Continuous Monitoring and Mitigation
Insights from Security Leaders on How to Maximize Today's Top Tools
What are some of the unique challenges organizations face when they move into continuous monitoring and risk mitigation? Scott Gordon of ForeScout and Ken Pfeil of Pioneer Investments offer insight.
Gordon, CMO at ForeScout, says continuous monitoring and mitigation is about how IT organizations optimize their resources in two specific ways: to have greater awareness of the threat and compliance landscape, and to have that information readily available to drive faster response to preempt threats and contain exposures.
"It's all a matter of getting better IT agility for security threats and better use of security resources," Gordon says.
The immediate benefit of such tools? "[It's] allowed us to respond a lot more quickly and a lot more effectively to things that would normally be very time-consuming," says Pfeil, CSO at Pioneer Investments in Boston. "We've had the opportunity to go through and apply an intelligent policy based on the severity of the actions or the severity of the events and the actions we need to apply, as well as the core competencies of the people that would be responding to [the events]."
In an interview about continuous monitoring and mitigation, Gordon and Pfeil discuss:
- Today's heightened need for continuous monitoring;
- Real results organizations have seen;
- Tips for tackling today's challenges.
Gordon, CISSP-ISSMP, is a seasoned enterprise systems and information security industry executive having worked with the best and brightest innovators over the past 20 years. He is chief marketing officer at ForeScout Technologies, the world's leading provider of network access control solutions. Gordon has advocated and contributed to the advancement of leading-edge products spanning NAC, event correlation, security information management, network and endpoint security, storage encryption and risk management.
Pfeil is a veteran CSO with IT security experience spanning well over two decades at companies such as Microsoft, Dell, Avaya, Identix and Merrill Lynch. While at Microsoft he coauthored Microsoft's "Best Practices for Enterprise Security" whitepaper series, and was a technical contributor to the MCSE exam and the official course curriculum "Designing Security for Windows 2000." He is coauthor of the books "Hack Proofing Your Network - 2nd Edition" and "Stealing the Network - How to Own the Box," and a contributing author to "Security Planning and Disaster Recovery," "Network Security - The Complete Reference" and "Network Security Assessment: From Vulnerability to Patch."
Defining Continuous Monitoring
TOM FIELD: Scott, let me toss this first question to you please. We hear a lot about continuous monitoring, or continuous diagnostics as the government likes to say today. Could you just take a moment to define continuous monitoring and mitigation in today's network context?
SCOTT GORDON: Continuous monitoring and mitigation is really about how IT organizations optimize their resources in two ways. One is to get greater operational awareness of what potential threats there are, what their security and compliance posture is, and to have that information shared among the tools that they've invested in. Then, allow that context to drive a faster response to preempt threats or to mitigate security exposures and issues. It's all a matter of getting better IT agility for security threats and better use of security resources.
FIELD: We've talked about continuous monitoring for a number of years now. Why do you find it to be especially important to organizations today?
GORDON: We see four challenges that organizations are facing today. One, certainly networks are way more complex. Two, there's greater diversity of access to network resources. Three, [there are] broader devices, including BYOD device use. Then [there's] the trend that, because folks have invested in defense-in-depth strategies, which is a solid best practice, it has actually created a bunch of siloed tools and data. So now, more than ever, folks need to get a faster response and understanding of what's going on in their infrastructure, more coordination and control over threats, and a better way to address attacks, including sophisticated attacks and targeted attacks.
Unique Mitigation Challenges
FIELD: Ken, I want to bring you into the conversation now. If you could take just a moment, please tell us what your unique challenges are when it comes to continuous monitoring and mitigation?
KEN PFEIL: I think Scott has pretty much hit the nail right on the head. Resources are certainly not a unique challenge to us. In relation to other organizations, I'm sure everyone has their own little unique resource challenges. I mean, we're all being asked to do a lot more with a lot less and do the budget cuts [with] the changing threat landscape out there, as well as a lot of particular attacks and things of that nature that we've got to keep up with on a day-to-day basis.
Also, in a lot of organizations, we lack core competencies to address certain relevant events. We've got like 1,400 tools and 1,400 different ways of doing things in the automated perspective, and a lot of organizations lack that tie-in. They lack that sort of central brain and central nervous system in order to address all these things. Where we can kind of improve that is to try and automate certain events. We'll increase our response quality and we'll also increase our effectiveness. We're looking to do that by not only getting deeper insight into all of the endpoints; and I'm not just talking computers, but pretty much anything on the network. There are a lot of attacks, and I've seen in the past where people have actually been attacked and, for instance, the one thing that the attacker did was he had an open FTP share on the printer. Well, let's dump all my executables up there because traditional anti-malware or traditional antivirus is never going to scan it or find it and you keep your backdoor into the systems. I wouldn't say that I have specific unique challenges. I would say that a lot of folks face the same challenges.
Continuous Monitoring in Banking, Government
FIELD: That's a good perspective. Of course, Scott speaks to a lot of folks. Let me ask you, Scott: Can you give us some specific examples of continuous monitoring and mitigation in the banking and the government context from what you see?
GORDON: I absolutely would like to give some examples, and it very much falls in line with exactly what Ken said. How do we get greater efficiency and how do we get more effective use of the IT tools that we've made investments in? One example would be vulnerability scanners, and vulnerability assessment. These periodically scan network ranges and identify system vulnerabilities. If a new system comes online or, in a virtual instance, a virtual machine comes online after a scan, it only gets picked up in the next scan. Network access control being a cornerstone for continuous monitoring and mitigation, it can pick up this new IP that has appeared and instruct the vulnerability scanner to take a response and actually scan. Conversely, [with] a vulnerability scanner the end result is a prioritized list of systems and threats.
If you read the latest Verizon Data Breach Report, the most common threats were the ones that really supported penetration inside of a system, not necessarily always zero-day attacks and new attacks. This way, there's a potential for information to be pulled out of the vulnerability scanner to instruct network access control, for example, to remediate or attempt to remediate known issues, for it to activate patch management systems such as Microsoft SCCM, to close those exposures that were picked up by the vulnerability scanner, getting greater operational efficiency and being more responsive.
I'll give you two more examples that are very similar. Let's look at BYOD. A personal or mobile device comes onto a network and instantly can be detected. A policy can be applied based on who the user is, what the device is, where they're coming on, and, based on that forced MDM enrollment, BYOD can then check to make sure the device has been MDM-enrolled and can initiate a profile check every time an MDM device touches a network resource as opposed to a periodic checking of a profile which may leave a security exposure.
As a reaction, should a device get outside of compliance for an MDM-enrolled device, network access control can receive this information and take them off the network, reassign to a guest network and inform them why they were taken off the network.
Lastly, what you can imagine is to broadly enable security information event management systems. We can take our information and send that real-time intelligence up to a SIM. A SIM can do its own cross-correlation and send information to us to directly remediate an endpoint or take a system off-network depending on the type of system it is and the role of the user. You may not want to change anything on a mission-critical server, but you may want to change something that, black and white, you absolutely don't want to have. For example, maybe a system configuration within vMotion, move the VM from inside a PCI-compliant network to something that's outside the PCI-compliant network, and that would be a critical problem. There's really a broad amount of application that could be applied.
Addressing Threats, Challenges
FIELD: We've talked about a lot here in terms of threats and in terms of challenges. Ken, I can almost see you nodding your head. Can you tell us how you specifically have addressed some of the threats and challenges we've talked about here?
PFEIL: ForeScout has helped immensely, and, like any other technology that we have, we have a longer range of plans that we're working with them to update our strategy and address threats as they come out. But I would have to say, first and foremost, that ForeScout has allowed us to respond a lot more quickly and a lot more effectively to things that would normally be very time-consuming. We've had the opportunity to go through and apply an intelligent policy based on the severity of the actions or severity of the events, the actions that we need to apply as well as the core competencies of the people that would be responding to it.
FIELD: Tell us a little bit about results as well. Since you've taken these measures and deployed the solution, what results have you seen that have really made you take notice?
PFEIL: Some of the results that we have seen are not just the baseline, garden-variety-type thing, [like] is the antivirus running or is the antivirus not running. Some of the events that we've actually been able to see are in addition to new systems and built systems which were correlated to being in a vulnerable state coming on the network and going off the network, which kind of speaks to what Scott had talked about with vulnerability scanners.
It has also helped us identify and track down potential events across the enterprise. A lot of the times you get a false alert from your AV system or something in that nature, but it's a good back-up to know that the threat is not as dire as you might think it would be. It could be just a configuration error; it could be something of that nature. ForeScout allows us an intelligent correlation among all that information that we get. We get flooded with information, like Scott said, from various different sources, and to have a place that could give us checks and balances, and just be able to apply that given policy, is very important to us.
Improving Continuous Monitoring, Mitigation
FIELD: Scott, Ken has given you a very good testimonial here. I've got to ask you: How is ForeScout helping all of its customers to improve their continuous monitoring and mitigation efforts?
GORDON: I'd like to add to Ken's perspective. A lot of times, certainly IT and security have made investments, for example, in host-based controls. We're not just talking antivirus. Depending on the level of compliance, there may be a need for data leakage prevention systems. There may be a need for encryption. [It] may be beyond traditional patch management. These are all host-based controls, and they're absolutely necessary and a best practice. Sole reliance on host-based controls, for better or for worse, is not good enough anymore. A host control could be misconfigured, disabled or uninstalled. It could be installed but not operating properly. It could be out of date. Any of these systems, the more of these controls you have on a system and the more systems you have, the more likely something is not operating properly. We've seen upwards of 30 percent of things that are outside compliance. Since a host control is connected to a management infrastructure, it means the management infrastructure has inaccurate information. You don't really have true security state, and that makes for a lot of exposure as you get into 1,000, 5,000, 10,000 or 100,000 endpoints or more.
What we're able to do is to be a complementary control that essentially monitors any asset - all the users, devices, applications and the security posture of that device - and identify those gaps and those violations that complement all the infrastructure investment that IT has made. Then we're able to offer ways to cut the exposure with limited or no IT intervention. What we're helping customers do is really automate that visibility and automate that control. Automation sometimes sounds real scary, but it's all about what Ken said; it's all about policy. If there are policies in place, if there are SLAs between security and network operations or asset management and security, then policy will dictate what reasonable black-and-white responses can be had so that IT can be responsive and you can optimize use of resources.
PFEIL: I'd like to add to that just a little bit in as far as policy goes. We've got the Windows XP evident Armageddon coming up early next year when XP goes out of support. One of the things that we're expecting from the security perspective is that, [with] zero days and exploits, people are saving them up. It's just going to be an explosion I think in zero days coming that time.
One really simple, out-of-the-box, no-brainer way is to utilize ForeScout on your XP systems to give you the additional monitoring management, additional flexibility and automation. If something does happen, something does trip or something does not look right, flip that over to a VLAN that cuts off Internet access, for instance, and sends an alert to go and look at it. There are a lot of companies that are not going to be off of Windows XP for various reasons, be it backwards compatibility, application support, whatever the case may be. There are going to be some of them in the enterprise that are just not going to have traditional recourse for remediation. This is pretty much a simple no-brainer way to utilize ForeScout to alleviate that concern. I just wanted to throw that out there.
Advice to Organizations
FIELD: It's a great and relevant point, Ken. I want to give you a chance to just weigh in with the last question here. As Scott says, these are common challenges to organizations everywhere. If you could give even a single piece of advice to organizations facing similar challenges to what you face and what we've discussed today, what would you advise them?
PFEIL: There are probably several things based on my experiences that I could talk about. I would say first and foremost to categorize your events and your policies. Base them on level of interaction that's needed with severity of the event. Use integration wherever integration is available with your ForeScout appliances. If there's a particular plug-in for something that you're already using in-house, marry the two. Make the best use of it and make the best use of your staff's time.
I'd also have to say to most of the folks: Don't fool yourself into thinking that any one solution is going to be a set and forget. You're never just going to drop something in there and say, "Well okay, it's going to do everything for me. I read the literature [and] it's going to wash my car, walk my dog and take care of all of my concerns." There's going to be a little bit of tuning that's involved. It's just like any other solution; you've got to tailor it and you've got to make it work for your needs. Baseline is great and, like I said, it's going to get you a lot of ability that you would normally not have otherwise, but there's a whole host of things that you can do. Just to put it in, set it and forget it would be a complete waste.
Another thing that I would have to say is ensure that your senior management is also understanding of this. A lot of times you make an investment in a product or a technology, and your senior management is going to say, "What's the return on security investment for that?" While you can't in a lot of cases immediately quantify that, you've got to understand and make them understand that the return is going to be not always necessarily one month or three months, but that your senior management is on board and that this is something that's a living product. This is a living technology, much like the threat landscape that we deal with every day, which is a living threat landscape. Threats don't stay static, threats don't stay the same, and neither should your tools and your investments.