
Monitoring Your IT Systems

The Best Tools That Meet Compliance Requirements and Are Affordable for SMEs (Small to Medium Enterprises)

By Ray Hutchins, Mitch Tanenbaum, and Andrews Tallon

Synopsis: Cybersecurity professionals review IT infrastructure monitoring tools in an effort to find those that provide the best monitoring capabilities for the least amount of money and effort for our clients.

Introduction: You have probably noticed that regulators, insurance companies, and customers increasingly expect (and require) companies like yours to monitor your IT infrastructure for cybersecurity problems. Such monitoring is part of any professional cybersecurity program, and it will cost you money and time. We know many companies like yours that struggle to find and vet third-party technical tools for this, and you were never trained to make this decision. This white paper makes your life a lot easier: we have done the work and have found tools that reduce cyber and financial risk for our clients.

Why Monitoring is Now Required:

There are multiple reasons why you will soon decide to set up some kind of system to monitor your IT infrastructure. They include:

1. Your executive management has come to a point where it now views cybersecurity risk the same way regulators and others do. Management understands that your company is responsible for the data it collects and not protecting it correctly increases company risk and lowers company valuation.

2. Depending on your industry, you may have specific regulatory compliance requirements for monitoring your network (see below).

3. Cybersecurity insurance. Most cybersecurity insurance underwriters now demand some form of monitoring before they will insure your company. Note that even if they don't require YOU to deploy monitoring tools, almost all insurance companies run external scanning tools against you themselves for the entire time your policy is in effect. They use the results to decide whether to insure you initially and whether to cancel your policy after you get it.

4. Requirements from customers and vendors. Many customers and vendors now perform cybersecurity due diligence on partners and vendors before they engage with them. This is part of their own risk management programs. Who wants to risk that a vendor or partner with bad cybersecurity practices will cause their data to be compromised?

If your customers, vendors, regulators and the general public are all monitoring your security profile and you are the only one who is not monitoring it, where does that leave you?

NOTE: Hackers use these same tools to reconnoiter and monitor your IT infrastructure.

Examples of Compliance Requirements:

The tables below provide some specific compliance requirement language related to monitoring. The examples we show are for the NIST Cybersecurity Framework (federal guidance) and NY DFS Part 500 (financial services regulation). Note that they don't tell you whether the monitoring needs to be internal or external monitoring. In time the standards and regulations may become more specific, but for now they are just trying to get SOME KIND of monitoring into place.

1. NIST CSF Monitoring Requirements. The NIST Cybersecurity Framework (CSF) was published by the U.S. federal government and is voluntary, but regulators, insurers and customers map their own requirements to it, so virtually every company in the U.S. is measured against it in one way or another. The subcategory IDs below are from CSF version 1.1.

Asset Management
ID.AM-1: Physical devices and systems within the organization are inventoried


Detect-Security Continuous Monitoring
DE.CM-1: The network is monitored to detect potential cybersecurity events
DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events
DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed
DE.CM-8: Vulnerability scans are performed

2. New York Department of Financial Services (NY DFS 500, formally 23 NYCRR Part 500) Monitoring Requirements. This is currently the preeminent cybersecurity regulation for financial services companies in the U.S.

500.05: The cybersecurity program for each covered entity shall include monitoring and testing, developed in accordance with the covered entity’s risk assessment, designed to assess the effectiveness of the covered entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in information systems that may create or indicate vulnerabilities, covered entities shall conduct:

(a) annual penetration testing of the covered entity’s information systems determined each given year based on relevant identified risks in accordance with the risk assessment; and

(b) bi-annual vulnerability assessments, including any systematic scans or reviews of information systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the covered entity’s information systems based on the risk assessment.

3. HIPAA

NOTE : There are multiple references within HIPAA to monitoring…too many to list here. If this is a requirement for you, please contact us and we will provide you with the documentation.

4. FTC Safeguards Rule. This applies to financial institutions under FTC jurisdiction, i.e. the non-bank businesses covered by the Gramm-Leach-Bliley Act (GLBA). Its monitoring requirement is:

Continuous monitoring of information systems or annual penetration testing and twice-yearly vulnerability assessments.

Different Types of Monitoring Tools

System monitoring tools fall into four categories:

1. Internal monitoring tools. These tools require that software (an agent, sensor or log collector) be installed inside the perimeter of your environment. They monitor your systems for unusual activity and for the presence of different kinds of malware. They can also inventory your IT infrastructure and systems, an important capability that meets other compliance requirements, such as knowing what IT assets make up your environment. How can you protect your IT environment without knowing what is in it?

2. External monitoring tools. These tools do not require ANY access to your systems or environments; they operate entirely from outside the perimeter of your infrastructure. Professionals now refer to them as External Attack Surface Management (EASM) tools. EASM tools collect what is referred to as Open Source Intelligence (OSINT): DNS records, certificates, open ports and services, and other data about your systems that is observable from the Internet, including internal systems that communicate with other systems on the Internet. A huge amount of information can be gleaned from this type of monitoring/surveillance, and it is exactly what hackers use to get a picture of the health and security of your systems.

You can use EASM tools to perform three kinds of monitoring:

  • Monitoring of your own IT infrastructure. This reveals what of yours is exposed to the Internet and who your systems are communicating with...including the bad guys. Based on this and other information these systems can see, you get ongoing security scores and advice.
  • Monitoring of selected critical vendors. Do you think it's advisable to know the cybersecurity status of vendors your business depends upon? You want a daily alert if their security score moves, in either direction, beyond an acceptable threshold.
  • Performing an inventory of the parts of your IT infrastructure and systems that are EXTERNALLY visible.
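What "continuous" external monitoring actually does, day to day, is compare today's view of your attack surface with yesterday's and alert on what changed. The following is an added example, not code from the white paper or from any EASM vendor. It assumes two constructed snapshots (hostnames, resolved IPs, open ports and certificate expiry dates) of the kind an external scanner would produce; the list of "never expose this" ports and the 30-day certificate warning are assumptions standing in for your own risk assessment.

```python
"""Change detection over an externally observed asset inventory.

Added example (not the white paper's code and not any vendor's product).
It assumes two constructed snapshots of what an external scanner saw on
consecutive days: hostname, resolved IP, open TCP ports and, where a TLS
certificate was seen, its expiry. The alerting logic is what an EASM
service runs continuously: new hosts, newly opened ports, IP changes,
risky services exposed to the Internet, and certificates about to expire.
"""
from dataclasses import dataclass
from datetime import date
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Services that should not be reachable from the Internet. Assumption: a
# typical SME policy; tune this to your own risk assessment.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 445: "SMB", 1433: "MSSQL",
               3306: "MySQL", 3389: "RDP", 5900: "VNC"}
CERT_WARNING_DAYS = 30


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    open_ports: FrozenSet[int]
    cert_expiry: Optional[date] = None


Finding = Tuple[str, str]  # (severity, message)


def find_changes(previous: Iterable[Asset], current: Iterable[Asset],
                 today: date) -> List[Finding]:
    """Compare two snapshots and return (severity, message) findings."""
    prev = {a.host: a for a in previous}
    cur = {a.host: a for a in current}
    findings: List[Finding] = []

    # Hosts that appeared or disappeared since the last snapshot.
    for host in sorted(cur.keys() - prev.keys()):
        findings.append(("high", f"new externally visible host: {host} ({cur[host].ip})"))
    for host in sorted(prev.keys() - cur.keys()):
        findings.append(("info", f"host no longer visible: {host}"))

    # Hosts present in both snapshots: look for IP and port changes.
    for host in sorted(cur.keys() & prev.keys()):
        before, after = prev[host], cur[host]
        if before.ip != after.ip:
            findings.append(("medium", f"{host}: IP changed {before.ip} -> {after.ip} "
                                       "(possible DNS takeover or migration)"))
        for port in sorted(after.open_ports - before.open_ports):
            findings.append(("high", f"{host}: port {port} newly open"))
        for port in sorted(before.open_ports - after.open_ports):
            findings.append(("info", f"{host}: port {port} closed"))

    # Policy checks that apply to the current snapshot regardless of history.
    for host, a in sorted(cur.items()):
        for port in sorted(a.open_ports & set(RISKY_PORTS)):
            findings.append(("critical", f"{host}: {RISKY_PORTS[port]} ({port}) exposed to the Internet"))
        if a.cert_expiry is not None:
            days_left = (a.cert_expiry - today).days
            if days_left < 0:
                findings.append(("high", f"{host}: TLS certificate expired {-days_left} days ago"))
            elif days_left <= CERT_WARNING_DAYS:
                findings.append(("medium", f"{host}: TLS certificate expires in {days_left} days"))
    return findings


# Constructed sample snapshots (documentation addresses, not real hosts).
YESTERDAY = [
    Asset("www.example.com", "203.0.113.10", frozenset({80, 443}), date(2024, 6, 1)),
    Asset("mail.example.com", "203.0.113.11", frozenset({25, 443, 993})),
    Asset("vpn.example.com", "203.0.113.12", frozenset({443})),
]
TODAY = [
    Asset("www.example.com", "203.0.113.10", frozenset({80, 443}), date(2024, 6, 1)),
    Asset("mail.example.com", "203.0.113.11", frozenset({25, 443, 993, 3389})),  # RDP opened
    Asset("dev.example.com", "203.0.113.20", frozenset({22, 8080})),  # nobody told security
]


def run_sample() -> List[Finding]:
    return find_changes(YESTERDAY, TODAY, date(2024, 5, 15))


if __name__ == "__main__":
    for severity, message in run_sample():
        print(f"[{severity:8}] {message}")
```

The constructed run flags the new dev host, the RDP port that appeared on the mail server (twice: once as a change, once as a policy violation), the VPN host that vanished, and the web certificate that expires in 17 days. A commercial EASM service adds discovery (finding the hosts in the first place from DNS, certificate transparency logs and IP ranges) and scoring, but the alerting step is this diff.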

3. Cloud monitoring tools. Many of us operate mostly or wholly in the cloud, i.e. we use third-party applications to run our companies (Microsoft 365, Google Workspace, accounting systems, industry-specific cloud applications, etc.). Different monitoring tools support different cloud providers, so check whether a tool monitors YOUR cloud providers. EASM tools can also be used to assess cloud-based systems, as long as they are visible from the Internet.

4. Dark web monitoring tools. The dark web (sites reachable only through anonymizing networks such as Tor) is not crawled by Google and other search engines, and it is where stolen data is traded. Dark web monitoring tools search it for stolen access credentials related to your company and its people, and for other information about your company that can be used to attack you. If you learn that your email passwords have been posted and made available, you can change them (and turn on multi-factor authentication, so that a leaked password alone is not enough to get in). Here is a great 4 minute video made by our CISO Mitch Tanenbaum that explains the dark web issue: https://drive.google.com/file/d/1ZvqeE7qeWPpd75ekM_k640iwL4IgWBod/view?usp=sharing
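A practical question about any credential monitoring service is how you can ask "has this password leaked?" without handing the service the password. The standard answer is k-anonymity, the design used by Have I Been Pwned's Pwned Passwords range API: the client hashes the secret with SHA-1, sends only the first five hex characters of the hash, gets back every leaked hash suffix sharing that prefix, and does the final match locally. The block below is an added example, not the white paper's code or any vendor's; it implements both sides locally so it runs offline, and the "leak corpus" is constructed for the demo.

```python
"""Checking a password against a breach corpus without revealing it.

Added example, not the white paper's code or any vendor's product. Mirrors
the k-anonymity range-query design of Have I Been Pwned's Pwned Passwords
API: only a 5-character SHA-1 prefix leaves the client. Both the "server"
index and the "client" check run locally here; the leak corpus is constructed.
"""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, Iterable, Tuple

PREFIX_LEN = 5  # 20 bits of the 160-bit hash; the rest never leaves the client

# Constructed "leaked" corpus: (password, times seen in breaches). A real
# service stores only hashes and counts, never the plaintext.
_CONSTRUCTED_LEAKS = [("password", 9_545_824), ("Summer2023!", 312), ("letmein", 1_100_000)]


def sha1_hex(secret: str) -> str:
    return hashlib.sha1(secret.encode("utf-8")).hexdigest().upper()


def build_range_index(leaks: Iterable[Tuple[str, int]]) -> Dict[str, Dict[str, int]]:
    """Server side: map hash prefix -> {hash suffix: count}."""
    index: Dict[str, Dict[str, int]] = defaultdict(dict)
    for pw, count in leaks:
        h = sha1_hex(pw)
        index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] = count
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> str:
    """Server side: answer a prefix query as 'SUFFIX:COUNT' lines (HIBP text format)."""
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return "\n".join(f"{s}:{c}" for s, c in sorted(index.get(prefix, {}).items()))


def pwned_count(secret: str, query: Callable[[str], str]) -> int:
    """Client side: send only the prefix, match the suffix locally.

    Returns how many times the secret was seen in breaches, 0 if never.
    """
    h = sha1_hex(secret)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in query(prefix).splitlines():
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


class RecordingServer:
    """Wraps the index so we can show exactly what the server gets to see."""

    def __init__(self, leaks: Iterable[Tuple[str, int]]):
        self.index = build_range_index(leaks)
        self.queries_seen = []

    def __call__(self, prefix: str) -> str:
        self.queries_seen.append(prefix)
        return range_query(self.index, prefix)


def demo() -> Tuple[int, int, RecordingServer]:
    server = RecordingServer(_CONSTRUCTED_LEAKS)
    leaked = pwned_count("password", server)
    clean = pwned_count("correct horse battery staple", server)
    return leaked, clean, server


if __name__ == "__main__":
    leaked, clean, server = demo()
    print(f"'password' seen {leaked} times; unleaked phrase seen {clean} times")
    print(f"server only ever saw these prefixes: {server.queries_seen}")
```

Two caveats a practitioner should keep in mind: the prefix still narrows the hash space to one part in about a million, so a real service should pad responses to a constant size to stop traffic analysis; and this check tells you a password is known to attackers, not that your account specifically was in a dump, which is the separate "leaked credential pair" search that dark web monitoring services perform.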

NOTE: For most companies, EASM tools are what you need to start with. They are faster to deploy, require limited to no participation on your part to set up and manage, cost less, and do not require access to your systems (which is a security issue in its own right: any agent you install is itself a new piece of privileged software you have to secure).

Monitoring and/or surveillance of personnel for insider threats and other issues is another kind of IT monitoring capability that companies are employing. We do not address that kind of monitoring in this article. Give us a call and we’ll provide you with info on this topic.

Types of IT Infrastructure You Can Monitor and Protect

It is important to have a complete inventory of the different types of IT infrastructure and applications that your company, employees and critical vendors may be using, because each type of infrastructure may only accommodate certain types of monitoring tools.

1. Internal systems - These are systems located in your office, sometimes referred to as "on-premises" or "on-prem" systems. This also applies to colocated ("COLO") systems. A COLO is a building, or part of one, that provides you physical space, physical security, power, air conditioning and an Internet connection. In both cases you own and manage the hardware and software, so you can typically run any kind of monitoring tool on them that you want.

2. Cloud hosted systems - These are infrastructure services such as Amazon Web Services (AWS) or Google Cloud Platform (GCP). The vendor provides you with a "virtual server" and probably an operating system of your choice, but after that you are on your own: patching, configuration and monitoring of that server are your responsibility, not the provider's. For the most part you can run any monitoring tools you choose, as long as they don't violate the provider's terms of service; check the provider's acceptable-use and security-testing policy before pointing vulnerability scanners at cloud-hosted addresses.

3. Software as a Service (SaaS) - This is the most challenging type. Examples are Dropbox and Salesforce. For these systems you can only do what the vendor lets you do, and since they are shared systems, that list is very short: typically an audit log and an API you can pull it through. You need to make sure that whatever the vendor allows you to do meets your compliance and risk management requirements.

The Peeling-the-Onion Model

Monitoring is not one-size-fits-all. There are likely several tools that could give you insight into your security, but you have a limited budget. We therefore recommend that you start with the easiest and least expensive solution that provides you value and add to it over time if you need to. The first tool you implement will likely give you the most bang for the buck; anything you add after that is likely incremental in value. The opposite approach is to start with the most comprehensive tool, which is likely also the most expensive and hardest to implement. Our practical experience is that this approach is much more error prone, time consuming and financially wasteful.

Note: You want monitoring services and tools that do not require you to hire additional people to install, run, maintain, and watch the system. We specialize in finding such services.

Our Vetting Process

We have been vetting monitoring systems for years in order to help our clients find the right products for their businesses. Our vetting process is roughly as follows:

  • Find all the U.S. based monitoring companies in each monitoring category
  • Analyze and compare all the monitoring systems’ technical capabilities
  • Look at other issues that are relevant such as:
    -Company security (and any reported breaches)
    -Company ownership
    -Support
    -Ease of use
    -Problems reported by users
    -Language/issues in their EULA (end user license agreement)
    -Pricing
  • Then we make a short list and get a demo or two...and if applicable we use the product ourselves as a customer
  • Then we make a choice. At this point we are ready to become a reseller of the chosen product(s) and represent to our customers that this is the best choice we could make. If we are a reseller, we make a small amount of money on any sale. We may also recommend another product to our customers which is not a product we are resellers for. We’ll tell you if we are a reseller for a product or not.

Monitoring Tool Capabilities

1. Some External Monitoring System Capabilities.
a- Requires no additional personnel and can easily be replicated.
b- All scanning performed externally with no access to client's network(s)
c- Powerful, continuous monitoring of security of all critical vendors
d-Asset discovery and inventory

2. Some Internal Monitoring System Capabilities.
a- 100% of the data is monitored 24/7
b- Monitor for threats such as malware, ransomware and software vulnerabilities, including human behavioral anomalies
c- Asset discovery, vulnerability assessment, intrusion detection, behavior monitoring and log management via a cloud-based SIEM (security information and event management) platform
d- Identify and detect risks across your network, cloud platforms, endpoints and software applications
e- Machine learning and user behavior analytics
f- Ability to see all security log data in the monitoring tool
g- On-demand access to retained activity logs
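The intrusion-detection and behavior-monitoring capabilities listed above come down to rules that run over the logs the agents collect. The following is an added example, not code from the white paper or from any SIEM product, showing one such rule: a password-guessing detector over SSH authentication logs. The log lines are constructed in the style of OpenSSH's sshd messages, and the threshold (5 failures in 10 minutes) and severities are assumptions you would tune to your environment.

```python
"""A minimal SIEM-style detection over constructed SSH auth log lines.

Added example, not the white paper's code or any product's rule set.
Rule: N or more failed logins from one source within a sliding window is a
brute-force attempt (medium); a successful login from that source while
the window is still hot is a probable compromise (critical).
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Matches OpenSSH-style "Failed/Accepted password for [invalid user] X from IP" lines
# carried in a constructed "ISO-timestamp host process[pid]: message" syslog format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)

Alert = Tuple[str, str, str]  # (severity, source ip, message)


def parse(line: str) -> Optional[dict]:
    """Return a normalised event, or None for lines the rule doesn't care about."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines: Iterable[str], threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> List[Alert]:
    failures: Dict[str, Deque[datetime]] = defaultdict(deque)  # ip -> recent failure times
    alerted = set()  # one "attempt" alert per source per burst, to avoid flooding
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:  # slide the window forward
            q.popleft()
        if not ev["ok"]:
            q.append(ev["ts"])
            if len(q) >= threshold and ev["ip"] not in alerted:
                alerted.add(ev["ip"])
                alerts.append(("medium", ev["ip"], f"{len(q)} failed logins within {window}"))
        else:
            if len(q) >= threshold:
                alerts.append(("critical", ev["ip"],
                               f"successful login as {ev['user']} after {len(q)} failures"))
            q.clear()
            alerted.discard(ev["ip"])
    return alerts


# Constructed sample log: one fast brute force that succeeds, one user who
# fat-fingers a password once, a non-ssh line, and a slow scan that stays
# under the threshold (documentation IPs, not real addresses).
SAMPLE_LOG = """
2024-05-15T02:00:01Z host1 sshd[4101]: Failed password for root from 198.51.100.7 port 50110 ssh2
2024-05-15T02:00:03Z host1 sshd[4102]: Failed password for invalid user test from 198.51.100.7 port 50112 ssh2
2024-05-15T02:00:05Z host1 sshd[4103]: Failed password for admin from 198.51.100.7 port 50114 ssh2
2024-05-15T02:00:07Z host1 sshd[4104]: Failed password for admin from 198.51.100.7 port 50116 ssh2
2024-05-15T02:00:09Z host1 sshd[4105]: Failed password for admin from 198.51.100.7 port 50118 ssh2
2024-05-15T02:00:11Z host1 sshd[4106]: Failed password for admin from 198.51.100.7 port 50120 ssh2
2024-05-15T02:00:13Z host1 sshd[4107]: Accepted password for admin from 198.51.100.7 port 50122 ssh2
2024-05-15T08:15:00Z host1 sshd[5201]: Failed password for alice from 192.0.2.5 port 40001 ssh2
2024-05-15T08:15:09Z host1 sshd[5202]: Accepted password for alice from 192.0.2.5 port 40002 ssh2
2024-05-15T08:30:00Z host1 CRON[5300]: (root) CMD (run-parts /etc/cron.hourly)
2024-05-15T09:00:00Z host1 sshd[6001]: Failed password for root from 203.0.113.99 port 33001 ssh2
2024-05-15T10:00:00Z host1 sshd[6002]: Failed password for root from 203.0.113.99 port 33002 ssh2
2024-05-15T11:00:00Z host1 sshd[6003]: Failed password for root from 203.0.113.99 port 33003 ssh2
"""


def run_sample() -> List[Alert]:
    return detect_bruteforce(SAMPLE_LOG.strip().splitlines())


if __name__ == "__main__":
    for severity, ip, message in run_sample():
        print(f"[{severity}] {ip}: {message}")
```

On the constructed log the rule raises two alerts for 198.51.100.7 and nothing for alice or for the slow scanner at 203.0.113.99, which is the point worth noticing: a single threshold misses low-and-slow guessing, and catching it needs longer retention and correlation across hosts and sources, which is what the "log management via a SIEM" and "retained activity logs" capabilities above are for.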

3. Some Cloud Monitoring System Capabilities.
a-Integrates with the cloud system being monitored via the vendor's API
b-Data limited to whatever that system can provide
c-Monitors 24/7
d-Identifies and alerts on risks found
e-Provides reports and access to raw data

NOTE: You may be able to use internal and external monitoring tools in the cloud in addition to tools a cloud provider offers. You can use EASM tools if the cloud application is visible from the Internet.

Benefits of Using Us to Find a Monitoring Service

It only makes sense. We are a full-service cybersecurity company and we vet technical products for a living. We understand the process so well, we are developing an automated tool to help folks make better decisions regarding technical products. More information here: https://www.vendorassessmentasaservice.com

Additional benefits include:

  • Leverage our years of experience and increase the odds you'll get the right product at the best price. Every vendor has multiple ways to price their products and any bonus features. We know them and speak their language. You benefit.
  • We become part of your support team. Our established relationship with the vendor gets you the best service possible.

How We Generate Monitoring Recommendations

We have engineered a process to understand and document the client’s monitoring requirements and we use these to assess applicable tools. Based on that assessment, we will recommend one or more tools.

NOTE:Each client’s requirements are unique and we consider those requirements in identifying a possible monitoring solution for that client.

Our process includes the following:

  • Our recommendations are dictated by customer requirements. For example, if the customer has a budget of $X, we will consider tools that meet that budget.
  • Sometimes a customer comes to us with a particular tool or service in mind. They want our opinion as to whether this is the optimal tool for them or if there are other better and/or less expensive options.
  • Other times a client comes to us with a requirement such as the protection of confidential client information and that then can become a significant factor in identifying possible solutions
  • Specific tool and/or service recommendations for each company will be different based upon your compliance requirements and the IT infrastructure you are trying to monitor.