Continuous security monitoring advances automated analysis

The world of cybersecurity is changing at lightning speed, which means it’s time to consider continuous security monitoring. Researchers discover and publish new vulnerabilities every week, and attackers quickly create automated exploit tools that exploit these vulnerabilities to gain access to corporate systems. Every time a new vulnerability hits the streets, the race is on for vendors to develop and release patches for administrators to apply before the first attack hits their systems.

Traditional approaches to vulnerability scanning run periodic scans of business systems looking for known vulnerabilities and adding them to a remediation task list. It is not uncommon for these scans to be run on a weekly or even monthly basis. Unfortunately, that is just not frequent enough to keep pace with modern threats. Today’s threat environment requires a continuous security monitoring (CSM) approach that integrates information from vulnerability scans with other sources of information to provide administrators with a real-time view of their security vulnerabilities.

Adding host monitoring agents

One of the most effective ways to improve vulnerability scanning results is to supplement traditional vulnerability scans with data gathered from agents running on every system in the enterprise. Most modern vulnerability scanners offer this agent-based capability, where a small software agent resides on each monitored system. The agent collects real-time security configuration information and reports it to the continuous security monitoring system. If a user or administrator changes a setting that could introduce a new vulnerability, the vulnerability is immediately flagged in the CSM console and the system can trigger an alert or take automated action.

Today’s threats require a continuous security monitoring approach that integrates information to provide administrators with a real-time view of vulnerabilities.

For example, if an administrator changes a host firewall rule to allow a new type of traffic on a server, this configuration change can be reported to the CSM system. The continuous security monitoring system can then automatically trigger a new system vulnerability scan that will detect any new vulnerabilities and insert them into the organization’s remediation workflow. This approach dramatically reduces the time it takes to detect the new vulnerability by initiating a scan immediately, rather than waiting for the next regularly scheduled scan.
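The firewall-change scenario above, as an added example that is not from the article or any vendor product: two consecutive agent reports for the same host are diffed, any newly allowed inbound service triggers an immediate targeted scan, and a remediation item is opened with a severity that depends on how widely the service is exposed. The report format, `queue_scan`-style state, and severity rule are assumptions made for this illustration.

```python
"""Added example (not part of the original article): turn a host firewall change
reported by a monitoring agent into an immediate targeted scan and a remediation
work item, instead of waiting for the next scheduled scan.

Assumptions (hypothetical, not a real product API): agents send JSON snapshots of
their inbound firewall rules; CsmState stands in for the CSM system's scan queue
and remediation workflow.
"""
import json
from dataclasses import dataclass, field
from typing import List, Set, Tuple

# Constructed sample: two consecutive agent reports for the same host.
# The second report adds an allow rule for TCP/3389 from anywhere.
BEFORE = json.dumps({"host": "web-01", "rules": [
    {"port": 443, "proto": "tcp", "action": "allow", "src": "0.0.0.0/0"},
    {"port": 22, "proto": "tcp", "action": "allow", "src": "10.0.0.0/8"},
]})
AFTER = json.dumps({"host": "web-01", "rules": [
    {"port": 443, "proto": "tcp", "action": "allow", "src": "0.0.0.0/0"},
    {"port": 22, "proto": "tcp", "action": "allow", "src": "10.0.0.0/8"},
    {"port": 3389, "proto": "tcp", "action": "allow", "src": "0.0.0.0/0"},
]})

Service = Tuple[int, str, str]  # (port, protocol, permitted source range)


def allowed_services(report: str) -> Set[Service]:
    """Reduce an agent report to the set of inbound services it permits."""
    rules = json.loads(report)["rules"]
    return {(r["port"], r["proto"], r["src"]) for r in rules if r["action"] == "allow"}


def newly_exposed(before: str, after: str) -> List[Service]:
    """Services allowed in the new report that were not allowed in the old one."""
    return sorted(allowed_services(after) - allowed_services(before))


@dataclass
class CsmState:
    """Stand-in for the CSM system's scan queue and remediation workflow."""
    scans: list = field(default_factory=list)
    tickets: list = field(default_factory=list)


def handle_agent_report(state: CsmState, host: str, before: str, after: str) -> List[Service]:
    """Process one change event: queue a scan of the changed ports and open tickets."""
    opened = newly_exposed(before, after)
    if not opened:
        return []  # no new exposure; nothing to do until the next scheduled scan
    # Scan only what changed, right now, rather than the whole host next week.
    ports = sorted({port for port, _, _ in opened})
    state.scans.append({"host": host, "ports": ports, "trigger": "firewall-change"})
    for port, proto, src in opened:
        # Assumed severity rule: exposure to any source is worse than a limited range.
        severity = "high" if src == "0.0.0.0/0" else "medium"
        state.tickets.append({
            "host": host, "service": f"{port}/{proto}", "source": src,
            "severity": severity, "status": "open",
        })
    return opened


if __name__ == "__main__":
    state = CsmState()
    print(handle_agent_report(state, "web-01", BEFORE, AFTER))
    print(state.scans, state.tickets)
```

The diff is computed on the set of permitted services rather than on raw rule text, so a reordered or re-commented rule set does not produce a false change event, while a new port or a widened source range does.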

Network monitoring data integration

System sprawl is a fact of life in modern business. Systems appear on the network faster than IT can identify them, and these systems may contain security vulnerabilities. Most organizations run routine network discovery scans that search their entire IP address space for undocumented systems. These scans are time-consuming, and they often fail to detect systems that are configured to stay quiet and do not respond to any network probes.

Network monitoring technology integrates with CSM systems to fill this gap. Even the stealthiest system needs to communicate on the network at some point, and network monitors can monitor network choke points, listening for traffic from unknown IP addresses. They can then trigger an automated vulnerability scan of the new system and initiate an asset documentation workflow that brings the system into the organization’s configuration management infrastructure.
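The choke-point monitoring described above, as an added example that is not from the article or any product: flow records are parsed, every internal source address is checked against the asset inventory, and each previously unknown host yields two actions, a vulnerability scan and an asset-onboarding item. The flow-record format, the inventory, the address ranges and the action names are all constructed for this illustration.

```python
"""Added example (not part of the original article): find unknown internal hosts
in network flow records and plan the follow-up scan and asset-onboarding work.

Assumptions (constructed for the example): flow records are one-per-line
key=value text, the asset inventory is a set of known IP addresses, and the
organization's internal address space is the two ranges below.
"""
import ipaddress
import re
from typing import Dict, List

INTERNAL_RANGES = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
INVENTORY = {"10.1.0.5", "10.1.2.3", "192.168.1.10"}  # constructed asset inventory

# Constructed flow records as a choke-point monitor might export them.
# 10.1.7.44 is internal but absent from the inventory; 203.0.113.8 is external.
FLOWS = """\
2018-03-05T09:00:01Z src=10.1.2.3 dst=10.1.0.5 dport=443 proto=tcp
2018-03-05T09:00:04Z src=10.1.7.44 dst=10.1.0.5 dport=443 proto=tcp
2018-03-05T09:00:09Z src=203.0.113.8 dst=10.1.0.5 dport=443 proto=tcp
2018-03-05T09:01:15Z src=10.1.7.44 dst=192.168.1.10 dport=53 proto=udp
2018-03-05T09:02:00Z this line is malformed and must be skipped
"""

LINE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)$")


def parse_flow(line: str):
    """Return (timestamp, src, dst, dport, proto) or None for unparseable lines."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, dst, dport, proto = m.groups()
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
    except ValueError:
        return None  # garbage address; skip rather than crash the pipeline
    return ts, src, dst, int(dport), proto


def is_internal(ip: str) -> bool:
    """True if the address falls inside the organization's own ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_RANGES)


def find_unknown_hosts(flow_text: str, inventory) -> Dict[str, dict]:
    """Map each undocumented internal source address to when it was first seen
    and which hosts it talked to. External sources are ignored: they are clients,
    not undocumented assets."""
    unknown: Dict[str, dict] = {}
    for line in flow_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, _, _ = rec
        if src in inventory or not is_internal(src):
            continue
        entry = unknown.setdefault(src, {"first_seen": ts, "peers": set()})
        entry["peers"].add(dst)
    return unknown


def plan_actions(unknown: Dict[str, dict]) -> List[dict]:
    """One targeted scan plus one asset-onboarding item per unknown host."""
    actions = []
    for ip, info in sorted(unknown.items()):
        actions.append({"action": "vulnerability-scan", "target": ip})
        actions.append({"action": "asset-onboarding", "target": ip,
                        "first_seen": info["first_seen"], "peers": sorted(info["peers"])})
    return actions


if __name__ == "__main__":
    for a in plan_actions(find_unknown_hosts(FLOWS, INVENTORY)):
        print(a)
```

Filtering on the organization's own address ranges is what keeps ordinary internet clients from being queued as "new assets"; a monitor placed on an internal choke point would still see them as sources.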

Vulnerability management remains an extremely important part of any organization’s cybersecurity program. Continuous security monitoring enhances these efforts by providing vulnerability management tools with real-time information about the presence and configuration of systems on the organization’s network.

This was last published in March 2018
