As discussed in our previous post, “Cultivating a Continuous Assessment Mentality,” individuals and organizations interested in achieving a robust cybersecurity program capable of adapting to the ever-changing environment must move toward a mindset of continuous assessment of cybersecurity posture.
While no one would argue that a real-time view of security posture and continuous monitoring of threats and vulnerabilities is what we should all be aiming for, actually attaining this vantage point over all security controls is something else entirely.
Pushing back against a continuous assessment model is understandable when the implementation can be so overwhelming. Where do you start? How do you afford it? How do you manage what seems like the impossible? This article aims to provide a strategy for moving the needle in the right direction while acknowledging that the target is always shifting.
One of the first steps in implementing a continuous monitoring approach is to determine what to monitor continuously. You’ll need an exhaustive inventory of assets and, according to the CARTA model, a healthy distrust in the security of all of them. You’ve got to know everything you are trying to protect and where obvious vulnerabilities lie before you can even begin to strategize how to assess risk continuously.
The reality that resources are limited means that you will also have to prioritize. Unfortunately, the already daunting task of securing all assets at all times has become even more challenging thanks to the coronavirus pandemic and consequent dispersal of the people and technology that need protecting. Start by making decisions about what is most important to protect and where your defenses are most vulnerable. Triangulating these two factors will provide a sense of direction.
Prioritizing, likely with input from the C-suite, will make allocating resources, directing personnel, and choosing tools and technologies to move toward continuous assessment easier. Knowing your priorities will also make the prospect of continuous assessment less daunting.
Once assets are accounted for with a “zero trust” perspective and you’ve prioritized where to start focusing efforts, the next step is to establish a baseline to work from in identifying threats on an ongoing basis. What data points need to be monitored to help flag threats? In order to catch the blips that might indicate a problem, you’ll have to have a strong view of normal interactions with the data and within the ecosystem you are protecting.
Some data may have to be gathered manually, but the goal is to implement processes and use tools that scan automatically and constantly provide information. Having all the information you can get about security posture at regular intervals is the key to identifying vulnerabilities and active attacks. Consider what programs, platforms, tools, or people you need to check the data points that will provide the insight necessary to assess the risk to your prioritized programs and data.
The point of continuous assessment is to have the information necessary to make timely decisions to combat active threats or, better yet, spot vulnerabilities before they are exploited. Collecting a massive amount of data about the assets and systems in an ecosystem is key but only as far as it can effectively inform decision making. The data requires analysis to calculate risk.
Some of that calculation will likely require human attention—professionals who can look at the collected data and spot changes and issues. However, continuous assessment requires constant analysis, and just managing and tracking manual analysis will require cataloging systems. The key to ramping up continuous monitoring (CM) efforts is automating analysis of data and risk calculation so time and effort can be spent responding to threats rather than just trying to identify them.
Investing in automated risk calculation—whether it’s time spent building or budget spent purchasing the necessary tools—will reap dividends toward making continuous assessment possible.
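To make the three ideas above concrete (prioritizing by triangulating importance against exposure, establishing a baseline so that blips stand out, and automating the risk calculation), here is a small added example in Python. It is not code from the original post or from PlexTrac; the asset names, criticality and exposure scales, baseline values, and scan results are all constructed for illustration, and the scoring formula is one simple choice among many, not a standard.

```python
"""Added example (not from the original post): one cycle of a continuous-assessment
loop over a constructed asset inventory. It prioritizes assets by triangulating
business importance against exposure, compares a fresh scan with each asset's
baseline to flag blips, and turns the result into a risk score a team can act on.
All names, scales and values below are constructed for illustration."""

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    criticality: int   # 1 (low) .. 5 (crown jewel); set with business/C-suite input
    exposure: int      # 1 (internal only) .. 5 (internet-facing); from the inventory
    baseline: dict = field(default_factory=dict)  # last reviewed "normal" state


# Constructed inventory: the things we are trying to protect and how exposed they are.
INVENTORY = [
    Asset("payroll-db", 5, 2, {"open_ports": [5432], "critical_cves": 0, "admin_accounts": 2}),
    Asset("marketing-site", 2, 5, {"open_ports": [80, 443], "critical_cves": 0, "admin_accounts": 1}),
    Asset("build-server", 4, 3, {"open_ports": [22, 8080], "critical_cves": 1, "admin_accounts": 3}),
]

# Constructed output of one automated scan cycle, keyed by asset name.
SCAN = {
    "payroll-db": {"open_ports": [5432, 3389], "critical_cves": 0, "admin_accounts": 2},
    "marketing-site": {"open_ports": [80, 443], "critical_cves": 2, "admin_accounts": 1},
    "build-server": {"open_ports": [22, 8080], "critical_cves": 1, "admin_accounts": 3},
}


def priority(asset: Asset) -> int:
    """Triangulate what matters most with where defenses are weakest."""
    return asset.criticality * asset.exposure


def prioritize(inventory: list[Asset]) -> list[Asset]:
    """Highest priority first; this is where monitoring effort goes first."""
    return sorted(inventory, key=priority, reverse=True)


def deviations(asset: Asset, observed: dict) -> list[str]:
    """Compare one scan against the asset's baseline and name every blip."""
    findings = []
    new_ports = set(observed.get("open_ports", [])) - set(asset.baseline.get("open_ports", []))
    if new_ports:
        findings.append(f"new open ports {sorted(new_ports)}")
    for key in ("critical_cves", "admin_accounts"):
        if observed.get(key, 0) > asset.baseline.get(key, 0):
            findings.append(f"{key} rose from {asset.baseline.get(key, 0)} to {observed[key]}")
    return findings


def risk_score(asset: Asset, observed: dict) -> int:
    """Automated risk calculation: priority, amplified by each deviation from normal."""
    return priority(asset) * (1 + len(deviations(asset, observed)))


def assess(inventory: list[Asset], scan: dict) -> list[dict]:
    """One assessment cycle: score every asset and return the riskiest first."""
    report = []
    for asset in prioritize(inventory):
        observed = scan.get(asset.name)
        if observed is None:
            # An asset that stopped reporting is itself a blip worth a human look.
            report.append({"asset": asset.name, "score": priority(asset) * 2,
                           "findings": ["no scan data this cycle"]})
            continue
        report.append({"asset": asset.name, "score": risk_score(asset, observed),
                       "findings": deviations(asset, observed)})
    return sorted(report, key=lambda r: r["score"], reverse=True)


def accept_as_baseline(asset: Asset, observed: dict) -> None:
    """After a finding is reviewed or remediated, what counts as 'normal' moves with it."""
    asset.baseline = dict(observed)


if __name__ == "__main__":
    for row in assess(INVENTORY, SCAN):
        print(f"{row['asset']:<15} score={row['score']:<3} "
              f"{'; '.join(row['findings']) or 'within baseline'}")
```

With the constructed data, the inventory alone ranks build-server first (criticality 4 × exposure 3), but once the scan is compared against the baselines, payroll-db (a new listening port) and marketing-site (new critical CVEs) jump ahead of it, which is the point of the baseline: priority tells you where to look, deviation tells you when. An asset that drops out of the scan entirely is scored as if it had a finding, since silence is not evidence of safety. `accept_as_baseline` is the management step: a reviewed change becomes the new normal so the same blip is not raised every cycle.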
Continuous assessment of security posture requires constant collection of data, analysis of what it means, and evaluation against standards of acceptable risk for a given organization or enterprise. This process necessitates automating as many steps as possible.
Identifying and investing in the people and platforms that effectively automate is imperative. But beyond just automating steps, successful continuous assessment also requires integrating the constant flow of information from all the sources into something that can be managed and acted upon by a cybersecurity professional or team of professionals.
The last step in implementing a continuous assessment model in a cybersecurity program is effectively managing continuous assessment. Tracking, managing, communicating about, and actually remediating continuously is the real goal. Don’t neglect to invest in a platform—like PlexTrac—that provides a real-time view of security posture and enables the action necessary to improve and defend it.
Continuous assessment is hard. It’s a process that will require not only embracing a new mindset but also working in new ways. Despite the challenge, a methodical approach to implementing a continuous assessment model in your cybersecurity program can make it manageable. In the long run, investment now will pay dividends in the future.