Cyber breaches are causing business executives all across organizations to take note. CISOs are getting questions from senior management, the Board of Directors, auditors, regulators, business leaders, and IT personnel. Responding to these questions often consumes far too many resources and distracts the security organization from their primary mission: actually ensuring security and compliance!
Rapid response to questions requires near real-time security posture data
Typically, they just want to know: How secure are we? What are our risks? What are our exposures? Are we exposed to this particular vulnerability in the news?
With data in so many places, responding to these questions is much more challenging than one might think. Higher-level trend and summary data can only be produced when all of the underlying detailed data is centralized and normalized. Without that, just determining how many servers might be vulnerable to a new exploit can take broad organizational cooperation and significant manual effort. And once a particular vulnerability is known to exist, the remediation status across all impacted systems can be just as elusive. The bottom line is that the CISO needs detailed, near real-time security posture data, even when the request is general in nature.
Consecutive scanning is not good enough
So where do you start? The foundation for effective security metrics is the maintenance of a current inventory of IT assets, both hardware and software (servers, workstations, mobile devices, network, storage, virtual and cloud infrastructure, and so on). Based on the IT asset inventory, the security organization should know how each asset is configured. Configuration settings are critical to knowing which controls are in place or not in place, and to determining an organization’s baseline security posture.
Even more important, a security organization needs to know what vulnerabilities exist and whether there are known exploits for those vulnerabilities, and to track patching status by asset type and asset criticality. The notion of scanning assets for configuration errors and vulnerabilities every three months or even monthly is no longer sufficient in today’s cyber security environment. Even starting one scan when the one before it completes is not enough. Some vendors call this “continuous scanning” but it is really just “consecutive scanning.” That can leave an exploitable vulnerability or misconfiguration active for hours or days—an eternity when the typical breach happens in seconds or minutes!
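The point of centralizing and normalizing the data (above) is that the "are we exposed to this vulnerability?" question becomes a query rather than a project. The following added example, which is not from the original article or any vendor product, reconciles a constructed scanner export with a constructed asset inventory and answers that question by asset criticality; the hostnames, the placeholder vulnerability IDs and the exploit list are all made up for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from any real environment): two sources a security team
# typically has to reconcile, a vulnerability scanner export and an asset inventory (CMDB).
SCAN_FINDINGS = [  # note the inconsistent hostname formats across scanner runs
    {"host": "WEB-01.corp.example", "vuln": "CVE-XXXX-EXAMPLE", "status": "open"},
    {"host": "web-01", "vuln": "CVE-XXXX-EXAMPLE", "status": "open"},
    {"host": "db-02.corp.example", "vuln": "CVE-XXXX-EXAMPLE", "status": "patched"},
    {"host": "lap-17", "vuln": "CVE-XXXX-EXAMPLE", "status": "open"},
    {"host": "legacy-09", "vuln": "CVE-XXXX-EXAMPLE", "status": "open"},
    {"host": "db-02", "vuln": "CVE-YYYY-EXAMPLE", "status": "open"},
]
INVENTORY = [
    {"host": "web-01", "type": "server", "criticality": "high", "internet_facing": True},
    {"host": "db-02", "type": "server", "criticality": "high", "internet_facing": False},
    {"host": "lap-17", "type": "workstation", "criticality": "low", "internet_facing": True},
]
EXPLOIT_KNOWN = {"CVE-XXXX-EXAMPLE"}  # constructed: vulnerabilities with a public exploit


def normalize(host):
    """Reduce hostnames from different tools to one key so they describe the same asset."""
    return host.strip().lower().split(".")[0]


def posture(vuln, findings=SCAN_FINDINGS, inventory=INVENTORY, exploits=EXPLOIT_KNOWN):
    """Answer: which assets are affected by `vuln`, what is their remediation status
    broken down by asset criticality, and which are actually exploitable right now?"""
    assets = {normalize(a["host"]): a for a in inventory}
    status = {}  # one row per asset; an 'open' finding from any scanner outranks 'patched'
    for f in findings:
        if f["vuln"] != vuln:
            continue
        h = normalize(f["host"])
        status[h] = "open" if "open" in (status.get(h), f["status"]) else f["status"]
    by_crit = defaultdict(Counter)
    for h, s in status.items():
        by_crit[assets[h]["criticality"] if h in assets else "unknown"][s] += 1
    return {
        "affected": len(status),
        "open": sum(s == "open" for s in status.values()),
        "by_criticality": {k: dict(v) for k, v in by_crit.items()},
        # the scanner sees these but the inventory does not: an inventory gap, not just a patch
        "not_in_inventory": sorted(h for h in status if h not in assets),
        # vulnerable, public exploit exists, and reachable: the ones to remediate first
        "exploitable_now": sorted(
            h for h, s in status.items()
            if s == "open" and vuln in exploits and assets.get(h, {}).get("internet_facing")
        ),
    }


if __name__ == "__main__":
    print(posture("CVE-XXXX-EXAMPLE"))
```

The "not_in_inventory" row is the one to watch: a host the scanner reports but the inventory has never heard of is exactly the blind spot that periodic scanning leaves open.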
Truly continuous network monitoring is a requirement today
Every security organization needs to see everything all the time; to know all IT assets that exist, to know how they are configured, to know which assets are vulnerable and actually exploitable, and to monitor the entire IT environment for new IT assets and unusual activity. This is only possible with truly continuous network monitoring. To learn more about what truly “continuous network monitoring” is, read this eBook by Steve Piper: The Definitive Guide to Continuous Network Monitoring.