From: HSToday.US
By: Mickey McCarter
On Sept. 28, President Barack Obama signed the 2013 Continuing Appropriations Resolution (Public Law 112-175) that largely funded the government temporarily for six months at the previous year’s levels.
The continuing resolution made a few key exceptions to holding spending steady, and one of those exceptions was cybersecurity efforts at the Department of Homeland Security (DHS). The department would be allowed more spending, particularly in support of efforts to continuously monitor federal networks as a defense against intrusions.
Under the spending law, Infrastructure Protection and Information Security at the National Protection and Programs Directorate would receive $1.17 billion, including $328 million for network security deployment and $218 million for federal network security “to establish and sustain essential cybersecurity activities, including procurement and operations of continuous monitoring and diagnostics systems and intrusion detection systems for civilian federal computer networks.”
Speaking on a panel at the Symantec Government Symposium in Washington, DC, Wednesday, Ron Ross, senior computer scientist at the National Institute of Standards and Technology (NIST), called continuous monitoring a first necessary step given rapidly expanding information technology assets throughout the government.
“Along the way, technology exploded. It got better. It got more powerful. It got more affordable. And we kept buying more and more of it. And we started hooking these very powerful components to include our new mobile devices — the tablets and the smartphones — into vast networks,” Ross stated.
But “Today we find ourselves in a place where we are pretty much addicted to this great technology,” Ross said. “It makes us more productive. It changes the way we do business. That is all framed in the climate of the increasing sophistication of adversaries and the types of cyberattacks and threats we know exist today.”
Federal workers, however, must apply continuous monitoring to solve the right problem, Ross cautioned, noting that continuous monitoring is useful for determining what adversaries are doing and how to protect federal networks. As such, it is a tactic in a larger strategy, he said.
Continuous monitoring also helps federal agencies understand the effectiveness of IT controls, manage change to improve overall defenses, and comply with legislation and policy.
But continuous monitoring only remains effective if a network becomes more resilient over time, Ross said. Agencies must improve their infrastructure continually. Patching networks only solves perhaps 80 percent of the problems, and experts must simplify infrastructure in order to make it more resilient. The keys to simplification lie in cloud computing, enterprise architecture and the integration of security requirements into mainstream processes.
If a lock is broken, it will be broken when you look at it once, Ross said by way of analogy. If you look at the lock 1,000 times without taking further action, it will remain broken.
Also speaking on the panel was Anjalique Lawrence, assistant director of information security at the Government Accountability Office (GAO). She emphasized federal systems contain persistent information security control weaknesses.
In previous years, 18 of the 24 major federal agencies report weaknesses and deficiencies in financial reporting; 22 of 24 also reported information security as major management challenge.
Recurring areas that pose challenges include access control, configuration management, segregation of duties, continuity of operations and agencywide security programs, Lawrence said. GAO has made recommendations to address those weaknesses.
Meanwhile, DHS has a goal to help agencies across government achieve a 95 percent continuous monitoring rate by the end of the fiscal year, Lawrence said. In 2010, the US Office of Management and Budget (OMB) rolled out its Cyberscope tool to provide agencies with an automated reporting solution for measuring their capabilities for continuous monitoring.
In 2010, only two agencies achieved a level of continuous monitoring at 90 to 100 percent; in 2011, four reached that level.
Tony Sager of The SANS Institute told the panel that the National Security Agency (NSA) would once conduct penetration testing on federal networks every three years.
“That doesn’t match our world anymore. It’s not realistic. We are constantly bombarded with new information,” Sager pointed out.
Federal agencies must assess the value of new information and measure their progress against set expectations in continuous monitoring.
Agencies must manage assets to improve them and achieve a state where they have known security problems they can mitigate, Sager said.
The final speaker on the panel, Van Ristau, chief technology officer at DLT Solutions, called for more automation. He noted the federal government spent $13 billion on information security in fiscal year 2011 and employed 84,000 full-time employees.
Automation could make some of those people available for other things like addressing infrastructure challenges, Ristau said. Still, workers must now administer integrated solutions working in tandem because no single solution can resolve security challenges.
“You cannot go out and buy a solution that will protect you 100 percent. You have to think in terms of how your infrastructure looks and make sure the information security systems that you procure, put in place, modify and customize are built on open standards and capable of evolving as technology changes,” Ristau said.
“Continuous monitoring is more of an ideal,” Ristau said. “I think we are approaching continual monitoring,” but “it’s not 100 percent and it won’t be until you do real-time network monitoring and analysis of log files and threat interception and counteraction in a real-time environment.”
Leave a Reply