Continuous Asset Monitoring

Last week, during a consulting engagement at a client, this question became an animated discussion for a considerable amount of time. We have been strong supporters of continuous monitoring from an asset standpoint, hence the topic of this article.

What does continuous monitoring from an asset standpoint mean anyway? From a conceptual level this means:

• Having a unified asset repository that multiple cybersecurity products might contribute into (SIEM, WAF, Vulnerability Scanners, etc.)
• Having a set of historical baselines so that deviations can be noticed
• Having a correlation framework in place to continuously give feedback to the baselines, to monitor and to alert

In order to answer the question in the title, you do not need all of this. A simple framework that compares past "discovery" scans with the current one would technically suffice (a lot of the vulnerability scanner products will allow you to do that to some extent). But then, you run into the question of how often do you need to run these scans for it to become "continuous": monthly, weekly, daily, hourly? In today's world of quick starting and stopping containers you could have an asset occasionally startup to do its dirty work and then terminate itself before being detected. Also, you would be doing yourself a disservice if you just looked for asset changes from such a narrow perspective.

What are the barriers to getting truly continuous asset monitoring? From our perspective, they are the following:

• Currently deployed cybersecurity products most likely do not share data with each other, especially what an asset means to the product.
• Chances are your products are able to only correlate events from an intra-product standpoint, missing out on the cross-product correlation.
• The various products' data does not end up in a central "data-lake" for holistic asset analysis and baselining.
• And the products' data alone isn't enough to truly detect all new assets: you would also need data from switches and other such hardware devices to get the full picture.

Where does your cyber framework stand from a continuous monitoring standpoint? Ask yourself the following questions: would you get alerted ...

• If a new asset shows up in your environment? If yes, how quickly would that happen?
• If an asset disappears from your environment? If yes, how quickly?
• If an assets suddenly starts to communicate with new partners? Perhaps even a known bad actor?
• Do you know what "normal" behavior for your asset means? If yes, would you know what "abnormal" behavior is? Would you get alerted?

To sum it up, if your cybersecurity monitoring framework is able to alert on the discovery of a new asset then you're ahead of the game already, give yourself a pat on the back and ask the follow up question: would you know if an asset behaved abnormally (i.e. let's say its event logging rate multiplied by 5x)?