Developing a continuous monitoring strategy is gaining a lot of momentum within many U.S. government agencies and businesses that want to better manage cyber security risk. As we mentioned in our previous blog, having a continuous monitoring plan lets you see whether your security controls remain effective over time, not just on the day they were assessed. Executing that plan can seem daunting, but it is the only way to keep pace with a threat landscape that changes faster than any authorization cycle. That's why there's so much value in having a good continuous monitoring strategy.
Government agencies and companies looking for guidance on managing risk generally rely on the Risk Management Framework (RMF) published by the National Institute of Standards and Technology (NIST) in Special Publication 800-37. By taking a risk-based approach to managing threats, you can systematically secure your environment. You can also get a much better understanding of how your actions will affect the entire organization.
Applying the RMF in 6 Steps
Applying the RMF is the core of the process, and continuous monitoring is one of its steps, not an afterthought. SP 800-37 Rev. 1 defines the six steps below (Rev. 2 adds a preparatory "Prepare" step ahead of them, but the six core steps are unchanged):
- Categorize – Perform an impact analysis to understand the criticality of the system and data.
- Select – Based on the results of the categorization, select the appropriate controls to implement.
- Implement – Implement the selected controls.
- Assess – Determine if the controls have been implemented correctly.
- Authorize – Determine if the risk is acceptable to operate.
- Monitor – Continuously monitor the controls for effectiveness, and report any change in the overall risk to the system, mission, and organization back to the authorizing official from step five so the authorization decision can be revisited.
Having a Strategy
As we mentioned above, continuous monitoring is the final step in the RMF. You can develop your strategy for it in parallel to the other steps of the RMF.
We all have those employees who are invaluable to the organization: the technical folks with the know-how to keep the systems running efficiently and the processes executing as required. These people may be willing and ready to implement a continuous monitoring plan. Their idea of continuous monitoring, though, may be to audit as many of the hundreds of NIST SP 800-53 controls (and control enhancements) as they can, regardless of whether those controls matter to the system in question.
They will run until tackled, but they may lack the strategic vision or insight into overall business goals. They don't necessarily know the criticality of the data or systems, or how those systems support the company's or agency's mission. Without a clear understanding of what to monitor and why, this becomes a frustrating and time-consuming effort at best.
Trying to audit everything isn’t realistic. Implementing every potential control can backfire if it disrupts system functionality, and just as importantly, it’s usually not cost-effective. Developing a strategy before implementing continuous monitoring can effectively address this challenge.
A good continuous monitoring strategy addresses monitoring and assessment of security controls for effectiveness, security status monitoring, and security status reporting to allow for situational awareness.
It's pretty straightforward. First, identify the data that must be protected. Second, create a patching process and scan for vulnerabilities regularly. Third, continuously monitor all the systems and data touch points you've discovered. Fourth, create processes for identifying and addressing alerts about changes in user behavior and traffic patterns. Fifth, monitor, monitor, monitor!
Implementing an RMF
Organizations that effectively use the RMF take time to identify what's important, whether it's infrastructure, specific systems, or data, and then implement the appropriate controls to secure and monitor those assets. That focus is what makes continuous monitoring a flexible and useful tool rather than a checklist exercise. This is the first step, categorization, and organizations that skip it will inevitably struggle. Without categorizing the system and data, you risk implementing incorrect or costly controls you may not really need.
It is also crucial to review each of the controls against the system categorization and select the appropriate ones, which is step 2, select. All techies think their systems and data are the most important, and that may well be true from where they sit. The impact analysis, however, may tell a different story: the system may turn out to be more critical or, just as often, less critical than they assumed. Control selection can be tailored to the categorization. For example, it wouldn't make sense to implement heavy, expensive confidentiality controls for a system whose data is freely available to the public. In other words, control selection and implementation, step 3, implement, need to be appropriate for what they protect; nothing more, nothing less.
Step 4, assess, can be performed both internally and externally. It sends information back to the system and data owners on how the controls were implemented. The resulting report tells the story of the control selection and the effectiveness of those controls. It's not uncommon for an assessment to find that a control was implemented only to satisfy a compliance requirement on paper, without meeting the spirit of the control.
Once the assessment has been completed, a report and recommendation are presented to the authorizing official describing the level of risk that would be accepted if the system were made operational and the data made available. This is step 5, authorize. The official carries the burden of accepting the risk to the system, and must also understand that accepting risk on one system can add risk to other systems within the organization.
Then it all culminates in a continuous monitoring strategy, step 6, monitor. You collect, assess, and respond to metrics from each critical area to monitor and manage risk across the organization. The continuous monitoring strategy ultimately drives the ongoing assessment of security controls that determines the overall risk to the organization.
One solution that many organizations have turned to for continuous monitoring is SOC-as-a-Service, which can give them visibility across their entire network, endpoint devices, and cloud applications and infrastructure. Most organizations don't have the resources to maintain an expensive, noisy security information and event management (SIEM) deployment and to staff a security operations center capable of investigation and incident response around the clock.
A cloud-based security orchestration and automation platform, like the one we’ve developed at Delta Risk, reduces noise and prioritizes threats for our security analysts in our SOC to investigate. You can choose a fully managed, co-managed, or hybrid model, to get continuous monitoring at a fraction of the cost of building and staffing your own SOC.
The value of a good continuous monitoring strategy is having current data available to leadership so they can assess overall risk and make risk-based decisions. Monitoring is the last step in the RMF, so it should be complementary to all the previous steps. A good continuous monitoring strategy supports organizational risk management decisions, including risk response decisions, ongoing system authorization decisions, and resource and prioritization decisions.