What is SIEM or Continuous Security Monitoring (CSM)?

With the cyber-security threat landscape constantly evolving and attackers developing new styles of attack, it is no longer enough to trust traditional security controls, like firewalls and antivirus software, to protect you from a motivated adversary. Organizations need the capability to monitor their networks for indicators of compromise in real time. Large enterprises have had the means to implement this type of monitoring for years; smaller organizations are only now starting to catch up.

According to Trustwave, the average successful attacker has uninterrupted access to the target’s network for 49 days before being detected. And according to Verizon, 81% of data breaches circumvent traditional security controls by using weak or stolen passwords.

To identify targeted attacks, or to stop successful attacks before they cause damage, companies must find ways to monitor their IT infrastructure constantly and never assume that any one control prevents 100% of attacks.


This is where CSM, or Continuous Security Monitoring, comes into play: it keeps a vigilant eye out for the early warning signs of an attack. By establishing a baseline of normal network activity and continuously monitoring for anomalous behavior, attacks can be identified and stopped before they cause the $3.6M in damage that a typical data breach costs on average.

So, What is CSM? 

Continuous Security Monitoring is exactly what it sounds like: technology that lets organizations oversee their IT assets, both in the cloud and on premises, in real time from a single portal that the IT team and key stakeholders can analyze. It receives logs from a wide range of devices (servers, routers, access points, etc.) and services (Office 365, Azure, AWS, and more), normalizes them into a common format, and correlates events from the different sources, leaving you with a clear picture of what is happening across your dispersed IT environment. This data is typically also compared against a global threat intelligence feed, which is used to raise alarms when behavior on your network matches patterns of known attacks.
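As an added example, not code from the original article or from any particular CSM product, the following Python script shows the normalize-then-correlate pipeline described above on constructed sample data: three log formats (sshd syslog lines, Office 365-style JSON audit records and firewall CSV rows) are mapped into one schema, a correlation rule looks for repeated failed logons followed by a success from the same source and user across all sources, and every event is checked against a small threat-intelligence list. The log lines, hostnames, IP addresses, field names and the indicator list are all made up for the example; real feeds differ.

```python
"""Added example (not from the original article or any CSM product):
normalize log lines from three sources into one schema, correlate them,
and check them against a threat-intel list. All sample data is constructed."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: sshd syslog lines, Office 365-style audit JSON, firewall CSV.
SSHD_LINES = [
    "Jan 12 09:01:05 web01 sshd[2121]: Failed password for admin from 203.0.113.9 port 51012 ssh2",
    "Jan 12 09:01:09 web01 sshd[2121]: Failed password for admin from 203.0.113.9 port 51018 ssh2",
    "Jan 12 09:01:14 web01 sshd[2121]: Failed password for admin from 203.0.113.9 port 51022 ssh2",
    "Jan 12 09:01:20 web01 sshd[2121]: Accepted password for admin from 203.0.113.9 port 51030 ssh2",
    "Jan 12 09:05:00 web01 sshd[2200]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2",
]
O365_LINES = [
    json.dumps({"CreationTime": "2019-01-12T09:02:00", "Operation": "UserLoginFailed",
                "UserId": "alice@example.com", "ClientIP": "198.51.100.7"}),
    json.dumps({"CreationTime": "2019-01-12T09:02:30", "Operation": "UserLoggedIn",
                "UserId": "alice@example.com", "ClientIP": "198.51.100.7"}),
]
FIREWALL_LINES = [  # timestamp,device,action,src_ip,dst_ip,dst_port
    "2019-01-12 09:03:10,fw01,ALLOW,10.0.0.5,198.51.100.200,443",
    "2019-01-12 09:03:11,fw01,ALLOW,10.0.0.8,192.0.2.44,4444",
]
# Constructed indicator list standing in for a threat-intelligence feed.
THREAT_INTEL_IPS = {"192.0.2.44", "203.0.113.9"}

SYSLOG_YEAR = 2019  # syslog timestamps carry no year; assumed for the sample
SSHD_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) \w+ for (\S+) from (\S+) port")


def normalize(source, line):
    """Map one raw line to the common schema (ts, source, host, user, src_ip, dst_ip, outcome)."""
    if source == "sshd":
        m = SSHD_RE.match(line)
        if not m:
            return None
        ts = datetime.strptime(f"{SYSLOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "source": source, "host": m.group(2), "user": m.group(4),
                "src_ip": m.group(5), "dst_ip": None,
                "outcome": "success" if m.group(3) == "Accepted" else "failure"}
    if source == "o365":
        rec = json.loads(line)
        return {"ts": datetime.fromisoformat(rec["CreationTime"]), "source": source,
                "host": "office365", "user": rec["UserId"], "src_ip": rec["ClientIP"],
                "dst_ip": None,
                "outcome": "success" if rec["Operation"] == "UserLoggedIn" else "failure"}
    if source == "firewall":
        ts, device, action, src, dst, port = line.split(",")
        return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": source,
                "host": device, "user": None, "src_ip": src, "dst_ip": dst, "outcome": None}
    return None


def normalize_all():
    """Normalize every sample line and return the events in time order."""
    events = []
    for source, lines in (("sshd", SSHD_LINES), ("o365", O365_LINES), ("firewall", FIREWALL_LINES)):
        events.extend(ev for ev in (normalize(source, raw) for raw in lines) if ev)
    return sorted(events, key=lambda e: e["ts"])


def correlate_brute_force(events, threshold=3, window=timedelta(minutes=5)):
    """Rule: at least `threshold` failed logons for the same (src_ip, user) followed by a
    success within `window`, regardless of which source reported the individual events."""
    failures = defaultdict(list)
    alerts = []
    for ev in events:  # events must be time-ordered
        if ev["outcome"] is None:
            continue
        key = (ev["src_ip"], ev["user"])
        if ev["outcome"] == "failure":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"rule": "brute_force_then_success", "src_ip": key[0],
                           "user": key[1], "failures": len(recent), "ts": ev["ts"]})
        failures[key].clear()  # a success resets the counter for that pair
    return alerts


def threat_intel_matches(events, intel):
    """Group events by any indicator they touch as source or destination address."""
    hits = defaultdict(list)
    for ev in events:
        for ip in (ev["src_ip"], ev["dst_ip"]):
            if ip in intel:
                hits[ip].append(ev)
    return dict(hits)


if __name__ == "__main__":
    evs = normalize_all()
    for a in correlate_brute_force(evs):
        print("ALERT", a)
    for ip, matched in threat_intel_matches(evs, THREAT_INTEL_IPS).items():
        print(f"THREAT-INTEL {ip}: {len(matched)} event(s)")
```

Two things worth noticing in the output: the brute-force rule fires only for the sshd burst (three failures then a success), not for the single Office 365 failure, and the threat-intel check flags both the inbound SSH source and the outbound firewall connection to a listed address; without the normalization step those events could not be compared at all, since they arrive in three unrelated formats.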

Most companies report using at least five security products, which leaves even the best cyber-security personnel at a disadvantage, because threat assessment and identification require manual aggregation of those products’ output before action can be taken. CSM takes that once-siloed security data and funnels it into a single dashboard, allowing your security team to focus on responding to threats rather than researching them.

CSM was born from the National Institute of Standards and Technology’s Risk Management Framework (RMF), a six-step process for risk mitigation (categorize, select, implement, assess, authorize, monitor) in which continuous monitoring is the final step. Ken Durbin, Cyber & Continuous Monitoring Practice Manager with Symantec, puts it this way: “I take the NIST definition of continuous monitoring, which is roughly, a formalized process where an agency can define each of their IT systems, categorize them by risk level, apply the appropriate controls, and continuously monitor the controls in place and assess their effectiveness against threats in their environment.”


What Are CSM’s Main Areas of Focus? 

It’s important to remember that adopting CSM is not a panacea. Careful planning, departmental buy-in and a successful implementation all play critical roles. What’s more, the CSM technology only provides visibility; an intimate understanding of what is on your network and how those pieces normally interact is vital to getting value from that visibility.

That said, CSM tends to have the greatest impact for most companies and agencies in the following areas: 

  • Cyber attacks. As mentioned earlier, CSM can help with the early identification of attacks, which can significantly reduce their effectiveness and speed up system recovery. 
  • Change management. CSM helps organizations track system changes and updates, both planned and unplanned; an unplanned change can be an indication of a threat. 
  • Compliance. CSM can help entities remain compliant with regulations such as NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171), GDPR (General Data Protection Regulation) and FISMA (Federal Information Security Management Act of 2002), and produce the required documentation as needed.

By far, the cyber-attack threat environment is the deepest and most complex use case for CSM. 

While there's really no way to get out in front and prevent all attacks, an effective CSM deployment can provide insight into the active attacks against an organization, allowing it to make informed decisions to better protect its assets.

How is CSM Implemented? 

Thoughtfully, carefully and with the understanding that it’s not a “set it and forget it technology.” 

The first step is planning and auditing your current IT infrastructure. Again, continuous monitoring is only as effective as its inputs: if network documentation is out of date or missing, the CSM platform will be less effective.

The next step is deployment and baselining. Once the CSM tool is in place and gathering data, a baseline of normal behavior needs to be established before anomalies can be detected. This step often involves touching most servers on the network and can unveil errors that had previously gone undetected. By the end of this step the CSM tool should be receiving clean data and creating alarms only for legitimate concerns.
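As an added illustration of the baselining step, not code from the original article or from any product, here is a Python sketch of the statistical side: a per-host baseline (mean and standard deviation of daily failed-logon counts) is built from a constructed two-week history, and a new day's counts are scored against it. The host names and counts are made up. It also shows two things a practitioner tunes at this stage so that the tool alarms only on legitimate concerns: a floor on the standard deviation, so a near-silent host does not alarm on one extra event, and separate reporting of hosts that have no baseline at all, which is how an undocumented device surfaces during rollout.

```python
"""Added example (not from the original article or any CSM product): build a
per-host behavioural baseline from a training window and score a new day
against it. Host names and counts are constructed sample data."""
import statistics

# Constructed: failed-logon counts per host for 14 baseline days, one number per day.
BASELINE_HISTORY = {
    "web01": [2, 3, 1, 4, 2, 3, 2, 1, 3, 2, 4, 2, 3, 2],
    "db01":  [0, 1, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 1, 0],
    "hr-fs": [5, 6, 4, 7, 5, 6, 5, 4, 6, 5, 7, 5, 6, 5],
}
# Constructed: counts observed on the day under review. "printer-7" never appeared
# during baselining, i.e. it is missing from the asset inventory the baseline was built from.
TODAY = {"web01": 3, "db01": 9, "hr-fs": 6, "printer-7": 40}


def build_baseline(history, min_days=7):
    """Per-host (mean, population stddev). Hosts with too little history are left out
    rather than given a baseline built on a handful of days."""
    baseline = {}
    for host, counts in history.items():
        if len(counts) < min_days:
            continue
        baseline[host] = (statistics.mean(counts), statistics.pstdev(counts))
    return baseline


def score_day(baseline, observed, k=3.0, sigma_floor=1.0):
    """Return findings for one day's counts.

    A host is anomalous when its count exceeds the baseline mean by more than
    k standard deviations. `sigma_floor` caps how small the divisor can get, so a
    host that is normally silent (stddev near 0) needs a real jump, not a single
    extra event, to alarm. Hosts absent from the baseline are reported as
    unknown_host instead of being scored, because the right response is to fix
    the inventory (and then baseline them), not to raise an attack alarm.
    """
    findings = []
    for host, count in observed.items():
        if host not in baseline:
            findings.append({"host": host, "kind": "unknown_host", "count": count})
            continue
        mean, sd = baseline[host]
        z = (count - mean) / max(sd, sigma_floor)
        if z > k:
            findings.append({"host": host, "kind": "anomaly", "count": count,
                             "mean": round(mean, 2), "z": round(z, 2)})
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_HISTORY)
    for f in score_day(base, TODAY):
        print(f)
```

On the constructed data only db01 (nine failures against a baseline that averages well under one a day) and the never-seen printer-7 are reported; web01 and hr-fs stay within their normal range. Raising `k` or `sigma_floor` is the knob the text calls tuning until only legitimate concerns produce alarms.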

Your IT network touches every department and function within your organization, so it’s essential to get buy-in from all stakeholders and involve them, to one degree or another, in the integration. Key individuals should be identified as points of contact for their departments should security concerns arise that involve them. This requires a well-thought-out internal communications strategy, not only to ensure the right people are identified but also so that they know what to expect from the security team.

In addition, you’ll need to audit your current IT controls and assets. If you don’t know what devices and assets you have, you can’t keep them safe. Here are a few areas to catalogue before jumping in:

  • All devices that have access to the network 
  • All users and their level of access to the network
  • Patch and update management tools 
  • Anti-malware tools 
  • Network configuration management technologies 

Your organization must have its house in order before adopting a CSM platform. Remember, the platform aggregates inputs from your existing infrastructure and funnels it into a single source for analysis. The phrase “garbage in, garbage out” applies in this case. 

Finally, it’s absolutely critical to remember that once the monitoring platform is up and running, your work is not done. The CSM tool should be reviewed daily to address any alarms, new and emerging threats, and changes to the IT environment.

Is this Technology Right For You? 

That depends. In an ideal world, every organization would be able to implement CSM. The reality is that smaller businesses are no longer immune to attack or the unwanted attention of attackers. The threat is real for both smaller businesses and large corporations, and while the impact of an attack differs in scale, small businesses typically lack the resources to recover from a major data breach, whereas large corporations are usually able to recover.

Symantec’s Ken Durbin references Dr. Ron Ross at NIST, who specializes in information security and risk management. “Dr. Ross points out that it's not a matter of ‘if’, but ‘when’ systems will be compromised. There is no system on earth that is 100% safeguarded against being compromised at some point. So if we know that someday we're going to be compromised, we need to use the time now to make sure that we have a disaster recovery plan in place so that when we are compromised, the time to get back up and running, and the risk of data loss are minimized. Disaster Recovery often gets overlooked in some continuous monitoring shortcuts.”

The bottom line: inaction is not an option when it comes to defending your network against threats and compliance risks. A proactive approach, regardless of business size or budget, is essential. While a full-blown CSM platform might be too expensive for some companies, there are a host of options in the market that can improve your security posture.

We can help determine your best path forward for a cost that makes sense for your situation. Contact us today; we’d love to hear more about your organization.