Report Card on Continuous Monitoring

  • Bethesda, MD
  • November 3, 2016

Continuous monitoring is improving visibility and response in organizations using this technology, according to results of a new survey to be released by SANS Institute on November 15, 2016.

In it, 8% improved visibility into enterprise systems and infrastructures by initiating a continuous monitoring program, and 28% improved their ability to accurately detect and remediate malicious events.

However, the news isn’t all good. Continuous scanning, for example, is only happening at 5% of organizations surveyed. Another 3% are scanning daily, with the largest group of respondents (29%) scanning monthly or bimonthly.

“This year we presented a simple report card comparing results of the 2015 and 2016 CM surveys,” explains Barbara Filkins, SANS Analyst Program research director and author of the survey report. “While our respondents get an A+ for increasing the number of programs, the balance of the results show lackluster performance.”

Respondents to the 2016 survey showed no improvement in conducting active vulnerability scans on a weekly basis or better since our 2015 survey was conducted. Moreover, slightly fewer practiced continuous monitoring than in 2015. Most disturbing, 16% fewer were able to improve their ability to accurately detect and remediate malicious events than were able to in 2015, although this was still a top use case for CTI in 2016.

“Effective security has very simple roots,” continues Filkins. “However, just because the starting point is simple doesn’t mean that the process of achieving effective security is easy. Continuous monitoring has been around for a while, and it still represents a challenge for most organizations.”

A clear majority (73%) cited security misconfigurations as the leading threat to their organizations, and most security misconfigurations should be preventable through proper hygiene. The gap between assessments represents a window of opportunity for attackers to detect vulnerabilities and act on them before security and operations teams are even aware of them.

Filkins concludes, “CM has to be a business commitment–a serious part of an organization’s IT strategy–reaching well beyond security to dependencies on change and configuration management best practices. Organizations, especially larger enterprises, need to commit to recognizing change management, configuration management and continuous monitoring as key business practices, just as they do accounting and customer support.”

Full results will be shared during a webcast on November 15, 2016 at 1 PM EDT, sponsored by ForeScout Technologies, IBM Security, Qualys, and RiskIQ, and hosted by SANS. Register to attend the webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and security expert, Barbara Filkins.