Continuous Monitoring: Get it RightStrategy Starts With Understanding the Task's Scale
Too many organizations misunderstand exactly what continuous monitoring is, says Centrify's Matt Hur, who offers insights on how to deploy continuous monitoring solutions for the best results.
Defining continuous monitoring is one common challenge; understanding its scale is another.
"Federal agencies' IT environments are very large and complex, and continuous monitoring requires a great deal of visibility," says Hur, senior director of product management at Centrify Corporation. "You're not just saying 'what happened?' like you might get from reviewing log files, but also [getting] visibility with respect to the context of what happened."
The scale issues become: How to manage so much data; and how to associate that data in the appropriate context?
"You can imagine that if you have thousands of systems and log files to look through, there's only so much a systems administrator can review in a particular day," Hur says. "And that presents a fairly large challenge."
In an exclusive interview about maximizing continuous monitoring, Hur discusses:
- Common challenges organizations face;
- How to prepare your environment for continuous monitoring;
- Tips to ensure you get the best results.
Hur has held senior product management and technical positions at Cisco, Microsoft, and other public and private companies where he was responsible for growth and innovation in network, software, and online services products and technologies. He holds multiple patents in the area of distributed security, and he has co-authored multiple security standards that have been widely adopted and deployed. He has been an invited speaker, panelist, and program committee member at multiple industry and professional conferences and events.
TOM FIELD: To start with, what do you find is most misunderstood about continuous monitoring?
MATT HUR: Continuous monitoring really implies a process, a way of approaching the problem of managing security controls. The term continuous monitoring may be construed to mean one should have a set of scheduled reports, for example. However, continuous monitoring really implies a process of verifying that security policies that are authored are then enforced as intended and that appropriate actions, remediation or adjustments may be made. In this sense, continuous monitoring is a continuous process that's part of the lifecycle of security control.
FIELD: Let's talk about this in the context of government agencies, and specifically to data centers. What have you found to be the challenges that agencies have when they're trying to apply continuous monitoring to their data centers?
HUR: I think the biggest challenges arise from issues of scale. Federal agencies' IT environments are very large and complex, and continuous monitoring requires a great deal of visibility, not just saying what happened, like you may get from just reviewing log files, but also visibility with respect to the context of what happened. Scale, there are a few issues. One is how to manage so much data and two is how to associate that data in the appropriate context. You can imagine that if you have thousands of systems and log files to look through, there's only so much that a system administrator can review in a particular day, and that presents a fairly large challenge.
FIELD: How should organizations prepare their security controls for their environment for continuous monitoring?
HUR: They need to look at what they can do to simplify and streamline their security controls. A lot of complexity comes from having different non-integrated processes and security control mechanisms. This often comes from the fact that data centers are heterogeneous. And in fact, this is a good thing because it allows an organization to address a number of requirements that could not be met with a one-size-fits-all approach. The key is to have consistent and easily managed security controls across the heterogeneous data center environment.
I guess if I had to sum it up succinctly, I'd say that they need to reduce the number of silos and swivel-chair administrations by centralizing the way the security controls are authored as opposed to enforced, which we would expect to be distributed in a very large environment, and they need to put the concept of least privilege in the practice in a way that simplifies centralized control and visibility.
FIELD: One of the things we don't hear often enough when it comes to continuous monitoring is about skills. What are the skills that organizations need in place to do effective continuous monitoring?
HUR: I'd make a few comments here. First of all, organizations should look at how they can leverage skills they already have in place. If there are ways to leverage and extend their existing skill set, then advancing the security controls and continuous monitoring capabilities becomes much more evolutionary than what you might term a forklift upgrade.
The second point I'd make is that aside from "skills," organizations should look at a mindset for how the cycle of control and visibility, and principles like least access, are part of the security control and continuous monitoring process.
FIELD: To follow up on a couple of points we've talked about here, we've discussed what organizations need to do to prepare their environment. We've talked about the skills and the mindset. With these in place, how do they then ensure that they get the best results from their efforts?
HUR: They should first address how they can simplify their environment in order to assure that they can apply security controls consistently. And the obvious example would be to centralize identities. Depending on how this is approached, this could be a very large task. But here's where the right tools can really be a great help.
Next, they should focus on how they apply security controls consistently across the variety of systems, applications and endpoints used in federal agencies.
FIELD: Certainly Centrify Corporation has done a lot of work with federal agencies. What do you find to be some of the specific challenges that your customers have faced related to continuous monitoring?
HUR: Our customers face security and auditing challenges due to - like I said before - the heterogeneous data center environment. They have a mix of Windows, Unix and Linux, where they must streamline the way they set authentication and authorization policies, whether that be for a physical or virtual environment.
For example, one common challenge is the existence of local accounts on Unix systems. Unix presents issues with setting and managing consistent security controls, and it presents an auditing and compliance issue. Now, our customers also face similar challenges with being able to set up and manage consistent endpoint security controls across mobile devices like Apple iOS, Android, MacBook and Windows.
FIELD: Let's go to the next step now and talk about how your customers specifically have deployed your product. What results have they seen from those efforts?
HUR: Customers have leveraged Centrify along with Active Directory to implement security controls based upon risk-based management principles, but they've been able to unify identities, enforce the principle of least privilege access through Centrify's roles-based model and simply management of the security controls by leveraging Centrify's own, which provides a very efficient, hierarchal model, as well as the ability to delegate administrative permission into the most appropriate personnel.
Now, because Centrify integrates and details near real-time capture of user sessions, organizations are getting much more immediate assessments on the effectiveness of their security controls. And customers are also leveraging Centrify to lockdown, like I said before, Mac and mobile devices. In addition to that, they enforce the use of smart cards on Mac and Linux workstations and make user tools in combination with security information and event management products to increase visibility into their operational environment that was not possible through just basic log-file viewing.
FIELD: If you were to boil it down, what advice would you offer to government security leaders looking to get the most out of their continuous monitoring?
HUR: I think it comes down to a few points. First, use data center consolidation and cloud security initiatives to unify security controls in your environment. Think about how identity and privilege can be centralized as your agency proceeds with data-center consolidation, cloud-first and share-first initiatives.
Another point I'd make is to take advantage of and leverage an existing scalable infrastructure like Active Directory, combined with the right cross-platform tools, to secure and manage your heterogeneous environments, whether they're physical or virtual, to ensure that users log in as themselves and to enforce the policy of least privilege.
The last point I'd make is to ensure that monitoring approaches capture enough detail in the context of how users actually access resources, showing not just events but the intent and impact of user actions. This will ensure your continuous monitoring program can assess baseline security controls and therefore lead to implementation of improved controls that provide user authorization based on least-privilege principles.