WP FM Continuous Cyber Situational Awareness
SITUATIONAL AWARENESS
Continuous monitoring of security controls and
comprehensive cyber situational awareness are the
building blocks of proactive hybrid cloud security
Executive Summary
Successful cyber security programs require complete cyber situational awareness. For
enterprises that are embracing the cloud, this means having comprehensive visibility
into assets and activities throughout hybrid cloud networks. Cyber situational awareness
enables security and network professionals to predict and defeat cyber-attacks by
recognizing threats originating outside an organization as well as vulnerabilities
and threats emerging from within. The foundation of this awareness is continuous
monitoring that produces visibility in real-time across the hybrid network and all of its
connections and devices.
A comprehensive continuous monitoring program provides essential, near real-time
security status-related information. It allows an organization to track the security state
of a system on an ongoing basis and maintain the security authorization for the system
over time. Maintaining the security state of information systems in highly dynamic
environments that include cloud, virtual, physical, and software-defined network
infrastructure, as well as endpoints and operational technology (OT) / Internet of Things
(IoT) is particularly challenging.
To meet this challenge, organizations use a variety of threat and vulnerability monitoring
tools. Although they may be effective at performing targeted tasks, such tools typically
cannot provide complete visibility into the threat landscape. Security and network
professionals therefore need a continuous cyber situational awareness program
that leverages investments in existing tools while introducing new approaches to
network visibility and data analytics to achieve real-time, accurate, advanced threat
detection and incident response for hybrid environments.
This paper provides an overview of the concept of continuous monitoring, describes
how to achieve continuous monitoring, shows why automation is critical to continuous
monitoring and reporting, and summarizes the impact of the proliferation of new
technologies on an organization’s security and risk postures. The paper then
discusses FireMon’s approach to continuous monitoring through real-time network
and cloud discovery, topology mapping, and leak discovery, and how it delivers vital,
comprehensive visibility to security and network professionals.
Introduction
Comprehensive cyber situational awareness is foundational to effective hybrid
network security.
Cyber situational awareness involves the collection, correlation and analysis of
information to produce a common operational picture of the entire hybrid cloud
environment, including:
Without a means to obtain holistic cyber situational awareness, security and network
professionals largely rely on locally focused specialty products, such as intrusion
detection systems (IDS), and manual data analysis from complex systems such as
network management suites to gain a level of insight into the network infrastructure.
But monitoring only specific parts of the network without visibility into the state of the
network as a whole leaves inherent gaps in defenses.
Many organizations have determined that while traditional security monitoring
systems can help information assurance efforts, they are rarely adequate for today’s
external, targeted, persistent attacks. As a result, enterprises are beginning to replace
point-in-time audits and compliance checks with continuous monitoring programs to
help them prioritize controls and provide visibility into current threats.
The National Institute of Standards and Technology (NIST) has been a thought leader
in the development of information security standards. The NIST Special Publication
800 series [1] of cyber security standards has become the de facto standard for
securing network data systems in the United States and many other countries.
Leading IT security regulators employ the key concept of managing and tracking the
security state of information systems – moving away from point-in-time snapshot
testing of security infrastructure effectiveness to continual analysis of the ability of
security systems to protect critical assets and data.
[1] http://csrc.nist.gov/publications/PubsSPs.html
[2] NIST Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, published September 2011
[3] http://www.nist.gov/manuscript-publication-search.cfm?pub_id=909726
NIST defines six components – the Risk Management Framework (RMF) – that
work together to provide comprehensive guidance on how to implement continuous
monitoring into the security lifecycle (illustrated in Figure 2). The RMF emphasizes
the importance of near real-time risk management through strong and effective
continuous monitoring processes. It also encourages the use of automation to give
top-level management the critical information needed to make cost-effective, risk-
based decisions that support their primary missions and business processes.
[Figure 2 (diagram): the Risk Management Framework cycle, SP 800-39 at its centre. Steps shown: CATEGORIZE Information System (FIPS 199/SP 800-60), with the callout "Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business"; SELECT Security Controls (FIPS 200/SP 800-53); IMPLEMENT Security Controls (SP 800-70/many other SPs); ASSESS Security Controls (SP 800-53A); AUTHORIZE Information System (SP 800-37); MONITOR Security State (SP 800-53A/SP 800-137).]
Figure 2: Continuous Monitoring and the Risk Management Framework proposed at NIST [4]
[4] http://csrc.nist.gov/groups/SMA/forum/documents/Forum-121410-Continuous-Monitoring-AJohnson.pdf
» NIST Special Publication 800-37, Rev 1, Guide for Applying the Risk
Management Framework to Federal Information Systems, published
February 22, 2010
[5] CESG (Communications-Electronics Security Group), the United Kingdom's National Technical Authority for Information Assurance (IA).
Although details of the mandates and regulations differ, they share common
policy requirements with respect to continuously monitoring security controls and
boundaries around sensitive network data.
GOVERNMENT AGENCIES
The information and systems agencies need to protect are critical to the nation and national
security. FISMA regulations now mandate continuous monitoring of security controls.
FINANCIAL SERVICES
Ensuring the integrity of financial transactions to guard against fraud, error and
misuse is a daily essential.
As hybrid networks become the norm, they can be complex, fragmented and
unpredictable. Organizations should consider the gaps in network visibility that these
technologies introduce. IT professionals should review their security architecture,
policies and processes in order to implement strategies that bridge these gaps.
Guidance from the Cloud Security Alliance (CSA) calls for a concerted continuous
monitoring effort of a cloud provider’s environment, operations, and governance-
related activities, such as updating information security. The CSA advises
implementing a systematic vulnerability scanning and mitigation program for
provider systems and networks, and continuously monitoring for data protection and
unauthorized activities in the cloud. For organizations using a public cloud provider,
it is the provider's responsibility to monitor its own log data (e.g., host audit logs,
firewall logs). Understanding the provider's policies and establishing alerting criteria
and procedures is critical.
With the predicted growth in cloud adoptions over the next few years, it is important
to develop a continuous monitoring program with the cloud in mind. In the U.S.
federal government, continuous monitoring requirements are the same for federal
agencies and any external service providers (e.g., cloud service providers) used by the
agencies. To receive reauthorization of a Federal Risk and Authorization Management
Program (FedRAMP) security authorization from year to year, cloud providers must
monitor their security controls, assess them on a regular basis, and demonstrate that
the security posture of their service offering is continuously acceptable.
[6] www.sans.org/critical-security-controls
ZONES
Lumeta allows for the creation of zones so that an organization can segment
continuous compliance monitoring of network access controls for compliance with
regulatory and internal information security policies. Zones can be as simple or as
complex as an organization defines them and can comprise logical networks and
subnets, regardless of where they are physically deployed around the world.
Figure 4: Lumeta is a necessary foundation for continuous monitoring and comprehensive cyber situational
awareness. It integrates with an organization’s existing products, such as VM, SIEM and NAC. Network, security
and compliance products can only be fully effective when operating with 100% network visibility.
Continuous monitoring using Lumeta provides a complete view of network assets and connections to
monitor network availability and assess business impact due to network changes. Lumeta is an effective
means for both data capture and data analysis to support real-time, risk-based decision making.
About FireMon
FireMon delivers continuous security for hybrid
enterprises through a powerful fusion of vulnerability
management, compliance and orchestration. Since
creating the first-ever network security policy
management solution, FireMon has continued
to deliver visibility into and control over complex
network security infrastructures, policies, and risk
postures for more than 1,700 customers around the
world. For more information, visit www.firemon.com.