There appears to be a lot of ambiguity and confusion within the security industry about what exactly constitutes “continuous” when discussing Continuous Monitoring.
Defining "Continuous" in Continuous Monitoring
Continuous Monitoring is a broad term: while it covers the eleven different security domains defined in NIST SP 800-37, it can be applied in different ways to different technology in order to monitor different aspects of the same system. The ambiguity is very similar to the “Real-Time” argument, in that the term is open to interpretation depending upon the context in which it is used. The Merriam-Webster dictionary defines continuous as “marked by uninterrupted extension in space, time, or sequence”. Given that definition, Continuous Monitoring could be taken by different people to mean once a year, once a month, once a week, once a day, and so on.
As Defined by NIST SP 800-137
In relation to NIST, “continuous” monitoring is defined in NIST SP 800-137 as “security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information.”
In many cases today, auditing internal infrastructure devices to identify best practice violations can happen as frequently as once a week with automation, or as infrequently as once a year if only considered during an annual, manually driven IT audit.
CONTINUOUS CONTROL MONITORING
A manual process for tracking changes to infrastructure devices and systems can be reasonably effective (if every change is tracked correctly) when the network is small and employs a flawless change control and risk validation process – in addition to plenty of highly skilled IT staff. Networks with fewer than fifty devices and supporting a few hundred servers and hosts will quickly fall out of Continuous Monitoring for Compliance using the manual approach – IT resources will never keep up. Unfortunately, the weakest link in this scenario is typically the human element: changes often go undocumented, exposure is incorrectly assessed, and changes frequently fail to be validated once implemented. This is why manual infrastructure audits are rarely more frequent than an annual company event.
System and application control monitoring is a much simpler problem to administer, monitor and maintain than a sprawling, geographically dispersed network infrastructure – which is often the reason for network compromise in the first place. Access to the network device infrastructure is one of the most fluid and dynamic challenges in IT security – with constant changes to Access Control Lists (ACLs) and firewall rules needed to keep pace with organizational requirements. The question is, can anyone (or anything) successfully maintain visibility into end-to-end network risk if the network is so complex that even change cannot be effectively tracked and validated? And if access can be managed successfully, how frequent does the “continuous” in Continuous Control Monitoring need to be in order to be truly effective? Yearly manual evaluations are clearly not working, so automation can help bridge the gap and bring the interval down to less than a week – even a day, depending on the size and scope of the monitored control environment.
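As an added illustration of what automated Continuous Control Monitoring looks like at the ACL/firewall-rule level (example code, not part of the original article or any particular product), the script below diffs the current rule set against the last approved baseline, flags changes with no matching change ticket, and reports when the control has gone longer than the chosen interval without assessment. All rule sets, ticket ids and timestamps are constructed sample data.

```python
# Added example (not from the original article): a minimal continuous control
# monitoring check for firewall/ACL rules. It diffs the current rule set against
# the last approved baseline, matches each change to an approved change ticket,
# and flags the control as overdue when the assessment interval is exceeded.
# All rule sets, tickets and timestamps below are constructed sample data.
from datetime import datetime, timedelta

BASELINE = {  # rule id -> rule text, as approved at the last assessment
    "acl-10": "permit tcp 10.0.1.0/24 -> 10.0.2.10 port 443",
    "acl-20": "permit tcp 10.0.1.0/24 -> 10.0.2.11 port 22",
    "acl-30": "deny ip any -> any",
}
CURRENT = {  # rule id -> rule text, as pulled from the device now
    "acl-10": "permit tcp 10.0.1.0/24 -> 10.0.2.10 port 443",
    "acl-20": "permit tcp any -> 10.0.2.11 port 22",             # widened, no ticket
    "acl-25": "permit tcp 10.0.3.0/24 -> 10.0.2.12 port 3306",  # new, ticketed
    "acl-30": "deny ip any -> any",
}
APPROVED_CHANGES = {"acl-25": "CHG-1042"}  # rule id -> change ticket (constructed)


def diff_rules(baseline, current):
    """Return {rule_id: (old, new)} for added, removed and modified rules."""
    changes = {}
    for rid in set(baseline) | set(current):
        old, new = baseline.get(rid), current.get(rid)
        if old != new:
            changes[rid] = (old, new)
    return changes


def unvalidated_changes(changes, approved):
    """Changes with no matching change ticket: the undocumented-change case."""
    return {rid: chg for rid, chg in changes.items() if rid not in approved}


def assessment_overdue(last_assessed, now, max_interval):
    """True when the control has gone longer than the chosen interval unassessed."""
    return now - last_assessed > max_interval


if __name__ == "__main__":
    changes = diff_rules(BASELINE, CURRENT)
    for rid, (old, new) in unvalidated_changes(changes, APPROVED_CHANGES).items():
        print(f"UNAPPROVED {rid}: {old!r} -> {new!r}")
    last, now = datetime(2024, 1, 1), datetime(2024, 1, 10)
    print("overdue:", assessment_overdue(last, now, timedelta(days=7)))
```

Run on a schedule (hourly or daily), this is the kind of check that turns an annual manual audit into a monitoring interval measured in days.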
CONTINUOUS TRANSACTION INSPECTION
A different challenge from audit and control monitoring, Transaction Inspection is a less complex and more mature concept than Continuous Control Monitoring for the infrastructure, thanks to financial requirements. The “Continuous” timeline argument meets the tip of the spear here, as Transaction Inspection systems can typically process hundreds or thousands of transactions a second. It is no less important, however: in IT security terms it provides a detective element that complements the preventative elements of audit and control monitoring. Should the preventative controls fail for any reason, the detective element in the form of Transaction Inspection is there to catch what was missed.