I recently caught up with Rick Doten, VP Cyber Security at DMI. (For those of you who might not be familiar with Rick, he is a leading IT security expert with prior leadership posts at Gartner, Lockheed Martin and Verizon - more about Rick’s work is at the end of this post…). While Rick is a great believer in continuous monitoring, he touched upon three types that are simply not yielding desired results. To help solve this, Rick urges both the U.S. Federal and defense communities to take a ‘back to basics’ risk-based approach, and ask the right questions to get meaningful and actionable insights. Given the topic matter and expert insight, I thought Rick would make an excellent guest blogger, and he kindly agreed to share this post with us.
The National Institute of Standards and Technology (NIST) has recommended regular additions to the Federal Information Security Management Act (FISMA) of 2002 to address the ever-growing number of IT security challenges faced by government agencies. However, budget and resource restrictions, as well as confusion regarding timelines and guideline interpretations, make an existing challenge all the more difficult to manage. It shouldn't be this hard.

The 1st challenge: politics, and two schools of thought on continuous monitoring

We are turning a corner in our interpretation of continuous monitoring. Before the fall of 2011, many of my customers had already started to accelerate monitoring efforts from testing all controls once every three years to breaking the controls into thirds and testing one third of the controls each year. Originally, when NIST SP 800-137 was issued, many thought this would satisfy the requirement, figuring yearly would be "continuous." Then came the "oh-my-God moment" when DHS recently clarified that they really meant "near real time." Everyone sees the benefit: if an agency is compliant with SP 800-137 in accordance with OMB guidance, it avoids the certification and accreditation burden of FISMA reporting, which is check-box, snapshot-in-time, paper-based, manual and expensive. The other school of thought consists of the agencies that follow the SANS Institute's Consensus Audit Guidelines (CAG) to fulfill continuous monitoring requirements. (There are 20 different security controls listed, by the way.) The Department of State (DoS) is considered the poster child; they have been sharing their experience with everyone who would listen over the last few years. DoS implemented CAG controls 1, 2, 5, 9 and 12 in a near real time way, but they aren't considered compliant by SP 800-137 guidelines.
Overall, one can map the 15 technical controls and 5 more procedural controls in the CAG to the 11 information domains of NIST SP 800-137, with the exception of CAG control 9, related to security skills and training, which is absent from SP 800-137. Interestingly, most of the large systems integrators, in anticipation, have been developing their solutions around the CAG and not the SP 800-137 domains. So it will be interesting to see how this plays out. Net, net ... this needs to come to a head, as it will be nirvana when government programs can harmonize these approaches, get there with SP 800-137, and eliminate the burden of FISMA paper-based reporting.
The 2nd challenge: technical and organizational

First of all, the technology is the easy part. In my interactions with government agencies, both civilian and defense, I see that they all have the technology; you name it, hardware and technologies such as IPS, IDS, forensics, DLP and asset management. The key challenge is actually leveraging the potential of these tools, integrating them into a process, and coordinating among the different organizations responsible for keeping the organization's infrastructure running and secure. In an agency, one group runs the desktops, another the network, another monitors security devices, another responds to threats; each uses different tools, each is usually a different contact and contractor, and they are not well integrated. In some cases, in-fighting is even encouraged, because it's thought that it makes contractors work harder to keep their work. But for continuous monitoring to really work (i.e. to achieve holistic security awareness) we need to get past the turf wars and work together. But then, who will they listen to? The network team? The asset team? Who has overarching responsibility to organize these groups toward a single goal? It comes down to establishing a culture of teamwork, and a process that is both scalable and actionable.
The 3rd challenge: complexity, data and a false sense of security

This continues from the 2nd challenge. Many agencies are getting a false sense of security because they fulfill the NIST SP 800-53 technical controls and went on a technology buying spree so they can point to the industry-leading technology for each control area. What's more, as the threat environment keeps changing we add more defenses and burden our infrastructure even more. But in reality, this added complexity has in a way increased actual risk. The challenge is getting all the pieces to work together and having a process to make sense of it. Security information and event management (SIEM) addresses this to a certain extent, but it is just another technology to solve a point problem: too much data to analyze. We are on a hamster wheel. We add more technology to bolster security defenses, and with it more complexity and more data. People are hoarding more and more data to stay relevant, but data is only relevant if it is actionable. So now we have a big data problem, and folks are trying to apply business intelligence and analytics personnel to mine the data. As humans, we like the data chase. The challenge is that adding analytics as a technology moves us away from the problem we were trying to solve in the first place, which encourages us to pull in even more data. When will it stop? I have customers managing terabytes and petabytes of network log and event data. When we get to exabytes, what new tools will we need to buy to manage the data? At some point it will not be manageable. We need to get back to a set of risk questions that give actionable guidance. What are we trying to protect in the first place? How can we prioritize? Most organizations are slowly realizing that their technology defenses won't prevent a bank robber from getting in; what they are looking for is a way to keep the robber from getting out, and away from critical assets and infrastructure.
Again, I am a huge supporter of continuous monitoring guidelines: they answer "what is happening now" and how to prioritize responses, and move us away from yearly check-box snapshots of our systems. But in order to make continuous monitoring work we need to solve the people and process problem: how are we going to implement this and work among the different teams to be successful? Further, we need to tune it to protect what is identified as the most important assets to the organization, and understand what is critical to protect about those assets: confidentiality, integrity, availability, the fundamentals. We need to implement continuous monitoring with an enterprise risk-based approach, and not just as another point solution to meet compliance.

- Seema Sheth-Voss, Director of Solutions Marketing, Core Security