
Jul 21

Tech Insight: Speeding Up Incident Response With Continuous Monitoring

From: Dark Reading

Increase speed and effectiveness of incident response through continuous monitoring and enterprise IR tool integration

By John H. Sawyer

Continuous monitoring is a buzz phrase that has had new life breathed into it thanks to the U.S. Office of Management and Budget and the Homeland Security Department telling government agencies to implement information security continuous monitoring (ISCM). NIST also released three new documents in January specifically addressing ISCM. What is it? Well, NIST defines ISCM as “maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” Sounds like something companies with highly sensitive environments or data should be doing already, right?

Continuous monitoring is really nothing new. In its simplest form, it is a transition from occasional, static analysis of logs on a regular or semi-regular basis to continuous, automated analysis and correlation of logs from every system in an enterprise. This constant feed of information is designed to provide near real-time situational awareness to security and operations staff so they can detect new attacks, identify previously unseen threats, and react quickly with actionable information.

While C-level executives will read the definition above and groan at the perceived cost in technology and personnel, what they don’t realize is that continuous monitoring is in part just an extension of current processes and technology. It combines log monitoring and analysis, or a SIEM, with data from vulnerability scanners and configuration management systems to provide a complete picture of what is going on within the enterprise network at a moment’s notice. If an attack is detected, the knowledge provided through continuous monitoring can show whether the attack was successful, based on whether the target was vulnerable and on the system activity observed on the target itself.

From a security practitioner and incident responder’s perspective, having access to this breadth of information is the holy grail of security, provided, of course, that it is easily and quickly searchable. In essence, continuous monitoring tools and processes should enable security pros to react more quickly and efficiently when responding to security incidents — ideally, in time to detect a breach and prevent further data theft and damage to the organization.

To speed up the response effort, enterprise incident response tools complement continuous monitoring environments well. Depending on the solution chosen, it may feed live data about system activity and alerts directly into a SIEM, or it might provide on-demand remote incident response capabilities. The difference is that the former is focused on creating a running record of activity occurring on a system, while the latter is used to perform live incident response activities against one or many remote hosts.

On-demand incident response solutions are the more traditional incident response tools for enterprises and have been around for just over half a decade. They leverage an agent running on each desktop and server that provides quick, on-demand access for security teams who need to investigate suspicious happenings. Security investigators can analyze running processes, image live memory and hard drives, examine the local file system, copy files, and more.

On-demand enterprise incident response tools complement the continuous monitoring process by providing immediate incident response capabilities on hosts showing anomalous behavior. More recent versions of these solutions have begun including monitoring capabilities that return data without an analyst having to create searches. They can be set to send alerts whenever malicious activity is detected or known indicators of compromise are found on a system. Depending on the solution, it may or may not have an API specifically designed to integrate with SIEM platforms.

Similar to an enterprise change management solution, these always-on incident response monitoring tools keep a record of all activity, including running processes, file system changes, and modifications to the Windows registry. The resulting logs can either be analyzed and processed by the solution’s own management interface and backend analysis system or fed into an existing enterprise monitoring tool or SIEM for correlation with logs from other systems. The major benefit is that an evidence trail of all activity over time is created, which can greatly speed up the incident response process and security investigations.
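The correlation the article describes, both the SIEM-plus-scanner picture above and the always-on agent's activity record here, as an added example that is not from the article or any product: a triage routine that combines a network alert with the last vulnerability scan and the agent's host telemetry to decide whether the attack likely succeeded. All three feeds are constructed sample data, and the field names, the `PLACEHOLDER-VULN-*` identifiers and the ten-minute follow-on window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample feeds (not real data); field names are assumptions, not a vendor schema.
ALERTS = [  # network/IDS alerts as a SIEM would present them
    {"ts": "2012-07-20T10:00:00", "host": "web01", "vuln": "PLACEHOLDER-VULN-1"},
    {"ts": "2012-07-20T10:05:00", "host": "web02", "vuln": "PLACEHOLDER-VULN-1"},
    {"ts": "2012-07-20T10:10:00", "host": "db01", "vuln": "PLACEHOLDER-VULN-2"},
    {"ts": "2012-07-20T10:15:00", "host": "kiosk07", "vuln": "PLACEHOLDER-VULN-1"},
]
VULN_SCAN = {  # latest scanner results: which findings each host is exposed to
    "web01": {"PLACEHOLDER-VULN-1"},
    "web02": set(),  # patched, so the attempt cannot have succeeded
    "db01": {"PLACEHOLDER-VULN-2"},
    # kiosk07 is absent: it was never scanned
}
HOST_EVENTS = [  # always-on IR agent record: processes, file system, registry
    {"ts": "2012-07-20T10:00:20", "host": "web01", "type": "process",
     "detail": "command shell started by the web server process"},
    {"ts": "2012-07-20T10:00:45", "host": "web01", "type": "registry",
     "detail": "new autorun entry written"},
    {"ts": "2012-07-20T09:00:00", "host": "db01", "type": "file",
     "detail": "scheduled backup archive written"},  # hours before the alert
]
WINDOW = timedelta(minutes=10)  # how long after an alert host activity counts as follow-on

def follow_on_activity(alert, events=HOST_EVENTS, window=WINDOW):
    """Host events on the alerted host that occurred within `window` after the alert."""
    start = datetime.fromisoformat(alert["ts"])
    return [e for e in events if e["host"] == alert["host"]
            and start <= datetime.fromisoformat(e["ts"]) <= start + window]

def triage(alert, scan=VULN_SCAN, events=HOST_EVENTS):
    """Combine the alert with scan data and host telemetry into a priority and reason."""
    host, result = alert["host"], {"host": alert["host"], "evidence": []}
    findings = scan.get(host)
    if findings is None:  # no scan coverage is not the same as not vulnerable
        return {**result, "priority": "medium", "reason": "host never scanned; exposure unknown"}
    if alert["vuln"] not in findings:
        return {**result, "priority": "low", "reason": "target not vulnerable to the exploited flaw"}
    evidence = follow_on_activity(alert, events)
    if evidence:
        return {**result, "priority": "high", "evidence": evidence,
                "reason": "vulnerable target with post-alert host activity"}
    return {**result, "priority": "medium", "reason": "vulnerable target, no host activity recorded yet"}

def triage_all(alerts=ALERTS):
    return [triage(a) for a in alerts]
```

The evidence list returned for a high-priority result is the start of the evidence trail the article mentions: the agent records that line up with the alert, ready to hand to the responder.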

The path to continuous monitoring is not an easy or quick one, but the end result can mean the difference between identifying a data breach as it occurs, versus being notified months later by a third party. Integrating it with an enterprise incident response tool can aid in streamlining the response process to stop incidents as they are occurring and prevent additional collateral damage.

In the end, it’s all about knowing what’s going on and being able to act quickly.
