BreachExchange mailing list archives

Federal CIOs Moving Cybersecurity Beyond Compliance


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Apr 2014 13:22:36 -0600

http://www.cio.com/article/751661/Federal_CIOs_Moving_Cybersecurity_Beyond_Compliance

As federal agencies struggle to keep pace with the mounting threats to
their far-flung digital systems, IT professionals must move away from
treating security as a compliance exercise and adopt dynamic, real-time
monitoring, government CIOs said in a recent panel discussion.

In many agencies, that shift toward continuous monitoring is already well
underway, as CIOs have been working to further automate their systems so
that networked assets scan for and report potential security incidents.

"There was a lot of checklists focused on looking at what type of security
controls needed to be implemented, what type of security controls actually
were implemented," says Simon Szykman, CIO at the Department of Commerce.

"We're now moving toward an era of much more automated and near real-time
situational awareness where we have systems that themselves are able to
verify that controls are being implemented, assess the state of security
across a broad infrastructure, and report in a real-time or near real-time
basis a broad security posture over a big infrastructure up to decision
makers," Szykman says.

For entities within the government with IT assets positioned around the
country or even globally, achieving that holistic view of the network can
be a particular challenge.

For instance, at the National Oceanic and Atmospheric Administration, the
division of Commerce that includes the National Weather Service, IT
staffers maintain a sprawling network that collects data from more than
20,000 devices. With the agency's shift to continuous monitoring, all of
the automated information logs those devices produce became centrally
collected and analyzed — a round-the-clock process that scrutinizes more
than 1 billion events per day, according to NOAA CIO Joe Klimavicz.

Those data points had been collected before NOAA moved to continuous
monitoring about four years ago, Klimavicz says, but the agency did nothing
with them. Now, with constant threat detection and analysis, NOAA's systems
block more than half a million malicious Web connections each week,
according to the CIO.

"At NOAA, continuous monitoring is embedded in our enterprise-level
security operations center," Klimavicz says. "We're able to see things that
we weren't able to see before."

Cybersecurity 'A Big Data Issue' for State Department

But all that monitoring and data collection can create its own set of
challenges. The State Department, for instance, maintains IT operations in
more than 200 countries. Its security personnel are swimming in data
points. That prompted the IT team to develop a system, dubbed continuous
diagnostics and mitigation, or CDM, to sift through the clutter.

"It is a big data issue. Part of it is dealing with thousands of false
positives on a daily basis," says William Lay, the State Department's
deputy CIO for information assurance. "We have hundreds of monitors,
thousands of sensors. They're all pulling data together 24/7."

Lay continues: "We can't afford to have an army of people watching all of
these monitors, so we have to have really sophisticated tools to filter for
us. But once the filtering is consistent, we really end up with a risk
management model that gets the false positives down to a point that they
are manageable — and we end up with useful information that leads to better
decisions."

Lay explains that the State Department designed the CDM program as a
proprietary, in-house product to digest the disparate feeds from networked
devices and populate a dashboard that would offer visualizations of the
various security operations such as patching and virus protection.

"The big key is being able to give situational awareness to both our
decision makers and our system owners," Lay says, "so they really know when
they're making risk-based decisions what it is they're up against, whether
it's introducing new technologies or if they're just trying to further the
mission of the department."

Now four years along, CDM has moved under the auspices of the Department of
Homeland Security, which has been working to commercialize the product and
is making it available to other federal agencies along with state, local
and tribal governments.

Through those kinds of initiatives, the feds are looking to put the era of
check-box security behind them. From the vantage point of a vendor such as
the security firm Blue Coat, that shift has entailed changes in what
government customers are expecting from the contractors they do business
with.

"With compliance, we've been dealing with solutions where we're able to
pass audits. So we get a grade on whether or not our cybersecurity posture
was meeting the minimum requirements for the government," says Aubrey
Merchant-Dest, Blue Coat's director of cybersecurity strategy.

Now, Blue Coat sees attackers trying to get assets or break into a network
with targeted attacks — and they can easily skate through perimeter
defenses and even host defenses, Merchant-Dest says. "Bottom line: We can't
stop everything. With this new automated approach that CDM provides us,
it's in fact going to give us a better handle on cyber situational
awareness."
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com
