​The Four Pillars of Continuous Monitoring and Analytics in Security

Nathan Lowe, Managing Director, ASI Solutions

In today's world, no one can really afford to be reactive when it comes to security; it's now all about rapidly responding to security risks through ongoing, real-time monitoring, with analytics to spot the anomalies and potential threats.

Designing an adaptive security architecture can help your organisation provide a continuous response to threats.

Continuous monitoring and analytics is watching all assets and devices across a distributed network and acting on potential threats in an automated way. A system may automatically identify an indication of a risk and immediately act on it with a set of incident response procedures. Risk scoring algorithms may also be used to identify which potential threats are of higher risk and need acting on straight away.

Here are the key four pillars of continuous monitoring and analytics systems which can enhance your security footing.

Data integration

A continuous monitoring and analytics system needs to be able to piece together all the data coming from the organisation's mobile devices, applications and hardware. These items could have different ways of identifying themselves – either through IP address, hostname or MAC address, for example – which could make it challenging to bring all the data together. One way to solve this challenge is by using cross-referencing or a defined master table that contains all identifiers for an entity.

The system also needs to be able to handle multiple data formats such as Comma Separated Values (CSV) files, Extensive Markup Language (XML), and log files, as well as different access routes. Access could be though APIs (application programming interfaces), directly through a database, or by manually exporting the data. When there are multiple tools with different ways of access to the data, the system needs to be able to integrate all of them.

Data architecture

If there’s a database or repository taking in data from hundreds of sensors or devices then being able to consolidate data from all these sources is also crucial in a continuous monitoring and analytics system. This requires a model that can transform the data, consolidate it and correlate it.

The system also needs to feed the data to a real-time dashboard, which could be through a dimensional database and then using Online Analytical Processing cubes.


This is probably the most important pillar, as these systems depend on the analytics capability to spot potential threats and give them a risk score.

Sophisticated algorithms are needed to be able to deal with missing data, inconsistent data and different time intervals of when sensors and devices generate data. It needs to be able to fill in missing data with the mean or most frequent value or predict the value using other relevant data values. The analytics also need to be able to look across different time windows and understand which data is most recent and which has been superseded.


With large volumes of data coming from many different devices and assets, scalability also needs to be taken into account with a continuous monitoring and analytics system. Some organisations have thousands to millions of assets and devices, with hundreds to thousands of software applications, patches, configuration settings, and so on.

Being able to process this data efficiently is crucial so that there's no window of opportunity for an undetected threat to occur while processing is being fixed. Fast streaming XML parsers to quickly write the data to a database, with separate jobs tackling the data consolidation and correlation is a way to solve this challenge.

Ask yourself: should I be looking into ways of being more proactive with threat mitigation?

Join the CSO newsletter!

Error: Please check your email address.

Tags continuous monitoringASI Solutionscybersecuritycyber crime

More about

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Nathan Lowe

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place