Bit defender ebook_secmonitor_print
Continuous Security Monitoring in a Continuous World
Threats are moving quickly, so cybersecurity efforts need to keep up.
Page 2
The Twin Forces of Change in IT
The massive moving forces of innovation and security threats today are crushing the average enterprise IT department.
On one side, the evolution of network systems continues to accelerate at lightning speed. Cloud, virtualization, containerization, big data analytics, mobility, and the Internet of Things are now constantly rewriting the rules of connectivity and data governance.
On the other, attackers seek to keep enterprises on their back feet by changing their techniques just as rapidly, if not more so.
On their own, each of these dynamic forces would be painful to contend with. Together, these parallel trends threaten the entire enterprise’s bottom line.
The only way for IT to adapt their networks to the twin forces of change in technology is to ensure that security evolves just as quickly as the infrastructure and the threats. The only way for this kind of dynamic security to take hold is through continuous security monitoring.
Page 3
As you know, today’s enterprises are highly virtualized, with servers and applications continuously being integrated, deployed, and updated. Workloads shift from public cloud infrastructure to on-premise storage systems and back again, while your users are connecting new and more devices every day.
Couple those agile and ever-changing systems with an increased likelihood of security-related errors and with skilled and persistent attackers, and the risk of breached and disrupted systems increases dramatically.
With all those factors considered, the conclusion is unavoidable: manual security measures just can’t ensure that systems and applications remain managed in line with internal security policies and hardened against attack. Additionally, modern IT practices such as DevOps mean that applications and infrastructure change more rapidly than ever before. As fast as systems are being developed, deployed, and updated, security checks need to be run in parallel and just as swiftly. Gone are the days of running monthly security assessments.
This is the only way that enterprises can expect to successfully defend themselves against attackers now.
Page 4
The lessons of recent cybersecurity history are also unambiguous:
Compliance-driven and reactive information security efforts will not succeed at mitigating system vulnerabilities and threats to a tolerable state.
Networked business-technology assets need to be inventoried, configured, and maintained; their vulnerabilities must be identified and mitigated; and they need to be vetted constantly for signs of malware and compromise. If these processes can’t be automated, they can’t be managed successfully.
But it can be daunting to figure out where or how to start a Continuous Security Monitoring (CSM) effort. Some enterprises try to tackle too much at once, and give up once they start. Others decide it is too overwhelming, and they don’t start at all. That’s not good, but it’s why we wrote this guide.
While CSM hasn’t necessarily taken hold of the mainstream, there are plenty of thought leaders in both private and government sectors who realize the importance of automating and monitoring as many security processes as possible. They understand that this kind of automation not only reduces data breach risks but makes it possible to identify and stop potential attacks when suspicious activities are spotted.
These folks have led the way in developing a number of excellent resources and frameworks that can help you get going on the path to continuous monitoring.
Start Building Momentum with a Framework
Page 5
GET STARTED WITH NIST
One great place to get started is the NIST Special Publication on Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations. Most of its advice is applicable to all large enterprises, not just government environments, and it provides extremely helpful guidance.
PCI IS ALSO HELPFUL
Another area where CSM has gained traction is in the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is also a broad set of security controls, but is aimed at protecting payment cardholder data. PCI DSS also stresses the ability to understand the daily system and application changes within any aspect of the enterprise.
CDM Framework
One effort that is well underway is the U.S. government’s Continuous Diagnostics and Mitigation (CDM) program. Created by Congress and run out of the U.S. Department of Homeland Security, CDM provides federal departments and agencies with what they need to know to put effective continuous security controls in place. CDM is a standardized way for federal entities to manage the threats and vulnerabilities that matter, based on the potential and likelihood of impact.
Also, unlike FISMA, which has been widely criticized for being an exercise in security paper shuffling and check boxing, CDM aims to help U.S. federal organizations better protect users, software, networks, and infrastructure by continuously examining their information technology systems for vulnerabilities and threats.
Page 6
The Three Primary Phases of Continuous Diagnostics and Mitigation
SOURCE: U.S. Department of Homeland Security. Last Published Date: November 6, 2015

PHASE 1: Identify and Manage Assets
HWAM: Hardware Asset Management
SWAM: Software Asset Management
CSM: Configuration Settings Management
VUL: Vulnerability Management

PHASE 2: Least Privilege and Infrastructure Integrity
TRUST: Access Control Management (Trust in People Granted Access)
BEHV: Security-Related Behavior Management
CRED: Credentials and Authentication Management
PRIV: Privileges

PHASE 3: Boundary Protection and Event Management for Managing the Security Lifecycle
PLAN: Plan for Events
RESPOND: Respond to Events
AUDIT/MONITOR: Generic Audit/Monitoring
DOCUMENT: Document Requirements, Policy, etc.
Boundary Protection (Network, Physical, Virtual)
QM: Quality Management
RISK MANAGEMENT
The government isn’t moving alone. The private sector is also embracing CSM frameworks in areas such as continuous improvement and automated testing in DevOps and the automating of the SANS 20 Critical Controls. Many enterprises are turning to the SANS 20 Critical Controls and using them to automate asset management, configuration management, vulnerability management, anti-malware, and data loss prevention, among other controls. The effort was informed by a number of international organizations and U.S. agencies and is currently managed within the SANS Institute.
SANS 20 Critical Controls
Page 7
SOURCE: SANS
Inventory of Authorized and Unauthorized Devices
Inventory of Authorized and Unauthorized Software
Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
Continuous Vulnerability Assessment and Remediation
Malware Defenses
Application Software Security
Wireless Access Control
Data Recovery Capability
Security Skills Assessment and Appropriate Training to Fill Gaps
Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
Limitation and Control of Network Ports, Protocols, and Services
Controlled Use of Administrative Privileges
Boundary Defense
Maintenance, Monitoring, and Analysis of Audit Logs
Controlled Access Based on the Need to Know
Account Monitoring and Control
Data Protection
Incident Response and Management
Secure Network Engineering
Penetration Tests and Red Team Exercises
Regardless of the framework you choose, there are typically five key components to an effective continuous monitoring program. As you build out your toolset to move toward continuous monitoring, keep in mind that this doesn’t have to be a complete transformation. In many cases you’re probably already using many of these tools in your information security program.
5 Key Components Of Continuous Security Monitoring
Page 8
Asset Management
Configuration Management
Vulnerability Management
Access Control
Incident Response
Page 9
Asset Management
Asset management software comprises all of the tools used to manage and inventory corporate-owned and corporate-used devices and applications. These include simple inventory management and asset-auditing software that is used to identify all authorized hardware and is able to quickly identify unauthorized hardware.
It is highly unlikely that any unauthorized devices are managed to any enterprise security policy. They are likely not only vulnerable to being breached, but already breached. It’s imperative that they be identified and either brought up to policy standard or removed from the network.
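As an added illustration (not code from the ebook or from Bitdefender), this is the reconciliation step an asset-management tool performs: a discovery sweep is compared against the authorized inventory so that devices nobody enrolled surface immediately, and authorized devices that have gone quiet are flagged for follow-up. The inventory and sweep records are constructed; the MAC normalization exists because DHCP leases, ARP tables, and switch exports each write addresses differently, and an unnormalized comparison would report every known device as unauthorized.

```python
import re
from dataclasses import dataclass, field

# Constructed sample data (hypothetical, not from the ebook): the authorized-asset
# inventory as a CMDB would hold it, and the output of one discovery sweep.
AUTHORIZED = [
    {"mac": "00:1A:2B:3C:4D:5E", "hostname": "fs01",   "owner": "infra",   "policy": "server-baseline"},
    {"mac": "00:1A:2B:3C:4D:5F", "hostname": "wk-042", "owner": "finance", "policy": "workstation-baseline"},
    {"mac": "00:1A:2B:3C:4D:60", "hostname": "wk-043", "owner": "finance", "policy": "workstation-baseline"},
]

DISCOVERED = [
    {"mac": "00-1a-2b-3c-4d-5e", "ip": "10.0.1.10", "hostname": "fs01"},        # dash-separated (Windows style)
    {"mac": "001a.2b3c.4d5f",    "ip": "10.0.2.42", "hostname": "wk-042"},      # Cisco dotted style
    {"mac": "3C:52:82:AA:BB:CC", "ip": "10.0.2.77", "hostname": "raspberrypi"}, # not in the inventory
]


def normalize_mac(mac: str) -> str:
    """Canonicalise the MAC formats different tools emit (colon, dash, Cisco dotted)
    so the same interface is recognised regardless of which source reported it."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


@dataclass
class Reconciliation:
    matched: list = field(default_factory=list)       # seen and authorized
    unauthorized: list = field(default_factory=list)  # seen but not in the inventory
    unseen: list = field(default_factory=list)        # in the inventory but absent from this sweep


def reconcile(authorized, discovered) -> Reconciliation:
    """Compare one discovery sweep against the authorized inventory."""
    auth_by_mac = {normalize_mac(a["mac"]): a for a in authorized}
    result = Reconciliation()
    seen = set()
    for d in discovered:
        mac = normalize_mac(d["mac"])
        seen.add(mac)
        if mac in auth_by_mac:
            result.matched.append({**auth_by_mac[mac], "ip": d["ip"]})
        else:
            result.unauthorized.append({**d, "mac": mac})
    for mac, a in auth_by_mac.items():
        if mac not in seen:
            result.unseen.append(a)
    return result


def report(r: Reconciliation) -> list:
    """One actionable line per exception; matched devices need no attention."""
    lines = []
    for u in r.unauthorized:
        lines.append(f"UNAUTHORIZED {u['mac']} {u['ip']} ({u.get('hostname', '?')}): quarantine, then enrol or remove")
    for a in r.unseen:
        lines.append(f"UNSEEN {normalize_mac(a['mac'])} {a['hostname']}: confirm offline or decommissioned")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(AUTHORIZED, DISCOVERED)):
        print(line)
```

Run continuously, the interesting output is the delta between sweeps rather than the full list: a device that is unauthorized in two consecutive sweeps is a ticket, and an authorized device that stays unseen for days should trigger an inventory review rather than silently remaining "managed".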
Page 10
Configuration Management
Your software configuration management process is how you identify software and system configurations, and either confirm that they are being managed to policy or find that they are deficient and need to be corrected.
Certainly, misconfigurations of IT assets need to be kept to a minimum. Attackers will scan your systems looking for such misconfigured assets and take advantage of them to gain a foothold on the network. Even if those vulnerable systems are not their primary target, they will infiltrate them and use them as a foothold to dig deeper.
Page 11
Vulnerability Management
Here, you assess for software vulnerabilities within your networked devices, remedy those that are identified (especially the critical-level vulnerabilities), and then test that patches and updates have been successfully applied.
Hopefully, if you run an enterprise of any size, you have a vulnerability management program in place.
Software weaknesses are a common way through which adversaries seek to gain entry onto networked devices.
Page 12
Access Control
Good access control is critical to success. The size and scope of these efforts are largely determined by the size of the enterprise, the number of employees, and the services they need access to. This typically includes everything from physical building and data center access to providing enterprise resources such as phones, desks, email, etc., and everything in between.
These are the processes that automate the provisioning and de-provisioning of users and devices to the network, systems, and enterprise resources.
This also includes the automated management and monitoring of identity access privileges (no greater authority for access than is necessary) and superuser access, such as that required for administrative rights.
Page 13
Incident Response
If an enterprise is going to be looking for indicators of breach and compromise, it needs to have effective ways to swiftly and adequately deal with those incidents.
For this, enterprises need to automate the detection of breaches as much as possible, and have the response in place to react to the degree necessary. Some breaches may require little manual response, perhaps pushing a new machine image out to an endpoint. Others may require extensive forensic analysis, remediation, and cleanup.
Page 14
Pulling the technology together: Continuous Security Monitoring Platform
Enterprises that embark on the path to continuous security monitoring are going to be collecting and managing a lot of data. A lot of data. It will be coming from network monitoring tools, intrusion detection systems, management consoles, compliance and configuration management toolsets, and so forth.
You will need a way to collect this data, analyze it, visualize it, and actually respond to it.
This will likely be a combination of existing toolsets, some snappy API and integration work, and maybe even building new custom tools.
In interviews with CISOs, many enterprises turn to their vulnerability management systems, which track a lot of system vulnerabilities, networked assets, and configuration settings. Others have turned to security information and event management systems, configuration management systems, and log management systems. And as these programs are built out, most of these tools are used in conjunction, with their outputs fed to data analysis and dashboard tools.
Realistically, as you build your CSM program out, you will have various siloed sets of information that, over time, you will pull together into an actual real-time ability to continuously monitor and react to system conditions.
Page 15
Page 16
Where do you start automating your CSM program? There are many approaches, such as automating what you currently have the tools to automate: regular vulnerability assessments, patch and antimalware updates, reporting and alerting, and so on. Another way is to identify the most critical assets and continuously monitor those and, over time, build that program out to the rest of the organization.
Some enterprises are automating based on the federal CDM, others on PCI DSS (for payment card data), and still others are looking at automating the 20 Critical Security Controls. The 20 Critical Controls were designed specifically for IT security professionals and provide straightforward, risk-based implementation guidance.
Automate everything you can, and then automate more
These controls stand on four pillars:
Focus on continuous monitoring to test and evaluate remediation
Provide common metrics that all stakeholders can understand
Automate processes
Use knowledge of actual attacks to build defenses
Page 17
That includes automating the maintenance of authorized and unauthorized device asset inventory, software, security device configurations, and continuous vulnerability assessment and remediation.
Organizations report that the 20 Critical Controls are very effective at helping them to select the right security technologies and then implement, configure, monitor, and manage a better information security program. And the critical controls of course strongly encourage automating controls enforcement wherever possible.
Page 18
So, where do you begin your continuous security monitoring efforts? When looking at your environment in its entirety, with an eye toward monitoring everything all of the time, it can appear overwhelming. And the reality is that you can’t start monitoring everything all at once. Choices need to be made about where to start: which endpoints, servers, and applications need the most oversight, and where a breach would cause the most damage.
This is why, when deciding where to start your continuous monitoring efforts, the first place to look could be where those who would attack you also may look first. What data or resources would attackers most likely want to target? Is it your intellectual property? The customer data you hold? Perhaps you won’t be the direct target; the attackers may be looking to infiltrate high-value partners. Your security teams need to begin monitoring your most valued assets for potential attack paths. This includes network and system logs, and traffic, looking for anomalous behavior, as well as your system configurations.
Attackers aren’t the only threat. The risks around regulatory compliance also rise in rapidly changing environments. Here, you need to take inventory of your assets and applications that touch regulated data. For compliance, you will need to consider continuously monitoring your asset configurations and event logs for any deviations from your compliance and security policy.
Getting started with CSM
The key is to focus on monitoring and protecting the most important assets and applications. You’ll need to work closely with audit and compliance teams, operations teams, business application owners, and security teams to identify these assets. Essentially, aim to identify the most critical and valuable systems and data, as well as those that fall under the purview of regulatory compliance, and start your continuous monitoring efforts there.
When implementing continuous security and regulatory compliance monitoring of your high-value assets, include their configurations and the status of security technologies such as anti-malware, network and application firewalls, data leak prevention technologies, etc.
From here, you are going to need to automate as many of your security controls as you can, while also monitoring their configurations to ensure that they are managed consistently across all environments. Are your network configurations identical from one cloud to another? Do your wireless LANs have the same security posture? Are servers classified at the same risk level set to similar security configurations? And so on. In this way automation will help you attain consistency throughout your environment.
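The consistency questions just raised (same network configuration in every cloud, same posture for servers at the same risk level) and the earlier call to monitor asset configurations for deviations from security policy both reduce to the same check: compare what each environment exports against one policy baseline, and separately compare the environments with each other. The following is an added example, not part of the ebook or of Bitdefender's tooling; the policy rules, the environment names, and the exported settings are constructed. A baseline rule is either an exact required value or a predicate, so "TLS 1.2 or newer" and "minimum password length at least 14" are expressed without hard-coding one value.

```python
# Constructed policy baseline (hypothetical): each setting maps either to the exact
# value required or to a predicate the observed value must satisfy.
BASELINE = {
    "ssh.password_auth": False,
    "ssh.root_login": False,
    "tls.min_version": lambda v: v in ("1.2", "1.3"),
    "password.min_length": lambda v: isinstance(v, int) and v >= 14,
    "antimalware.enabled": True,
    "log.forwarding_target": lambda v: isinstance(v, str) and v.endswith(".corp.example"),
}

# Constructed observed configurations for three environments, flattened the way a
# configuration-management export might present them.
OBSERVED = {
    "cloud-a": {
        "ssh.password_auth": False, "ssh.root_login": False, "tls.min_version": "1.2",
        "password.min_length": 14, "antimalware.enabled": True,
        "log.forwarding_target": "siem.corp.example",
    },
    "cloud-b": {
        "ssh.password_auth": True, "ssh.root_login": False, "tls.min_version": "1.0",
        "password.min_length": 14, "antimalware.enabled": True,
        "log.forwarding_target": "siem.corp.example",
        "debug.enabled": True,  # present but not covered by any policy rule
    },
    "on-prem": {
        "ssh.password_auth": False, "ssh.root_login": False, "tls.min_version": "1.3",
        "password.min_length": 8,
        "log.forwarding_target": "siem.corp.example",
        # antimalware.enabled is absent entirely: a deployment gap, not a bad value
    },
}


def check_environment(name, observed, baseline):
    """Findings for one environment as (env, setting, kind, observed_value) tuples.
    MISSING: the baseline expects a setting the export does not contain.
    DRIFT:   the setting exists but violates the rule.
    UNMANAGED: the export contains a setting no rule covers (worth a policy decision)."""
    findings = []
    for key, rule in baseline.items():
        if key not in observed:
            findings.append((name, key, "MISSING", None))
            continue
        value = observed[key]
        ok = rule(value) if callable(rule) else value == rule
        if not ok:
            findings.append((name, key, "DRIFT", value))
    for key in sorted(observed.keys() - baseline.keys()):
        findings.append((name, key, "UNMANAGED", observed[key]))
    return findings


def check_all(observed_by_env, baseline):
    findings = []
    for name in sorted(observed_by_env):
        findings.extend(check_environment(name, observed_by_env[name], baseline))
    return findings


def inconsistent_settings(observed_by_env):
    """Settings whose value differs between environments, even where each environment
    passes the baseline on its own: the 'are your clouds configured identically?' question."""
    keys = set().union(*(cfg.keys() for cfg in observed_by_env.values()))
    diffs = {}
    for key in sorted(keys):
        values = {env: cfg.get(key, "<absent>") for env, cfg in observed_by_env.items()}
        if len(set(map(repr, values.values()))) > 1:
            diffs[key] = values
    return diffs


if __name__ == "__main__":
    for env, key, kind, value in check_all(OBSERVED, BASELINE):
        print(f"{kind:<10} {env:<8} {key} = {value!r}")
    for key, values in inconsistent_settings(OBSERVED).items():
        print(f"INCONSISTENT {key}: {values}")
```

The two functions answer different questions and both belong in a continuous loop: `check_all` tells you which environment is out of policy right now, while `inconsistent_settings` catches the case where every environment passes but one was hardened further than the others, which usually means the baseline itself is out of date.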
Page 19
CONCLUSION
Building an effective CSM program isn’t something that will happen overnight. But as you automate certain processes, you just need to make certain those processes remain automated and in good shape. Use the time saved to automate the next set of security processes and feed their status into a dashboard or, initially, a set of dashboards. In time, you will automate your entire program.
So what will this continuous security and regulatory compliance monitoring do for you? Plenty, when it comes to building a resilient environment.
When continuously deploying new applications, you will be introducing new mistakes into the environment; by continuously monitoring that environment, you’ll be finding those new security errors as they are introduced. So, while you will be moving as quickly as you can, your security efforts will be moving with you through your CSM program.
About Bitdefender
Bitdefender is a global security technology company that delivers solutions in more than 100 countries through a network of value-added alliances, distributors and reseller partners. Since 2001, Bitdefender has consistently produced award-winning business and consumer security technology, and is a leading security provider in virtualization and cloud technologies. Through R&D, alliances and partnership teams, Bitdefender has elevated the highest standards of security excellence in both its number-one-ranked technology and its strategic alliances with the world’s leading virtualization and cloud technology providers.
www.bitdefender.com
www.bitdefender.com/business
businessinsights.bitdefender.com