Continuous Monitoring is a methodology by which evidence collection is “baked into” the network. Critical observations are made and recorded continuously and quickly available when needed. The idea is to pre-collect evidence that will support your investigative processes. The power of continuous monitoring is significant, and I encourage all businesses and organizations to adopt the notion of an investigable network—one that incorporates pre-collected evidence into the environment.
By pre-staging evidence collection that supports the investigative and forensic processes, you can dramatically increase the speed and decisiveness of your on-staff or contracted forensic team. This results in lower costs and a faster return to normal operations. It’s also a great complement to Red Canary Managed Endpoint Detection & Response, which we’ve seen drive down our customers’ incident response costs.
What Types of Evidence Should You Collect?
There are several categories of evidence that are easiest to collect and tend to provide the most value. As any seasoned forensicator knows, you don’t know what evidence you’ll need until you really need it.
The most common form of continuous monitoring tends to be system log aggregation. This may be as a part of a domain infrastructure using Microsoft Windows Eventing, *NIX Syslog, or a more comprehensive solution such as a Security Information and Event Manager (SIEM). These platforms collect log information from devices such as servers and network infrastructure including routers, switches, firewalls, and proxies. By centralizing this information, a forensicator can go to a single source of evidence to complete a significant portion of their investigation. By analyzing a variety of log evidence in a single location, investigators have the benefit of seeing an incident from multiple vantage points. Evidence associated with a single compromise incident may come through logs from the web proxy, firewall, passive DNS monitors, intrusion detection systems, and more. This diversified evidence collection ensures a maximum of opportunities to view the event of interest with as many different platforms as possible.
Another critical component of continuous monitoring is network evidence. Important network observations can come from NetFlow (or similar) traffic abstractions that are invaluable to the network-focused forensicator. NetFlow records consist of metadata, volume, and timing information about network connections. They are often retained far longer than log entries due to their compact size and lack of packet content. NetFlow can be helpful in hunt teaming, incident scoping, and identifying events of interest against a baseline of normal traffic patterns. Outlier traffic sessions are often useful investigative leads that alert security teams to an incident and help identify compromised systems within the environment.
Recent innovations in endpoint security technology are resulting in organizations being able to collect endpoint observations from all of the laptop and desktop computers, servers, and even mobile devices across the enterprise. This endpoint visibility includes millions of low-level events such as file creation/modifications, Windows registry activity, network resolver and socket operations, module loads, cross-process injections, and more. These provide microscopic insight to the behaviors of applications and utilities that continually run on each endpoint.
The endpoint market as a whole has a promising future. Carbon Black continues to be a pioneer in this field, delivering an enterprise sensor and collector package that provides incident responders the critical information they need to conduct fast and decisive investigations. This visibility is one of the several reasons Red Canary selected Carbon Black as our endpoint sensor. That sensor feeds our Threat Detection Engine that continuously analyzes endpoint events to identify conditions that need SOC analysis, enrichment, and confirmation. Our SOC-confirmed threat detections give our customers the ability to remediate before an attacker can cause significant damage to their environment and data.
The Time is Now
The notion of continuous monitoring is not new—every convenience store and bank teller in the world has collected security camera footage for decades. This evidence is extremely valuable to an investigator during an incident response. Advancements in automated hunting and continuous analysis are making massive progress toward minimizing the time between an incident’s occurrence and its detection—at a level of detail that enables decisive remediation. Continuous monitoring enables it all—so what are you waiting for?