Continuous Monitoring: Getting Past Complexity & Reducing Risk


Published on

This presentation on Continuous Monitoring was created by Bryce Schroeder, who leads Tripwire's global presales engineering team.

He has over 29 years of IT architecture and security expertise solving enterprise challenges. Bryce joined Tripwire from NetApp, where he led a team of architects and systems engineers working on enterprise cloud infrastructure solutions.

Numerous articles on Continuous Monitoring can be found here:

Published in: Technology
  • And of course, I recently completed this chart and a detailed sub-control mapping across our blended product line. What I like about this chart is the NSA rankings and how they line up with the first four CSC as well. This is impactful. When the NSA, SANS, and mappings to both NIST and ISO all support working on the first four CSC to get you significantly down the road to improved cybersecurity, and it aligns with 2013 FISMA metrics, it's not a bad place to start.
  • Another approach is what we call "Traditional Configuration Assessment," which can bring you up to compliance rapidly, but if changes happen afterward, you have no visibility into or control over those changes, and it's only when you do another scan that you get back into compliance. And even the highest-performing organizations do these "mega-scans" once a month at best! The frequency of assessing IT configurations opens the door to risk and potential security breaches.
  • When you’re looking for a continuous monitoring solution – you need to consider a solution that enables 4 very specific capabilities.
  • Is it a critical asset? Medical system?
  • You need intelligent information to make risk-based decisions.
  • You cannot "turn on" continuous monitoring or real-time monitoring on everything. So you need to choose the frequency.
  • You need to feed that information to your authorizing official.
  • Support the business
  • Be controllable
    - If you can't influence it, why report on it?
  • Be quantitative
  • Be easy to collect and analyze
    - If it takes 3 weeks to gather data you report on monthly, something is wrong
  • Too hard to gather & interpret
  • Reporting too often
  • Subject to trending
  • Metrics must be changeable
    - Things you report on will change
    - Your targets will change
  • So those are some of the things that are going right. But let's take a look at what isn't going as well. In organizations that are stuck or stalled, here are some of the things that tend to slow them down.

    The first is the use of what I refer to as a "boil the ocean" approach. In other words, trying to do too much across too broad a landscape of your business. Rather than trying to solve every risk problem in the organization, pick one or two key areas that relate to one or two key business processes, and start there. Remember, non-technical executives tend to think of things in terms of revenue, costs, customer satisfaction, fulfillment, or other key processes in the business. Figure out what the most important process is, what the biggest risk is that's facing that particular area, then identify what you can do from an IT risk perspective to mitigate that risk. If you're successful, those early wins can make it a lot easier to move on to future phases of your projects.

    Another problem I've seen is when the discussion gets too granular or too geeky very quickly. Executives have short attention spans, so keep it high level and get to the point quickly.

    Closely related to this is when there is no buy-in from other parts of the organization. This can be very frustrating because it often looks like a superhero in the IT organization trying to take on the rest of the organization and force them to adopt a risk-oriented focus. If you don't have buy-in, you're not ready to start executing.

    The most effective place to get support is as high in the organization as you can manage. I mentioned tone at the top before. If you're trying to embark on a risk management project to get risk management adopted across your organization, make sure you have an executive sponsor. This is generally either the CEO or someone reporting to the CEO in your organization.

    We've talked a bit about this one already, but I've also seen ineffective metrics, or a complete lack of metrics, stall risk management efforts. I'll get to that in a minute.

    Finally, as I mentioned before, too many organizations are focused on cost as the primary focus of the risk management and security programs. This has got to change.
  • Explain the roles and responsibilities that individuals in IT security, IT, and the business organization have in implementing continuous monitoring.
  • Investigating and adopting a repeatable framework
    - FAIR, OCTAVE, OVAL, CAESARS, ISO, etc.
  • Applying risk ranking/scoring methods
  • Engaging cross-functional "steering committees" to examine various risks
    - Strategic & Operational, Information Security, Financial, Employment Practices, Intellectual Property, Physical, Legal, Regulatory, etc.
  • Prioritizing projects, actions, and investments to bias toward areas of highest risk and impact
  • Establishing Key Risk Indicators (KRIs) and Key Risk Objectives (KROs) to measure progress
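The point made above about "Traditional Configuration Assessment", that a scheduled scan only sees the state of a system at the moment it runs, can be shown with a small file-integrity check. The following is an added example written for this page; it is not code from the presentation or from any Tripwire product. It snapshots SHA-256 hashes and permission bits of the files in a constructed temporary directory (the file names sshd_config and server.key and their contents are made up for the demonstration, as are both change scenarios), then compares a persistent change, which the next scheduled scan catches, with a change that is made and reverted between scans, which only a check run on every change event sees.

```python
"""Configuration drift: why a periodic scan misses changes made between scans.

Added example, not part of the original presentation or of any product.
All files and changes are constructed inside a temporary directory so the
script runs offline on a POSIX system.
"""
import hashlib
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: (sha256_hex, permission_bits)} for every file under root."""
    state = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            mode = stat.S_IMODE(path.stat().st_mode)
            state[str(path.relative_to(root))] = (digest, mode)
    return state


def diff(baseline, current):
    """Classify drift between two snapshots as added, removed or modified paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Run two constructed scenarios and return what each monitoring style observed.

    Scenario 1: a config change persists until the next scheduled scan.
    Scenario 2: a change is made and reverted between scans (a private key
    temporarily left world-readable). Periodic scanning compares only the
    scheduled snapshots; change-triggered monitoring compares after every change.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        config = root / "sshd_config"                 # constructed sample file
        config.write_text("PermitRootLogin no\n")
        key = root / "server.key"                     # constructed sample file
        key.write_text("-----BEGIN PRIVATE KEY----- (constructed sample)\n")
        key.chmod(0o600)
        baseline = snapshot(root)

        # Scenario 1: persistent change, caught by the next periodic scan.
        config.write_text("PermitRootLogin yes\n")
        persistent = diff(baseline, snapshot(root))
        config.write_text("PermitRootLogin no\n")      # restore to baseline content

        # Scenario 2: transient change, reverted before the next periodic scan.
        key.chmod(0o644)                               # change event 1: loosen permissions
        seen_by_hook = diff(baseline, snapshot(root))  # what a per-change check sees
        key.chmod(0o600)                               # change event 2: revert
        periodic = diff(baseline, snapshot(root))      # the next scheduled scan

        return {
            "persistent_change_seen_by_periodic_scan": persistent["modified"],
            "transient_change_seen_by_periodic_scan": periodic["modified"],
            "transient_change_seen_by_change_hook": seen_by_hook["modified"],
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The scheduled scan reports the sshd_config change but nothing for server.key, even though the key was readable by every local user for a period; only the check that ran on the change event records it. Real agents get the change event from the kernel (inotify on Linux, USN journal or ETW on Windows) rather than re-hashing on demand, but the comparison logic is the same.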