Continuous monitoring: A piece of the IT security puzzle
Continuous monitoring is replacing periodic certification of government information systems as the federal standard for IT security, but it is a means to an end rather than an end in itself, say government security pros.
“Continuous monitoring is a tactic in a larger strategy,” said Ron Ross, senior computer scientist at the National Institute of Standards and Technology.
The larger strategy is a comprehensive approach to the growing number of vulnerabilities, threats and attacks targeting government systems, which have kept information security on the Government Accountability Office’s list of high-risk activities since 1997.
To be effective, the systems being monitored must be fundamentally sound, Ross said. Frequently checking a broken lock does not make it any more effective. “We can’t get ourselves out of this problem by counting things faster.”
Agencies must simplify their IT environments through the use of tools such as cloud computing and enterprise architectures to make them more manageable and then invest in the needed security to make them resilient.
Ross, who heads NIST’s Federal Information Security Management Act compliance program, made his comments at Symantec’s Government Security Symposium in Washington Nov. 7.
FISMA calls for agencies to monitor the security status of IT systems, but the details of how to do it have been left to the Office of Management and Budget. OMB initially established a requirement for periodic security authorization, with certification and accreditation of IT systems done every three years. With the pace of change in IT and in the cyber threat landscape, however, it has become apparent that this is inadequate, and in the past three years the focus has moved toward continuous monitoring of systems as a replacement for triennial reauthorization.
In 2010, the Homeland Security Department, which has been delegated responsibility for overseeing FISMA compliance, began requiring that agencies use the Cyberscope automated reporting tool for security reporting. Cyberscope receives recurring data feeds to assess the security posture of IT systems, and the goal is to produce a more timely and useful view of security status. Initial Cyberscope reports were to be made quarterly, and beginning in 2011 agencies were required to report data on a monthly basis.
This shift has generally been welcomed by security professionals. Tony Sager of the SANS Institute, who until June was COO of the National Security Agency’s Information Assurance Directorate, called it “one of the best ideas in information security” he has seen from the government, although he prefers the term “continuous measurement and management” to “continuous monitoring.”
But Sager pointed out that for measurement to be effective, agencies need something to measure. The Top 20 Critical Security Controls, a set of high-value controls identified by a coalition of government and private industry as critical security investments, is emerging as the standard for such measurement. Sager, who was involved in developing the Top 20 while at NSA, now heads the critical controls effort at SANS.
Sager is a fan of the move from episodic evaluation to continuous monitoring, and sees the prioritization of a finite but effective set of security controls as a valuable place to begin monitoring.
The Top 20 Controls are not intended to be comprehensive and do not replace the set of more than 600 controls in NIST’s Recommended Security Controls for Federal Information Systems. Rather, they represent a starting baseline, part of the recognition that complete security is neither possible nor necessary.
In the 1970s and 1980s government believed in a provable assertion that an IT system was secure, Sager said. But, “the goal is not perfection any more.” The goal today is “a state of known security properties,” that lets system owners understand the risks in a system so that the risks can be either mitigated or accepted.
Despite its promise, continuous monitoring is not easy to achieve, although automated tools are being developed by industry using standards such as the Security Content Automation Protocol to ease the job. And although it is called continuous, monitoring everything all of the time is not feasible. Agencies have to decide what needs to be monitored and how often.
Security controls applied to a system should reflect the mission of the system and the threats to it. Systems then should be monitored for those controls at a frequency that reflects the agency’s available resources and tolerance for risk. The result should be a picture of an IT system’s status that can be used to maintain and improve security and comply with FISMA requirements.
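The two points above, that SCAP-style automation produces the raw data and that each control is then checked at a frequency set by risk tolerance, are easy to illustrate in code. The following is an added example, not code from the article, NIST or SANS: it parses constructed XCCDF 1.2 result documents (the format SCAP scanners emit), keeps the newest observation for each rule, and grades every control against a hypothetical policy that maps control priority to a maximum age. The rule identifiers, priorities and intervals are illustrative assumptions, not any published baseline.

```python
"""Added example: grading XCCDF (SCAP) scan results against a monitoring schedule.

Not code from the article, NIST or SANS. The two TestResult documents are
constructed, and the priority/interval policy is hypothetical.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"
PASSING = {"pass", "fixed"}
FAILING = {"fail", "error", "unknown"}

# Hypothetical policy: how old an observation may be before the control is
# considered unmonitored, by priority. Tighter tolerance for risk means
# shorter intervals on the controls that matter most.
CHECK_INTERVAL_DAYS = {"high": 1, "moderate": 7, "low": 30}

# Hypothetical control inventory: XCCDF rule id -> priority.
CONTROL_PRIORITY = {
    "xccdf_example_rule_ssh_root_login": "high",
    "xccdf_example_rule_patch_level": "high",
    "xccdf_example_rule_audit_enabled": "moderate",
    "xccdf_example_rule_banner_text": "low",
}

# Constructed scan output: a full scan in October, a partial rescan in November.
SCAN_OCT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_testresult_oct" start-time="2012-10-20T02:00:00Z">
  <rule-result idref="xccdf_example_rule_ssh_root_login" time="2012-10-20T02:03:00Z"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_patch_level" time="2012-10-20T02:04:00Z"><result>pass</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" time="2012-10-20T02:05:00Z"><result>pass</result></rule-result>
</TestResult>"""

SCAN_NOV = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_example_testresult_nov" start-time="2012-11-05T02:00:00Z">
  <rule-result idref="xccdf_example_rule_ssh_root_login" time="2012-11-05T02:03:00Z"><result>fail</result></rule-result>
  <rule-result idref="xccdf_example_rule_audit_enabled" time="2012-11-05T02:04:00Z"><result>pass</result></rule-result>
</TestResult>"""

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2012, 11, 5, 12, 0, tzinfo=timezone.utc)


def _parse_time(value):
    """Parse the UTC timestamps XCCDF uses on rule-result elements."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_rule_results(xml_text):
    """Return {rule_id: (result, checked_at)} from one XCCDF TestResult."""
    root = ET.fromstring(xml_text)
    results = {}
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        res = rr.find(f"{{{XCCDF_NS}}}result")
        if res is None or res.text is None:
            continue  # malformed entry: no verdict recorded
        results[rr.get("idref")] = (res.text.strip(), _parse_time(rr.get("time")))
    return results


def merge_latest(result_sets):
    """Keep only the most recent observation per rule across several scans."""
    latest = {}
    for rs in result_sets:
        for rule_id, (result, when) in rs.items():
            if rule_id not in latest or when > latest[rule_id][1]:
                latest[rule_id] = (result, when)
    return latest


def assess(latest, now, priorities=CONTROL_PRIORITY, intervals=CHECK_INTERVAL_DAYS):
    """Grade each control in the inventory: failed, unmonitored, stale or ok.

    A failing verdict is reported regardless of age; a passing verdict older
    than the control's interval is reported as stale, since an old "pass"
    says nothing about the current state (the checked-broken-lock problem).
    """
    report = {"failed": [], "unmonitored": [], "stale": [], "ok": []}
    for rule_id, prio in priorities.items():
        if rule_id not in latest:
            report["unmonitored"].append(rule_id)
            continue
        result, when = latest[rule_id]
        if result in FAILING:
            report["failed"].append(rule_id)
        elif result not in PASSING:  # notchecked, notselected, notapplicable, ...
            report["unmonitored"].append(rule_id)
        elif now - when > timedelta(days=intervals[prio]):
            report["stale"].append(rule_id)
        else:
            report["ok"].append(rule_id)
    return report


if __name__ == "__main__":
    merged = merge_latest([parse_rule_results(SCAN_OCT), parse_rule_results(SCAN_NOV)])
    for category, rules in assess(merged, NOW).items():
        print(f"{category:12s} {rules}")
```

Run against the constructed scans, the high-priority patch-level control shows up as stale even though its last verdict was "pass", because it has not been re-checked within its one-day window; the SSH control is failed; the low-priority banner control has never been observed at all. That last category is the one a purely scan-driven report tends to hide, which is why the inventory of what should be measured is kept separately from what the scanner happened to return.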
And although compliance does not necessarily equal security, it is not a bad thing.
“Compliance has turned into a bad word in this town,” Ross said. “But it is not a bad thing.” Added Sager: “We live in a world of compliance, and that is not evil.”