Continuous monitoring takes compliance to the next level
Continuous monitoring emerges as critical element of the defensive game plan for security
If many of the problems with federal IT security come from the snapshot effect of adhering to yearly audit requirements of the Federal Information Security Management Act and other regulations, one answer might be to increase the frequency of those audits. Continuous monitoring of agency systems and security configurations is the new target for Congress and the Obama administration.
In March, Rep. James Langevin (D-R.I.) introduced the Executive Cyberspace Coordination Act, a House companion measure to the similar Cybersecurity and Internet Freedom Act introduced in the Senate in February. The measure would require agencies to undertake automated and continuous monitoring of their systems to ensure compliance and identify deficiencies in their IT security and risks to that security.
In its report on the fiscal 2010 implementation of FISMA, the Office of Management and Budget said agencies need to be able to monitor security-related information across the enterprise “in a manageable and actionable way,” and a well-designed and well-managed continuous monitoring program “can effectively transform an otherwise static security control assessment and risk determination process into a dynamic process that provides essential, near real-time security status-related information.”
In a December 2010 draft of its Special Publication 800-137, "Information Security Continuous Monitoring for Federal Information Systems and Organizations," the National Institute of Standards and Technology described continuous, ongoing monitoring as a critical part of its overall risk management framework for information security.
A primary goal of continuous monitoring is, as far as is practicable, to apply automated remediation to the security vulnerabilities that are found. That takes the need for human intervention out of the picture, and human intervention, with the errors and delays that result from it, is blamed for many of the lapses in IT security.
Continuous monitoring is the right direction for agencies to take because, with the way things are going now with advanced persistent threats and other modern vulnerabilities, security is no longer about what you know — it’s about what you don’t know, Iron Bow Technologies' Prem Iyer said. And that’s a complete switch from the mindset of the past 15 years of IT security, which has been organized around recognizing the signatures of known methods of attack.
“When we talk to customers it’s about why they have all of these security solutions and processes in the first place,” he said. “And then we point out that, if they are not being monitored in real time, the organization is probably not seeing the main thing that this security is catching, which is the zero-day threat.”
Zero-day threats are malware that exploit unknown vulnerabilities in an organization’s security, breaching defenses in the window between the time the vulnerability is discovered and the time software developers create a patch for it. In the case of stealthy APTs, which are designed to be undetectable once inside a network or system, that first breach is all they need to be effective.
Along with established best practices, such as intrusion detection and malware protection technologies, continuous monitoring will need other tools, such as security information and event management suites of event-logging tools and centralized security management dashboards that consolidate the information provided by all of the automated scanning. Those tools would give network and security management personnel a near real-time view of the enterprise security status.
However, before that is possible, standards such as the Security Content Automation Protocol (SCAP) have to be recognized and used throughout the security industry. SCAP is a suite of specifications that standardizes the way security software products recognize and name security vulnerabilities and configurations.
“SCAP is not one of those sexy security issues,” said Shon Harris, president of Logical Security. “But until we can get a standardized way to call the same vulnerability and the same asset by the same name, we are never going to get our stuff together and we are never going to be able to do continuous monitoring.”
Today, if a security professional does a certification and accreditation on a system, a checklist of different configurations of Web browsers, operating systems and so on must be completed, Harris said. That can take hours or even days, and further delays then follow because of paperwork that has to be filed and an approval process that has to be navigated.
SCAP and other automation protocols ensure that this can happen continuously in a standardized way, and all the necessary reports are generated and communicated in a standard fashion, no matter what security products are being used.
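A small illustration of the naming problem Harris describes, added here and not taken from the article: two constructed scanner feeds are merged into a single enterprise view only where both carry standard CVE and CPE identifiers, while a finding that has only a vendor plugin name cannot be correlated at all. The feed contents, CVE number and helper names are constructed for the example.

```python
"""Correlate findings from two scanners by their SCAP identifiers.

The feeds below are constructed; the CVE and CPE values are placeholders,
not real records. The point is Harris's: results can only be merged into
one dashboard when the same vulnerability (CVE) and the same asset
platform (CPE) are called by the same name in every product.
"""
import re
from collections import defaultdict

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")     # CVE identifier syntax
CPE_RE = re.compile(r"^cpe:2\.3:[aho]:")        # CPE 2.3 formatted-string prefix

# Constructed feeds: each scanner has its own plugin names, but a
# SCAP-aware one also emits CVE and CPE so the finding can be correlated.
EXAMPLE_CPE = "cpe:2.3:o:examplevendor:exampleos:7:*:*:*:*:*:*:*"
SCANNER_A = [
    {"host": "ws-01", "plugin": "Vendor A SMB remote code exec check",
     "cve": "CVE-2011-9999", "cpe": EXAMPLE_CPE},
    {"host": "ws-02", "plugin": "Vendor A legacy browser finding 42",
     "cve": None, "cpe": None},   # vendor name only: nothing to match on
]
SCANNER_B = [
    {"host": "ws-01", "plugin": "Vendor B SMB exploitability test",
     "cve": "CVE-2011-9999", "cpe": EXAMPLE_CPE},
]

def normalize(finding, source):
    """Return ((host, cve, cpe), source) for a SCAP-named finding, else None."""
    cve, cpe = finding.get("cve"), finding.get("cpe")
    if not (cve and CVE_RE.match(cve) and cpe and CPE_RE.match(cpe)):
        return None
    return (finding["host"], cve, cpe), source

def consolidate(feeds):
    """Merge feeds into {(host, cve, cpe): set(sources)} plus the leftovers."""
    merged, unmatched = defaultdict(set), []
    for source, findings in feeds.items():
        for finding in findings:
            norm = normalize(finding, source)
            if norm is None:
                unmatched.append((source, finding["host"], finding["plugin"]))
            else:
                merged[norm[0]].add(norm[1])
    return dict(merged), unmatched

if __name__ == "__main__":
    merged, unmatched = consolidate({"A": SCANNER_A, "B": SCANNER_B})
    for key, sources in merged.items():
        print(key, "reported by", sorted(sources))
    for item in unmatched:
        print("not correlatable:", item)
```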
Despite OMB’s assertion in its FISMA report that, in fiscal 2010, the federal government “shifted from periodic security reviews to continuously monitoring and remediating IT security vulnerabilities,” most agencies clearly have some way to go before they get there. According to the inspectors general at the 24 agencies covered by the Chief Financial Officers Act of 1990, nearly two-thirds of those agencies need improvement in continuous monitoring.
But that's something they likely won’t be able to dodge, even if they wanted to, because several new federal reporting and implementation tools will require it.
Cyberscope, which was launched in fiscal 2010, is an interactive data collection tool that can capture the kinds of feeds produced through continuous monitoring and assess agency security postures. In April 2010, OMB directed that all agencies develop an approach for reporting their security compliance through Cyberscope, to include direct feeds from monitoring systems.
CyberStat, which will be introduced in fiscal 2011, is a management model that will enable the Homeland Security Department to quickly evolve new security metrics to gauge the effectiveness of agency security. Together, Cyberscope and CyberStat are expected to give the federal government a new level of information about risks to information systems.