Continuous Monitoring and Risk Scoring

Many organizations have recently concluded that traditional security monitoring, while it does reduce risk, is not enough to react to today's external, targeted, persistent and zero-day attacks. As a result, a number of Federal agencies and some private sector organizations are replacing point-in-time audits and compliance checks with a Continuous Monitoring program. The aim is to assess the effectiveness of controls and, at the same time, gain visibility into current threats through situational awareness, in an automated fashion that is both more efficient and more effective.

The National Institute of Standards and Technology (NIST) first described continuous monitoring as a critical component of its Risk Management Framework, when in its Special Publication 800-37 Rev 1, “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach” it advised agencies to put in place the following elements:

  • Configuration Management and Change Control: Develop processes for organizational information systems, throughout their SDLCs, and with consideration of their operating environments and their role(s) in supporting the organization’s missions and core business processes;
  • Security Impact Analyses: Develop security impact analysis and conduct analyses to monitor for changes to organizational information systems and their environments of operation for any adverse security impact to systems, mission/business and/or organizational functions which said systems support;
  • (Ongoing) Assessment of System Security Controls: Develop assessment frequencies based on an organization-wide continuous monitoring strategy and individual system authorization strategies; and
  • Security Status Monitoring and Reporting: Communicate accurate and up-to-date security-related information to support ongoing management of information security risks and to enable data-driven risk mitigation decisions with minimal response times and acceptable data latencies.

At the heart of understanding risk is understanding change. Any time a system departs from a known state, its "baseline", risk is incurred. Detecting and understanding changes is key to weighing the risk associated with a given change and to taking appropriate action. Precise and continuous change detection is therefore a fundamental component of IT risk mitigation. In addition, continuous checking of settings, configurations and system behaviors for anomalies is crucial to closing the gap between when risk arises and when it is detected and mitigated.
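To make the baseline-and-change idea concrete, here is an added example (not code from the page, NIST or CAESARS) that compares a recorded baseline of asset settings against a fresh collection, reports every deviation, and rolls the deviations up into a per-asset score. The asset names, the settings, the snapshot values and the per-class weights are all constructed for illustration; the fingerprint step is there so that unchanged assets can be skipped cheaply before any field-by-field comparison.

```python
"""Baseline drift detection with a simple per-asset risk score.

Added example. The snapshots and WEIGHTS are assumptions chosen for
illustration; they are not a NIST or CAESARS scale.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: asset -> flat dict of setting name -> observed value,
# as a configuration collector might emit it.
BASELINE: Dict[str, Dict[str, str]] = {
    "web01": {
        "sshd.PermitRootLogin": "no",
        "sshd.PasswordAuthentication": "no",
        "svc.telnet": "disabled",
        "pkg.openssl": "3.0.2-1",
        "file.hash:/etc/sudoers": "1f3a",
    },
    "db01": {
        "sshd.PermitRootLogin": "no",
        "svc.telnet": "disabled",
        "pkg.openssl": "3.0.2-1",
    },
}

# Constructed "current" collection with several deviations from baseline.
CURRENT: Dict[str, Dict[str, str]] = {
    "web01": {
        "sshd.PermitRootLogin": "yes",      # modified: hardening regressed
        "sshd.PasswordAuthentication": "no",
        "svc.telnet": "disabled",
        "pkg.openssl": "3.0.7-1",           # modified: package changed
        "file.hash:/etc/sudoers": "9c0d",   # modified: privileged file edited
        "svc.ftp": "enabled",               # added: service not in baseline
    },
    "db01": {
        "sshd.PermitRootLogin": "no",
        "pkg.openssl": "3.0.2-1",
        # svc.telnet is missing: the collector no longer reports it
    },
}

# Assumed weight per setting class (prefix match); anything else scores 1.
# Every deviation scores: a change is risk until it is reviewed and either
# reverted or folded into a new baseline.
WEIGHTS = {"sshd.": 5, "svc.": 4, "file.hash:": 4, "pkg.": 2}


@dataclass(frozen=True)
class Change:
    asset: str
    key: str
    old: Optional[str]
    new: Optional[str]
    kind: str  # "added" | "removed" | "modified"


def fingerprint(settings: Dict[str, str]) -> str:
    """Canonical SHA-256 of one asset's settings; equal hashes mean no drift."""
    blob = json.dumps(settings, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def diff_asset(asset: str, base: Dict[str, str], cur: Dict[str, str]) -> List[Change]:
    """Field-by-field comparison of one asset; keys are walked in sorted order."""
    changes: List[Change] = []
    for key in sorted(set(base) | set(cur)):
        if key not in cur:
            changes.append(Change(asset, key, base[key], None, "removed"))
        elif key not in base:
            changes.append(Change(asset, key, None, cur[key], "added"))
        elif base[key] != cur[key]:
            changes.append(Change(asset, key, base[key], cur[key], "modified"))
    return changes


def detect_drift(baseline: Dict[str, Dict[str, str]],
                 current: Dict[str, Dict[str, str]]) -> List[Change]:
    """All deviations across all assets; unchanged assets are skipped by hash."""
    changes: List[Change] = []
    for asset in sorted(set(baseline) | set(current)):
        base, cur = baseline.get(asset, {}), current.get(asset, {})
        if fingerprint(base) == fingerprint(cur):
            continue
        changes.extend(diff_asset(asset, base, cur))
    return changes


def score(change: Change) -> int:
    """Weight of a single deviation, by the class of the setting it touches."""
    return next((w for prefix, w in WEIGHTS.items()
                 if change.key.startswith(prefix)), 1)


def asset_risk(changes: List[Change]) -> Dict[str, int]:
    """Sum of deviation weights per asset; higher means more to review first."""
    totals: Dict[str, int] = {}
    for c in changes:
        totals[c.asset] = totals.get(c.asset, 0) + score(c)
    return totals


if __name__ == "__main__":
    found = detect_drift(BASELINE, CURRENT)
    for c in found:
        print(f"{c.asset:6} {c.kind:8} {c.key:32} {c.old!r} -> {c.new!r}  +{score(c)}")
    print("risk by asset:", asset_risk(found))
```

Run on the constructed snapshots, web01 produces four findings (a privileged file edit, a package change, a root-login regression and a new service) and db01 one (a setting that stopped being reported). Note that the package update on web01 also scores: in this model a deviation is risk until someone confirms it and rebaselines, which is the discipline the page describes, not a judgement that the patch was wrong.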

Implementing Continuous Monitoring

One of the first major challenges in developing a strategy for a continuous monitoring effort, however, is defining the term. There have been several attempts. NIST has produced two documents that seek to define and provide guidance on continuous monitoring. The first is a Frequently Asked Questions (FAQ) guide on continuous monitoring, published in June 2010. The second is the draft of Special Publication 800-137, "Information Security Continuous Monitoring for Federal Information Systems and Organizations", released in December 2010. NIST defines the term as follows:

“Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The objective is to conduct ongoing monitoring of the security of an organization’s networks, information, and systems, and respond by accepting, avoiding/rejecting, transferring/sharing, or mitigating risk as situations change.”

Continuous Monitoring Technical Reference Model

More recently, NIST released three reports that are related to continuous monitoring. The first, NIST Interagency Report 7756 Second Public Draft, “CAESARS Framework Extension: An Enterprise Continuous Monitoring Technical Reference Model” provides a reference model for organizations to collect data from across a diverse set of security tools, analyze the data, score the data, enable user queries and provide overall situational awareness.

The model is designed so that organizations can meet these goals by leveraging their existing security tool investments rather than designing and paying for custom solutions. It was developed using the Department of Homeland Security's monitoring framework, Continuous Asset Evaluation, Situational Awareness, and Risk Scoring (CAESARS), as its starting point.

The second document, NISTIR 7799, “Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications” provides the technical specifications for the continuous monitoring reference model presented in NISTIR 7756 with enough specificity to enable instrumentation of existing products and development of new capabilities by vendors.

The third document, NISTIR 7800, “Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration and Vulnerability Management Domains” augments the reference model with guidance on addressing these specific areas. It does this by leveraging the Security Content Automation Protocol (SCAP) version 1.2 for configuration and vulnerability-scan content, and it recommends reporting results in an SCAP-compliant format.

Two Pronged Approach

While the initial thrust of continuous monitoring is controls-based in the Federal government, many forward-thinking organizations have expanded their continuous monitoring program to address threat management via Situational Awareness and Incident Response (SAIR). The result is a two-pronged approach:

  • Proactive Monitoring: Vulnerability monitoring and asset/device awareness
  • Detective Monitoring: Full-view, context-aware threat monitoring, analysis and alerting

The various “domains” that are candidates for continuous monitoring include the following:

  • Asset Management
  • Configuration Management
  • Event Management
  • Incident Management
  • Information Management
  • License Management
  • Malware Detection and Remedy
  • Network Management
  • Patch Management
  • Vulnerability Management
  • Software Assurance

Although not (yet) specified, two other domains (Digital Policy Management and Advanced Persistent Threat) are under consideration by NIST.

By adopting a continuous monitoring program that addresses both proactive and reactive monitoring, organizations in the public and private sectors can not only manage compliance but also track security trends, make informed risk management decisions, and determine where their security posture needs to improve.