From: FierceGovernmentIT
The Obama administration has placed much emphasis on continuous monitoring when it comes to securing federal networks.
What it hasn’t done is provide parameters for how continuous the continuous monitoring need be in order to qualify as continuous.
Asked for a definition during a April 3 panel at the FOSE conference in Washington, D.C., Brian Varine, director of the Energy Department joint cybersecurity coordination center said he has an “unofficial…[and] undocumented” definition.
“If I’m the CISO or the CIO, I should be able to go to somebody in operations or security and say, ‘This computer, IP address, MAC address, host name, or whatever–I want to know what the current patch status is, right now’” and get the response back in 5 minutes.
“If you can’t, then you’re probably not answering the mail on continuous monitoring,” he added.
Joe Albaugh, the Federal Aviation Administration chief information security officer, said there is no single definition.
“There’s no discrete answer to that,” he said. “It really depends on schedules, production, environments.”
In an ideal world, Albaugh said, scanners would be able to display on a dashboard the patch status of machines on the network in real time, but that level of continuous monitoring could easily consume too much bandwidth.
“You set a threshold, and then you see if you can meet the threshold, and then you determine whether or not you’re getting actionable information and if you need to start reducing that threshold,” he added.
Would be setting that threshold at scans once every quarter be continuous monitoring? No, said Albaugh. But if real-time isn’t possible and quarterly clearly isn’t continuous enough for continuous monitoring, then what might be an upper parameter?
“Maybe we should start once a month,” Albaugh said. “Maybe we should then move that down to once a week and we could see whether or not we’re choking our pipes.”
Leave a Reply