Agencies must put more emphasis on automation
- By Shawn McCarthy
- Aug 30, 2013
If agencies expect to halt the steady increase of cyberattacks, they need to focus on implementing continuous monitoring and automated responses, even at the expense of staff salaries.
Granted, proper staffing will remain a key component in making sure security efforts are up to snuff. But better software tools and enterprisewide automation could very well become a top priority.
Here's the issue. Earlier this year the White House reported that 90 percent of federal IT security spending goes to security staff salaries. In contrast, only 5 percent goes to security tools and software, and less than 3 percent goes to coordinating risk management (mostly NIST SP 800-37 implementation).
This allocation could change because automated tools have become one of the best ways to address security issues. Here are some examples:
Malicious code. Launching of malicious code represents about 5 percent of security issues. These types of attacks may or may not be related to the phishing issue, but they involve the installation of suspicious software that has not immediately been identified, quarantined and cleaned by preventative antivirus tools. It can also be the source of suspicious network activity and unauthorized monitoring. Anomaly detection tools can help recognize and halt such activity.
Authentication. Only a handful of agencies, including the Defense Department and General Services Administration, require employees to have personal identity verification cards for most network access. Several agencies, including the Energy and Justice departments, had almost no use of PIV cards at the end of the last fiscal year. Requiring this level of authentication greatly controls who has network access and what they can do. Most agencies are headed in this direction, though some are lagging in implementation.
By not automating monitoring and automatic responses capabilities, agencies may end up dedicating more people to security, which in turn makes it difficult to find the funds for advanced security solutions. That's the conundrum agencies face at the moment.
While Federal Information Security Management Act standards play a key role in assuring that IT solutions meet specific levels of security before they are purchased, such rules do not guarantee that security issues won't crop up once an IT solution is in place and operating. That’s where continuous monitoring tools can help IT managers can keep a closer watch on operations. CM is focused on three main areas at the moment:
Asset monitoring includes asset discovery, rule setting and hardware and software management related to known vulnerabilities, patches, updates and more. It also can include asset evaluation, situational awareness and scoring related to risk management of the various monitored devices.
Configuration monitoring often includes tools for assessing security configuration compliance, plus automated monitoring to look for configuration changes. Hardware and software changes can be done accidentally (such as when updating software or adjusting hardware) or on purpose (sometimes with malicious intent). Configuration monitoring records details on required configuration settings across an enterprise, monitors any changes to those settings and offers alerts if configuration rules are violated. Some tools allow for automated resetting of required configurations.
Vulnerability monitoring includes a multi-level approach. Hackers often exploit government systems by breaking in through software holes where known vulnerabilities can be exploited. Any government system connected to the Internet must conduct ongoing vulnerability assessments. This includes both external assessments (looking into the network from outside the firewall to identify vulnerabilities) and internal assessments (looking for known holes and issues within the network).
All of the automated tools or continuous monitoring efforts mentioned here require investment in specific software, hardware or specific commercial services. This may mean that reallocation of how security money is spent could be on the horizon for many federal agencies.
There is no single right or wrong answer for IT security. The real measure is how effectively a system can be buttoned up against unauthorized tampering. If that can be done strictly through staff efforts, then that might be the best solution for some agencies. But others may need to take a much more automated approach, and that could very well mean reallocation of IT security investments.