What Really is Continuous Monitoring and Why is it Essential?
Today, nearly all of an agency’s mission-critical functions depend on safe and secure information technology systems. With cyber threats constantly evolving and growing at an exponential rate, and government increasingly relying on technology to deliver core services, agencies need a robust cyber defense.
Continuous Monitoring is certainly not a new term, but if you were to ask 10 people how they would define this term, you’re likely to get 10 different responses. Ken Durbin, Cyber & Continuous Monitoring Practice Manager, Symantec, provided expert insights on Symantec’s view of Continuous Monitoring and how agencies are adopting continuous monitoring programs as a means to protect government data and infrastructure. Durbin also highlights the benefits, best practices and challenges to adopting a continuous monitoring program.
Continuous monitoring is one part of a six-step process in the NIST Risk Management Framework (RMF), from NIST publication 800-53, rev4. Durbin adds, “I take the NIST definition of continuous monitoring, which is, roughly, a formalized process where an agency can define each of their IT systems, categorize them by risk level, apply the appropriate controls, and continuously monitor the controls in place and assess their effectiveness against threats in their environment.” Continuous monitoring is an essential step for organizations to identify and measure the security implications of planned and unexpected changes to hardware, software and firmware, and to assess vulnerabilities in a dynamic threat space.
This holistic view of security of IT systems is essential as agencies are faced with increasing threats, and must create security systems that are ‘threat agnostic.’ “That's one of the beauties of continuous monitoring - it's threat-agnostic. If you've taken the time to really identify what's critical to your IT system and you've put the appropriate controls in place to police those specific aspects of the network, it can be flexible,” explained Durbin.
Continuous monitoring provides many benefits to government agencies yet holistic adoption still seems to be lagging. “If you're operating all those sensors in silos, which unfortunately, a lot of people are doing, you're only seeing one aspect of what's going on in your network. Continuous monitoring really provides a situational awareness of your network, giving you the opportunity to react to that changing situation,” said Durbin.
For agencies, one perceived challenge to continuous monitoring is following and understanding the full NIST RMF definition of continuous monitoring. “When people hear that there's 800 plus controls, they think, wow, that's a little daunting. So I think an education on how they can be deployed is beneficial. NIST gives you all these controls, but they also give you a very clear roadmap on how to implement them,” said Durbin.
The real challenge is having support across departments. In many instances, IT systems cross departments, so agencies need to gather buy-in from many different stakeholders to get continuous monitoring implemented. Cross-departmental policy collaboration can be difficult at the outset, and Durbin recommends that agencies define the primary stakeholders as well as supporting roles early in the process.
Durbin also referenced advice given by Dr. Ron Ross, a Fellow at the National Institute of Standards and Technology (NIST) who specializes in information security and risk management. “Dr. Ross points out that it's not a matter of ‘if’, but ‘when’ systems will be compromised. There is no system on earth that is 100% safeguarded against being compromised at some point. So if we know that someday we're going to be compromised, we need to use the time now to make sure that we have a disaster recovery plan in place so that when we are compromised, the time to get back up and running, and the risk of data loss, are minimized. Disaster Recovery often gets overlooked in some continuous monitoring shortcuts.”
Symantec spans many different areas of continuous monitoring, and depending on the customer’s needs and level of maturity, Symantec can tailor a solution to meet an agency’s unique requirements. This ranges from putting sensors in place for hardware, software and configuration management, to a full-scale risk management system.
Durbin adds, “Where Symantec has become unique is in our ability to aggregate the data from customers' existing sensors (Symantec or third party) and correlate, process and present that data in meaningful ways so that the appropriate person within an IT organization has actionable intelligence which they can use to make decisions from a continuous monitoring perspective.”
As the threats to government continue to grow in complexity, it’s essential that agencies adopt best practices to protect systems. Continuous monitoring is part of a robust security plan that gives true situational awareness and provides agencies time to react and respond to threats against their most critical infrastructure.