@CloudExpo Authors: Liz McMillan, Karthick Viswanathan, Jason Bloomberg, Pat Romanski, Yeshim Deniz

Related Topics: @CloudExpo, Microservices Expo, Containers Expo Blog, Cloud Security, @BigDataExpo, SDN Journal

@CloudExpo: Article

Sailing the Seven Cs of Security Monitoring

Establishing alliterative best practices for watching over your IT environment: from continuous to cloud!

What is it your mom used to say? “A watched pot never boils.” This might be true, but a watched pot also never spills; it never allows your younger sister to stick her hand in the hot water; prevents Uncle Jack from tasting before dinner is ready; and if something unforeseen happens, there is time to mitigate the problems.

One of the established best practices in InfoSec is monitoring. People, products and companies get paid a great deal of money and expend a great deal of resources to watch pots. Monitoring simply is the central component to any security initiative. If you don’t watch it, it still happens, (trees in forest fall and still make sounds), you’re simply not aware to possibly prevent the issue, to control the damage, or protect the assets for spiraling beyond your control. Monitoring is the baseline to accountability and responsibility. It provides the necessary information to make risk-based decisions regarding assets supporting core missions and business functions.

But with all best practices, there are variables. How much to monitor? What priorities matter? Where are my greatest vulnerabilities? To this end, I have boiled down monitoring to seven best practices…The 7 Cs of security monitoring:

  1. Consistency
  2. Continuous
  3. Correlation
  4. Contextual
  5. Compliant
  6. Centralization
  7. Cloud

Consistency – Every company is different. Each has their own thresholds of organizational risk. A credit union or health clinic is much more likely to need a higher bar than an air and heating contractor. However, this doesn’t mean the smaller company can ignore risk. It simply means (typically) the levels and layers that require monitoring are less complex. The key to consistency is process. And to divine a process you must first define a strategy, agree on the measures and metrics and follow through with a monitoring program. Start with understanding how your users interact with the network and the various risk that proposes. Once you know what needs to be monitored and the baselines (risk tolerance) of what constitutes alerts and other suspicious activity, then you can build a program and standardize that configuration and analyze the results to make adjustments. From there it is wash, rinse and repeat.

Recently the Department of Homeland Security director of federal network resilience noted: as you move to standardize configurations networks are not only more secure but they lower operational costs. “There is almost a trifecta of controlling cost, increasing service and improving security, he said.

Continuous –Hackers don’t sleep, so why should your security?  It is understood that continuous monitoring is the best method to prevent breaches, discover anomalies and, and control assets. However, there are differences of opinion as to what does continuous mean. Are you to hire a dedicated analyst to watch every ping, blurp and log? Guards armed with wiener dog lasers in front of your server room? Of course not. In this case, our working definition of “continuous” is unique for every organization and needs to be commensurate with their risk and resources. NIST (National Institute of Standards and Technology) recommends an ongoing “frequency sufficient to support risk-based security decisions as needed to adequately protect organization information.” Despite the variable vagueness of that statement, the goal nonetheless must be 7/24/365 coverage. To achieve this degree of continuity, an initiative requires a series of automated processes and controls combined with the expertise to analyze vulnerability and initiate action. Yet the lynchpin for effectiveness of a round-the-clock strategy is that it is doing in real time. See the “C” for cloud, to show you this approach is affordable, efficient and manageable. If there are issues, as you define them, you get the alerts immediately, not a week later as you look through log transcripts. Continuous monitoring is about proactivity, as much as it is about response. In that it allows for such immediacy in action mitigates any potential threat.

Continuous monitoring has been defined by NIST and the SANS 20 Critical Security Controls as key to reducing risk in IT environments. Now I am not saying continuous monitoring is a silver bullet, but it certainly lessens the possibility of attack, carelessness and operational failure.

Correlation: In the modern enterprise, there are simply too many silos of information, too many endpoints for access, too many variables of risk and not enough visibility or resources to properly protect all the assets of an enterprise. Monitoring in its simplest form looks at one of the silos, one of the applications– it examines possible events, or log-ins, or credentials. To enhance the effectiveness, there needs to be a tight collaboration of all the resources. This expands the visibility and creates a more accurate view of all online and network assets. Correlation needs to tie together the cooperative capabilities of such tools as SIEM, Log Management, Identity and Access Management, malware scanning, etc… If security is about maintaining visibility, correlation would be its magnifying glass. Or to mix my metaphors, it’s like a lens on a camera that can bring blurry visions into sharp focus. For example good correlation removes the specter of false positives and more. Consider, the entitlement management configuration from an Access Management feature set is part of the correlation engine of SIEM to help distinguish authorized access from suspicious activity. The resulting alerts happen in real time and provide the directed response necessary to remediate any issues. Additionally, all of this detail is historically recorded for various reports and compliance regulations through the log management capabilities.

Correlation is rooted in the aspects of consistency. You first need to know the landscape in order to create the rules. The rules of correlation create the baseline in which to manage a consistent initiative. This also goes a long way in underscoring the next 2 C’s Context and Compliance.

Context: Automation can make the process of continuous monitoring more cost-effective, consistent, and efficient. But continuous monitoring without intelligence can result in simply more data. For example, the network processes an application log in request from an approved user name and password. That in itself is not remarkable. However, the IP address doesn’t match the user’s usual location or a device’s usual behavior. This one is coming from Zagreb. Is Mike from sales in Zagreb? The system says no, because only 4 short hours ago he was logging off from an office in Denver. This situational awareness raises a red flag and escalates an alert. And because this is done in real time, IT catches the activity and is able to block access.

Compliance: The common thread for the alphabet soup that is compliance (HIPAA, PCI, FISMA, FFIEC, CIP, SOX, etc…) is the need to know who is logging in, accessing what assets and ensuring only the appropriately credentialed users can do those things. When you are dealing with sensitive information like credit card numbers, social security numbers, patient history/records, and the like, the need to have a strong and continuous monitoring initiative is not just a driving force to avoid fines, but it is the basis of good and trustworthy operation.

So much has been written about compliance and network security, so that all I will add is understand the responsibility you have towards customers, partners, employees, users, accurately calculate the risk in maintaining their information and vigilantly maintain the monitoring process that makes you a good steward of their trust. And of course, a solid monitoring strategy will provide the industry regulators the reporting and evidence of your compliance.

Centralization: With all the moving parts and all the silos, device types and elements to monitor, without a means to centralize, a security infrastructure becomes disjointed, uncoordinated and considerably harder to manage. The continual increase in daily network threats and attacks makes it challenging to maintain not only a complex heterogeneous environment but to also ensure compliancy by deploying network-wide security policies. The ability to forensically analyze the infrastructure under a single pane of glass is not just a convenience factor, but one that seals up the vulnerability cracks.

Cloud: Best practice monitoring requires more than just a pair of eyes. The strategy includes investment in a variety of solutions, tools, servers, analysts and more. For many companies, this is not tenable in terms of human resources, budgets and core competencies. This is why continuous monitoring from the cloud (aka security-as-a-service) provides the great equalizer. Through the application of cloud-based security, a small health clinic in Bozeman, Montana can wrangle to same enterprise capabilities as New York Presbyterian. The only difference is the necessary scale to achieve a strong deployment and sustainable initiative.

Addressing the issue from the cloud solves several pressing issues while providing the necessary heft to create the visibility to govern credentialing policies, remediate threats and satisfy compliance requirements across any sized enterprise. What’s more, all the solutions noted from above – from SIEM to Access Management—are available from the cloud. And there are a few providers that can harness all the solutions collectively and centralize them under that single pain of glass.

As you embark to set sail on the 7 Cs, leave a note for your mother to watch the pot.

Kevin Nikkhoo
Captain of Continuous Monitoring

More Stories By Kevin Nikkhoo

With more than 32 years of experience in information technology, and an extensive and successful entrepreneurial background, Kevin Nikkhoo is the CEO of the dynamic security-as-a-service startup Cloud Access. CloudAccess is at the forefront of the latest evolution of IT asset protection--the cloud.

Kevin holds a Bachelor of Science in Computer Engineering from McGill University, Master of Computer Engineering at California State University, Los Angeles, and an MBA from the University of Southern California with emphasis in entrepreneurial studies.

@CloudExpo Stories
yperConvergence came to market with the objective of being simple, flexible and to help drive down operating expenses. It reduced the footprint by bundling the compute/storage/network into one box. This brought a new set of challenges as the HyperConverged vendors are very focused on their own proprietary building blocks. If you want to scale in a certain way, let’s say you identified a need for more storage and want to add a device that is not sold by the HyperConverged vendor, forget about it....
SYS-CON Events announced today that Pulzze Systems will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Pulzze Systems Inc, provides the software product "The Interactor" that uniquely simplifies building IoT, Web and Smart Enterprise Solutions. It is a Silicon Valley startup funded by US government agencies, NSF and DHS to bring innovative solutions to market.
With Cloud Foundry you can easily deploy and use apps utilizing websocket technology, but not everybody realizes that scaling them out is not that trivial. In his session at 21st Cloud Expo, Roman Swoszowski, CTO and VP, Cloud Foundry Services, at Grape Up, will show you an example of how to deal with this issue. He will demonstrate a cloud-native Spring Boot app running in Cloud Foundry and communicating with clients over websocket protocol that can be easily scaled horizontally and coordinate...
SYS-CON Events announced today that Elastifile will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Elastifile Cloud File System (ECFS) is software-defined data infrastructure designed for seamless and efficient management of dynamic workloads across heterogeneous environments. Elastifile provides the architecture needed to optimize your hybrid cloud environment, by facilitating efficient...
For financial firms, the cloud is going to increasingly become a crucial part of dealing with customers over the next five years and beyond, particularly with the growing use and acceptance of virtual currencies. There are new data storage paradigms on the horizon that will deliver secure solutions for storing and moving sensitive financial data around the world without touching terrestrial networks. In his session at 20th Cloud Expo, Cliff Beek, President of Cloud Constellation Corporation, d...
Businesses and business units of all sizes can benefit from cloud computing, but many don't want the cost, performance and security concerns of public cloud nor the complexity of building their own private clouds. Today, some cloud vendors are using artificial intelligence (AI) to simplify cloud deployment and management. In his session at 20th Cloud Expo, Ajay Gulati, Co-founder and CEO of ZeroStack, discussed how AI can simplify cloud operations. He covered the following topics: why cloud mana...
As more and more companies are making the shift from on-premises to public cloud, the standard approach to DevOps is evolving. From encryption, compliance and regulations like GDPR, security in the cloud has become a hot topic. Many DevOps-focused companies have hired dedicated staff to fulfill these requirements, often creating further siloes, complexity and cost. This session aims to highlight existing DevOps cultural approaches, tooling and how security can be wrapped in every facet of the bu...
DevOps at Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, is co-located with 21st Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to w...
SYS-CON Events announced today that CAST Software will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CAST was founded more than 25 years ago to make the invisible visible. Built around the idea that even the best analytics on the market still leave blind spots for technical teams looking to deliver better software and prevent outages, CAST provides the software intelligence that matter ...
SYS-CON Events announced today that Golden Gate University will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Since 1901, non-profit Golden Gate University (GGU) has been helping adults achieve their professional goals by providing high quality, practice-based undergraduate and graduate educational programs in law, taxation, business and related professions. Many of its courses are taug...
Vulnerability management is vital for large companies that need to secure containers across thousands of hosts, but many struggle to understand how exposed they are when they discover a new high security vulnerability. In his session at 21st Cloud Expo, John Morello, CTO of Twistlock, will address this pressing concern by introducing the concept of the “Vulnerability Risk Tree API,” which brings all the data together in a simple REST endpoint, allowing companies to easily grasp the severity of t...
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Translating agile methodology into real-world best practices within the modern software factory has driven widespread DevOps adoption, yet much work remains to expand workflows and tooling across the enterprise. As models evolve from pockets of experimentation into wholescale organizational reinvention, practitioners find themselves challenged to incorporate the culture and architecture necessary to support DevOps at scale.
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From planning to development to management to security, CA creates software that fuels transformation for companies in the applic...
When shopping for a new data processing platform for IoT solutions, many development teams want to be able to test-drive options before making a choice. Yet when evaluating an IoT solution, it’s simply not feasible to do so at scale with physical devices. Building a sensor simulator is the next best choice; however, generating a realistic simulation at very high TPS with ease of configurability is a formidable challenge. When dealing with multiple application or transport protocols, you would be...
In his session at 20th Cloud Expo, Scott Davis, CTO of Embotics, discussed how automation can provide the dynamic management required to cost-effectively deliver microservices and container solutions at scale. He also discussed how flexible automation is the key to effectively bridging and seamlessly coordinating both IT and developer needs for component orchestration across disparate clouds – an increasingly important requirement at today’s multi-cloud enterprise.
WebRTC is the future of browser-to-browser communications, and continues to make inroads into the traditional, difficult, plug-in web communications world. The 6th WebRTC Summit continues our tradition of delivering the latest and greatest presentations within the world of WebRTC. Topics include voice calling, video chat, P2P file sharing, and use cases that have already leveraged the power and convenience of WebRTC.
IT organizations are moving to the cloud in hopes to approve efficiency, increase agility and save money. Migrating workloads might seem like a simple task, but what many businesses don’t realize is that application migration criteria differs across organizations, making it difficult for architects to arrive at an accurate TCO number. In his session at 21st Cloud Expo, Joe Kinsella, CTO of CloudHealth Technologies, will offer a systematic approach to understanding the TCO of a cloud application...
"With Digital Experience Monitoring what used to be a simple visit to a web page has exploded into app on phones, data from social media feeds, competitive benchmarking - these are all components that are only available because of some type of digital asset," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that Secure Channels, a cybersecurity firm, will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Secure Channels, Inc. offers several products and solutions to its many clients, helping them protect critical data from being compromised and access to computer networks from the unauthorized. The company develops comprehensive data encryption security strategie...