Increase speed and effectiveness of incident response through continuous monitoring and enterprise IR tool integration
Continuous monitoring is a buzz phrase come back to life thanks to the U.S. Office of Management and Budget and the Homeland Security Department telling government agencies to implement information security continuous monitoring (ISCM). NIST also released three new documents in January specifically addressing ISCM. What is it? Well, NIST defines ISCM as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Sounds like something companies with highly sensitive environments or data should be doing already, right?
Continuous monitoring is really nothing new. In its simplest form, it’s a transition from the occasional, static analysis of logs, to analysis on a semi-regular to regular basis, to continuous automated analysis and correlation of logs from every system in an enterprise. This constant feed of information is designed to provide near real-time situational awareness to security and operations staff in order to detect new attacks, identify previously unseen threats, and react quickly with actionable information.
While C-level executives will read the definition above and groan at the perceived cost in technology and personnel, what they don’t realize is that continuous monitoring is, in part, just an extension of current processes and technology. It combines log monitoring and analysis, or a SIEM, with data from vulnerability scanners and configuration management systems to provide a complete picture of what’s going on within the enterprise network at a moment’s notice. If an attack is detected, the knowledge provided through continuous monitoring can show whether it was successful, based on whether the target was actually vulnerable and on the system activity observed on the target itself.
From my perspective as a security practitioner and incident responder, having access to this breadth of information is the Holy Grail of security — if it is easily and quickly searchable. In essence, continuous monitoring tools and processes should enable security pros to react more quickly and efficiently when responding to security incidents — ideally, in time to detect a breach and prevent further data theft and damage to the organization.
To speed up the response effort, enterprise incident response tools complement continuous monitoring environments well. Depending on the solution chosen, it may feed live data about system activity and alerts directly into a SIEM system, or it might provide on-demand remote incident response capabilities. The difference is that the former is more focused on creating a running record of activities occurring on a system, while the latter is used to perform live incident response activities against one to many remote hosts.
On-demand incident response solutions are the more traditional enterprise incident response tools and have been around for a little more than half a decade. They leverage an agent running on each desktop and server, providing quick, on-demand access for security teams who need to investigate suspicious happenings. Security investigators can analyze running processes, image live memory and hard drives, analyze the local hard drive, copy files, and more.
On-demand enterprise incident response tools complement the continuous monitoring process by providing immediate incident response capabilities on hosts with anomalous behavior. More recent versions of these solutions have begun including monitoring capabilities that do not require user intervention to create searches in order to get data back. They can be set to send alerts whenever malicious activity is detected or known indicators of compromise are found on a system. Depending on the solution, it may or may not have an API specifically designed to integrate with SIEM platforms.
Similar to an enterprise change management solution, these always-on incident response monitoring tools keep a record of all activity, including running processes, file system changes, and modifications to the Windows registry. The resulting logs can either be analyzed and processed by the solution’s own management interface and back-end analysis system, or fed into an existing enterprise monitoring tool or SIEM for correlation with logs from other systems. The major benefit is that an evidence trail of all activity over time is created, which can greatly speed up the incident response process and security investigations.
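The correlation described above, in which an alert is judged against the target’s vulnerability-scan results and the activity recorded by an always-on IR agent, can be sketched in a few lines. This is an added illustration, not code from the article or from any product; the record layouts, host names, IoC patterns and CVE ids are all constructed placeholders.

```python
"""Triage a network alert by correlating it with vulnerability-scan results and
host-activity records, as the article describes. Illustrative only: every data
structure and sample value below is constructed, and the CVE ids are placeholders."""
from datetime import datetime, timedelta

# Constructed vulnerability-scan results: host -> set of unpatched CVE ids
VULN_SCAN = {
    "web01": {"CVE-0000-0001", "CVE-0000-0002"},
    "web02": {"CVE-0000-0002"},
}

# Constructed activity records from an always-on IR agent:
# (timestamp, host, event type, detail) covering processes, files and registry
HOST_ACTIVITY = [
    ("2012-02-01T10:00:05", "web01", "process", "cmd.exe spawned by httpd.exe"),
    ("2012-02-01T10:00:07", "web01", "file", "C:\\Windows\\Temp\\svc.exe created"),
    ("2012-02-01T10:00:09", "web01", "registry", "HKLM\\...\\Run\\svc added"),
    ("2012-02-01T09:30:00", "web02", "process", "notepad.exe started"),
]

# Constructed indicators of compromise the agent would alert on
IOC_PATTERNS = ("spawned by httpd.exe", "\\Temp\\svc.exe", "\\Run\\svc")

def triage(alert, vuln_scan=VULN_SCAN, activity=HOST_ACTIVITY, window_s=300):
    """Return a verdict dict for one IDS/IPS alert.
    alert = {"time": ISO-8601 timestamp, "host": host name, "cve": CVE id}"""
    host, cve = alert["host"], alert["cve"]
    t0 = datetime.fromisoformat(alert["time"])
    vulnerable = cve in vuln_scan.get(host, set())
    # IoC-matching host events within window_s seconds after the alert
    hits = [
        f"{ts} {kind}: {detail}"
        for ts, h, kind, detail in activity
        if h == host
        and t0 <= datetime.fromisoformat(ts) <= t0 + timedelta(seconds=window_s)
        and any(p in detail for p in IOC_PATTERNS)
    ]
    if vulnerable and hits:
        verdict = "likely compromised: vulnerable target with post-alert IoC activity"
    elif vulnerable:
        verdict = "vulnerable target, no IoC activity seen: investigate"
    elif hits:
        verdict = "target not vulnerable to this CVE but IoC activity present: investigate"
    else:
        verdict = "attack likely failed: target not vulnerable, no IoC activity"
    return {"host": host, "vulnerable": vulnerable, "ioc_hits": hits, "verdict": verdict}
```

The same function would run over an alert feed from a SIEM, with the scan and activity data pulled from the monitoring back end instead of the constructed tables.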
The path to continuous monitoring is not an easy or quick one, but the end result can mean the difference between identifying a data breach as it occurs, versus being notified months later by a third party. Integrating it with an enterprise incident response tool can aid in streamlining the response process to stop incidents as they are occurring and prevent additional collateral damage.
In the end, it’s all about knowing what’s going on and being able to act quickly.