Where to draw the line in cyber-security: Continuous monitoring

Dusty Wince

Like many GSN readers, I followed the story of the WikiLeaks security breach very closely. When the Web site was effectively shut down by Amazon.com’s Web servers, and then had its funding cut off by banking institutions, WikiLeaks supporters fought back -- hacking into those businesses’ systems and denying them service. 

This cyber attack, sponsored by no single government but affecting scores of companies and citizens, should give every federal agency pause. In a world where even the founder of Facebook has his Facebook page hacked, cyber-security can often seem an uphill battle. What applications are safe to use? What information is really secure? Where do you draw the line?     

In the past, cyber-security has largely been a story of compliance -- a Yes or No question. Does this system meet such-and-such security standard? But new technologies and evolving threats are now forcing a shift in the way government agencies approach this critical area of security, moving from paper-based compliance to a more pro-active, operational approach. 

Continuous monitoring is a concept that has been around for years in cyber-security circles, but has not been implemented effectively in some cases. The idea itself is simple: rather than test a system’s compliance once, during the Certification & Accreditation (C&A) process, and then let it sit stale for three years, monitoring should be an ongoing process, so that an agency can continually understand its risk posture. With government agencies probed hundreds of thousands of times each day by cyber criminals, terrorist organizations and foreign governments, continuous monitoring is a necessity. But the problem has always been how

Today, the real cyber-security shift is beginning, and it’s being led by the National Institute of Standards and Technology (NIST). NIST developed the first standards for cyber-security review back in 1997 and it has now fully integrated cyber-security into a Risk Management Framework (RMF). This disciplined and structured six-step process involves an agency’s entire organization and follows the full system development lifecycle -- from beginning to end. Continuous monitoring serves as Step Six.

The top issue in implementing continuous monitoring is one that all security practitioners face: how can threats be located and mitigated in a sea of information? For example, with thousands of visitors to an agency’s Web site every day, how do you distinguish malicious IP addresses from those of ordinary users? As a manual process, this can be labor-intensive and cost-prohibitive for budget-strapped agencies. But in recent years, new tools, such as sampling, common protocols and reference architectures, have been developed to automate this function. These provide agencies a real-time view into their security posture through a combination of manual and automated processes, coupled with expertise in cyber threats and vulnerabilities.
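To make the "sea of information" problem concrete, here is a small, added example (my own illustration, not code from the article or from NIST) of the kind of automated check that separates suspicious clients from ordinary visitors in Web-server access logs. It assumes the common Apache/nginx "combined" log format and two simple per-client thresholds inside a sliding time window: too many requests, or too high a share of 4xx responses. The log lines, IP addresses and thresholds are constructed for the example; a real deployment would tune them to its own traffic baseline.

```python
"""Added example: flag suspicious client IPs in Web access logs.

Assumptions (not from the article): Apache/nginx "combined" log format; a
client is flagged when, inside a sliding window, it exceeds a request-count
threshold or a 4xx-error ratio. All sample data below is constructed.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format, e.g.
# 203.0.113.7 - - [10/May/2012:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str) -> dict | None:
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "path": m["path"],
        "status": int(m["status"]),
    }


def flag_suspicious_ips(lines, window=timedelta(seconds=60), max_requests=20,
                        max_error_ratio=0.5, min_requests_for_ratio=5) -> dict:
    """Return {ip: reason} for clients exceeding a threshold in any window.

    Events are tracked per client, so only each client's own lines need to be
    in time order (which is how a server writes them).
    """
    recent = defaultdict(deque)  # ip -> deque of (timestamp, status) inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skipped here; a real deployment should count these too
        ip = rec["ip"]
        q = recent[ip]
        q.append((rec["ts"], rec["status"]))
        # Drop events that have aged out of the sliding window.
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if ip in flagged:
            continue
        n = len(q)
        if n > max_requests:
            flagged[ip] = f"{n} requests in {int(window.total_seconds())}s"
            continue
        errors = sum(1 for _, s in q if 400 <= s < 500)
        if n >= min_requests_for_ratio and errors / n >= max_error_ratio:
            flagged[ip] = f"{errors}/{n} requests returned 4xx"
    return flagged


def _mk(ip: str, t: datetime, path: str, status: int) -> str:
    """Build one constructed combined-format log line."""
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample log (documentation-range IP addresses, not real clients).
_T0 = datetime(2012, 5, 10, 13, 55, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # Ordinary visitor: four successful page views over 30 seconds.
    [_mk("203.0.113.7", _T0 + timedelta(seconds=i * 10), "/index.html", 200) for i in range(4)]
    # Scanner-like client: probes non-existent paths, mostly 404s.
    + [_mk("198.51.100.9", _T0 + timedelta(seconds=i * 3), f"/p{i}", 404 if i < 6 else 200) for i in range(8)]
    # Flood: 25 requests in 25 seconds to one page.
    + [_mk("192.0.2.33", _T0 + timedelta(seconds=i), "/login", 200) for i in range(25)]
    # A malformed line, to show that parsing failures are tolerated.
    + ["this line is not a valid access-log entry"]
)

if __name__ == "__main__":
    for ip, reason in flag_suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: {reason}")
```

The thresholds are the part an analyst tunes: the request-count check catches floods, the error-ratio check catches path scanning, and both produce a reason string that can feed the metrics a manager reviews rather than a bare list of addresses.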

The purpose of continuous monitoring is to provide senior leaders with actionable intelligence -- something they can use to assess real-time risks and make informed policy, investment and strategy decisions, rather than simply acting on their instincts. To achieve this, agencies must simultaneously leverage a top-down and bottom-up management approach. 

The bottom-up approach focuses on the critical security functions of every program, such as malware protection, vulnerability management and configuration management. These solutions and capabilities at the bottom provide managers at the top with the right metrics to understand relevant risks -- including leading and lagging indicators -- in order to make informed decisions.

IT provides agencies with an unprecedented opportunity to improve their performance, with new tools and new ways to reach stakeholders, reduce costs and better achieve their missions. Agencies cannot afford to be left behind, but there is a risk to every new technology. Continuous monitoring does not replace the need for system reauthorization, and it cannot be achieved by automation alone. However, with a unified effort from all agency stakeholders, including top leaders, continuous monitoring can provide an unprecedented tool for assessing risks and knowing where to draw the line. 
