nCircle Federal Outlook Blog

"Set it and forget it" - a Continuous Monitoring Infomercial

If the "Set it and forget it" strategy can inspire chefs to cook the perfect rotisserie chicken and investors to grow a solid portfolio, why can't we use the same strategy to harden our endpoints? While this blog post is not intended to be an infomercial for any particular product, it does outline some key tips on how to select a Continuous Monitoring solution that will deliver the broadest array of benefits.

Tip #1: If you (and your scanning solution) are able to step up to a relatively continuous approach to security monitoring - i.e., a "set it and forget it" model where your solution is scanning weekly, twice a week, even daily - your benefits can multiply beyond what you traditionally look for from a point-and-shoot scanning solution.

Imagine your scans running steadily and consistently in the background, collecting detailed information on your assets, their configurations and vulnerabilities. With this as context, here are some of the things you can do. First, you can implement a self-service model for remediation. What that means is that when your sys admins have some time to work on risk reduction, the responsible system owner just pulls the data from the most recent scan and works on those vulnerabilities with the highest priority. What's more, your continuous monitoring solution provides you with powerful new tools to tackle zero-day events - since you can use the constantly refreshed results to find the newly vulnerable assets or applications instantly. And of course, you can set alerts and be notified in near real-time when something unusual is found. Finally, you can generate risk management reports for a wide variety of audiences in your organization communicating risk trend changes in the environment over time - not just security specialists and sys admins, but auditors, business owners, and executives.

So what should you look for to identify solutions that support this type of model?

Tip #2: Naturally, your solution must be highly automated and scalable if it is to run continuously. And because the scans are running all the time, the scanning solution must be non-intrusive and gentle on the network. Scanners based on penetration testing methodologies may not be your best bet for continuous and comprehensive vulnerability monitoring, as the last thing you want to do is interfere with an application or knock over a device. The same goes for scanners that are designed for speed. High scan speed usually comes at the expense of bandwidth, the performance of the systems being scanned, and the accuracy of the results.

Tip #3: The larger your organization, the more important the solution's analytical and prioritization capabilities are - so that you do not get buried in "Too Much Information." This also further enables the self-service model: if the solution provides the initial analytics, then your sys admins won't have to be security experts to independently interpret the scan results and respond effectively.

Tip #4: Finally, any effective solution should be able to produce actionable reports and metrics, including risk trending, for every part of your organization, not just sys admins and security experts but also auditors and senior executives. In order to support trending, the solution has to have an ability to correlate the results of one scan with those of prior scans - a fairly challenging requirement.

In a recent article in InfoSecurity Magazine, I talk about three agencies that are achieving these kinds of benefits - two of which are using nCircle's own IP360 vulnerability management solution. I am sure these agency leaders would have a few more tips to add to my list since some have been perfecting their Continuous Monitoring strategy for over eight years. As for determining the right approach and the right tools? I think Ronco inventor Ron Popeil said it best, "Set it and forget it."





About

This page contains a single entry from the blog posted on November 29, 2011 5:08 PM.




Bio

Blog: Federal Outlook
Author: Keren Cummins

Keren W. Cummins is Director, Federal Markets for nCircle. Prior to joining nCircle, Keren served in executive positions with leading federal identity management solutions providers and has served several terms in the public sector, including the Dept. of Commerce, where she was a member of the Federal Public Key Infrastructure Steering Committee (FPKI SC), and the legislative and executive branches of the State of Texas.


   



