There is a lot of chatter and noise around “continuous monitoring,” and organizations have to sift through it before they can decide how to implement it. Monitoring the activity in your environment, from cloud apps to network traffic to what is happening on your endpoints, does yield a fair amount of intel and data. Correlating that activity can even surface patterns early enough for you to act proactively. But focusing solely on those sources creates a myopic view of your organization.

Threats do not exist in a vacuum. A cyber threat can have a direct impact on physical security, and a physical security threat can just as easily implicate our cyber security. A strong monitoring program accounts for all potential threat vectors, physical and digital, and ingests information from both to expand its sources well beyond the network. It is not uncommon for cybersecurity teams to become hyper-focused on the digital threat landscape alone, forgetting that there is a physical element and a physical world in which we all exist.

What’s more, maintaining awareness of both worlds gives you more information to consume and corroborate, and surfaces hidden connections and new insights that neither world would reveal on its own.

It’s not just your monitoring that needs to be continuous; your response should be continuous too. We often pigeon-hole response into specific circumstances: this is how we “respond” when we see this attack occurring or this incident in progress. But response truly goes beyond that paradigm. Every bit of information and intelligence we take in offers us the ability to respond in some manner. We can strengthen defenses, update settings and configurations, create a period of hyper-focus on one area of our environment, make our people aware of what to look out for, or extrapolate the information across the whole of our environment. Acting on new information to proactively improve our security posture or sharpen our monitoring focus is part of the whole response paradigm.

Responding to new intel in this way, by cross-referencing it across our environment and reviewing our defenses, puts us in a stronger position than we would otherwise be in when an event or incident does occur. It’s the old saying: “failing to plan is planning to fail.” You can’t plan without information, without knowing the factors you’re up against and how you want to set yourself up for success.
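To make the two paragraphs above concrete, here is an added example (not code from the original post or from any product it describes) of what “continuous response” to a new intel item looks like in practice. The indicators, log events, host names and action labels are all constructed for illustration. The point it demonstrates is that every indicator produces at least one action, whether or not it has been seen in the environment yet: an observed indicator triggers containment on the affected hosts and a hunt across every other host, while an unobserved one still strengthens defenses (a block at high confidence) or opens a period of heightened monitoring (a watchlist at lower confidence).

```python
"""Turn a batch of fresh threat intel into concrete response actions.

Constructed example: the indicators, telemetry and action names below are
hypothetical and are not taken from any real feed or product.
"""
from dataclasses import dataclass


@dataclass
class Indicator:
    kind: str        # "ip", "domain" or "sha256"
    value: str
    confidence: int  # 0-100, as a feed might supply it
    note: str


# Constructed intel batch (hypothetical values, documentation ranges/names).
INTEL = [
    Indicator("ip", "203.0.113.45", 90, "C2 node seen in a phishing wave"),
    Indicator("domain", "update-check.example.net", 70, "suspected staging domain"),
    Indicator("sha256", "a" * 64, 95, "loader sample"),
]

# Constructed environment telemetry: proxy, DNS and EDR events normalized
# into one flat shape so a single cross-reference pass covers all of them.
LOGS = [
    {"source": "proxy", "host": "ws-0142", "dst_ip": "203.0.113.45", "domain": "cdn.example.org"},
    {"source": "dns", "host": "ws-0077", "domain": "update-check.example.net"},
    {"source": "edr", "host": "srv-db-02", "sha256": "b" * 64},
]

# Which telemetry field each indicator type is matched against.
FIELD_FOR_KIND = {"ip": "dst_ip", "domain": "domain", "sha256": "sha256"}


def cross_reference(intel, logs):
    """Return {indicator value: sorted hosts where it was observed}.

    Indicators with no sighting are simply absent from the result; the
    caller still acts on them (see plan_response).
    """
    hits = {}
    for ind in intel:
        field_name = FIELD_FOR_KIND[ind.kind]
        hosts = {ev["host"] for ev in logs if ev.get(field_name) == ind.value}
        if hosts:
            hits[ind.value] = sorted(hosts)
    return hits


def plan_response(intel, hits, block_threshold=80):
    """Map every indicator to one or more (action, value, scope) tuples.

    Each indicator yields at least one action even when it has not been
    seen, which is what makes the response continuous rather than purely
    incident-driven.
    """
    actions = []
    for ind in intel:
        observed = hits.get(ind.value, [])
        if observed:
            # Active sighting: contain the affected hosts, then extrapolate
            # by hunting for the same indicator everywhere else.
            actions.append(("contain", ind.value, observed))
            actions.append(("hunt", ind.value, "all-hosts"))
        if ind.confidence >= block_threshold:
            # Strengthen defenses now; do not wait for a sighting.
            actions.append(("block", ind.value, ind.kind))
        else:
            # Lower confidence: open a period of hyper-focus instead of
            # blocking outright, so a false positive does not cause outages.
            actions.append(("watchlist", ind.value, "14d"))
    return actions


if __name__ == "__main__":
    sightings = cross_reference(INTEL, LOGS)
    for action in plan_response(INTEL, sightings):
        print(action)
```

Running the block on the constructed data prints seven actions: the C2 address is contained on ws-0142, hunted across all hosts and blocked; the staging domain is contained on ws-0077, hunted and placed on a 14-day watchlist because its confidence is below the block threshold; the loader hash has no sighting yet but is blocked anyway on the strength of its confidence.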

We will come across plenty of alerts and “chatter” as we gather intel on what new threats are out there, or on how existing ones are changing their approach. Simply sharing that information, or filing it away for awareness, is not a full approach to securing our stack. We have to act on it.

Read the Tales from the SOC eBook.