Continuus: A Continuous Monitoring Solution


Background

The Federal Information Security Management Act (FISMA) designates the National Institute of Standards and Technology (NIST) as the cognizant authority for defining FISMA compliance. The foundational document for this compliance is NIST Special Publication (SP) 800-37, “Risk Management Framework for Information Systems and Organizations.” This document describes a six-step risk management framework (RMF), the final (sixth) step of which is monitoring.

The goal of this step is to “… maintain an ongoing situational awareness about the security and privacy posture of the information system and the organization in support of risk management decisions.”  

Compliance

The implementation of RMF Monitoring is characterized in NIST SP 800-37 as continuous monitoring, which organizations are instructed to implement in a manner consistent with a well-developed, organization-wide compliance strategy. NIST has additionally released a set of continuous monitoring requirements for the federal government, published as NIST SP 800-137, “Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations.” This guidance directs civilian government and the US military in implementing a FISMA-compliant continuous monitoring program, via a clear seven-step pathway to ISCM compliance:

  1. Define an ISCM strategy based on risk tolerance that maintains clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
  2. Establish an ISCM program, determining metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.
  3. Implement the ISCM program and collect the security-related information required for metrics, assessments, and reporting.
  4. Automate collection, analysis, and reporting of data where possible.
  5. Analyze the data collected and report findings, determining the appropriate response.
  6. Respond to findings with technical, management, and operational mitigating activities, or with acceptance, transference/sharing, or avoidance/rejection of the risk.
  7. Review and update the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into assets and awareness of vulnerabilities, further enable data-driven control of the security of an organization’s information infrastructure, and increase organizational resilience.

NIST 800-137 additionally recommends implementing continuous monitoring controls around a set of eleven (11) core security domains:

  • Asset Management. Validate compliance with agency asset tracking requirements.
  • Configuration Management. Ensure agency baseline compliance with applicable policy.
  • Event Management. Ensure that endpoint events are tracked and monitored.
  • Incident Management. Ensure that security incidents are remediated. 
  • Information Management. Ensure implementation of data loss prevention (DLP).
  • License Management. Ensure that all deployed software is licensed.
  • Malware Detection. Ensure that anti-malware software is deployed and up-to-date.
  • Network Management. Ensure that all agency network devices are tracked and managed.
  • Patch Management. Ensure that all endpoints are patched.
  • Software Assurance. Ensure that all deployed software is approved for use.
  • Vulnerability Management. Ensure that all endpoints are scanned and remediated. 


Challenges

There are a number of key challenges associated with implementing a workable continuous monitoring (“conmon”) program. These challenges include:

Organizational Mandate

As a successful continuous monitoring program requires collaboration across multiple lines of responsibility, it is imperative that agency leadership properly empower the conmon team to implement a compliant solution. This includes directing data owners to support the central collection of key datasets, and to work with the conmon team to model data as needed to evaluate ISCM controls.

Drilldown

An ISCM solution should be designed to be useful at all levels of the organization. This includes organization-level rollup for senior leadership, program and asset level compliance reporting for program managers, and specific remediation guidance for system engineers.

Toolsets

Noting the massive array of software, programming languages, and platforms available for data storage, modeling, and visualization, organizations are advised to carefully consider the total cost of ownership of any given solution – including costs of acquisition, implementation, and operation. At the heart of this calculus is a build or buy decision, which should be made only after careful evaluation of available COTS solutions, alongside discussions with agencies operating more mature ISCM programs.

Automation

As advised by NIST guidance, a successful ISCM program should be automated to the greatest extent possible. In many cases, however, key metrics for some ISCM domains are not captured by existing organizational processes or systems. This requires the careful integration of both automated and attested controls. 

Exceptions

Noting that some assets and systems are exempt from certain aspects of continuous monitoring, a mechanism for requesting and approving case-by-case exceptions must be built into a successful ISCM solution.

Scalability

As an ISCM solution matures, the associated datasets will grow. This growth may place a strain on both data storage and data modeling, and can lead to significantly higher costs, especially in cloud-based environments. Approaches must be considered for storage growth and periodic data archival.

Introducing Continuus

Blackspoke, in collaboration with government leadership at the National Geospatial-Intelligence Agency (NGA), has developed a software toolset that complies with the instruction in NIST SP 800-137, and which has recently catapulted NGA to FISMA Level 3 (“Consistently Implemented”) for Continuous Monitoring following the agency’s FISMA audit, conducted by auditors representing the US Cybersecurity & Infrastructure Security Agency (CISA).


Continuus is a browser-based on-prem solution that provides automated dashboard tracking of critical cybersecurity compliance criteria across the 11 cybersecurity domains defined in NIST SP 800-137, giving system owners, risk managers, and information assurance officers the ability to assess security compliance down to the asset level, across the enterprise, on all agency network fabrics. Continuus uses security data from dozens of security sensors and databases to validate compliance with individual security controls and conditions, and tracks historical compliance. Continuus ultimately determines a risk score for each authorized system based on exposure and impact variables. Continuus runs on a Microsoft technology platform, including Microsoft SQL Server and Microsoft SharePoint, thus minimizing organizational TCO.


Continuus Homepage

This shows the Continuus landing page, with network fabric rollup and historicals by conmon domain, as well as compliance down to the security condition level.

Continuus Explorer

This shows the Continuus Explorer page, showing system-level drilldown by conmon domain, with additional drilldown to asset-level compliance.


Continuus Risk Explorer

This shows the Continuus Risk dashboard, plotting individual systems on a grid based on Exposure and Impact.
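The Explorer drilldown and the Risk dashboard described above both rest on the same data: asset-level condition results, rolled up to system and domain, with approved exceptions excluded and an exposure/impact placement per system. The T-SQL below is an added illustration for SQL Server, not the Continuus schema or scoring method; the table layout, the sample rows, the exposure-times-impact score and the quadrant thresholds are all constructed assumptions.

```sql
-- Constructed sample schema (not the Continuus schema): one row per asset,
-- domain and security condition; Exempt marks an approved case-by-case exception.
CREATE TABLE #ConditionResult (
    SystemId  INT          NOT NULL,
    AssetId   INT          NOT NULL,
    Domain    NVARCHAR(40) NOT NULL,  -- one of the 11 NIST SP 800-137 domains
    Condition NVARCHAR(60) NOT NULL,  -- the specific check evaluated on the asset
    Compliant BIT          NOT NULL,
    Exempt    BIT          NOT NULL DEFAULT 0
);
CREATE TABLE #AuthorizedSystem (
    SystemId INT PRIMARY KEY,
    Name     NVARCHAR(60) NOT NULL,
    Impact   TINYINT      NOT NULL   -- assumed 1 (low) to 3 (high) impact rating
);
INSERT INTO #AuthorizedSystem VALUES (1, N'GeoPortal'), (2, N'HR Kiosk');
INSERT INTO #ConditionResult VALUES
 (1, 101, N'Patch Management',         N'Critical patches <= 30 days', 0, 0),
 (1, 102, N'Patch Management',         N'Critical patches <= 30 days', 1, 0),
 (1, 101, N'Malware Detection',        N'AV signatures <= 7 days',     0, 1), -- exempt
 (1, 102, N'Malware Detection',        N'AV signatures <= 7 days',     1, 0),
 (2, 201, N'Patch Management',         N'Critical patches <= 30 days', 1, 0),
 (2, 201, N'Vulnerability Management', N'No open high findings',       0, 0);

-- Explorer-style drilldown: percent compliant per system and domain. Exempt rows
-- are excluded so an approved exception neither passes nor fails the metric.
SELECT s.Name, r.Domain,
       COUNT(*) AS AssetsAssessed,
       CAST(100.0 * SUM(CASE WHEN r.Compliant = 1 THEN 1 ELSE 0 END) / COUNT(*)
            AS DECIMAL(5,1)) AS PctCompliant
FROM #ConditionResult r
JOIN #AuthorizedSystem s ON s.SystemId = r.SystemId
WHERE r.Exempt = 0
GROUP BY s.Name, r.Domain;

-- Risk-grid placement: exposure = share of non-exempt conditions failing (0..1),
-- score = exposure * impact; the 0.5 / 2 quadrant cut-offs are assumed.
WITH Exposure AS (
    SELECT SystemId,
           1.0 * SUM(CASE WHEN Compliant = 0 THEN 1 ELSE 0 END) / COUNT(*) AS Exposure
    FROM #ConditionResult WHERE Exempt = 0 GROUP BY SystemId
)
SELECT s.Name, e.Exposure, s.Impact,
       CAST(e.Exposure * s.Impact AS DECIMAL(4,2)) AS RiskScore,
       CASE WHEN e.Exposure >= 0.5 AND s.Impact >= 2 THEN 'High exposure / high impact'
            WHEN e.Exposure >= 0.5 THEN 'High exposure / low impact'
            WHEN s.Impact >= 2 THEN 'Low exposure / high impact'
            ELSE 'Low exposure / low impact' END AS Quadrant
FROM Exposure e JOIN #AuthorizedSystem s ON s.SystemId = e.SystemId;
```

With the constructed rows, GeoPortal scores 1.00 (one of three non-exempt conditions failing, impact 3) and lands in the low-exposure/high-impact quadrant, while HR Kiosk scores 0.50 and lands in high-exposure/low-impact; the exempt Malware Detection row changes neither result.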

Conclusion

Blackspoke Continuus is a turnkey ISCM solution that can quickly be implemented in most organizational environments. It leverages common off-the-shelf capabilities, including Microsoft SQL Server and Microsoft SharePoint, alongside common scripting languages such as PowerShell, JavaScript, and T-SQL. Continuus is a modularized solution that allows organizations to define conmon security controls against a customized set of enterprise security databases and sensors, with highly sophisticated visualization and drilldown capabilities. Continuus represents a massive leap forward for compliance, risk assessment, and security remediation, in terms of:

  • Compliance. Continuus fully complies with the spirit and letter of NIST SP 800-137
  • Cost. Continuus is cloud-hosted, and requires no additional software or hardware purchase
  • Compatibility. Continuus is built on Microsoft SQL Server and SharePoint
  • Sustainment. Continuus leverages in-house development capabilities of most agencies
  • Extensibility. Continuus can support additional risk management functions
  • Security. Continuus uses Windows-based authentication and role-based authorization
  • Enablement. Continuus supports ongoing risk identification and remediation

Contact 

For more information on Continuus, contact Jason Winder, jason.winder@blackspoke.com