Friday, June 26, 2015

Monitor First - The Origin

As you know, I've been a proponent of Continuous Monitoring (CM), not to be confused with the Federal Government's CDM (Continuous Diagnostic Mitigation) program. We've always assumed intruders are in our network, so we've been looking for these intruders by monitoring outbound traffic.

I'm reposting another blog by grecs, which is posted at the NovaInfoSec blog. Grecs' post on the origins of "Monitor first" is a great article on how this concept took hold. So, here's the full blog article by grecs, posted on 6/25/2015.

"Monitor First - The Origins" by grecs posted 6/25/2015

Late last year @taosecurity wrote an article that questioned spending resources on a “pen test and fix” cycle rather than monitoring for intruders that may already be in your networks. The last sentence of the post not only emphasized his theme well but also alluded to an article written by Bruce Schneier that originally stressed “monitoring first.”

I still believe that the two best words ever uttered by Bruce Schneier were “monitor first,” and I worry that organizations like those in this article are patching holes while intruders maneuver around them within the compromised network.

I searched around a bit for this statement and found a copy in an old edition of Crypto-Gram from way back in 2001. You can find the original article here, but the first few paragraphs alone make the case for monitoring first.

You have a safe in a dilapidated building, and you need to secure it. What’s the first thing you do? Inventory the safe? Assess the security of the building? Install better locks on the doors and bars on the windows? Probably not. The first thing you do, as quickly as possible, is alarm the safe. Once the safe is being monitored, you can then afford the time and attention needed to inventory the stock, analyze the environment, and improve the security. Without monitoring, you’re vulnerable until your security is perfect. If you monitor first, you’re immediately more secure.

Network security has this backwards. Companies see monitoring as something to do after they have their security products in place. First they develop a security policy. Then they do a vulnerability analysis. Then they install a firewall, and maybe an intrusion detection system. And finally they think about monitoring. Rationally, this makes no sense.

Monitoring should be the first step in any network security plan. It’s something that a network administrator can do today to provide immediate value. Policy analysis and vulnerability assessments take time, and don’t actually improve a network’s security until they’re acted upon. Installing security products improves security, but only if they are installed correctly and in the right places. How does a CIO know what products to install, and whether they are actually working — in the actual corporate environment, not as they worked in the lab? The only way he can know is to monitor. Monitoring ensures that security products are working properly.

Monitoring first is just common sense. This practice not only allows organizations to find the threats lurking in their networks sooner, but it also permits them to establish baseline metrics from which they can measure improvements in their security posture as further investments are made. And per Schneier, “monitoring” does not even necessarily mean going out and buying anything initially. Start simple with logs and other data you already have (e.g., from DNS, servers, proxies, and network devices) and grow out from there.

I encourage you to read both @taosecurity's and Bruce Schneier's articles listed in the above post.
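To make the "start simple with logs you already have" advice concrete, here is an added example (my own illustration, not code from this post, grecs' article, or Schneier's) that builds a baseline of outbound destinations per client from existing proxy logs and flags any client reaching a destination it has never contacted before. The log layout, the client and domain names, and the byte counts are all constructed for the example; adapt parse_line to whatever your proxy actually writes.

```python
# Monitor-first starter: baseline outbound destinations from proxy logs you
# already have, then flag clients reaching a destination never seen before.
# Assumed (not from the post) log format: <timestamp> <client_ip> <dest_host> <bytes_out>
from collections import defaultdict

# Constructed sample logs: an earlier window forms the baseline; "today" has
# one client contacting a never-before-seen domain with a large upload.
BASELINE_LOG = """\
2015-06-01T09:00:01 10.1.1.20 www.example.edu 512
2015-06-01T09:00:05 10.1.1.20 updates.vendor.example 2048
2015-06-01T09:01:10 10.1.1.21 www.example.edu 300
2015-06-02T10:12:00 10.1.1.21 cdn.example.net 9000
2015-06-03T11:00:00 10.1.1.20 www.example.edu 700
"""
TODAY_LOG = """\
2015-06-25T08:00:00 10.1.1.20 www.example.edu 600
2015-06-25T08:00:03 10.1.1.21 cdn.example.net 8000
2015-06-25T08:00:09 10.1.1.21 first-seen.example.org 150000
garbage line that should be skipped
"""

def parse_line(line):
    """Return (client_ip, dest_host, bytes_out), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def build_baseline(log_text):
    """Map each client to the set of destinations it reached in the window."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            seen[rec[0]].add(rec[1])
    return seen

def baseline_metrics(baseline):
    """A simple baseline metric: distinct outbound destinations per client."""
    return {client: len(dests) for client, dests in sorted(baseline.items())}

def new_destinations(baseline, log_text):
    """Return (client, dest, bytes_out) for destinations absent from the baseline."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] not in baseline.get(rec[0], set()):
            alerts.append(rec)
    return alerts
```

Run build_baseline over a quiet week, store the result, and feed each day's log through new_destinations; the per-client destination count is the kind of baseline metric you can watch change as later security investments land.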


  1. Hi Randy, I see this is an old article. I'm currently researching the higher education space as a Product Manager in the AppSec space. I work on a web application perimeter monitoring solution.

    I realise perimeter monitoring is passé these days, and for mature organisations like yourselves, I'd agree. I realise there must be large disparities in the HigherEd space, but y'all are much more resource constrained than your enterprise counterparts.

    To that end, would you consider app focused perimeter monitoring still useful? Secondly, you use the word monitoring in a more DIY context using existing logs and other data sources. However, how have you advised colleagues at less mature institutions to fit that into their already busy schedules? I'm amazed by such appsec pros who are usually dealing with a crisis a day also making the time to dabble in coding/automation pursuits.


  2. Thank you for the article!
    I have read lots of research on the topic of data security and have to say that no one has invented a universal protection system for cloud repositories. I also know that today virtual data rooms like Ideals data room seem to be the most reliable.