The Known Network
How continuous monitoring protects complex environments by finding vulnerabilities as they occur
Your network can be secure one minute and insecure the next. Firewall misconfigurations, policy conflicts, new intrusions, or other changes are always emerging – and often going unnoticed. Continuous monitoring provides a way for businesses to have their fingers constantly on the pulse of their security status, so they can act without delay to prioritize and execute responses.
What is Continuous Monitoring?
Continuous monitoring is an ongoing awareness of the security status of the network, including vulnerabilities and threats.
Specifically, continuous monitoring helps organizations manage risk by:
- Continuously monitoring security enforcement point changes that could lead to unnecessary exposure, misconfiguration, unauthorized change and unacceptable risk
- Helping detect and mitigate security vulnerabilities
- Maintaining continuous compliance with industry standards
- Identifying threats and security holes in security policies
- Generating detailed reports for all periodic assessments
- Capturing valuable policy documentation to meet compliance assessment requirements
- Ensuring that policy changes adhere to existing requirements
- Recertifying all mandated firewall rules and configurations
- Providing actionable intelligence for remediation guidance
How Continuous Monitoring Works
Continuous monitoring looks at rule sets and compares proposed changes to a set of checks. These checks map to internal security policies, regulatory requirements, or any other requirements related to network security access controls.
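The comparison described above, sketched as an added example (not code from FireMon or any product named on this page). The rule format, network ranges, and check IDs are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int    # 0 means "any port"
    action: str  # "allow" or "deny"

ANY = ipaddress.ip_network("0.0.0.0/0")
CARDHOLDER_NET = ipaddress.ip_network("10.20.0.0/24")  # constructed segment
CLEARTEXT_PORTS = {21, 23}                             # FTP, Telnet

def _nets(rule):
    return ipaddress.ip_network(rule.src), ipaddress.ip_network(rule.dst)

def any_to_any(rule):
    src, dst = _nets(rule)
    return src == ANY and dst == ANY and rule.port == 0

def open_source_into_cardholder_net(rule):
    src, dst = _nets(rule)
    return src == ANY and dst.overlaps(CARDHOLDER_NET)

def permits_cleartext_service(rule):
    # An "any port" rule also lets the cleartext protocols through.
    return rule.port == 0 or rule.port in CLEARTEXT_PORTS

# Each check maps to an internal policy or a regulatory requirement (hypothetical IDs).
CHECKS = [
    ("INT-01", "internal policy: no any-to-any allow rules", any_to_any),
    ("CDE-01", "regulatory: no unrestricted source into cardholder segment",
     open_source_into_cardholder_net),
    ("SVC-01", "internal policy: no cleartext admin protocols", permits_cleartext_service),
]

def evaluate_change(proposed):
    """Return (rule name, check id, requirement) for every failed check."""
    return [(r.name, cid, req) for r in proposed if r.action == "allow"
            for cid, req, failed in CHECKS if failed(r)]

PROPOSED = [  # constructed change request
    Rule("web-to-app", "10.10.1.0/24", "10.10.2.0/24", 8443, "allow"),
    Rule("vendor-support", "0.0.0.0/0", "10.20.0.0/28", 22, "allow"),
    Rule("legacy-telnet", "10.10.1.0/24", "10.10.3.5/32", 23, "allow"),
    Rule("temp-debug", "0.0.0.0/0", "0.0.0.0/0", 0, "allow"),
    Rule("block-cde-out", "10.20.0.0/24", "0.0.0.0/0", 0, "deny"),
]

if __name__ == "__main__":
    for finding in evaluate_change(PROPOSED):
        print(finding)
```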
Who Needs Continuous Monitoring and Why?
Continuous monitoring is particularly important for businesses covered by a regulatory standard. All regulatory standards require constant compliance – there is no requirement that says, “Be compliant between 9-5, M-F,” or “Be compliant for most of yesterday.” Compliance is supposed to be always-on. Organizations such as retailers, healthcare organizations, utility and power businesses, and federal agencies and contractors that must adhere to PCI DSS, HIPAA, NERC, NIST, FedRAMP, GDPR, etc., therefore rely on continuous monitoring to prevent data breaches, penalties, potential litigation, and loss of reputation.
Continuous monitoring is also highly recommended for any enterprise running a hybrid environment. Hybrid environments are highly dynamic, with devices and endpoints joining and dropping throughout the day. As these changes occur, vulnerabilities can be created and defenses and compliance can be compromised. The only way to prevent these risks is to maintain visibility into network changes.
However, even organizations that are not concerned with compliance and do not use hybrid networks benefit from continuous monitoring. All businesses need an uninterrupted understanding of what is happening in their networks. Otherwise, they have no way of knowing whether their data and intellectual property are safe, their security measures are adequate, and their policies are working as intended.
Do You Know What’s in Your Network? Real-time and continuous, automated visibility across your entire network reduces your attack surface, eliminates data leaks, and ensures continuous compliance.
6 Best Practices for Continuous Monitoring
There are a number of ways to go about planning a continuous monitoring strategy, but most organizations take a risk-based approach, such as that defined in NIST SP 800-137. The NIST Risk Management Framework describes a 6-stage process for managing continuous monitoring.
- Categorize the underlying criticality and asset value of specific IT systems and data
Define and assign value to assets by analyzing data captured in vulnerability scanners. Reviewing this data allows you to quantify and prioritize the risk associated with the vulnerability of network assets.
- Select baseline security controls and apply device policies as directly related to overall risk
Enterprise networks are larger and more complex than ever with virtual data centers, cloud computing and mobility. Each additional component generates more security controls that must be implemented and tracked. Use a network security policy and risk management solution that improves your security posture by providing powerful configuration analysis and proactively reducing risk.
- Implement and validate effective controls that properly execute security policies
Choose a continuous monitoring solution that supports leading firewalls from Check Point, Cisco, Juniper, McAfee, and Palo Alto. It should also integrate seamlessly with vulnerability scanners, such as Qualys, Rapid7, McAfee, nCircle, and Nessus, so you can assess and define the vulnerability of underlying assets.
- Continuously assess all controls to be sure they are working in unison to maintain cross-infrastructure protection
Track and record configuration changes in an audit log. Most continuous monitoring solutions offer a built-in library of controls that enable customized security policy assessments, tracking of previous audit mitigations, and analysis of environment-specific risks.
- Authorize requests to alter network access and record all changes and their specific parameters
Track configuration changes and common failures by device and look for longer-term trends. Preview the potential impact of all changes before they are implemented in the production network to ensure changes meet network compliance standards. Once a change is implemented, document network changes with detailed reports and pinpoint which devices were changed, what was changed, and who made the changes.
- Monitor all required security controls at all times to maintain overarching policy compliance
Use real-time configuration change alerting to identify security policy violations. Automatically assess new device configurations for compliance. Immediately report configurations that fall outside the norm, ideally through push notifications to the security team’s mobile phones and email inboxes.
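The authorize, record, and alert steps above, as an added example (not taken from any vendor tool): it diffs two configuration snapshots per device, records what changed and who changed it, and flags changes with no approved request. Device names, rule text, users, and ticket IDs are constructed.

```python
BASELINE = {  # last approved snapshot: device -> rule id -> rule text
    "fw-edge-01": {"r10": "allow 10.10.1.0/24 -> 10.10.2.0/24 tcp/8443",
                   "r20": "deny any -> 10.20.0.0/24 any"},
    "fw-dc-02": {"r5": "allow 10.10.2.0/24 -> 10.10.4.10/32 tcp/5432"},
}
OBSERVED = {  # snapshot just pulled from the devices
    "fw-edge-01": {"r10": "allow 10.10.1.0/24 -> 10.10.2.0/24 tcp/8443",
                   "r20": "allow any -> 10.20.0.0/24 any",
                   "r30": "allow 10.10.1.0/24 -> 10.10.5.0/24 tcp/443"},
    "fw-dc-02": {},
}
APPROVED = {("fw-edge-01", "r30"): "CHG-1001",   # authorized change requests
            ("fw-dc-02", "r5"): "CHG-1002"}
COMMIT_LOG = {("fw-edge-01", "r20"): "mallory",  # who committed each change
              ("fw-edge-01", "r30"): "alice",
              ("fw-dc-02", "r5"): "bob"}

def audit_changes(baseline, observed, approved, commit_log):
    """Build one audit record per rule that differs between the snapshots."""
    records = []
    for device in sorted(set(baseline) | set(observed)):
        old, new = baseline.get(device, {}), observed.get(device, {})
        for rule in sorted(set(old) | set(new)):
            before, after = old.get(rule), new.get(rule)
            if before == after:
                continue
            kind = ("added" if before is None
                    else "removed" if after is None else "modified")
            records.append({
                "device": device, "rule": rule, "change": kind,
                "before": before, "after": after,
                "who": commit_log.get((device, rule), "unknown"),
                "ticket": approved.get((device, rule)),  # None = not authorized
            })
    return records

def unauthorized(records):
    """Changes with no matching approved request; these should raise an alert."""
    return [r for r in records if r["ticket"] is None]

if __name__ == "__main__":
    for rec in audit_changes(BASELINE, OBSERVED, APPROVED, COMMIT_LOG):
        flag = "ALERT" if rec["ticket"] is None else "ok"
        print(flag, rec["device"], rec["rule"], rec["change"], rec["who"], rec["ticket"])
```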
Must-Have Capabilities in a Continuous Monitoring Solution
There are many solutions that include some level of continuous monitoring, but they vary greatly in breadth and scope. Here are the features that are critical to providing visibility, enabling flexibility, and strengthening security:
- Real-Time Monitoring
Real-time monitoring uses data from across the network to feed a live stream of logs, configurations, changes, policies, vulnerabilities, etc. This provides a complete picture of what is happening in the environment at any given moment.
- Real-Time Security Analysis
Real-time security analysis gauges the efficacy of existing firewall policies, including comparative scoring, to understand current access enforcement.
- Policy Search
A strong policy search capability can quickly search all devices within the enterprise domain from a single place in the application.
- Traffic Flow Analysis
Use traffic flow analysis to understand network traffic behavior by tracing the source and destination of every rule in each of the existing firewall policies.
- Modeling and Testing
Model and test the impact of changes prior to implementation to ensure they do not create additional IT risks. This reduces time and increases efficiency while providing full documentation of all changes for compliance purposes.
- Scaled Data Ingest
Scaled data ingest flexes with surges, network changes and mutations, platform shifts, and traffic. This prevents slowdowns and blockages that would negate the benefits of real-time monitoring.
- Customizable Reporting
Customizable reporting provides flexibility to mix and match controls based on context, what’s being monitored, what actions are necessary, etc.
No More Mysteries in the Network
In today’s complex infrastructures, security gaps can go unnoticed. The point-in-time data that most organizations rely on is good for understanding a past event or demonstrating compliance, but it doesn’t help them make their networks more secure in the moment.
The only way to obtain actionable intelligence in a complex environment is through continuous and historic data at a scale that analyzes millions of vulnerabilities in seconds. Armed with this information, organizations can proactively secure their assets and make better decisions about security responses and investments.
FireMon is the only agile network security policy management platform that integrates real-time, continuous visibility across your entire network, to reduce your attack surface, eliminate leak paths, and ensure compliance.