Tech Insight: Speeding Up Incident Response With Continuous Monitoring

Increase speed and effectiveness of incident response through continuous monitoring and enterprise IR tool integration

Continuous monitoring is a buzz phrase that has come back to life thanks to the U.S. Office of Management and Budget and the Homeland Security Department telling government agencies to implement information security continuous monitoring (ISCM). NIST also released three new documents in January specifically addressing ISCM. What is it? NIST defines ISCM as "maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions." Sounds like something companies with highly sensitive environments or data should be doing already, right?

Continuous monitoring is really nothing new. In its simplest form, it's a transition from the occasional, static analysis of logs, to analysis on a semi-regular to regular basis, to continuous automated analysis and correlation of logs from every system in an enterprise. This constant feed of information is designed to provide near real-time situational awareness to security and operations staff in order to detect new attacks, identify previously unseen threats, and react quickly with actionable information.

While C-level executives will read the definition above and groan due to the perceived cost in technology and personnel, what they don't realize is that continuous monitoring is, in part, just an extension of current processes and technology. It combines log monitoring and analysis, or a SIEM, with data from vulnerability scanners and configuration management systems to provide a complete picture of what's going on within the enterprise network at a moment's notice. If an attack is detected, the knowledge provided through continuous monitoring can show whether it was successful based on whether the target was vulnerable and system activity occurring on the target itself.
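As an added example (not code from the article or any product it describes), the Python below sketches the correlation this paragraph describes: an IDS alert is joined against vulnerability-scan results for the targeted host and against that host's own telemetry, and the combination decides whether the attempt was probably successful. The alerts, scan results, host events, field names, verdict labels and the CVE id (CVE-0000-0001 is a placeholder) are all constructed assumptions.

```python
"""Judge whether an IDS alert hit a vulnerable, reacting host.

Added example, not the article's code. Alerts, scan results and host
events are constructed samples; field names, verdict labels and the
CVE id are assumptions (CVE-0000-0001 is a placeholder).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Alert:
    ts: datetime
    src_ip: str   # source address reported by the IDS
    dst_ip: str   # targeted host
    cve: str      # CVE the signature claims to exploit


@dataclass
class HostEvent:
    ts: datetime
    host_ip: str
    kind: str     # "process", "file", "registry" or "netconn"
    detail: str


# Interactive shells: a server process launching one right after an
# exploit attempt is the classic sign of code execution (assumption).
SHELLS = ("cmd.exe", "powershell.exe", "/bin/sh", "/bin/bash")


def is_suspicious(event: HostEvent, alert: Alert) -> bool:
    """Host-side follow-on activity that corroborates the alert."""
    if event.kind == "netconn" and alert.src_ip in event.detail:
        return True          # target connected back to the alert's source
    if event.kind == "process" and any(s in event.detail for s in SHELLS):
        return True          # a shell was launched on the target
    return False


def assess_alert(alert, vuln_inventory, host_events, window=timedelta(minutes=5)):
    """Return (verdict, reasons) combining scanner state and host telemetry."""
    reasons = []
    if alert.dst_ip not in vuln_inventory:
        vuln_state = "unknown"
        reasons.append(f"{alert.dst_ip} not in vulnerability inventory")
    elif alert.cve in vuln_inventory[alert.dst_ip]:
        vuln_state = "vulnerable"
        reasons.append(f"scanner reports {alert.cve} unpatched on {alert.dst_ip}")
    else:
        vuln_state = "not vulnerable"
        reasons.append(f"scanner does not list {alert.cve} on {alert.dst_ip}")

    evidence = [e for e in host_events
                if e.host_ip == alert.dst_ip
                and alert.ts <= e.ts <= alert.ts + window
                and is_suspicious(e, alert)]
    reasons += [f"host {e.kind} event at {e.ts:%H:%M:%S}: {e.detail}" for e in evidence]

    # Host evidence outranks the scanner, because scan data may be stale.
    if evidence:
        verdict = "likely successful"
    elif vuln_state == "not vulnerable":
        verdict = "likely failed"
    elif vuln_state == "vulnerable":
        verdict = "exposed, unconfirmed"
    else:
        verdict = "unknown"
    return verdict, reasons


# Constructed sample data -------------------------------------------------
T0 = datetime(2012, 7, 20, 14, 0, 0)
VULN_INVENTORY = {            # scanner output: host -> unpatched CVEs
    "10.0.0.5": {"CVE-0000-0001"},
    "10.0.0.6": set(),
    "10.0.0.8": {"CVE-0000-0001"},
}
HOST_EVENTS = [               # records from an always-on host agent
    HostEvent(T0 + timedelta(seconds=20), "10.0.0.5", "process", "w3wp.exe spawned cmd.exe"),
    HostEvent(T0 + timedelta(seconds=45), "10.0.0.5", "netconn", "outbound tcp to 203.0.113.9:443"),
    HostEvent(T0 + timedelta(seconds=30), "10.0.0.6", "process", "httpd spawned httpd worker"),
    HostEvent(T0 + timedelta(hours=2), "10.0.0.6", "process", "/bin/bash backup.sh"),  # outside window
]
ALERTS = [Alert(T0, "203.0.113.9", ip, "CVE-0000-0001")
          for ip in ("10.0.0.5", "10.0.0.6", "10.0.0.7", "10.0.0.8")]


def triage(alerts=ALERTS, vuln=VULN_INVENTORY, events=HOST_EVENTS):
    """Map each targeted host to its verdict, for the SIEM to prioritise."""
    return {a.dst_ip: assess_alert(a, vuln, events)[0] for a in alerts}


if __name__ == "__main__":
    for a in ALERTS:
        verdict, reasons = assess_alert(a, VULN_INVENTORY, HOST_EVENTS)
        print(f"{a.dst_ip}: {verdict}")
        for r in reasons:
            print("   -", r)
```

The ordering of the final decision is the point: a host that shows shell activity or a connection back to the alert source is treated as compromised even if the scanner says it is patched, while a host the scanner knows is exposed but that shows no follow-on activity is queued as "exposed, unconfirmed" rather than dismissed. The 10.0.0.6 bash event is two hours after the alert and falls outside the correlation window, so it does not count.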

From my perspective as a security practitioner and incident responder, having access to this breadth of information is the Holy Grail of security -- if it is easily and quickly searchable. In essence, continuous monitoring tools and processes should enable security pros to react more quickly and efficiently when responding to security incidents -- ideally, in time to detect a breach and prevent further data theft and damage to the organization.

To speed up the response effort, enterprise incident response tools complement continuous monitoring environments well. Depending on the solution chosen, it may feed live data about system activity and alerts directly into a SIEM system, or it might provide on-demand remote incident response capabilities. The difference is that the former is more focused on creating a running record of activities occurring on a system, while the latter is used to perform live incident response activities against one or many remote hosts.

On-demand incident response solutions are the more traditional enterprise incident response tools and have been around for a little more than half a decade. They leverage an agent running on each desktop and server, providing quick, on-demand access for security teams who need to investigate suspicious happenings. Security investigators can analyze running processes, image live memory and hard drives, analyze the local hard drive, copy files, and more.

On-demand enterprise incident response tools complement the continuous monitoring process by providing immediate incident response capabilities on hosts with anomalous behavior. More recent versions of these solutions have begun including monitoring capabilities that do not require user intervention to create searches in order to get data back. They can be set to send alerts whenever malicious activity is detected or known indicators of compromise are found on a system. Depending on the solution, it may or may not have an API specifically designed to integrate with SIEM platforms.

Similar to an enterprise change management solution, these always-on incident response monitoring tools keep a record of all activity, including running processes, file system changes, and modifications to the Windows registry. The resulting logs can either be analyzed and processed by the solution's own management interface and back-end analysis system, or fed into an existing enterprise monitoring tool or SIEM for correlation with logs from other systems. The major benefit is that an evidence trail of all activity over time is created, which can greatly speed up the incident response process and security investigations.
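As an added example (not the article's code and not any vendor's product), the Python below takes the kind of always-on host record this paragraph describes (process starts, file system changes, registry modifications), matches each record against a small indicator list, and then pulls the surrounding records for the affected host into the evidence trail an investigator would want. The key=value log format, the indicator list (the hash is a placeholder, not a real IoC), the hostnames and every record are constructed assumptions.

```python
"""Match always-on host telemetry against indicators and build an evidence trail.

Added example, not the article's or any vendor's code. The key=value log
format, the indicator list and every record below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed agent output: one record per line, timestamp then key=value pairs.
AGENT_LOG = """\
2012-07-20T14:00:05Z host=ws-017 type=process name=outlook.exe parent=explorer.exe sha256=aaaa0001
2012-07-20T14:00:20Z host=ws-017 type=file op=create path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.pdf.exe sha256=bad00001
2012-07-20T14:00:21Z host=ws-017 type=process name=invoice.pdf.exe parent=outlook.exe sha256=bad00001
2012-07-20T14:00:23Z host=ws-017 type=registry op=set key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=Updater data=C:\\Users\\jdoe\\AppData\\Local\\Temp\\invoice.pdf.exe
2012-07-20T14:01:00Z host=ws-042 type=process name=chrome.exe parent=explorer.exe sha256=aaaa0002
"""

IOCS = {
    "sha256": {"bad00001"},                         # placeholder hash, not a real indicator
    "autorun_dirs": ("\\appdata\\local\\temp\\",),  # persistence launched from a temp directory
}

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one agent record into a dict with a parsed 'ts' field."""
    ts, rest = line.split(" ", 1)
    rec = dict(FIELD.findall(rest))
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_hits(records, iocs):
    """Return (record, reason) pairs for records matching an indicator or rule."""
    hits = []
    for r in records:
        if r.get("sha256", "").lower() in iocs["sha256"]:
            hits.append((r, f"known-bad hash {r['sha256']} ({r['type']})"))
        if (r.get("type") == "registry" and r.get("op") == "set"
                and r.get("key", "").lower().endswith("\\currentversion\\run")
                and any(d in r.get("data", "").lower() for d in iocs["autorun_dirs"])):
            hits.append((r, f"Run key '{r.get('value')}' points into a user temp directory"))
    return hits


def evidence_trail(records, host, first_hit_ts,
                   before=timedelta(seconds=60), after=timedelta(minutes=10)):
    """All records for the host around the first hit, oldest first."""
    lo, hi = first_hit_ts - before, first_hit_ts + after
    return sorted((r for r in records if r["host"] == host and lo <= r["ts"] <= hi),
                  key=lambda r: r["ts"])


def investigate(log=AGENT_LOG, iocs=IOCS):
    """Map each affected host to its match reasons and a compact timeline."""
    records = [parse_line(l) for l in log.splitlines() if l.strip()]
    hits = find_hits(records, iocs)
    report = {}
    for r, reason in hits:
        report.setdefault(r["host"], {"reasons": [], "trail": []})["reasons"].append(reason)
    for host, info in report.items():
        first = min(r["ts"] for r, _ in hits if r["host"] == host)
        info["trail"] = [
            f"{r['ts']:%H:%M:%S} {r['type']:8} {r.get('name') or r.get('path') or r.get('key')}"
            for r in evidence_trail(records, host, first)
        ]
    return report


if __name__ == "__main__":
    for host, info in investigate().items():
        print(host)
        for reason in info["reasons"]:
            print("  hit:", reason)
        for line in info["trail"]:
            print("  ", line)
```

Two record types trip here: the dropped executable and its process start both carry the indicator hash, and the Run-key write is caught by a behavioural rule rather than a hash, which is what lets the same record stream flag persistence the indicator list has never seen. The trail then shows the mail client that preceded the drop, which is the context a responder needs before deciding how far back to pull the host's full history.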

The path to continuous monitoring is not an easy or quick one, but the end result can mean the difference between identifying a data breach as it occurs, versus being notified months later by a third party. Integrating it with an enterprise incident response tool can aid in streamlining the response process to stop incidents as they are occurring and prevent additional collateral damage.

In the end, it's all about knowing what's going on and being able to act quickly.

Comments
JCharles, User Rank: Apprentice
1/24/2013 | 5:04:30 PM
re: Tech Insight: Speeding Up Incident Response With Continuous Monitoring
Sure, a lot of vendors say they have the magic box/software that will fix all the problems automatically, but that's a mirage. And they're complex and expensive too. However, there are easy and cost-effective SIEM solutions out there like Secnology, but it will still take a good security expert to make the calls and set the rules.
johnhsawyer, User Rank: Moderator
7/24/2012 | 4:51:49 PM
re: Tech Insight: Speeding Up Incident Response With Continuous Monitoring
Thank you for the comment. I agree that a very large percentage of SIEM deployments are done incorrectly. That's unfortunate, but it is typically due to a lack of understanding on the part of the organization: not really understanding what it is they are buying, its capabilities, and the expectation that it will solve all their problems. And the fact that SIEM tends to be incredibly expensive, so they don't size it properly in order to save costs, or because they aren't including all the logs they should.

Your example is a common failure where those responsible for security have no idea what they should be focusing on. That's not a SIEM or continuous monitoring issue. It's an issue with lack of experience and understanding of what goes on within their network and how attacks really occur.

Regarding concentrating on the fundamentals, I agree that companies need to, but many of those fundamentals feed directly into a continuous monitoring model. Proper logging, log centralization, log monitoring, auditing turned on, firewalls configured properly, IDS tuned, and I could go on and on. Without those things, you can't build the proper platform and processes for continuous monitoring.

Sadly, most of the failures in the above areas come from overinflated promises from security vendors saying their tool is the magic bullet and companies believe them, buy the product, and realize too late that they're still not adequately protected.

-jhs
JRIKER303, User Rank: Apprentice
7/23/2012 | 8:50:59 PM
re: Tech Insight: Speeding Up Incident Response With Continuous Monitoring
Pie in the sky talk. I understand and appreciate why NIST develops and publishes this stuff, but the reality is that just about every organization I know has not even effectively implemented SIEM, much less correlated every log on every server. The canonical example is "We're going to log and investigate every failed login" - only to find many, many thousands of failed logins every day from scripts that must run with admin or root privs, and fail for unknown reasons. Enterprises need to concentrate on the fundamentals.
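The failure mode this comment describes (thousands of expected failed logins from privileged scripts burying the useful signal) is normally handled by baselining per account instead of alerting on every failure. As an added example that is not part of this thread, the Python below scores one day's failed logins against a constructed 14-day baseline: a noisy service account stays quiet until it fails from a host it has never used, a user account with an almost-zero baseline trips on a spike, and an account with no baseline at all is surfaced for review. All account names, hosts, counts, the floor and the multiplier are constructed assumptions.

```python
"""Baseline-aware failed-login alerting.

Added example, not part of the article or its comments. Accounts, hosts,
counts and thresholds are constructed; the baseline layout is an assumption.
"""
from collections import Counter
from statistics import median

# Constructed 14-day baseline per account: daily failed-login counts and
# the hosts those failures came from.
BASELINE = {
    "svc_backup": {
        "daily": [1180, 1210, 1195, 1203, 1188, 1199, 1207,
                  1190, 1211, 1185, 1202, 1196, 1204, 1193],
        "sources": {"backup01"},
    },
    "jdoe": {
        "daily": [0, 0, 1, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0, 0],
        "sources": {"ws-017"},
    },
}

# Constructed failed-login events for today: (account, source host).
TODAY_EVENTS = (
    [("svc_backup", "backup01")] * 1203   # the usual noisy script
    + [("svc_backup", "ws-099")] * 3      # same account, never-seen workstation
    + [("jdoe", "ws-017")] * 2
    + [("jdoe", "vpn-gw")] * 55           # spike from a new source
    + [("svc_etl", "etl01")] * 900        # account with no history at all
)


def evaluate(events=TODAY_EVENTS, baseline=BASELINE, floor=5, factor=3.0):
    """Return {account: [reasons]} for accounts worth a look today.

    An account is flagged when it has no baseline, when today's volume exceeds
    max(floor, factor * median daily count), or when any failures come from a
    source host absent from its baseline. Volume alone never flags an account
    whose noise is already part of its baseline.
    """
    counts = Counter(acct for acct, _ in events)
    sources = {}
    for acct, src in events:
        sources.setdefault(acct, Counter())[src] += 1

    findings = {}
    for acct, n in counts.items():
        reasons = []
        base = baseline.get(acct)
        if base is None:
            reasons.append(f"no baseline: {n} failures from an account not seen failing before")
        else:
            threshold = max(floor, factor * median(base["daily"]))
            if n > threshold:
                reasons.append(f"volume {n} exceeds baseline threshold {threshold:.0f}")
            for src, c in sources[acct].items():
                if src not in base["sources"]:
                    reasons.append(f"{c} failures from new source {src}")
        if reasons:
            findings[acct] = reasons
    return findings


def fold_into_baseline(baseline, events, keep=14):
    """Roll a reviewed, benign day into the baseline, keeping the last `keep` days.

    Only fold in days that were investigated and found benign; folding in an
    incident day would teach the baseline that the attack is normal.
    """
    counts = Counter(acct for acct, _ in events)
    for acct, n in counts.items():
        base = baseline.setdefault(acct, {"daily": [], "sources": set()})
        base["daily"] = (base["daily"] + [n])[-keep:]
        base["sources"].update(src for a, src in events if a == acct)
    return baseline


if __name__ == "__main__":
    for acct, reasons in evaluate().items():
        print(acct)
        for r in reasons:
            print("   -", r)
```

The design choice worth noting is that the noisy `svc_backup` account is not flagged for its 1,203 routine failures, yet its three failures from `ws-099` still surface, because "who is failing" is baselined separately from "how often". That is the distinction the comment's every-failed-login rule lacks.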