The NIST National Cybersecurity Center of Excellence (NCCoE) is seeking industry feedback on continuous monitoring capabilities that can automatically and efficiently detect when a malicious actor gains access to an organization’s IT infrastructure.
Currently, many organizations rely on manual inspection or computer-aided audits, so malicious activity is often not detected until after unauthorized access, whether internal or external, has already occurred. These events result in reputational, financial, and operational impacts to the organization.
For example, the American Medical Collection Agency hack, one of the largest breaches in recent healthcare history, went undetected for eight months and exposed the data of up to 20 million patients. Its parent company recently filed for bankruptcy after losing four of its biggest clients and is currently being investigated by multiple state attorneys general and several senators.
“NIST NCCoE is interested in supporting small- and medium-size businesses by providing cybersecurity guidance to improve their continuous monitoring programs,” NCCoE officials wrote. “This project will enhance an adopting organization’s ability to detect out-of-policy access activity as well as reduce the resources required for compliance reporting, such as certification and recertification.”
“The resulting publication can assist in evaluation or assessment, design, acquisition, and integration of a continuous monitoring effort at an adopting organization,” they added.
According to NCCoE, continuous monitoring can prevent some of these losses. Continuous monitoring technology aids in detecting privilege escalation, unauthorized access to sensitive data, malicious system-access attempts, and suspicious login events, and it reduces the workload on security staff. It can also support compliance and reporting efforts through real-time data.
The proposed project will explore continuous monitoring capabilities built on the collection of appropriate log data from the IT infrastructure. It will also examine how continuous monitoring technology can automate the reporting and analysis of that log data, alerting IT or security teams with actionable information and guidance that informs decisions about remediating the detected issue.
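As an added illustration, not part of the NCCoE project or of this article, the following Python detector applies the kinds of access-policy checks described above (out-of-hours logins, privilege escalation by non-admins, a burst of failed logins followed by success) to a constructed batch of authentication log lines; the log format, field names, policy values and thresholds are all assumed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed syslog-like key=value format.
SAMPLE_LOG = """\
2024-05-01T02:14:09Z host1 auth: user=jdoe event=login result=success src=10.0.0.5
2024-05-01T02:16:40Z host1 auth: user=jdoe event=sudo result=success cmd=/bin/bash
2024-05-01T09:01:00Z host1 auth: user=asmith event=login result=success src=10.0.0.7
2024-05-01T09:03:12Z host2 auth: user=asmith event=sudo result=success cmd=/bin/bash
2024-05-01T11:20:01Z host2 auth: user=svc-backup event=login result=failure src=203.0.113.9
2024-05-01T11:20:05Z host2 auth: user=svc-backup event=login result=failure src=203.0.113.9
2024-05-01T11:20:09Z host2 auth: user=svc-backup event=login result=failure src=203.0.113.9
2024-05-01T11:20:15Z host2 auth: user=svc-backup event=login result=success src=203.0.113.9
"""

# Assumed access policy: who may escalate, business hours (UTC), failure threshold.
POLICY = {"admins": {"asmith"}, "hours": (8, 18), "fail_threshold": 3}

LINE_RE = re.compile(r"^(\S+) (\S+) auth: (.*)$")

def parse_line(line):
    """Parse one log line into a dict of fields; return None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["host"] = host
    return fields

def detect(log_text, policy=POLICY):
    """Return (rule, user, host) alerts for events that violate the access policy."""
    alerts = []
    failures = defaultdict(int)  # (user, src) -> consecutive failed logins
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        user, kind, result = ev["user"], ev["event"], ev["result"]
        if kind == "login":
            key = (user, ev.get("src"))
            if result == "failure":
                failures[key] += 1
                continue
            if failures[key] >= policy["fail_threshold"]:
                alerts.append(("brute_force_then_success", user, ev["host"]))
            failures[key] = 0  # a success resets the failure streak
            lo, hi = policy["hours"]
            if not lo <= ev["ts"].hour < hi:
                alerts.append(("out_of_hours_login", user, ev["host"]))
        elif kind == "sudo" and user not in policy["admins"]:
            alerts.append(("unauthorized_privilege_escalation", user, ev["host"]))
    return alerts
```

Running `detect(SAMPLE_LOG)` flags jdoe's night-time login and sudo use and the svc-backup failure burst, while asmith's in-hours, policy-permitted activity produces no alert.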
The feedback will also help NCCoE create a NIST Cybersecurity Practice Guide, which will include a reference architecture and a fully implemented example solution, along with the practical steps organizations need to follow to successfully deploy continuous monitoring tools.
Using a vendor- and technology-agnostic approach, the guide will also outline a commercial and open-source product integration based on the reference architecture and conforming to cybersecurity standards and best practices.
Other aspects of identity and access management, such as vetting, credential management and provisioning, will not be covered by this project, nor will functions other than logging and auditing of authorization, authentication, and system/application access processes.
“Continuous monitoring is a desirable outcome for an organization monitoring its IT infrastructure,” NCCoE officials wrote. “NCCoE assumes that an organization will perform a risk assessment to determine the value of an investment in one or more of the continuous monitoring capabilities included in the architecture.”
“Malicious actors are known to exploit security vulnerabilities that enable access to sensitive data,” they added. “By continuously monitoring IT, [organizations] can limit their exposure to operational and compliance risks by detecting malicious activity quickly.”
Industry stakeholders can provide feedback until July 26.