Sunday, June 9, 2013

The SANS Top 20 Control 4, Continuous Monitoring

I need to take a moment to note that it has been a few years since my last blog post.  That being said, the controls have changed numbers.  Since I already discussed inventory previously, I'm going to go ahead and jump in sequence to a control I missed before.  Here is a link to the Top 20 in case anyone is interested: http://www.sans.org/critical-security-controls/

What is continuous monitoring?  I recall hearing about this a few years ago; more aptly, it should be called continuous automated monitoring.  This type of work usually involves some sort of product scanning an information system in an ongoing capacity.  The system then reports back to a central database.  That information is then read and reported on.  Hopefully that information can then be used to drive changes within an organization.  One example of a free version of this is OpenVAS (http://www.openvas.org/).  While I have used this before, I must admit most of my experience is with a Tenable product called Nessus.  This product does provide a free download.  However, if it is used in a business, a license should be purchased.  Without this license, automatic updates will not work.  In addition, new features like passive vulnerability scanning will not become available.  Another product commonly used for this is Nexpose (http://www.rapid7.com/products/nexpose/).  This product works in concert with BackTrack or Kali Linux.  It is also quite popular.

OK, now I've listed a few of the possible products which can be used for this type of work.  So, how do they work?  The high-level view here is that they collect data about patch updates, common vulnerabilities, virus update definitions, and many other small issues.  These devices then scan networks and look for these issues.  People can then log into the system, view the result, update the systems, and confirm the result is gone.  One of the key programmatic elements here is that these scans can become part of business as usual.  For example, before a system goes into production a scan should be run.  This can ensure the system is being updated.
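A worked example of the cycle described above (added here; it is not code from the original post or from Nessus, OpenVAS or Nexpose), assuming the scanner's export has already been parsed into simple records: it diffs two scan runs of the same hosts to confirm a result is really gone, and applies a pre-production gate to the newest results.

```python
# Added example (not from the original post or any scanner vendor): compare two
# vulnerability scan exports to confirm fixes and gate a system before production.
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    host: str
    plugin_id: str  # the scanner's check id; the values below are constructed
    severity: str   # "low", "medium", "high" or "critical"
    title: str

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed results from two consecutive scans of the same two hosts. A real
# deployment would parse these from the scanner's CSV/XML export instead.
SCAN_PREVIOUS = [
    Finding("web01", "10001", "high", "Missing OS security update"),
    Finding("web01", "10002", "medium", "Outdated antivirus definitions"),
    Finding("db01", "10001", "high", "Missing OS security update"),
    Finding("db01", "10003", "low", "SMB signing not required"),
]
SCAN_CURRENT = [
    Finding("web01", "10002", "medium", "Outdated antivirus definitions"),
    Finding("db01", "10003", "low", "SMB signing not required"),
    Finding("db01", "10004", "critical", "Unsupported database version"),
]

def diff_scans(previous, current):
    """Return (new, resolved, persisting) findings keyed by host and check id.

    A finding only counts as resolved when the same check no longer fires on
    the same host in the newer scan: the "confirm the result is gone" step."""
    prev = {(f.host, f.plugin_id): f for f in previous}
    curr = {(f.host, f.plugin_id): f for f in current}
    new = [curr[k] for k in sorted(curr.keys() - prev.keys())]
    resolved = [prev[k] for k in sorted(prev.keys() - curr.keys())]
    persisting = [curr[k] for k in sorted(prev.keys() & curr.keys())]
    return new, resolved, persisting

def production_gate(findings, max_allowed="medium"):
    """Pre-production check: pass only if no finding exceeds max_allowed."""
    limit = SEVERITY_RANK[max_allowed]
    blocking = [f for f in findings if SEVERITY_RANK[f.severity] > limit]
    return not blocking, blocking

if __name__ == "__main__":
    new, resolved, persisting = diff_scans(SCAN_PREVIOUS, SCAN_CURRENT)
    print(f"new={len(new)} resolved={len(resolved)} persisting={len(persisting)}")
    ok, blocking = production_gate(SCAN_CURRENT)
    print("gate:", "PASS" if ok else "BLOCK", [f"{f.host}: {f.title}" for f in blocking])
```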

So what about additional features?  Many of these systems allow custom definitions or audits to be created.  These files allow companies to look for a specific detail on systems.  I once created a file to search the registry for a specific key.  This key referenced an application which my company was using.  While these systems all find vulnerabilities, they do not fix them.  In addition, they do not explain the consequences of system changes.  I recommend that these systems be viewed as a part of a larger vulnerability mitigation plan.
