Continuous Monitoring and Real Time Risk Scoring

Erich Baumgartner, VP Federal
Q1 Labs – An IBM Company

J.R. Cunningham, Director of Federal Strategy
Accuvant

Meeting the Information Requirements of Federal Agencies

• Two-phased compliance and security timeline
Security Intelligence for Continuous Monitoring

• Monitors network changes to detect vulnerabilities in the network
  • Changes may be potential threats and policy/compliance violations, resulting in security gaps
• Compares configuration data from network security devices with layer 7 network activity analysis
  • Continuously checks rule policy effectiveness and raises alerts
• Provides single console view of risk exposure needed to meet continuous monitoring requirements (risk management, log management, SIEM, network behavior analysis)
Continuously Manage Risk with Security Intelligence

Move beyond traditionally reactive security management

• Multi-vendor network configuration monitoring & audit
• Automated compliance and risk assessment
• Predictive threat modeling & simulation

Risk Indicators:
• Configuration/Topology
• Network Activity
• Vulnerability Management
• Network & vulnerability context
Accuvant & Q1 Labs

• Traditional SVARs: Technology Driven
• Traditional Consulting: Audit/Compliance Driven
J.R. Cunningham
Accuvant
What is Continuous Monitoring?

“…determine if the complete set of planned, required, and deployed security controls within an information system or inherited by the system continue to be effective over time…” NIST SP 800-37
Why is Continuous Monitoring Critical?
(Beyond the Obvious Answer – “It’s Required”)

• Intelligent Cyber Security – Applying countermeasures only to systems needing those controls
• Threat Intelligence – Understanding as much about the enemy and threat vectors as possible
• Acquisition excellence – find the “big ROI”
• Situational Awareness – decision superiority delivered with “speed of need”

“If an agency has $1 to spend today, where should they spend it and why?”
Continuous Monitoring and Situational Awareness

(Diagram: Situational Awareness sits between the threats and the countermeasures.)

Threats:
• Malware
• Insider Threat
• Device/Data Theft
• Leakage
• DDoS
• Espionage

Countermeasures:
• Endpoint Protection
• Network Defenses
• Encryption
• DLP
• SIEM
• RBAC
Choosing Meaningful Metrics

Data sources:
• Organizational Data
• Vulnerability & Patch Management
• Software & Data Asset Management
• Network & Configuration Management
• Compliance & Audit Management
• Security Information & Event Management

A meaningful metric is:
• Accurate
• Repeatable
• Potential for Risk Relevance (either alone or with other data)
• Should be known in industry
• Not Necessarily Actionable
• Can sometimes validate or invalidate other data
Industry Standard Metrics
(measurablesecurity.mitre.org)
Finding the Risk Relevant Data

Data sources:
• Organizational Data
• Vulnerability & Patch Management
• Software & Data Asset Management
• Network & Configuration Management
• Compliance & Audit Management
• Security Information & Event Management

Risk Relevant Data:
• Some level of aggregation
• Also a repeatable process
• Begins to inform SA
• Not necessarily actionable
• Centrally managed
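The two slides on metrics and risk-relevant data describe a pipeline: raw feeds from asset, vulnerability, patch and SIEM sources are joined per asset, aggregated into a repeatable, centrally managed view, and cross-checked so that one feed can validate or invalidate another. The block below is an added example of that pipeline, not Q1 Labs, QRadar or Accuvant code. Every feed is constructed sample data, and the weighting formula is an assumption chosen to make the aggregation concrete, not a published scoring method.

```python
"""Aggregate several raw data sources into per-asset risk-relevant data.

Added example, not Q1 Labs/QRadar or Accuvant code. All feeds below are
constructed sample records; the weighting formula is an assumption chosen
for illustration, not a published scoring method.
"""
from collections import defaultdict

# Constructed feed: software & data asset management (the system of record for assets).
ASSET_INVENTORY = {
    "srv-web-01": {"criticality": 3, "internet_facing": True},
    "srv-db-01":  {"criticality": 5, "internet_facing": False},
    "ws-0042":    {"criticality": 1, "internet_facing": False},
}

# Constructed feed: vulnerability scanner findings as (asset, finding id, CVSS base score).
VULN_FINDINGS = [
    ("srv-web-01", "FINDING-0001", 9.8),
    ("srv-web-01", "FINDING-0002", 5.3),
    ("srv-db-01", "FINDING-0003", 7.5),
    ("host-unknown", "FINDING-0004", 9.0),   # the scanner knows a host the inventory does not
]

# Constructed feed: patch management, count of missing patches rated critical.
MISSING_CRITICAL_PATCHES = {"srv-web-01": 2, "srv-db-01": 0, "ws-0042": 5}

# Constructed feed: SIEM high-severity offenses in the scoring window, as (asset, offense name).
SIEM_HIGH_SEVERITY_EVENTS = [
    ("srv-web-01", "brute-force-login"),
    ("srv-web-01", "brute-force-login"),
    ("srv-web-01", "web-shell-signature"),
    ("srv-web-01", "outbound-beacon"),
    ("srv-db-01", "privilege-escalation"),
]


def aggregate(inventory, vulns, patches, events):
    """Join every feed on the asset identifier and return (scored, flags).

    scored: list of (asset, score) sorted from highest to lowest risk
    flags:  data-quality findings produced by cross-checking the feeds
    """
    max_cvss = defaultdict(float)
    for asset, _finding, cvss in vulns:
        max_cvss[asset] = max(max_cvss[asset], cvss)
    event_count = defaultdict(int)
    for asset, _name in events:
        event_count[asset] += 1

    # Cross-source validation: a feed that references an asset the system of
    # record does not know about is itself a finding (inventory gap or rogue host).
    flags = []
    for asset in set(max_cvss) | set(patches) | set(event_count):
        if asset not in inventory:
            flags.append(f"{asset}: referenced by a feed but absent from asset inventory")

    scored = []
    for asset, attrs in inventory.items():
        # Assumed weighting: business criticality scales the worst exposure,
        # with an extra 2 points of exposure for internet-facing systems;
        # missing critical patches and recent high-severity offenses add on top.
        exposure = max_cvss[asset] + (2.0 if attrs["internet_facing"] else 0.0)
        score = (attrs["criticality"] * exposure
                 + patches.get(asset, 0)
                 + 0.5 * event_count[asset])
        scored.append((asset, round(score, 1)))
    # Deterministic ordering keeps the process repeatable: same inputs, same ranking.
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored, sorted(flags)


if __name__ == "__main__":
    ranking, data_flags = aggregate(ASSET_INVENTORY, VULN_FINDINGS,
                                    MISSING_CRITICAL_PATCHES, SIEM_HIGH_SEVERITY_EVENTS)
    for asset, score in ranking:
        print(f"{asset:12s} risk score {score:5.1f}")
    for flag in data_flags:
        print("DATA QUALITY:", flag)
```

On the constructed feeds the internet-facing web server ranks first, the database server a close second because of its criticality, and the workstation far behind despite having the most missing patches; the scanner-only host is not scored but surfaces as a data-quality flag, which is the "validate or invalidate other data" property from the metrics slide in practice.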
Security Intelligence Across the Infrastructure – Anomaly Detection

Squelching the Noise

Informative and Actionable Output

Q1 Report Screen Here

Pre-built NIST reporting

Risk Based Decisions

* NIST SP 800-39
What to do next?

• Watch our recent webcasts http://q1labs.com/resource-center/media-center.aspx
• Download the “Gartner SIEM Critical Capabilities” report http://q1labs.com/resource-center/analyst-reports/details.aspx?id=17
• Download the “Continuous Monitoring for Government Agencies” paper http://q1labs.com/resource-center/white-papers/details.aspx?id=137
• Read our blog http://blog.q1labs.com/
• Follow us on Twitter: @q1labs @ibmsecurity
Thank You!

More info: info@Q1Labs.com
Twitter: @q1labs @accuvant
Blog: blog.q1labs.com