Thales Blog

Cyber Security - Why Continuous Monitoring Is Not Enough

March 12, 2015

fighter jetThe recent tidal wave of data breaches across both commercial organizations and federal agencies has prompted scrutiny into what is being done to offset the most recent cyber attack methods. Analysts and vendors alike are prescribing what capabilities should be on the list by any good steward of the cyber assets they are protecting. The days when implementing strong firewalls, segmenting networks, locking down desktops and putting in place secure remote access to keep out attackers are gone. New technologies and methods are required.

We are now in an age of monitoring. This is good news, tools from a variety of vendors hold great promise. This includes aggregation of disparate content, ability to discern behavioral analytics and also some really great graphics that make patterns and attacks very clear. But, what happens when a user is doing something that they are permitted to do? How do you determine if their access has malicious intent? There are some obvious cases where identification is easy. For instance, if a user is downloading large volumes of data (albeit permitted) at an unusual time and volume, you may want to flag the incident for a deeper investigation. It may also seem obvious that an admin role performing backups, but to a different target location than their previous patterns indicate, may raise an eyebrow as well. But, wouldn’t it be better to take some of this risk off the table by adding protection to the target vs just purely watching?

ClickToTweet: Cyber Security - Why Continuous Monitoring is Not Enough @Wayne42675 #DefenderOfData

The truth is that monitoring for security purposes (even the continuous monitoring that we’re discussing here) is a great thing, and I support this as a part of any architecture. But, do you really believe that your data assets are secure by simply implementing “smart” systems to analyze patters, and hiring additional personnel to “watch” what is happening? Think about the volume alone in a large network of thousands of users. The transaction load is enormous and an exfiltration only needs to have a single exploit to get through those “monitors of the environment” to create a negative impact to your operations. Think also about the overhead that comes from “false positives”. The resources needed to investigate flagged incidents can be considerable.

Knowing this, it seems plausible to take a page out of the standard playbook used for physical security (at places like banks) into the realm of cyber security. Sure there are locks on the doors, bars on the windows, security guards, cameras and so on. But, for the really important assets there is a safe. Every bank has one. And it is usually quite impressive as well. I don’t know about you, but I probably would not go to a bank that left money out on a table behind even bullet proof glass. It seems irresponsible. So why not take a similar approach to your data?

Data needs to be protected, not just monitored. Further, why not simply remove some risks with direct protection for data in addition to data access monitoring? Critical assets are then both actively protected, and monitored. Through data security measures, privileged user accounts can be limited to managing data, but not being able to access it. Business users can be limited to specific application instances, times of day and actions to limit risks. This significantly reduces both attack surfaces and threat vectors – entirely removing some categories of threats

My hope is that more organizations realize that prevention of cyber threats needs more than just monitoring. Vigilant protection of critical assets at the data layer is required.