Dec 11

Walking the talk: FISMA’s continuous monitoring requirement

From: Government Security News

By: Sanjay Castelino

The Federal Information Security Management Act, often called FISMA, was once looked at as purely a “box checking” procedure. The infamous “report cards” were often inaccurate, and rewarded agencies that could best play the paperwork game, rather than actually implement effective security.

This is no longer the case, as FISMA now emphasizes proactivity in security, rather than simply reacting to breaches as they occur.

There is no truer representation of FISMA’s new approach to agency IT security than FISMA’s requirement for “automated and continuous monitoring” of IT systems. Enacted in March 2012, this requirement is a new concept for agency IT, especially as previous regulations centered on secure patching, breach remediation and hardening, not pure proactivity.

True proactivity, as opposed to mere threat anticipation, is not commonly found in a security plan, especially from a monitoring standpoint, where reactive approaches remain the standard. To better prepare themselves for the realities of proactive monitoring, agency security teams need to turn to the one IT role that routinely deals with proactivity: the systems administrator (sysadmin). In fact, many of the tools that security teams need to use to achieve continuous monitoring are already proven in the sysadmin world. But what exactly are these tools?

Network configuration and change management toolsets — Just as the name implies, network configuration and change management (NCCM) tools watch for unanticipated or unauthorized changes to network devices. While unauthorized change can sometimes be the work of an ignorant end-user, far too often it is a symptom of a malware or Black Hat attack. The NCCM tools used by sysadmins can alert IT security teams in real time to these changes, potentially stopping serious breaches before they even occur. Best of all, NCCM tools are highly customizable, allowing security teams to ignore non-critical network components and focus solely on the aspects that matter to security.
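The change-detection idea described above, as an added example that is not part of the original article and not any vendor's product code: polled device configurations are compared against an approved baseline, volatile lines and out-of-scope devices are ignored, and only unapproved changes raise an alert. The device names, configuration lines, addresses and the change-ticket entry are constructed assumptions.

```python
import difflib
import re

# Constructed sample data: approved baselines and the configs from the latest poll.
BASELINE = {
    "edge-fw-01": "hostname edge-fw-01\n! Last configuration change at 09:00:01 UTC\n"
                  "access-list 101 deny ip any any log\nntp server 192.0.2.10\n",
    "core-rtr-02": "hostname core-rtr-02\nlogging host 192.0.2.50\n",
    "lab-sw-07": "hostname lab-sw-07\nvlan 20\n",
}
CURRENT = {
    "edge-fw-01": "hostname edge-fw-01\n! Last configuration change at 14:22:37 UTC\n"
                  "access-list 101 permit ip any any\nntp server 192.0.2.10\n",
    "core-rtr-02": "hostname core-rtr-02\nlogging host 192.0.2.50\nlogging host 192.0.2.51\n",
    "lab-sw-07": "hostname lab-sw-07\nvlan 20\nvlan 30\n",
}
WATCHED = {"edge-fw-01", "core-rtr-02"}           # lab-sw-07 is deliberately out of scope
IGNORE = [re.compile(r"^! Last configuration change")]  # volatile, not security-relevant
APPROVED = {("core-rtr-02", "+", "logging host 192.0.2.51")}  # from a change ticket

def normalize(config):
    """Drop blank and ignored lines so only meaningful lines are compared."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not any(p.search(ln) for p in IGNORE)]

def detect_changes(baseline, current, watched=WATCHED, approved=APPROVED):
    """Return one alert per watched device with unapproved or uncollected config."""
    alerts = []
    for device in sorted(watched):
        if device not in current:                 # failed poll: cannot prove no change
            alerts.append({"device": device, "missing": True, "added": [], "removed": []})
            continue
        delta = difflib.ndiff(normalize(baseline.get(device, "")),
                              normalize(current[device]))
        changes = [(d[0], d[2:]) for d in delta if d[:2] in ("+ ", "- ")]
        unapproved = [(s, ln) for s, ln in changes if (device, s, ln) not in approved]
        if unapproved:
            alerts.append({"device": device, "missing": False,
                           "added": [ln for s, ln in unapproved if s == "+"],
                           "removed": [ln for s, ln in unapproved if s == "-"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_changes(BASELINE, CURRENT):
        print(alert)
```

A watched device that drops out of the poll is reported rather than skipped, since a missing configuration cannot be shown to match its baseline.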

User device trackers — The Bring-Your-Own-Device, or BYOD, trend certainly does not help agency IT security teams when it comes to FISMA compliance. The rising tide of newly-proven and unproven devices on federal networks can become a nightmare from a security and compliance standpoint. Luckily, another tool in the sysadmin box can be the saving grace for IT security in the face of these seemingly overwhelming odds: user device trackers (UDTs).

Typically used by sysadmins to determine if a specific device is causing network stability issues, UDTs can also be used by security teams to assess device-specific threats against the network. Rather than just telling teams that a security problem is evolving, a UDT allows for the forensic tracking of a specific IP address across the network, making it easy for security teams to home in on the source of a given problem.

Traffic analysis and bandwidth monitoring tools — Used by IT operations teams for years, traffic analysis and bandwidth monitoring can quickly pinpoint areas of the network with unusually high traffic loads or suspect packets. These symptoms are often indicative of an intrusion or breach, and help IT security teams easily recognize areas of the network where security is at risk.

The sysadmin — Finally, agency IT security teams would be remiss if they did not recognize a readily available tool to help address the need for continuous monitoring: the sysadmin. No longer just a “network grunt,” sysadmin roles have greatly expanded in the federal government, encompassing previously specialty roles like IT operations and, in some extreme cases, security.

If agency security teams really want to walk the talk when it comes to continuous monitoring, they need look no further than the sysadmin. Already familiar with the required tools and strategies, sysadmins, not their tools, can be the biggest benefit to agency security teams dealing with slashed budgets and evolving threats.

Sanjay Castelino is vice president at SolarWinds, an IT management software provider.

 
