Continuous diagnostics and mitigation: Improving security through visibility
By Wallace Sann, public sector Chief Technology Officer, ForeScout Technologies, Inc.
The number of cyber incidents reported by federal agencies to the United States Computer Emergency Readiness Team (US-CERT) has risen sharply over the last decade, from 5,500 in fiscal 2006 to more than 67,000 in fiscal 2014. But the significance of these incidents goes far beyond their numbers. The data put at risk in government breaches includes, but is not limited to, classified national security intelligence, key US infrastructure information and sensitive personal information. Recent breaches at the Internal Revenue Service (IRS) and the Office of Personnel Management exposed data on millions of taxpayers as well as tens of millions of current and former federal employees and their families. These incidents not only create national security risks and enable wholesale identity theft, but they can also end the careers of those responsible for security.
The potential exists for a perfect storm. Government staff members struggle to maintain increasingly complex IT systems while cyberattacks become cheaper and easier to carry out, and our cyber adversaries remain highly motivated, sophisticated and well-funded. Federal Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and IT administrators are now working to get ahead of these threats to ensure our national security and to protect the privacy of citizens.
Continuous monitoring and mitigation (CMM) has emerged as the primary vehicle for meeting these goals. The ability to make IT networks, endpoints and applications visible; to identify malicious activity; and to respond immediately is critical to defending federal information systems and networks.
The Evolving Response
The government’s response to cyber threats has been laid out in legislation via the Federal Information Security Modernization Act, or FISMA. In the Department of Defense (DoD), the Defense Information Systems Agency and U.S. Cyber Command have initiated the Command Cyber Readiness Inspection, or CCRI, program, a comprehensive review of DoD cybersecurity posture for both classified and unclassified information systems. Alongside it, agencies are using the Comply to Connect initiative, which remotely scans and remediates devices connecting to .mil networks to ensure they meet security requirements.
The CCRI assessments evaluate all aspects of network security and information assurance programs, including all endpoints connecting either directly or through wireless access. Failure to meet CCRI requirements can result in a network being disconnected from the DoD’s Global Information Grid.
Civilian legislators and regulators have recognized that laws and mandates cannot keep pace with fast-changing technology. Legislation such as the Health Insurance Portability and Accountability Act (HIPAA) and FISMA sets out broad, technology-neutral goals for agencies, and compliance requirements are based on agency needs and the threats they face. This means technical specifications continue to evolve.
As the limitations of reactive, perimeter-based security have become apparent, civilian requirements have followed the lead of DoD, shifting their focus from checklist compliance to effectively measuring cybersecurity. FISMA guidance from the Office of Management and Budget has moved from periodic assessment of static security controls to continuous monitoring of IT resources and activities. This can ensure not only that required controls are in place, but also that the IT environment is being effectively defended. The culmination of this shift is the Department of Homeland Security’s Continuous Diagnostics and Mitigation, or CDM, program.
CDM enables better real-time visibility of all IT networks and systems. It provides off-the-shelf technology to help agencies in the .gov domain perform continuous assessments of status, threats and activity. The program specifies 15 monitoring capabilities, which can be either performed by agency sensors or provided as a service.
Phase 1 of the CDM program went into effect in 2013 and focused on endpoint security; phase 2, called Least Privilege and Infrastructure Integrity, began in 2014 and focuses on identity and access management and puts a premium on an agency’s ability to see and respond to network activity.
No one product provides complete CDM capability by itself. The key to achieving the goals of the program is the ability to take full advantage of the various security products already deployed in the network.
Leveraging Existing Security Infrastructure
Agencies have already invested in security products to provide defense in depth for their networks. Unfortunately, these products often fall short of their promised value because they operate independently, cannot adequately discover the assets they are supposed to protect and do not collaborate. They can provide periodic assessments, logging and alerts, but working on their own they do not provide the context, real-time monitoring, information sharing and automated response needed to meet modern security requirements.
Agencies can take full advantage of their installed security infrastructure by implementing a set of network, security and management interoperability technologies that enable information sharing between different security products and management systems. Agencies should look for technology that supports a broad range of third-party networking and security hardware and software, interoperating with many popular vendors and working in a variety of network environments. This not only creates visibility, but also enables automated incident response and mitigation, leveraging existing security investments to achieve continuous diagnostics and mitigation.
By sharing contextual information from various IT security and management products, an architecture of this type helps solve the problem of standalone systems and information silos. It also extends real-time control and automated remediation capabilities to IT systems that before had been limited to collecting, generating, analyzing or storing information without making it actionable.
This set-up not only enforces policies that allow DoD and civilian systems to remain compliant and secure, but also provides operational intelligence and policy-based mitigation. This lets agencies move beyond mere regulatory compliance and ensure that systems actually are secured.
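As an added illustration of the policy-based, information-sharing approach described above (example code written for this page, not from the article or any ForeScout product): a small comply-to-connect check that correlates posture data from three constructed feeds, one per standalone product, and returns a per-device decision with its reasons, plus fleet-level counts for a compliance report. Device names, field names and the signature-age threshold are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample feeds standing in for three independent products: an
# asset inventory, a patch-management console and an antivirus console.
# Device names, keys and thresholds are assumptions, not any product's API.
INVENTORY = {"ws-101": {"owner": "J. Doe"}, "ws-102": {"owner": "R. Roe"},
             "ws-103": {"owner": "unassigned"}}
PATCH_STATUS = {"ws-101": {"missing_critical": 0},
                "ws-102": {"missing_critical": 3},
                "ws-103": {"missing_critical": 0}}
AV_STATUS = {"ws-101": {"running": True, "signature_age_days": 1},
             "ws-102": {"running": True, "signature_age_days": 12}}
MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold

@dataclass
class Decision:
    device: str
    action: str                       # "allow", "remediate" or "quarantine"
    findings: list = field(default_factory=list)

def evaluate(device: str) -> Decision:
    """Correlate the three feeds for one device and apply the policy:
    quarantine blocks access, remediate allows limited access while fixes
    are pushed, allow grants normal access."""
    if device not in INVENTORY:
        # An unknown device cannot be assessed, so it is isolated first.
        return Decision(device, "quarantine", ["not in asset inventory"])
    findings, action = [], "allow"
    av = AV_STATUS.get(device)
    if av is None or not av["running"]:
        findings.append("endpoint protection not running")
        action = "quarantine"
    elif av["signature_age_days"] > MAX_SIGNATURE_AGE_DAYS:
        findings.append(f"signatures {av['signature_age_days']} days old")
        action = "remediate"
    missing = PATCH_STATUS.get(device, {}).get("missing_critical", 0)
    if missing:
        findings.append(f"{missing} critical patches missing")
        if action == "allow":          # never downgrade a quarantine
            action = "remediate"
    return Decision(device, action, findings)

def compliance_summary(devices) -> dict:
    """Fleet-level counts of the kind a high-level compliance report needs."""
    counts = {"allow": 0, "remediate": 0, "quarantine": 0}
    for dev in devices:
        counts[evaluate(dev).action] += 1
    return counts
```

Running `evaluate` over the four sample device IDs (including one that no feed knows about) shows how a device missing from any single silo changes the outcome, which is exactly the gap standalone products leave.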
Adding a Security Platform
Successfully completing a security audit or meeting ongoing regulatory requirements for continuous monitoring requires more than having security products in place. It requires the proper security policy, a trained staff to implement that policy and the technology to bring the products together.
The benefit of a policy-based security platform is that it leverages these elements to help automate regulatory compliance tasks while providing real-time security. It generates high-level compliance reports for C-level officials and frees IT staffers so they can focus on mission-critical activities rather than responding to routine security alerts. The result is proactive rather than reactive security, which reduces costs through common task automation.
A Matter of National Security
Each day, government agencies process vast amounts of information that is vital to national security, along with sensitive personal information on millions of employees, contractors and taxpayers. The consequences of loss of or unauthorized access to this data can range from identity theft to loss of public confidence and economic or political turmoil. As recent incidents in both the government and private sectors have demonstrated, executives are being held accountable for breaches and for a lack of adequate IT security, and the response to such failures can quickly derail or even end a career.
Both civilian and defense IT organizations must safeguard their information as well as the networks and systems housing it. At the same time, this information must be readily available to those with legitimate needs for it. Federal IT organizations must maintain compliance not only with accepted industry best practices for information security, but also with government regulations and guidelines for continuous monitoring.
About the Author:
Wallace Sann joined ForeScout Technologies in 2006 and currently serves as ForeScout's Public Sector CTO and Regional VP of Systems Engineering. In this role he provides technical leadership for ForeScout's Public Sector programs and Product & Certification roadmap, while also overseeing the Public Sector Systems Engineering team. He participates in numerous industry panels and speaking engagements on continuous monitoring, visibility, access control and automation. Prior to joining ForeScout Technologies, Mr. Sann worked in various capacities with the D.C. Government, Dept. of Interior and Dept. of Homeland Security. He spent the first six years of his career as a Communications Electronics Chief in the United States Marine Corps. Mr. Sann has a B.S. in Information Assurance from the University of Maryland University College.