Continuous Controls Monitoring 101
Phil Venables recently posted a well thought out thread on twitter, where he highlighted the importance of Continuous Controls Monitoring, a new approach to controls assurance. He knows a thing or two about security – 20+ years of experience in CISO roles at global financial institutions have led him to Board Director and Senior Risk and Cybersecurity Advisor at Goldman Sachs.
He summarises by saying that many incidents are due to failures of expected controls and the fundamental answer is to ‘validate continuously’.
So, what is Continuous Controls Monitoring?
Continuous Controls Monitoring (CCM) is an emerging area of security automation that focuses on making sure that all of our security tools are present and actually working as intended. In this context ‘monitoring’ refers to a perspective over our security tooling: monitoring the tools themselves as a preventative measure rather than monitoring the environment for breaches with 24/7 detect and respond capabilities.
If we look at cybersecurity like healthcare, the emergency room (read: detect and respond) is the most expensive place to be in the hospital. Why wait until the heart attack has already happened to start eating healthily and exercising regularly? CCM invests in maximising prevention to reduce emergency care to a minimum.
In one of Phil’s tweets, he wrote: ‘a remarkably common pattern is that the control or controls that would have stopped the attack (or otherwise detected/contained it) were thought to be present and operational but for some reason were actually not – just when they were most needed.’
The purpose of CCM is to minimise the chances of this happening. The failures that Phil highlights are commonplace. They are compounded by the explosion of new security tools in recent years, justifiably to address the emerging threat landscape. According to our data, security teams are using 50+ controls, which can often lead to a false sense of confidence in their coverage. For example, how do we know our Endpoint Detection & Response (EDR) is deployed, configured and active on every endpoint? Do we know we’re vulnerability scanning every critical endpoint? Is our Configuration Management Database (CMDB) complete and accurate? Volume of tools does not always equate to enhanced security. The gaps are all but guaranteed given the variety of environments we need to secure.
Continuous monitoring of all assets enterprise-wide allows teams to identify exposures and control gaps, then treat these risks through measured, time-boxed remediation campaigns. Teams can then use this data to demonstrate quantified, risk reduction success. Each asset is linked to accountable and responsible stakeholders, providing further visibility and trust in the data. With an effective CCM platform, teams get clear and present data with tangible insights on risk.
On top of this, CCM allows security teams to create up-to-date reports and present to relevant stakeholders with confidence in the data. The plethora of tools means that data collection can be an arduous process – by the time all the relevant data is collected from all the relevant tools, cleaned, normalized, correlated, joined, it is already out of date. With CCM, this process is automated with the fusion of information across data sources creating the best version of the truth available.
What is the benefit of CCM?
With CCM, it is possible to maintain an ideal security posture given the investments made – complete asset knowledge, control coverage, and control operation within the established risk appetite.
Teams are empowered to maximise the ROI on their tools. By highlighting control gaps, CCM ensures that tools are achieving optimal coverage: what if your CrowdStrike roll-out last year only covered 82% of your devices? Expected losses can be reduced overall – minimising or even eliminating the threat from unmanaged assets improves the expected loss from a breach. Security teams gain estate-wide visibility on inventory and controls allowing them to regulate coverage gaps across security functions, whether this is inventory management, vulnerability management, endpoint security, privileged access, identity and access control, patching, application security, or user awareness. They can now view a comprehensive list of assets across the organization (i.e. devices, applications, databases, people, privileges, and vulnerabilities).
Phil puts it like this: ‘assure the continued correct operation of controls at run time and ensure completion of deployment’.
Fundamentally, establishing CCM allows teams to change their approach to security from reactive to proactive, and maximises the available ROI from security investments.
Endnote: Look out for a follow up to this, with more on the key capabilities required, architectures and processes needed to establish CCM.