needs automated and constant security checks to be ran in parallel. Gone are the days of running monthly security and regulatory compliance assessments. As continuous integration and deployment pipelines rapidly become the norm, rather than the exception, a fundamental shift in the way enterprises view security is essential.
But where to start the continuous security monitoring? When looking at your environment in its entirety, with an eye toward monitoring everything all of the time, it can appear overwhelming. And the reality is that you can’t start monitoring everything all at once. Choices need to be made about where to start: endpoints, servers, and applications need the most oversight?
When deciding where to start your continuous monitoring efforts, the first place to look could be where those who would attack you may also first look. What data or resources would attackers most likely want to target? Is it your intellectual property? The customer data you hold? Perhaps you won’t be the direct target; the attackers may be looking to infiltrate high value partners. Your security teams need to begin monitoring your most valued assets for potential attack paths. This includes network and system logs, and traffic, looking for anomalous behavior, as well as your system configurations.
They key is to focus on monitoring and protecting the most important assets and applications. You’ll need to work closely with audit and compliance teams, operations teams, business application owners, and security teams to identify these assets. Essentially, aim to identify the most critical and valuable systems and data, as well as those that fall under the purview of regulatory compliance, and start your continuous monitoring efforts there.
When implementing continuous security and regulatory compliance monitoring of your high-value assets, include their configurations, the status of security technologies such as anti-malware, network and application firewalls, data leak prevision technologies, etc.
From here you are going to need to automate as many of your security controls as you can, while also monitoring their configurations to ensure that they are managed very consistently across all environments. Are your network configurations identical from one cloud to another? Do your wireless LANs have the same security posture? Are those servers classified at the same risk levels set to similar security configurations, and so on? In this way automation will help you to attain consistency throughout your environment.
What will this continuous security and regulatory compliance monitoring do for you?
Plenty when it comes to building a resilient environment.
When continuously deploying new applications – you will be introducing new mistakes into the environment and by continuously monitoring your environment, you’ll be finding new security errors as they are introduced – so while you will be moving as quickly as you can – you will be bringing your security efforts with you.
As you look for ways to initiate or expand upon your continuous security-monitoring program, I found the NIST Special Publication Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (Don’t worry, most of the advice is applicable to all large enterprises, not just government environments) to be extremely helpful in its guidance. And the SANS 20 Critical Security Controls is a great starting place to identify controls that can be automated.