Is continuous security monitoring worth the payoff?
Moving to a risk-management model of cybersecurity with continuous monitoring of systems can be difficult on a tight budget, but if done right, the savings can make it all worth the work.
EDITOR'S NOTE: This article was updated April 4, 2012, to correct John R. Walsh's title.
Continuous monitoring is the current mantra for government cybersecurity, but the challenges of implementing it in the real world on a real budget can be daunting, according to a panel of government officials and contractors.
“We have to change our business processes,” and align them with the available tools, John R. Walsh, chief of technology and business processes in the Cybersecurity Directorate of the Army’s Office of the CIO, said April 3 at the FOSE conference in Washington. There are tools to help the process, but the real challenge is people, not technology, he said. “It takes time to bring all of the people together. It’s education and awareness.”
The difficulties of implementing continuous monitoring stem largely from the fact that each department, agency and office has different business processes, missions and systems and no single tool set can effectively cover all of them, panel members said during a discussion on continuous monitoring. Tight budgets restrict adoption of new tools, so existing products and processes have to be brought together.
On the bright side, the process can produce significant savings as well as improve security if done effectively, Walsh said.
“We don’t know what we have,” he said of the Army’s global IT infrastructure. A complete inventory of resources is expected to cut the cost of certification and accreditation of IT systems by about two thirds, from $30 million a year to about $10 million. It can also increase the use of more economical enterprise license agreements for software. “I can do it at a much reduced cost at the enterprise level,” he said of managing software.
Government is gradually moving from the compliance-based model of cybersecurity enshrined in the Federal Information Security Management Act toward one based on risk management enabled by continuous monitoring.
Mark Crouter of Mitre Corp. described continuous monitoring as a four-step process: measuring the condition of a system, comparing its actual state with its expected state, identifying the vulnerabilities introduced by the differences, and mitigating those vulnerabilities.
Although this process ideally is continuous, it is not done in real time. The goal is to produce information quickly enough that useful security decisions can be made. If information comes in too slowly it is not helpful; if it comes in more quickly than it can be used it is a waste of resources. The speed and type of information to be produced will differ for each organization, depending on the systems being monitored, the tools available to monitor them and the resources to use the information.
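As an added illustration of the loop Crouter describes (this is example code, not anything presented at the panel or used by the Army, State or Mitre), the script below diffs a hypothetical host's observed state against its expected baseline, turns each deviation into a finding with a severity and a mitigation, and flags the whole report as stale when the snapshot is older than the decision window, which is the point about timeliness made above. The baseline, the scan snapshot and the impact table are all constructed sample data; in a real deployment the snapshot would come from an inventory or scanning tool and the impact table from vulnerability feeds or SCAP content.

```python
"""Added example: the measure / compare / identify / mitigate loop in code.
Baseline, observed snapshot and impact table are constructed sample data."""
from dataclasses import dataclass

# Expected state of one hypothetical host: package versions and service states.
EXPECTED = {
    "package": {"openssl": "1.0.1e", "bash": "4.2.46", "httpd": "2.4.6"},
    "service": {"sshd": "running", "httpd": "running", "auditd": "running",
                "telnet": "stopped"},
}

# Actual state as reported by a hypothetical scan of the same host (constructed).
OBSERVED = {
    "package": {"openssl": "1.0.1c", "bash": "4.2.46", "httpd": "2.4.6",
                "nmap": "6.40"},
    "service": {"sshd": "running", "httpd": "running", "auditd": "stopped",
                "telnet": "running"},
}

# What a deviation in a given item means. In a real deployment this comes from
# vulnerability feeds or SCAP content; here it is a hand-written table.
IMPACT = {
    ("package", "openssl"): ("high", "upgrade openssl to the baseline version"),
    ("service", "auditd"): ("medium", "restart auditd and find out why it stopped"),
    ("service", "telnet"): ("high", "stop and disable telnet"),
}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}


@dataclass(frozen=True)
class Finding:
    kind: str
    name: str
    expected: str
    actual: str
    severity: str
    mitigation: str


def compare(expected, observed):
    """Step 2: diff actual state against expected state.
    Returns (kind, name, expected_value, actual_value) tuples. An item missing
    on one side is reported as 'absent', so unexpected software shows up too."""
    deviations = []
    for kind in sorted(set(expected) | set(observed)):
        exp, obs = expected.get(kind, {}), observed.get(kind, {})
        for name in sorted(set(exp) | set(obs)):
            e, o = exp.get(name, "absent"), obs.get(name, "absent")
            if e != o:
                deviations.append((kind, name, e, o))
    return deviations


def identify(deviations, impact=IMPACT):
    """Step 3: turn each deviation into a finding with severity and mitigation.
    Deviations with no entry in the impact table are kept and marked 'unknown'
    rather than dropped, so gaps in the table do not hide drift."""
    findings = []
    for kind, name, e, o in deviations:
        severity, fix = impact.get((kind, name), ("unknown", "review: not in impact table"))
        findings.append(Finding(kind, name, e, o, severity, fix))
    return findings


def report(expected, observed, snapshot_age_s, max_age_s):
    """Steps 2 to 4 over a snapshot that step 1 already collected.
    snapshot_age_s is how old the observed data is; if it exceeds max_age_s
    the findings are still listed but the report is flagged stale, because
    decisions should not rest on data that arrived too late to act on."""
    findings = identify(compare(expected, observed))
    findings.sort(key=lambda f: SEVERITY_RANK.get(f.severity, 9))
    return {"stale": snapshot_age_s > max_age_s, "findings": findings}


if __name__ == "__main__":
    out = report(EXPECTED, OBSERVED, snapshot_age_s=600, max_age_s=3600)
    print("stale:", out["stale"])
    for f in out["findings"]:
        print(f"{f.severity:7} {f.kind}/{f.name}: {f.expected} -> {f.actual}; {f.mitigation}")
```

The deliberate design choice is that nothing is discarded: an observed item the baseline knows nothing about (the nmap package here) and a deviation the impact table cannot rate both reach the report, because an incomplete inventory is exactly the problem Walsh describes and the monitoring loop should expose it rather than paper over it.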
The State Department became the poster child for continuous monitoring with a system that was able to reduce high-risk vulnerabilities in its systems by 90 percent in 2009 and cut the costs of certification and accreditation by 62 percent. Other agencies found it difficult to reproduce the State’s system, however, and it became apparent that there is no one model for successful continuous monitoring.
“There are a lot of agencies that are stepping up with their own takes” on the process, said Angela Orebaugh of Booz Allen Hamilton, a co-author of the National Institute of Standards and Technology’s Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations.
She also has been involved with development of the Security Content Automation Protocol (SCAP), a suite of standard specifications for describing and identifying security issues that is being incorporated into commercial products to enable automated monitoring and reporting.
“Security automation is the foundation that is going to help all these tools work together,” Orebaugh said. But SCAP provides only a subset of the visibility needed into IT systems for effective monitoring.
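To make the two SCAP points above concrete, here is an added example (not from the article, from NIST, or from any scanner vendor) that reads an XCCDF 1.2 result document, the report format SCAP-capable scanners produce, and turns it into the kind of summary an automated reporting pipeline would consume. The XML is a constructed sample with made-up rule identifiers, trimmed to the rule-result elements; a real TestResult also carries the benchmark reference, target, scores and other elements that are omitted here. The summary deliberately separates rules the scanner could not evaluate (notchecked, unknown, error) from passes, which is the practical form of Orebaugh's caveat that SCAP gives only a subset of the visibility needed.

```python
"""Added example: parse an XCCDF 1.2 TestResult and summarize it.
The XML and rule ids are constructed for illustration only."""
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
NS = {"x": XCCDF_NS}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2, "unknown": 3}

# Constructed sample result document (not real scanner output).
SAMPLE_RESULT = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_host1">
  <rule-result idref="xccdf_example_rule_sshd_no_root_login" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_auditd_enabled" severity="medium">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_telnet_disabled" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_fips_mode" severity="medium">
    <result>notchecked</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_gui_absent" severity="low">
    <result>notapplicable</result>
  </rule-result>
</TestResult>"""


def parse_results(xml_text):
    """One row per <rule-result>: rule id, declared severity, and the result
    token (pass, fail, notchecked, notapplicable, ... as defined by XCCDF)."""
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.findall("x:rule-result", NS):
        text = rr.findtext("x:result", default="unknown", namespaces=NS) or "unknown"
        rows.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": text.strip(),
        })
    return rows


def summarize(rows):
    """Counts per result token, failed rules ordered by severity, and the share
    of in-scope rules the scanner actually evaluated. Rules that were in scope
    but came back notchecked, unknown or error are a visibility gap, not a pass,
    and are listed separately so they are not silently counted as clean."""
    counts = {}
    for r in rows:
        counts[r["result"]] = counts.get(r["result"], 0) + 1
    failed = sorted((r for r in rows if r["result"] == "fail"),
                    key=lambda r: SEVERITY_RANK.get(r["severity"], 9))
    in_scope = [r for r in rows if r["result"] not in ("notapplicable", "notselected")]
    evaluated = [r for r in in_scope if r["result"] in ("pass", "fail", "fixed")]
    no_visibility = [r["rule"] for r in in_scope if r["result"] not in ("pass", "fail", "fixed")]
    coverage = len(evaluated) / len(in_scope) if in_scope else 0.0
    return {
        "counts": counts,
        "failed": [r["rule"] for r in failed],
        "coverage": coverage,
        "no_visibility": no_visibility,
    }


if __name__ == "__main__":
    summary = summarize(parse_results(SAMPLE_RESULT))
    print(summary["counts"])
    print("failed:", summary["failed"])
    print(f"evaluated {summary['coverage']:.0%} of in-scope rules; "
          f"no visibility on: {summary['no_visibility']}")
```

The coverage figure is the number a program office should watch alongside the pass rate: a scanner that reports 100 percent passes on the rules it could check while leaving a quarter of the benchmark notchecked has not given 100 percent visibility, and the remaining rules have to be covered by some other tool or process.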
Effective monitoring and reporting will require a set of tools customized for the needs and abilities of each agency.