Continuous Diagnostics and Monitoring (CDM) is many things, and simultaneously is not a thing at all. It is not a process, a tool, or a library of best practices. It is a state of being. It is about being secure, being mindful of risks, being able to respond quickly to the inevitable threats you will face, being prepared for the worst-case scenario, and being able to prove that you have achieved this state. The road to this state of being has no end; it is an ongoing journey with many twists and turns; it is long and arduous. In the grand scheme of things, however, it is absolutely necessary.
A rational look at today’s threat landscape
Hackers are experts in every available operating system, every mainstream middleware vendor, reverse engineering, encryption, cracking, networking, programming, phishing, viruses, social engineering, and so on. Thanks to botnets, they have unlimited resources and computing power. They are creating malware that 10 years ago would have been the unrealistic plot of a sci-fi movie. The worst part: they are extremely well organized. Libraries of viruses, malware, exploits, and vulnerabilities are shared between hackers for little or no cost. Your private and business information assets (if not already out there in the dark corners of the internet) are unquestionably worth something to someone. No person, business, or government is out of harm's way. Are you concerned about the security of your most valuable business assets? If not, you should be. If so, here are some questions you most likely have already been asking:
- If your IT Operations and Security organizations were audited today to prove that you are collecting, correlating, and acting upon all of the data available to you, how long would it take you to present this data? How much would the preparation of this information cost you?
- If a hacker exploited any one of the thousands of unknown vulnerabilities to gain access to your applications or infrastructure, how would you detect the threat? How would you identify the root cause and mitigate the new vulnerability?
- How would you correlate a seemingly normal application performance issue with a security incident? How much would it cost you each hour that this correlation was not made for a critical application?
- Do your change, configuration, security, and operations organizations work as a cohesive unit in mitigating risks? Are they on the same page with regard to the threats that you face? Are they even reading from the same book?
The Continuous Diagnostics and Monitoring requirements
Now let's have a high-level look at some of the requirements of Continuous Diagnostics and Monitoring, and see how they might help us answer these questions (take a deep breath before continuing). To protect your business you will need the following:
- Intrusion detection and prevention
- Network discovery, monitoring, and automation
- Virus and malware scanning
- Vulnerability scanning for infrastructure and applications (in real time)
- Application performance monitoring by virtual users and real end users
- Infrastructure monitoring
- Data loss protection
- Identity-based security management
- Asset and configuration management databases
- Change management system
- Predictive analysis monitoring (monitors for variances from baselines)
- Deep level application diagnostic monitoring
- Log retrieval and archival for everything already mentioned
- A way to store all of this data in such a way that you can report accurately on the past, the present, and the future
- Real-time dashboard and alerting
- An integration point for everything mentioned above (oh yeah, it needs to be able to correlate all of this data, too)
Perhaps you already have some or all of these tools in your belt, at least in some form. Then you're headed in the right direction! Even so, they need to be tightly integrated, controlled, archived, searchable, and reportable. Now what?
The “End of Silos”
Interestingly enough, the most important aspect of CDM is going to be the most commonly overlooked one. It is also the best place to begin this journey, and is the cheapest component of everything mentioned so far. Some call it a holistic and cohesive IT organization; some call it non-existent. I like to call it EoS, or the "End of Silos." This does not mean that everyone is going to exchange hats once a day, or sacrifice expertise in one function for a broader understanding of all functions. It simply means that every organization in your IT department (and for that matter, every organization that touches something your IT department owns) needs to start speaking the same language, reading the same book, and being on the same page. You cannot afford an end user responding to a phishing email with their credentials any more than you can afford your security operations removing themselves from the rest of IT (the same goes for change, config, infrastructure, and all of the other groups that like to operate within their own guidelines).
In the ideal world of CDM, two such events (the application performance issue and the security incident from the questions above, for example) should be correlated automatically, and everyone (the application owner, the SOC, the operations team) should be informed of the root cause and the mitigation. The time saved by this correlation and group cooperation might prevent any loss of data at all.
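As an added example (not code from the original article), one way the cross-silo correlation described above can be mechanised: every silo's feed is normalised into one event schema, events on the same asset within a time window are clustered, and a cluster that spans two or more silos becomes an incident routed to every group involved. The silo names, the owner mapping and the sample events are constructed assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby

# Common schema every silo's feed is normalised into: the shared "language"
# the article asks for. Source names and fields are assumptions for this example.
@dataclass(frozen=True)
class Event:
    source: str       # silo that emitted it: apm, ids, change or infra
    asset: str        # host or service the event concerns
    ts: datetime
    summary: str

# Which team owns each silo's data (assumed mapping, used for notification).
OWNERS = {"apm": "application owner", "ids": "SOC",
          "change": "change management", "infra": "operations"}

def _emit(cluster, incidents):
    """Turn a time cluster into an incident only if two or more silos contributed."""
    sources = {e.source for e in cluster}
    if len(sources) >= 2:
        incidents.append({"asset": cluster[0].asset, "events": list(cluster),
                          "notify": sorted(OWNERS[s] for s in sources)})

def correlate(events, window=timedelta(minutes=15)):
    """Cluster events on the same asset whose timestamps fall within `window`
    of the previous event, and keep only the clusters that span several silos."""
    incidents = []
    for _, group in groupby(sorted(events, key=lambda e: (e.asset, e.ts)),
                            key=lambda e: e.asset):
        cluster = []
        for ev in group:
            if cluster and ev.ts - cluster[-1].ts > window:
                _emit(cluster, incidents)
                cluster = []
            cluster.append(ev)
        if cluster:
            _emit(cluster, incidents)
    return incidents

# Constructed sample feeds from four silos (not real data).
T = datetime(2020, 1, 1, 10, 0)
SAMPLE = [
    Event("apm", "app-01", T + timedelta(minutes=2), "p95 latency 4x baseline"),
    Event("ids", "app-01", T + timedelta(minutes=5), "outbound connection to unknown host"),
    Event("infra", "app-01", T + timedelta(minutes=9), "CPU 95% for 5 min"),
    Event("change", "app-02", T - timedelta(hours=1), "deployment of release 1.4"),
    Event("apm", "app-02", T + timedelta(hours=4), "p95 latency 2x baseline"),
]
```

Running `correlate(SAMPLE)` yields a single incident on app-01 that notifies the application owner, the SOC and operations together, while the two isolated app-02 events stay single-silo noise.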
The idea here is that you can own and integrate all of the tools in the world, and still miss the low-hanging fruit. Nominate a CDM champion in every IT group to establish objectives and understand how each group's data can be leveraged. Advertise your goals and progress to everyone in your organization, and show them that the continual cooperation between normally siloed groups can save everyone's time and keep your business out of the headlines. Sit down with your auditor for a single day, and watch their jaw hit the floor when there's not a single log unaccounted for, and your risk level can be accurately reported for every business service with the click of a button. Live in the past, present and future with CDM. Become the CDM.