Tuesday, November 24, 2009

Control "Monitoring" is Not Threat Monitoring

As I write this post I'm reminded of General Hayden's advice: "Cyber" is hard to understand, so be charitable with those who don't understand it, as well as those who claim "expertise." It's important to remember that plenty of people are trying to act in a constructive manner to defend important assets, so in that spirit I offer the following commentary.

Thanks to John Bambenek's SANS post I read NIST Drafts Cybersecurity Guidance by InformationWeek's J. Nicholas Hoover. The article discusses the latest version of SP 800-37 Rev. 1: DRAFT Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach. I suspected this to be questionable given NIST's historical bias towards "controls," which I've criticized in Controls Are Not the Solution to Our Problem and Consensus Audit Guidelines Are Still Controls. The subtext for the article was:

The National Institute for Standards and Technology is urging the government to continuously monitor its own cybersecurity efforts.

As soon as I read that, I knew that NIST's definition of "monitor" and the article's definition of "monitor" did not mean the real kind of monitoring, threat monitoring, that would make a difference against modern adversaries. The article continues:

Special Publication 800-37 fleshes out six steps federal agencies should take to address cybersecurity: categorization, selection of controls, implementation, assessment, authorization, and continuous monitoring...

Finally, and perhaps most significantly, the document advises federal agencies to put continuous monitoring in place. Software, firmware, hardware, operations, and threats change constantly. Within that flux, security needs to be managed in a holistic way, the document says.

"We need to recognize that we work in a very dynamic operational environment," the document says. "That allows us to have an ongoing and continuing acceptance and understanding of risk, and that ongoing determination may change our thinking on whether current controls are sufficient."

The continuous risk management process might include use of automated configuration scanning tools, vulnerability scanning, and intrusion detection systems, as well as putting in place processes to monitor and update security guidance and assessments of system security requirements.

Note that the preceding text mentions "intrusion detection systems," but the rest of the text has nothing to do with real monitoring, i.e., detecting and responding to intrusions. I'm not just talking about network-centric approaches, by the way -- infrastructure, host, log, and other sources are all real monitoring, but this is not what NIST means by "monitoring."

To understand NIST's view of monitoring, try reading the new draft. I'll insert my comments.

APPENDIX G
CONTINUOUS MONITORING
MANAGING AND TRACKING THE SECURITY STATE OF INFORMATION SYSTEMS

A critical aspect of managing risk from information systems involves the continuous monitoring of the security controls employed within or inherited by the system.65

[65 A continuous monitoring program within an organization involves a different set of activities than Security Incident Monitoring or Security Event Monitoring programs.]

So, it sounds like activities that involve actually watching systems are not within scope for "continuous monitoring."

Conducting a thorough point-in-time assessment of the deployed security controls is a necessary but not sufficient condition to demonstrate security due diligence. An effective organizational information security program also includes a rigorous continuous monitoring program integrated into the system development life cycle. The objective of the continuous monitoring program is to determine if the set of deployed security controls continue to be effective over time in light of the inevitable changes that occur.

That sounds ok so far. I like the idea of evaluations to determine if controls are effective over time. In the next section below we get to the heart of the problem, and why I wrote this post.

An effective organization-wide continuous monitoring program includes:
• Configuration management and control processes for organizational information systems;
• Security impact analyses on actual or proposed changes to organizational information systems and environments of operation;67
• Assessment of selected security controls (including system-specific, hybrid, and common controls) based on the organization-defined continuous monitoring strategy;68
• Security status reporting to appropriate organizational officials;69 and
• Active involvement by authorizing officials in the ongoing management of information system-related security risks.

Ok, where is threat monitoring? I see configuration management, "control processes," reporting status to "officials," "active involvement by authorizing officials," and so on.

The next section tells me what NIST really considers to be "monitoring":

Priority for security control monitoring is given to the controls that have the greatest volatility and the controls that have been identified in the organization's plan of action and milestones... [S]ecurity policies and procedures in a particular organization may not be likely to change from one year to the next... Security controls identified in the plan of action and milestones are also a priority in the continuous monitoring process, due to the fact that these controls have been deemed to be ineffective to some degree. Organizations also consider specific threat information including known attack vectors (i.e., specific vulnerabilities exploited by threat sources) when selecting the set of security controls to monitor and the frequency of such monitoring...

Have you broken the code yet? Security control monitoring is a compliance activity. Granted, this is an improvement over the typical certification and accreditation debacle, where "security" is assessed via paperwork exercises every three years. Instead, .gov compliance teams will perform so-called "continuous monitoring," meaning more frequent checks to see if systems are in compliance. Is this really an improvement? I don't think so. NIST is missing the point. Their approach advocates control-compliant security, not field-assessed security. Their "scoreboard" is the result of a compliance audit, not the number of systems under adversary control or the amount of data exfiltrated or degraded by the adversary.

I don't care how well your defensive "controls" are informed by offense. If you don't have a Computer Incident Response Team performing continuous threat monitoring for detection and response, you don't know if your controls are working. The NIST document has a few hints about the correct approach, at best, but the majority of the so-called "monitoring" guidance is another compliance activity.

Copyright 2003-2009 Richard Bejtlich and TaoSecurity (taosecurity.blogspot.com and www.taosecurity.com)
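To make the distinction concrete, here is an added example (my code, not the post's or NIST's) that runs a compliance-style control check and a threat-monitoring check against the same constructed host. The control baseline, host configuration, log format, thresholds and IP addresses are all assumptions made up for the example; the point is that the host passes the control check with nothing to report while its own authentication and flow logs show a brute-forced login followed by a large outbound transfer, which only a detection-and-response process would ever see.

```python
"""Control-state check vs. threat monitoring over the same host (added example).

All data below is constructed for illustration; the log format, field names
and thresholds are assumptions, not anything the NIST draft prescribes.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed control baseline: the things a compliance scan verifies.
REQUIRED_CONTROLS = {
    "patch_level": "2009-11",
    "firewall_enabled": True,
    "antivirus_signatures": "current",
    "password_policy": "complex",
}

# Constructed host configuration: matches the baseline on every control.
HOST_CONFIG = {
    "patch_level": "2009-11",
    "firewall_enabled": True,
    "antivirus_signatures": "current",
    "password_policy": "complex",
}

# Constructed syslog-style lines from the same host (assumed format).
SAMPLE_LOG = """\
2009-11-24T02:14:01 sshd: Failed password for admin from 198.51.100.7
2009-11-24T02:14:03 sshd: Failed password for admin from 198.51.100.7
2009-11-24T02:14:05 sshd: Failed password for admin from 198.51.100.7
2009-11-24T02:14:07 sshd: Failed password for admin from 198.51.100.7
2009-11-24T02:14:09 sshd: Failed password for admin from 198.51.100.7
2009-11-24T02:14:12 sshd: Accepted password for admin from 198.51.100.7
2009-11-24T02:20:15 netflow: out 198.51.100.7 bytes=734003200
""".splitlines()

# One legitimate user who mistyped once; should raise nothing.
BENIGN_LOG = """\
2009-11-24T09:00:01 sshd: Failed password for alice from 192.0.2.10
2009-11-24T09:00:05 sshd: Accepted password for alice from 192.0.2.10
2009-11-24T09:05:00 netflow: out 192.0.2.10 bytes=4096
""".splitlines()

FAILED = re.compile(r"^(\S+) sshd: Failed password for (\S+) from (\S+)$")
ACCEPTED = re.compile(r"^(\S+) sshd: Accepted password for (\S+) from (\S+)$")
OUTBOUND = re.compile(r"^(\S+) netflow: out (\S+) bytes=(\d+)$")


def control_compliance(host_config, baseline):
    """Compliance view: return the names of controls that deviate from baseline."""
    return [name for name, want in baseline.items() if host_config.get(name) != want]


def threat_monitor(log_lines, fail_threshold=5, window=timedelta(minutes=10),
                   exfil_bytes=100 * 2 ** 20):
    """Threat-monitoring view: return alerts derived from what the host actually did.

    Two detections: a successful login preceded by >= fail_threshold failures for
    the same (user, source) inside `window`, and a single outbound flow carrying
    at least `exfil_bytes`.  Thresholds are assumptions chosen for the example.
    """
    alerts = []
    failures = defaultdict(list)  # (user, source) -> timestamps of failed logins
    for line in log_lines:
        m = FAILED.match(line)
        if m:
            failures[(m.group(2), m.group(3))].append(datetime.fromisoformat(m.group(1)))
            continue
        m = ACCEPTED.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            key = (m.group(2), m.group(3))
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= fail_threshold:
                alerts.append(f"brute-force success: {key[0]} from {key[1]} "
                              f"after {len(recent)} failures")
            failures[key].clear()
            continue
        m = OUTBOUND.match(line)
        if m and int(m.group(3)) >= exfil_bytes:
            alerts.append(f"large outbound transfer to {m.group(2)}: {m.group(3)} bytes")
    return alerts


def scoreboard(host_config=HOST_CONFIG, log_lines=SAMPLE_LOG):
    """Both views side by side: a compliance 'pass' next to the threat alerts."""
    deviations = control_compliance(host_config, REQUIRED_CONTROLS)
    return {"compliant": not deviations, "deviations": deviations,
            "alerts": threat_monitor(log_lines)}


if __name__ == "__main__":
    for k, v in scoreboard().items():
        print(f"{k}: {v}")
```

Running it reports `compliant: True` with an empty deviation list alongside two alerts. Swapping in a host whose `patch_level` lags the baseline flips the compliance result without changing the alerts at all, which is the post's point: the two checks measure different things, and only the second one tells you whether an adversary is already on the box.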
