Continuous Monitoring & Automated Policy Enforcement – Moving Beyond Detective IT Controls Without Restricting The Business
Is it better to build a preventative control environment, or a detective one that can identify a control violation and determine the correction? Well, that depends. Which would you rather sell to management, the prevention or the cure? But remember the old saying, "what if the cure is worse than the disease?" Preventive controls are designed to stop bad things from happening. But if this approach to controls becomes too restrictive and gets in the way of the business, it will either be overridden or bypassed completely, leaving organizations with only one option: implementing detective IT controls.
The more complex a system gets, the harder it is to secure access and transactions with preventative controls. Why? Because transactions typically span multiple systems and cloud services, which adds to the complexity of implementing a control framework. In these cases, even detective controls will fail, because the sheer volume of access and transaction information has to be aggregated, normalized, standardized, correlated and analyzed across all of these systems before a violation can be seen.
Context-aware continuous monitoring IT controls
There is a way to address this. It is called context-aware continuous monitoring IT controls: a mechanism for applying fine-grained, dynamic security policy controls based on real-time analysis, where contextual data (user role, location, behavior, time, application, device, data and more) is applied to a transactional process. These contextual factors are assessed against a baseline of acceptable use, with the control looking for patterns that identify something outside of the norm: suspicious or emerging activity, or an outright risk or policy violation.
Correlating and analyzing data of this volume, velocity (rate of change), variety and veracity goes beyond the capabilities of existing SIEM and log analysis technologies. Consolidating all of this data into a broader analysis platform increases the ability to correlate, explore and report behaviors or events in an integrated fashion. This requires big data analysis, and it is quickly becoming the new cyber-risk imperative.
But continuous monitoring is not constant monitoring. The difference is the frequency at which an assessment executes: with continuous monitoring it varies with the criticality of the transaction, the volatility of the application and the degree of automation required to produce a decision or notification within the timeframe needed. Continuous monitoring is designed to be a proactive approach, in contrast to the reactive approach used by most IT organizations.
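As an added illustration of the two ideas above, here is a small Python policy evaluator that is not part of the original article or any vendor product. It assumes a constructed per-user baseline of acceptable use (roles, countries, devices, working hours, largest historically approved amount), assesses each transaction's contextual factors against that baseline, and decides an action. It only blocks in-line when the transaction is high-criticality and several factors are out of baseline; everything else is detective (alert or allow), which is the "do not get in the way of the business" trade-off the article describes. It also returns a reassessment cadence that varies with the transaction's criticality rather than running constantly. The user names, application names, thresholds and cadence values are all assumptions for the example.

```python
"""Context-aware transaction assessment against a baseline (added example, not from the article)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Baseline:
    """Acceptable-use profile for one user, learned from history. Constructed here."""
    roles: set
    countries: set
    devices: set
    hours: range          # local hours in which the user normally transacts
    max_amount: float     # largest amount historically approved for this user


@dataclass
class Transaction:
    user: str
    role: str
    country: str
    device: str
    when: datetime
    app: str
    amount: float


# Reassessment cadence in seconds by criticality (assumed values). 0 means the
# control runs in-line, before the transaction commits; the rest run on a schedule.
CADENCE = {"high": 0, "medium": 300, "low": 3600}


def criticality(txn: Transaction) -> str:
    """Assumed classification: large payments are high, other payments medium, the rest low."""
    if txn.app == "payments" and txn.amount >= 10_000:
        return "high"
    if txn.app == "payments":
        return "medium"
    return "low"


def assess(txn: Transaction, baseline) -> dict:
    """Compare each contextual factor to the baseline and decide allow / alert / block."""
    level = criticality(txn)
    if baseline is None:
        # No history to compare against: never block on absence of evidence, just flag it.
        return {"user": txn.user, "findings": ["no_baseline"], "action": "alert",
                "criticality": level, "reassess_seconds": CADENCE[level]}

    findings = []
    if txn.role not in baseline.roles:
        findings.append("role")
    if txn.country not in baseline.countries:
        findings.append("location")
    if txn.device not in baseline.devices:
        findings.append("device")
    if txn.when.hour not in baseline.hours:
        findings.append("time")
    if txn.amount > baseline.max_amount:
        findings.append("amount")

    # Preventive only where the control is in-line (high criticality) and the evidence
    # is strong (two or more factors out of baseline); otherwise detective.
    if level == "high" and len(findings) >= 2:
        action = "block"
    elif findings:
        action = "alert"
    else:
        action = "allow"
    return {"user": txn.user, "findings": findings, "action": action,
            "criticality": level, "reassess_seconds": CADENCE[level]}


def evaluate_all(transactions, baselines) -> list:
    return [assess(t, baselines.get(t.user)) for t in transactions]


# Constructed sample data for the example.
BASELINES = {
    "alice": Baseline(roles={"ap_clerk"}, countries={"US"}, devices={"LAPTOP-A1"},
                      hours=range(8, 19), max_amount=5_000.0),
}

SAMPLE_TRANSACTIONS = [
    # In baseline on every factor: a routine payment run.
    Transaction("alice", "ap_clerk", "US", "LAPTOP-A1", datetime(2024, 3, 4, 10, 15), "payments", 1_200.0),
    # Large payment from a new country, unknown device, at 02:40: block in-line.
    Transaction("alice", "ap_clerk", "RO", "unknown-mobile", datetime(2024, 3, 4, 2, 40), "payments", 48_000.0),
    # Low-criticality app, only the hour is unusual: alert, reassess on the hourly schedule.
    Transaction("alice", "ap_clerk", "US", "LAPTOP-A1", datetime(2024, 3, 4, 21, 5), "hr_portal", 0.0),
    # User with no baseline at all.
    Transaction("bob", "ap_clerk", "US", "LAPTOP-B7", datetime(2024, 3, 4, 11, 0), "payments", 900.0),
]

if __name__ == "__main__":
    for result in evaluate_all(SAMPLE_TRANSACTIONS, BASELINES):
        print(result)
```

The `CADENCE` table is where "continuous, not constant" lives: the same `assess` function is invoked synchronously for the high-criticality payment and from a scheduler for everything else, so the cost of the control scales with the risk of the transaction rather than with the raw event rate.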
Controls monitoring is a big data problem
Cybersecurity data volumes are growing at a phenomenal rate, and organizations are struggling to make the real-time decisions needed to maintain the security and effective operation of their business systems. The conventional approach first requires data to be stored in a database; queries are then run after the fact to detect problems or determine their cause. Organizations are fast realizing that the data has a shelf life, and the time lost to this reactive security approach does not achieve the company's risk management and mitigation goals.
Advanced data analytics that work with the actual data in the core systems, in real time and in memory, will become the standard for continuous risk monitoring. Greenlight is one of the few vendors in the market with a solution available today that uses big data analytics for real-time detection based on user, transaction and entity behavior.