Continuous security monitoring (CSM) is a threat intelligence approach that automates the monitoring of information security controls, vulnerabilities, and other cyber threats to support organizational risk management decisions.
Organizations need real-time visibility of indicators of compromise, security misconfiguration, and vulnerabilities in their infrastructure and networks.
Traditional security controls like firewalls, antivirus software, and periodic penetration testing are no longer enough on their own to protect against a sophisticated attacker. Even if your infrastructure is relatively stable (which is unlikely), attackers find new zero-days to exploit, and researchers publish new vulnerabilities to the Common Vulnerabilities and Exposures (CVE) list on a daily basis.
Even if your information security policy is world-class, 81% of hacking-related breaches involved weak or stolen passwords according to Verizon's Data Breach Investigations Report. This is why companies are increasingly turning to continuous monitoring solutions that not only report on security posture but can also find leaked credentials and exposed data on the open, deep, and dark web, such as UpGuard BreachSight.
Why is Continuous Security Monitoring Important?
Continuous security monitoring is important because it enables organizations to continually assess their overall security architecture to determine whether they are complying with their internal information security policies on a day-to-day basis, as well as when changes occur.
In today's environment, many, if not all, organizations rely on technology to carry out mission-critical functions, so the ability to manage this technology and to assure its confidentiality, integrity, and availability is also mission-critical.
Four trends that are increasing the importance of continuous security monitoring:
- The increasing digitization of sensitive data: Organizations around the world are increasingly digitizing the sensitive data they store, whether that be customer personally identifiable information (PII) or employee protected health information (PHI).
- General data protection laws: Governments around the world have followed the European Union's GDPR and introduced their own general data protection laws, such as Brazil's LGPD, New York's SHIELD Act, or California's CCPA.
- Data breach notification laws: Alongside these general data protection laws, governments are increasingly requiring data breaches to be reported, which significantly increases the reputational impact of security incidents.
- Outsourcing, on-sourcing, and subcontracting: Organizations are frequently looking to outsource non-essential parts of their business to third-party vendors who in turn may outsource to their own vendors, dramatically increasing your attack surface, and third-party and fourth-party risk.
How Does Continuous Security Monitoring Work?
Continuous monitoring solutions work by providing real-time information about an organization's security posture. According to the National Institute of Standards and Technology's Special Publication NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, ISCM works by:
- Maintaining situational awareness of all systems across the organization and its vendor ecosystem
- Maintaining an understanding of threats and threat activities
- Assessing all security controls
- Collecting, correlating, and analyzing security-related information
- Providing actionable communication of security status across all tiers of the organization
- Active management of risk by organizational officials
- Integration of information security and risk management frameworks
To do this, your continuous monitoring program must collect information in accordance with pre-established metrics that are standardized across your ecosystem, utilizing information readily available in part through implemented security controls, as well as automated scanning.
This process should be conducted on a regular basis, as often as needed for each organizational unit. Additionally, your monitoring strategy should be routinely reviewed for relevance and revised as needed to increase visibility into assets and awareness of potential risks.
In short, a robust continuous monitoring program works by helping organizations move from compliance-driven risk management to data-driven risk management by providing them with the information necessary to support risk response decisions, security status information, and ongoing insights into security control effectiveness.
How are Organizations Adopting Continuous Security Monitoring?
Continuous security monitoring provides security professionals with real-time visibility into their organization's attack surface. For reference, the attack surface is the sum of all the points (exposed services, applications, accounts, and vendor relationships) that an attacker could use to gain unauthorized access to sensitive data or cause data loss.
This means that timely, relevant, and accurate information is vital for any monitoring program, particularly when resources are limited and you must prioritize your efforts. That's why many organizations are adopting security ratings, which can help instantly assess and continuously monitor the security posture of any organization.
With security ratings, security teams can continuously assess their security infrastructure to ensure that it meets their needs, governance structure, mission, and core business processes.
Security ratings or cybersecurity ratings are a data-driven, objective, and dynamic measurement of an organization's security posture. They are created by a trusted, independent security rating platform, making them valuable as an objective indicator of an organization's cybersecurity performance. Security ratings can help you:
- Understand third-party risk and fourth-party risk (vendor risk) posed by supply chain, third-party vendor, and business partner relationships.
- Continually assess your cybersecurity posture while providing a simple and easy-to-understand rating that can be presented to important non-technical stakeholders including the C-Suite, Board, and regulators.
- Benchmark and compare industry peers, vendors, and competitors. This can assist with decision-making and provide context about what security controls or mitigations your organization needs to invest in.
- Provide assurance to customers, insurers, regulators and other stakeholders that your organization cares about preventing security issues like data breaches, malware, and ransomware.
Your monitoring strategy should account for all hardware, software, SaaS, and cloud assets that your organization uses, assign each a category based on business criticality, and alert you to any potential security threats. Tools like UpGuard BreachSight and UpGuard Vendor Risk can help you map out:
- Known assets: Inventoried and managed assets such as your corporate website, servers, and the dependencies running on them.
- Unknown assets: Such as shadow IT or orphaned IT infrastructure that was stood up outside of the purview of your security team such as forgotten development websites or marketing sites.
- Rogue assets: Malicious infrastructure spun up by threat actors such as malware, typosquatted domains, or a website or mobile app that impersonates your domain.
- Vendors: Your attack surface doesn't stop with your organization; third-party and fourth-party vendors introduce significant third-party risk and fourth-party risk. Even small vendors can lead to large data breaches: consider the HVAC vendor whose compromised access eventually led to Target's exposure of credit card and personal data on more than 110 million consumers.
Whatever tool you pick, ensure that it integrates with your organization's infrastructure and can detect new infrastructure as it is spun up. Ideally, it should have a way to classify infrastructure based on the data it processes, internal ownership, operating system, or by the vendor.
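The classification and "detect new infrastructure as it is spun up" requirement above comes down to a reconciliation between what the inventory says should exist and what a discovery scan actually finds. The following Python script is an added example, not UpGuard's code or product logic: the inventory, the scan results, the IP addresses (RFC 5737 documentation range) and the hostnames are constructed sample data, and the HIGH_RISK_PORTS list is a judgement call for this example rather than any standard.

```python
"""Reconcile an asset inventory against what a discovery scan actually found.

Added example; not UpGuard's code or product logic. INVENTORY and SCAN are
constructed sample data (RFC 5737 documentation addresses, made-up names),
and HIGH_RISK_PORTS is a judgement call for this example, not a standard.
"""
from dataclasses import dataclass

# Constructed inventory: what the security team believes is internet-facing,
# who owns it, how critical it is, and which ports are allowed to listen.
INVENTORY = {
    "203.0.113.10": {"name": "www.example.com", "owner": "web-team",
                     "criticality": "high", "allowed_ports": {80, 443}},
    "203.0.113.11": {"name": "api.example.com", "owner": "platform",
                     "criticality": "high", "allowed_ports": {443}},
    "203.0.113.12": {"name": "old-intranet.example.com", "owner": "it-ops",
                     "criticality": "low", "allowed_ports": {443}},
}

# Constructed discovery-scan results for the same address range.
SCAN = [
    {"ip": "203.0.113.10", "ports": {80, 443}},
    {"ip": "203.0.113.11", "ports": {443, 22}},         # SSH not in the allow-list
    {"ip": "203.0.113.20", "ports": {80, 8080, 3306}},  # not in inventory at all
]

# Services that should never be reachable from the internet (example policy).
HIGH_RISK_PORTS = {445: "SMB", 3389: "RDP", 3306: "MySQL",
                   5432: "PostgreSQL", 6379: "Redis", 27017: "MongoDB"}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "info": 3}


@dataclass
class Finding:
    ip: str
    severity: str
    kind: str
    detail: str


def reconcile(inventory, scan):
    """Return findings: unknown assets, unexpected ports, and assets that vanished."""
    findings = []
    seen = set()
    for host in scan:
        ip, ports = host["ip"], set(host["ports"])
        seen.add(ip)
        risky = {p: HIGH_RISK_PORTS[p] for p in ports if p in HIGH_RISK_PORTS}
        known = inventory.get(ip)
        if known is None:
            # Shadow IT or an attacker's foothold: nobody owns it, so it is
            # unpatched and unmonitored by definition.
            detail = f"not in inventory; open ports {sorted(ports)}"
            if risky:
                detail += "; exposes " + ", ".join(f"{n}/{p}" for p, n in sorted(risky.items()))
            findings.append(Finding(ip, "critical" if risky else "high", "unknown_asset", detail))
            continue
        for port in sorted(ports - known["allowed_ports"]):
            # Drift from the allow-list on a known host.
            sev = "critical" if known["criticality"] == "high" or port in risky else "medium"
            findings.append(Finding(ip, sev, "unexpected_port",
                                    f"{known['name']} ({known['owner']}): port {port} open but not allowed"))
    for ip, known in inventory.items():
        if ip not in seen:
            findings.append(Finding(ip, "info", "missing_asset",
                                    f"{known['name']} not seen in scan; decommissioned, or filtered?"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.ip))
    return findings


if __name__ == "__main__":
    for f in reconcile(INVENTORY, SCAN):
        print(f"[{f.severity:8}] {f.ip:14} {f.kind:16} {f.detail}")
```

In practice the inventory comes from your CMDB or cloud provider APIs and the scan from a scheduled port scanner; the value of running this continuously is the diff between runs, so alert on findings that are new since the last run and suppress those already ticketed.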
Organizations of all sizes need to take steps to secure their data and systems, and continuous security monitoring is a practical way for organizations to gauge their own and their vendors' security postures in real time to identify weaknesses or potential compromises.
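Rogue assets of the typosquatted-domain kind listed above can be watched for by generating the variants an attacker would register and matching them against new registrations or passive-DNS observations. The following Python code is an added example, not UpGuard's tooling: the brand domain, the partial keyboard-adjacency and confusable maps, and the list of "newly registered" domains are all constructed for illustration.

```python
"""Generate typosquat candidates for a brand domain and match them against
newly observed domain names.

Added example, not UpGuard's tooling. The brand domain, the adjacency and
confusable maps, and NEW_REGISTRATIONS are constructed for illustration.
"""

# Partial QWERTY neighbour map (constructed; extend for full coverage).
ADJACENT = {
    "a": "qwsz", "e": "wrsd", "i": "uojk", "o": "ipkl", "u": "yihj",
    "l": "kop", "m": "njk", "n": "bm", "p": "ol", "x": "zsc",
}
# Visually confusable replacements in Latin script (single or multi-char).
CONFUSABLES = {"l": ("1", "i"), "i": ("1", "l"), "o": ("0",), "m": ("rn",), "w": ("vv",)}
EXTRA_TLDS = ("co", "net", "org", "io")


def candidates(domain):
    """Map each candidate squat domain to the technique that produced it."""
    label, _, tld = domain.lower().partition(".")
    variants = {}

    def add(variant, technique):
        if variant and variant != label:
            variants.setdefault(variant, technique)

    n = len(label)
    for i, ch in enumerate(label):
        add(label[:i] + label[i + 1:], "omission")
        add(label[:i + 1] + ch + label[i + 1:], "repetition")
        for r in ADJACENT.get(ch, ""):
            add(label[:i] + r + label[i + 1:], "adjacent-key")
        for r in CONFUSABLES.get(ch, ()):
            add(label[:i] + r + label[i + 1:], "homoglyph")
    for i in range(n - 1):
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(1, n):
        add(label[:i] + "-" + label[i:], "hyphenation")

    out = {}
    for variant, technique in variants.items():
        for t in (tld, *EXTRA_TLDS):
            out[f"{variant}.{t}"] = technique
    for t in EXTRA_TLDS:
        if t != tld:
            out[f"{label}.{t}"] = "tld-swap"
    return out


def match_observed(brand, observed):
    """Return (domain, technique) pairs for observed names that squat on brand."""
    brand = brand.lower()
    label = brand.partition(".")[0]
    squats = candidates(brand)
    hits = []
    for name in observed:
        name = name.lower().rstrip(".")
        if name == brand:
            continue
        if name in squats:
            hits.append((name, squats[name]))
        elif label in name.partition(".")[0]:
            # Combosquat: the brand embedded in a longer label ("example-login").
            hits.append((name, "combosquat"))
    return sorted(hits)


# Constructed feed of "newly registered" domains to check against.
NEW_REGISTRATIONS = [
    "exarnple.com", "examp1e.com", "exmaple.com", "example.co",
    "example-login.com", "unrelated.com", "sample.com",
]

if __name__ == "__main__":
    for domain, technique in match_observed("example.com", NEW_REGISTRATIONS):
        print(f"{domain:20} {technique}")
```

Feed this from a daily newly-registered-domain list or certificate transparency logs, and treat a hit that also resolves and serves a login page as a takedown candidate rather than just a finding.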
What are the Benefits of Continuous Security Monitoring?
As continuous security monitoring provides real-time visibility into IT security data, it delivers a range of benefits, including:
- A clear understanding of organizational risk tolerance, which helps set priorities and manage risk consistently throughout the organization
- Cybersecurity metrics that provide meaningful indications of security status at all organizational tiers
- Ongoing assurance that security controls remain effective
- Verification of compliance with information security policies derived from organizational missions/business functions, federal legislation, directives, regulations, policies, standards, guidelines, and best practices
- Visibility into all IT assets
- Assurance that changes to systems and environments are known and controlled
- Awareness of threats and vulnerabilities
In short, continuous security monitoring can help reduce cybersecurity risk, reduce the impact of successful cyberattacks, and reduce the cost of data breaches by mitigating the three main ways that data can be compromised:
- External attacks: i.e. an attacker bypassing your data protection controls.
- Insider attacks: i.e. a trusted employee or company insider willingly exposing data or falling for a social engineering attack such as phishing, spear phishing, or whaling.
- Supply chain or third-party ecosystem attacks: i.e. a vendor exposing your critical business data for months because they have no intrusion detection or incident response planning in place.
In other words, continuous security monitoring helps you discover and protect your digital assets and sensitive data such as PII, PHI, and trade secrets. Remember, these assets could be owned or operated by your organization, or by a third party such as a cloud provider (IaaS or SaaS), business partner, supplier, or external contractor.
What are Continuous Security Monitoring Best Practices?
Any good continuous security monitoring solution will start with the discovery of all digital assets that contain or process sensitive data, regardless of whether they are managed by your organization or a third-party.
Here is a non-exhaustive list of digital assets that should be monitored:
- Web applications, services, and APIs
- Mobile applications and their backends
- Cloud storage and network devices
- Domain names, TLS/SSL certificates, and IP addresses
- IoT and connected devices
- Public code repositories such as GitHub, BitBucket, and Gitlab
- Email servers
Depending on what continuous security solution you choose, the discovery process can range from manual input of domains and IP addresses to automated scanning based on open source intelligence and dark web crawling.
What makes UpGuard different from other continuous security providers is our ability to detect leaked credentials and exposed data before they fall into the wrong hands.
For example, we were able to detect data exposed in a GitHub repository by an AWS engineer in 30 minutes, which led to alerting AWS and securing the repository the same day. This repo contained personal identity documents and system credentials including passwords, AWS key pairs, and private keys. Read more about this AWS data leak here.
We were able to do this because we actively discover exposed datasets on the open and deep web, scouring open S3 buckets, public GitHub repos, and unsecured rsync and FTP servers. But don't just take our word for it: The New York Times, Bloomberg, Washington Post, Forbes, and TechCrunch have featured our security research.
In addition to asset discovery, a continuous security monitoring solution should be able to help monitor the following security risks:
- Unnecessary open ports: An open port is a TCP or UDP port on which a service is listening and accepting packets; a closed port rejects connections or ignores the packets. Open ports aren't inherently dangerous, but they become dangerous when the service listening behind them is misconfigured, unpatched, vulnerable to a known exploit, or exposed by poor network security rules. Of particular concern are services that listen by default on some operating systems and have a history of wormable vulnerabilities, such as SMB on TCP port 445: the EternalBlue exploit for a flaw in SMBv1 (patched by Microsoft in MS17-010 two months earlier) is what turned WannaCry into a ransomware worm. You can read more about open ports here.
- Susceptibility to man-in-the-middle attacks: A man-in-the-middle attack (MITM attack) is a cyber attack in which an attacker secretly relays, and possibly alters, the communication between two parties who believe they are communicating directly with each other. This lets the attacker eavesdrop on the conversation and even modify what each party is saying; services exposed without TLS, or with a weak TLS configuration, are the usual enablers. Read more about MITM attacks here.
- Poor email security: A lack of SPF, DKIM, and DMARC records leaves your domain open to email spoofing, since receiving mail servers have no published way to tell your legitimate mail from a forgery. Read our guide on email security and our email security checklist for more information.
- Susceptibility to domain hijacking: Domain hijacking is the act of changing the registration of a domain name without the permission of the original owner, or by abuse of privileges on domain hosting and domain registrar systems. Read more about domain hijacking here.
- Lack of DNSSEC: The Domain Name System Security Extensions (DNSSEC) are a set of Internet Engineering Task Force (IETF) specifications that add digital signatures to DNS data so that resolvers can verify that the answers they receive are authentic and unmodified. Without DNSSEC, forged DNS responses can redirect your users or your mail to attacker-controlled hosts. Read more about DNSSEC here.
- Vulnerabilities: A vulnerability is a weakness that can be exploited by a cyber attack to gain unauthorized access to or perform unauthorized actions on a computer system. Vulnerabilities can allow attackers to run code, access a system's memory, install malware, and steal, destroy or modify sensitive data. A good continuous security monitoring tool can help with vulnerability scanning, vulnerability assessment, and vulnerability patching. Read more about vulnerabilities and vulnerability management here.
- Vulnerability to XSS attacks: Cross-site scripting (XSS) is a type of security vulnerability typically found in web applications. XSS enables attackers to inject client-side scripts into web pages viewed by other users and may be used to bypass access control, such as the same-origin policy. Read more about XSS attacks here.
- Leaked credentials: Most organizations have employee credentials exposed in third-party data breaches simply because so many occur. If employees don't change those passwords, or reuse them across services, credential stuffing against your own systems becomes one of the most damaging attack vectors into an organization.
- Data leaks: With the proliferation of cloud storage, many organizations accidentally expose sensitive data in S3 buckets, GitHub repositories, rsync servers, FTP servers, and more. For example, UpGuard was able to find data exposed by an AWS engineer in 30 minutes using the technology behind UpGuard BreachSight. AWS was notified the same day and the repository was secured. You can read more about this AWS data leak here.
- Typosquatted domains: Typosquatting is a form of cybersquatting in which someone registers domain names that closely resemble those owned by another brand, targeting Internet users who mistype a website address into their browser rather than using a search engine or a bookmark. Typosquatting is also known as URL hijacking, domain mimicry, a sting site, or a fake URL. Read more about typosquatting here.
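Of the checks in the list above, the email security one is the easiest to reproduce from public data, because SPF, DKIM and DMARC are all published as DNS TXT records. The following Python code is an added example, not UpGuard's scanner: it evaluates a constructed, in-memory set of TXT records (the domain names and records are made up) instead of querying live DNS, so it runs offline; for live use you would replace the DNS_TXT lookup with a resolver query.

```python
"""Assess a domain's email spoofing defences (SPF, DKIM, DMARC).

Added example, not UpGuard's scanner. DNS_TXT is a constructed, in-memory
stand-in for DNS TXT answers; replace txt() with a real resolver query
(e.g. dnspython) for live use. All domains and records are made up.
"""

# Constructed DNS data: owner name -> list of TXT record strings.
DNS_TXT = {
    "good.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example; pct=100"],
    "s1._domainkey.good.example": ["v=DKIM1; k=rsa; p=CONSTRUCTEDBASE64KEY"],
    "weak.example": ["v=spf1 include:_spf.mailprovider.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "bloated.example": ["v=spf1 " + " ".join(f"include:spf{i}.example" for i in range(11)) + " -all"],
    "none.example": [],
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def txt(name):
    """Return TXT strings for a name (stand-in for a DNS query)."""
    return DNS_TXT.get(name.lower(), [])


def assess_spf(domain):
    findings = []
    recs = [r for r in txt(domain) if r.lower().startswith("v=spf1")]
    if not recs:
        return [("high", "SPF: no record, so receivers cannot reject forged envelope senders")]
    if len(recs) > 1:
        findings.append(("high", "SPF: more than one v=spf1 record; receivers treat this as permerror"))
    terms = recs[0].split()[1:]
    # RFC 7208 caps DNS-querying terms at 10; exceeding it yields permerror.
    lookups = 0
    for term in terms:
        t = term.lstrip("+-~?").lower()
        if t in ("a", "mx", "ptr") or t.startswith(("a:", "mx:", "ptr:", "include:", "exists:", "redirect=")):
            lookups += 1
    if lookups > 10:
        findings.append(("high", f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10 (permerror)"))
    last = terms[-1].lower() if terms else ""
    if last in ("all", "+all"):
        findings.append(("critical", "SPF: '+all' authorises every host on the internet to send as this domain"))
    elif last == "?all":
        findings.append(("high", "SPF: '?all' is neutral, which is no policy at all for unlisted hosts"))
    elif last == "~all":
        findings.append(("low", "SPF: '~all' softfail; fine under DMARC enforcement, otherwise prefer '-all'"))
    elif last != "-all" and not last.startswith("redirect="):
        findings.append(("medium", "SPF: no 'all' terminator, so unlisted hosts default to neutral"))
    return findings


def assess_dmarc(domain):
    recs = [r for r in txt(f"_dmarc.{domain}") if r.upper().startswith("V=DMARC1")]
    if not recs:
        return [("high", "DMARC: no record, so SPF/DKIM failures are not enforced and nothing is reported")]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(("medium", "DMARC: p=none is monitor-only; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(("low", "DMARC: p=quarantine; move to p=reject once reports are clean"))
    elif policy != "reject":
        findings.append(("high", f"DMARC: missing or invalid policy tag (p={policy!r})"))
    if "rua" not in tags:
        findings.append(("low", "DMARC: no rua= address, so aggregate reports of abuse are never received"))
    if int(tags.get("pct", "100")) < 100:
        findings.append(("medium", f"DMARC: pct={tags['pct']} applies the policy to only part of the mail stream"))
    return findings


def assess_dkim(domain, selectors=("s1", "selector1", "default")):
    # Selectors are not enumerable from DNS; check the ones your mail providers use.
    for sel in selectors:
        if any("p=" in r.replace(" ", "") for r in txt(f"{sel}._domainkey.{domain}")):
            return []
    return [("medium", f"DKIM: no key found under selectors {list(selectors)}; signatures cannot be verified")]


def assess(domain):
    """All findings for a domain, most severe first."""
    findings = assess_spf(domain) + assess_dmarc(domain) + assess_dkim(domain)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "bloated.example", "none.example"):
        print(d, assess(d) or "no findings")
```

Run it on a schedule against every domain you send mail from, including parked and marketing domains, since a domain with no SPF or DMARC at all is the one most often used to spoof you.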