GTRA Roundtable Recap: How to Drive Efficiency and Improve Security
The CIA has The Farm, a secret facility somewhere in Virginia, where it trains agents in wiretapping, interrogation, and handling human “assets”. Similarly, the GTRA (Government Technology Research Alliance) convenes in remote Bedford Springs, Pennsylvania, roughly halfway between DC and Pittsburgh, in a hotel that looks like The Overlook from The Shining. Instead of how to poison an enemy operative, though, the federal delegates discuss cyber-security and collaboration between the government and industry.
I spent Sunday through Tuesday a couple of weeks ago exchanging ideas with the best and brightest in the public sector at roundtable meetings, on a panel entitled “How to Drive Efficiency and Improve Security”, and mingling in between sessions and at the Havana Nights after-hours soiree. Top-of-mind concerns echo those in the private sector, including secure mobile device and cloud strategies, and doing more with less. Federal agencies are also concerned with Continuous Monitoring, an initiative I’ve written about in the past here. While the private sector doesn’t have to comply with a government regulation mandating yet another set of security controls, the end of the government’s fiscal year is fast approaching, which brings compliance deadlines with it, and security managers are looking for answers on how to meet them.
According to NIST SP 800-137, “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” This is close to the definition of Security Intelligence, which provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation. Core to continuous monitoring is centralized event management, situational awareness—aka, context—and analytics, to reduce the onslaught of data into discrete, manageable, and actionable items.
Many of the GTRA delegates are trying to reconcile the ambiguity in the continuous monitoring guidance and the confusing array of solutions offered by the security technology industry. Within SP 800-137, the terms “continuous” and “ongoing” are not prescriptive; instead, they are defined to “mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information. Data collection, no matter how frequent, is performed at discrete intervals.” Once organizations come to grips with what the terms mean to them, what needs to be monitored? Just logs from security technology like firewalls and IPSes? How about network activity? And where do they get data about external threats to add situational awareness?
The advice that I give is that it all starts with a strategy. Don’t build your security posture around the 800-137 controls; map them to your mission objectives and the security initiatives that support them. A strong security posture usually pairs a goal of total coverage with incremental security milestones along the way. With this roadmap in hand, you can start planning and organizing activities, and get started. Remember, an effective security program is constantly evolving, so the end state is not final; you don’t have to get it perfect the first go-round. And if you don’t take the first step, it’s guaranteed that you won’t succeed in complying with the Continuous Monitoring mandate.
The same is true in the private sector, whether you’re subject to government regulations like SOX or contractual obligations like PCI DSS. In many cases organizations are subject to multiple compliance mandates, and many of them have overlapping controls. Map them to each other and the union of all controls should map to organizational goals and security initiatives. As you meet the controls that intersect, you’ll quickly start to fulfill the obligations of many compliance mandates at the same time.
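The control mapping described in the two paragraphs above, as an added example that is not part of the original post: a crosswalk from organizational controls to the mandate requirements they satisfy, a coverage report per mandate, and a ranking of the remaining controls by how many mandates each one intersects. The mandate and requirement labels are constructed placeholders, not real SP 800-137, PCI DSS or SOX clause numbers.

```python
from collections import defaultdict

# Constructed crosswalk: each organizational control -> the (mandate, requirement)
# pairs it satisfies. Labels are placeholders, not real clause identifiers.
CROSSWALK = {
    "central-log-collection":  {("CM", "log-aggregation"), ("PCI", "audit-trail"),
                                ("SOX", "change-evidence")},
    "asset-inventory":         {("CM", "asset-awareness"), ("PCI", "scope-inventory")},
    "vuln-scanning":           {("CM", "vuln-awareness"), ("PCI", "quarterly-scan")},
    "network-flow-monitoring": {("CM", "network-visibility")},
    "access-review":           {("SOX", "access-evidence"), ("PCI", "access-control")},
    "threat-intel-feed":       {("CM", "threat-awareness")},
}


def requirements_by_mandate(crosswalk):
    """Union of all requirements across the crosswalk, grouped by mandate."""
    reqs = defaultdict(set)
    for targets in crosswalk.values():
        for mandate, req in targets:
            reqs[mandate].add(req)
    return dict(reqs)


def coverage(crosswalk, implemented):
    """Fraction of each mandate's requirements met by the implemented controls."""
    total = requirements_by_mandate(crosswalk)
    met = defaultdict(set)
    for ctrl in implemented:
        for mandate, req in crosswalk.get(ctrl, ()):
            met[mandate].add(req)
    return {m: len(met[m]) / len(rs) for m, rs in total.items()}


def next_controls(crosswalk, implemented):
    """Rank unimplemented controls by the number of mandates each intersects,
    then by total requirements satisfied, so the next step has the most leverage."""
    remaining = [c for c in crosswalk if c not in implemented]

    def leverage(ctrl):
        targets = crosswalk[ctrl]
        return (len({m for m, _ in targets}), len(targets))

    return sorted(remaining, key=leverage, reverse=True)


if __name__ == "__main__":
    done = ["central-log-collection", "asset-inventory"]
    print(coverage(CROSSWALK, done))
    print(next_controls(CROSSWALK, done))
```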
Even with a solid plan, government agencies are struggling with how to become or stay secure in an increasingly complex threat landscape, with less budget and fewer resources. The panel was asked how private industry is helping to stretch federal budgets while at the same time improving security. My view, particularly after talking with security managers, CISOs, and CIOs in government agencies, is that the complexity of existing security solutions, comprising dozens of technologies from as many vendors, makes them expensive to purchase and maintain, ineffective at stopping determined attackers, and confusing as a means to achieve compliance with continuous monitoring. The answer is to evaluate the existing profusion of security technology, eliminate ineffective products, and consolidate where possible. The key to making these decisions is to monitor and measure, and the solutions that provide that capability will also give visibility to agencies, allowing them to fulfill a large part of the obligation toward Continuous Monitoring.
Government decision makers recognize this and asked during the executive meetings whether SIEM can replace some of the existing security technology. There seems to be some confusion as to what SIEM is and what it can do, as many of the roundtable attendees were there to get an orientation on the capabilities of QRadar and Security Intelligence. Some agencies don’t have SIEM at all, some have basic log management solutions, and others have first-generation SIEMs that simply have not lived up to the promises made at purchase. The results were positive, the proof being that Q1 Labs/IBM was nominated for the “Best Continuous Monitoring Round Table” award. It’s gratifying to be validated by the members of GTRA, some of the most strategic and advanced leaders in federal government.
In the final analysis, the agreement about how the public and private sectors can collaborate to improve efficiency and security is to let the government work on integrating agencies and let industry work on integrating technology. Because there is a wide range of requirements in both the private and public sectors, the solutions must be flexible enough to adapt to diverse processes. Q1 Labs has been in the business of continuous monitoring for almost a decade, long before the government initiative. And now, with the entire IBM Security Systems portfolio, we have the most comprehensive security offering, integrated to reduce the total cost of ownership.
We look forward to our continued relationship with GTRA and evolving our security solutions to meet the needs of both the private and public sector, combining the research and development resources of IBM and the feedback of the entire GTRA Council.