Author Archive

Monday, 26 April 2010 09:10

Here Comes FISMA 2.0: First Step Continuous, Real Time Reporting

As I wrote in a previous blog, cybersecurity continues to be a preeminent issue in Washington, D.C. Across the political spectrum, a broad coalition of elected officials and government agencies is moving quickly to drive agencies and federal contractors to get a better handle on genuine network security – and they are starting with continuous, real-time reporting.

The latest ball to drop was Wednesday’s (April 21, 2010) announcement by the OMB of significant changes that apply to all government agencies as part of their FY 2010 reporting requirements, including:

  • Conduct a government-wide benchmarking study on the current state of cybersecurity
  • All civilian government agencies are required to submit real-time data on their network’s security
  • Conduct agency-specific interviews to begin the process of tailoring cybersecurity requirements to meet the needs of each agency

Of these, the new requirement for all agencies to begin reporting on a continuous, real-time basis is the most far-reaching, and shows a real shift in direction from a “paperwork culture” to genuine security intelligence. These new requirements pose serious challenges to agency heads, who will now be required to make reporting a by-product of the systems they are deploying and to make sure they are continuously monitoring how their information systems are being protected. Specifically, agencies will be required to submit reports via the CyberScope system (run by the Department of Homeland Security), either through a direct data feed or through an Excel XML file upload. They will have to do so by November 15, 2010 in order to be in compliance.

With legislation that includes provisions for continuous, real-time reporting already making its way through both chambers of Congress, it will be critical for agency heads to stay in front of new reporting requirements as well as other mandates that will be coming their way. In order to comply with these new requirements, let alone what FISMA 2.0 will require, agencies will need to have in place a solution that enables them to collect and store massive amounts of data, generate a real-time report on their network’s security status, and then submit that information.

As Federal CIO Vivek Kundra said in his press briefing, “The FISMA guidance we issued today is a significant departure from how we operated in the past.” It is important to recognize that these new requirements do not call on agencies to invest in a mere reporting tool – they go far beyond that. If you look deeper into the pending legislation and Executive-level initiatives, it is clear that government agencies are at the early stages of a new paradigm where they are being required (or perhaps being given the resources) to do what network security professionals have long said needed to be the focus of FISMA: a genuine, well-resourced mandate to protect the government’s networks from cyberattacks. Reporting is still going to be key, but it is going to be output produced through the process of protecting the network.

Agency CIOs and CISOs will need to arm themselves with comprehensive tools that allow them to:

  • Monitor their network and security-related activity through a single console, or “One Console Security”
  • Utilize data to establish benchmarks and best practices
  • Ensure best practices are adhered to and policies are being actively monitored
  • Automate the creation and availability of continuous, real-time reports
  • Scale their network security solution so that devices throughout their distributed networks can be monitored
  • Enable proactive decision making and intrusion prevention capabilities

While this may seem like a daunting challenge, the technology already exists and has been implemented by over 1,000 private and public sector organizations, customers of Q1 Labs.

QRadar is certified as a technology product for government deployments, including under Common Criteria (CC), an international standard (ISO/IEC 15408) for computer security certification, with an Evaluation Assurance Level (EAL), the claimed security assurance rating.


Thursday, 15 April 2010 13:43

New State Level PCI Laws Pose Challenges and Financial Consequences for Payment Processors

Last month, Washington State became the third state to enact legislation that aims to protect consumers and financial institutions from security breaches by incorporating PCI requirements into its statutes, and also by placing additional financial consequences on payment card processors who are deemed “negligent” under the new law. For businesses that are not based in Washington State, this new legislation may have passed well below the radar – but non-compliance could have serious ramifications for any processor’s or vendor’s bottom line.

Washington’s new law allows for regulated entities to be held financially responsible for losses incurred through fraud or data breaches if the entity merely offers or sells goods or services to Washington residents. The Information Law Group has a great post about the details of this legislation, but two things really jump out at me here:

  1. PCI compliance, and penalties for non-compliance, are becoming a patchwork of laws being created at the state level
  2. There is a trend starting here, with a possible domino effect taking place as more states begin to take a closer look at implementing legislation to proactively protect consumers’ personal information

Minnesota kicked off legislating PCI compliance at the state level in 2007 by requiring all entities accepting credit and debit card transactions to implement a set of 12 security controls to protect payment card data against compromise. If they don’t comply, they may have to reimburse banks and credit unions that are affected. Nevada was next, when in 2009 that state passed a bill that mandated PCI compliance for businesses accepting payment cards; again, it applies to any covered entity doing business in the state.

While the Washington, Nevada and Minnesota laws attempt to achieve a similar objective, they have different definitions for what a “covered entity” is, what requirements payment processors must undertake, what penalties can be assessed, and what is considered a safe harbor. If this trend is anything like data breach notification laws, where a wave of other states passed laws shortly after California passed theirs, there could be another wave coming.

The challenge for the payment card industry will be to keep up with all of these new requirements and to demonstrate that they were in compliance if a breach occurs. After all, a breach that occurs while out of compliance could result in millions of dollars in reimbursable payments to financial institutions – and the difference between having to make a reimbursable payment or not could come down to compliance and reporting.


Thursday, 25 March 2010 15:37

Cyber Security, FISMA 2.0, GRID Take Spotlight in Washington

It has been a busy couple of weeks in Washington, and not all of it about healthcare – the increasing drain on GDP from cyber-crime and attacks has also drawn attention. In stark contrast to the recent divisions found in the nation’s capital on some issues, there appears to be a great deal of consensus on the need to improve the nation’s ability to prevent and defend against cyber attacks.

Just yesterday, the Senate Commerce Committee approved the Cybersecurity Act (S.773), a bipartisan bill introduced by Senator Rockefeller (D-WV) and Senator Snowe (R-ME) that is aimed at improving both public sector and private sector preparedness. The bill would mandate that the President and those responsible for critical infrastructure systems work to identify and classify IT systems that, if successfully attacked, would threaten strategic national interests. Federal agencies would also be required to:

  • share information with the private sector concerning critical infrastructure networks
  • increase the numbers of trained and certified cybersecurity professionals
  • fund research related to cyber security.

Also on Wednesday, H.R. 4900 was introduced by Rep. Diane E. Watson (D-CA). It would rewrite provisions in the 2002 Federal Information Security and Management Act (FISMA), including establishing a “National Office for Cyberspace” within the Executive Office of the President (the EOP is a QRadar user) and a Federal Cyberspace Practice Board that would be responsible for updating policies and procedures, as well as implementing an agency-wide information security program to monitor network security and ensure compliance. The bill would also place security requirements on IT products that the federal government procures.

In testimony given Wednesday by public and private industry experts, many argued that the current FISMA requirements focus too much on compliance and so have actually hamstrung security professionals.

“In my view, the implementation of FISMA has been like getting on a treadmill,” said John Gilligan, the Air Force’s CIO at the time FISMA was implemented. “A treadmill is great if all you want is exercise, but it is not the way to reach a destination. The federal government has certainly burned a lot of calories, but we are still a long way from reaching our destination of dramatically improved security.” This speaks to the growing tendency to confuse “compliance” with “security”.

Alan Paller, founder of the SANS Institute, gave praise to government reforms that would require continuous monitoring but also pointed out that the 2002 FISMA legislation “rewarded ineffective behavior” and generated “reports that answered the wrong questions”.

At the same time as significant revisions to FISMA are being considered, FY 2010 FISMA performance metrics look to drive agencies and federal contractors to get an even better handle on real-time, automated cyber security and compliance reporting today. The focus of many of these reforms is to move from a compliance and reporting driven system to one that focuses on actually defending IT networks.

A third piece of legislation, the Grid Reliability and Infrastructure Defense Act, was unanimously approved by a House subcommittee on Wednesday as well. This bill directs the Federal Energy Regulatory Commission (FERC) to take measures to protect the electricity grid from telecommunications intrusions. This is on top of the $4.5 billion included in the 2009 stimulus to modernize the electric grid.

For government agencies and covered contractors, this sea change in regulation may leave some questions as to what direction each should take now, as they look to meet both current and future mandates while also working to better defend their IT networks. In other words, the question is how to leverage increasing compliance mandates (and the budgets they create) to drive security best practices.

Two points of emphasis arise:

First, compliance and reporting mandates may change, but they won’t go away. Following the advice of Gartner, other research firms and security consultants, compliance initiatives should be built around these key audit guidelines:

  • Transparency: providing visibility into the security controls, the business applications, and the assets that are being protected
  • Accountability: proving who did what and when
  • Measurability: metrics and reporting around risk within your organization

Second, any organization, public or private, needs to be able to scale its solutions to meet what is likely to be the centerpiece of the newest crop of cyber security regulations – actually securing networks. To do this, security teams will need to be able to monitor their entire network and gain total visibility across systems, security devices, and the network, and then apply event correlation, including behavior analysis, and intelligent application of context—network architecture, system profiles, identity information, and third-party security intelligence sources—to event data.

QRadar is certified as a technology product for government deployments, including under Common Criteria (CC), an international standard (ISO/IEC 15408) for computer security certification, with an Evaluation Assurance Level (EAL), the claimed security assurance rating.

QRadar surveys the entire network, using native flow sources in a customer’s routing/switching infrastructure or from distributed collectors to gather a detailed history of all network flow activity.

Leveraging this total visibility across systems, security devices, and the network, QRadar then applies industry-leading event correlation, including behavior analysis, and intelligent application of context—network architecture, system profiles, identity information, and third-party security intelligence sources—to event data.
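The correlation-with-context idea described above (raw events enriched with system profiles, identity information and a third-party intelligence list, then run through a behavior rule and scored per asset) as an added Python example; this is not Q1 Labs or QRadar code, and the events, asset table, identities and intelligence list are constructed sample data.

```python
"""Event correlation with context enrichment (added example, not QRadar code).
Constructed sample data stand in for the sources the text names: raw events,
system profiles (ASSETS), identity information (IDENTITIES), third-party intel."""
from collections import defaultdict

# Constructed login events: (time_s, src_ip, dst_ip, user, result)
EVENTS = [
    (100, "10.0.5.7", "10.0.1.20", "jdoe", "fail"),
    (130, "10.0.5.7", "10.0.1.20", "jdoe", "fail"),
    (160, "10.0.5.7", "10.0.1.20", "jdoe", "fail"),
    (190, "10.0.5.7", "10.0.1.20", "jdoe", "success"),
    (200, "203.0.113.9", "10.0.2.30", "admin", "fail"),
    (210, "203.0.113.9", "10.0.2.30", "admin", "fail"),
    (220, "203.0.113.9", "10.0.2.30", "admin", "fail"),
    (240, "203.0.113.9", "10.0.2.30", "admin", "success"),
    (300, "10.0.5.8", "10.0.1.20", "bob", "fail"),      # only two failures: below threshold
    (320, "10.0.5.8", "10.0.1.20", "bob", "fail"),
    (340, "10.0.5.8", "10.0.1.20", "bob", "success"),
    (400, "10.0.5.9", "10.0.3.40", "alice", "fail"),    # success far outside the window
    (410, "10.0.5.9", "10.0.3.40", "alice", "fail"),
    (420, "10.0.5.9", "10.0.3.40", "alice", "fail"),
    (900, "10.0.5.9", "10.0.3.40", "alice", "success"),
]
# Context (constructed): system profiles / network zones, identities, intel feed
ASSETS = {
    "10.0.1.20": {"name": "payroll-db", "zone": "internal", "criticality": 5},
    "10.0.2.30": {"name": "vpn-gw", "zone": "dmz", "criticality": 3},
    "10.0.3.40": {"name": "intranet-wiki", "zone": "internal", "criticality": 2},
}
IDENTITIES = {"jdoe": {"privileged": False}, "admin": {"privileged": True},
              "bob": {"privileged": False}, "alice": {"privileged": False}}
INTEL_BAD_IPS = {"203.0.113.9"}  # constructed third-party intelligence list

def enrich(ev):  # attach asset, identity and intel context to one raw event
    t, src, dst, user, result = ev
    return {"time": t, "src": src, "dst": dst, "user": user, "result": result,
            "asset": ASSETS.get(dst, {"name": "unknown", "criticality": 1}),
            "identity": IDENTITIES.get(user, {"privileged": False}),
            "intel_hit": src in INTEL_BAD_IPS}

def failed_then_success(events, threshold=3, window=300):
    """Behavior rule: >= threshold failures from one (src, dst, user) within
    `window` seconds, followed by a successful login for the same triple."""
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_key[(e["src"], e["dst"], e["user"])].append(e)
    offenses = []
    for seq in by_key.values():
        fails = []
        for e in seq:
            fails = [t for t in fails if e["time"] - t <= window]  # slide the window
            if e["result"] == "fail":
                fails.append(e["time"])
            elif e["result"] == "success" and len(fails) >= threshold:
                offenses.append(dict(e, fail_count=len(fails)))
                fails = []
    return offenses

def score(off):  # measurability: weight by asset criticality, privilege, intel hit
    return 2 * off["asset"]["criticality"] + 3 * off["identity"]["privileged"] + 4 * off["intel_hit"]

def run(raw=EVENTS):  # enrich, correlate and rank: highest-risk offense first
    offs = [dict(o, score=score(o)) for o in failed_then_success(map(enrich, raw))]
    return sorted(offs, key=lambda o: o["score"], reverse=True)
```

Calling `run()` on the constructed data yields two offenses, with the intel-flagged privileged login against the VPN gateway ranked above the brute-force against the payroll database, while the two negative cases (too few failures, success outside the window) produce nothing.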


Thursday, 18 February 2010 14:03

March Madness in the Age of Cyber-Warfare

On January 29, 2010, the U.S. Navy announced the commissioning of the U.S. Fleet Cyber Command (FCC) and recommissioned the U.S. 10th Fleet. Headquartered at Fort Meade, MD, the FCC is responsible for the Navy’s global cyberspace operations. The Navy’s new cyber-warfare unit comes on the heels of the June 25, 2009, announcement of USCYBERCOM, a centralized cyber-warfare office headed by the director of the National Security Agency. The DOD spends roughly $30 billion a year on information technology across roughly 15,000 networks, which include seven million computers, laptops, servers, and devices.

“This is not an emerging threat; this is not some future contingency. The cyber threat is here today. It’s here now,” said Deputy Secretary of Defense William J. Lynn, III, in a speech given November 12, 2009, at the Defense Information Technology Acquisition Summit. “There are more than 100 intelligence organizations trying to hack into U.S. systems even today. Foreign governments are developing offensive cyber capabilities. Russia and China already have the capacity to disrupt elements of U.S. information infrastructure. And the cyber threat does not end with states. Organized criminal groups and individual hackers are building global networks of compromised computers, botnets, and zombies, and renting them to the highest bidder, in essence becoming 21st century cyber mercenaries. And terrorist groups are active on thousands of websites. Al Qaeda and others have expressed a desire to unleash coordinated cyber attacks on the United States….so our defense networks are already under attack. They are probed thousands of times each day; they are scanned millions of times each day, and the frequency and the sophistication of those attacks are increasing exponentially.”

The move to centralize and expand the military’s effort to protect the nation’s critical IT infrastructure is in response to the growing threats and the potential devastation a widespread, coordinated cyber attack would inflict. The lingering question is: Is the nation – both private and public entities – prepared in the event of a cyber war?

Not according to high-level current and former government officials who participated in the “Cyber ShockWave” event hosted by the Bipartisan Policy Center on February 16, 2010. In this simulated attack, a virus attached itself to a “March Madness” basketball phone application and replicated through smart phone contact lists until it brought down cellular service for most U.S. subscribers. At the same time, widespread outages took out power in the eastern U.S., causing massive disruption and economic loss – yet there was very little anyone could do. They could not even identify the attacker.

At the macro level there remain significant issues in defending each and every network on a nationwide basis. However, next-generation network security solutions exist today and are helping to protect organizations like the Naval Air Systems Command and U.S. Joint Chiefs Command. Next-generation network security solutions, including SIEM and Log Management, will continue to be in high demand as new initiatives, like the Navy’s FCC and USCYBERCOM, along with legislation pending in the Congress, require public and private organizations to enhance their security profile.

There are several key aspects that next-generation network security solutions offer over legacy, last-generation systems including:

  • Time/cost to implement. Next-generation systems are designed to be up and running in hours or days, not weeks or months. Cost to implement can also be a factor, as evidenced when several federal customers recently came to Q1 Labs looking to replace their last-generation systems after failed implementations and professional services cost overruns made continuing the project with the last-generation system cost-prohibitive.
  • Iterative & intelligent solutions. Network security solutions built on last-generation architecture can’t keep pace with the rapidly evolving techniques used by the hackers of today, let alone the hackers of tomorrow. Solutions that have an architecture that enables rapid iteration allow network security teams to always have the latest technology without tearing down and rebuilding infrastructure.
  • Scalability. From our own experience at Q1 Labs – where we implemented the world’s largest SIEM deployment – being able to scale is critical. As in the DOD’s case (mentioned above), with 15,000 networks to protect, implementation will need to occur over time. Only true next-generation systems can offer the scalability to protect an entire network while delivering key intelligence through a single interface – no matter the size.

Friday, 5 February 2010 13:07

House Passes Cybersecurity Bill

On Thursday, February 4, 2010, the House passed H.R. 4061, the Cybersecurity Enhancement Act of 2009, by a vote of 422 to 5. This vote follows Director of National Intelligence Dennis Blair’s recent testimony that the United States is at risk of a “crippling cyber attack,” the recent Google attack sourced from China, and the January 28, 2010, hack of the web sites of 50 members of the House.

This legislation, as well as S.773, the Senate’s more comprehensive version of the bill, would dramatically increase the government’s investment in cybersecurity beyond the roughly $6 billion it spends today and would require the National Institute of Standards and Technology to deliver a plan describing a cybersecurity awareness and education program, as well as a comprehensive plan to participate in international cybersecurity technical standards development. The details of the respective House and Senate bills show the direction the legislative climate is heading, including:

  • Enhanced standardization and reporting
  • Education funding and research grants
  • A national licensing, certification, and periodic recertification program for cybersecurity professionals
  • Mandatory licensing for anyone providing cybersecurity services to any federal agency or to an information system or network designated as a critical infrastructure information system or network
  • Broader cybersecurity implementation through state and regional cybersecurity enhancement programs that are aimed at transferring cybersecurity standards and practices to small- and medium-sized companies
  • A real-time cybersecurity dashboard that will provide dynamic, comprehensive, real-time cybersecurity status and vulnerability information for the whole federal government, beginning with the Department of Commerce
  • A Secure Products and Services Acquisitions Board that will be responsible for cybersecurity review and approval of high-value products and services acquisitions and will contribute to the establishment of appropriate standards for the validation of software acquired by the federal government

While the details of these bills still need to be hammered out, it is clear that the federal government wants to get serious about cybersecurity and is willing to fund it. In the 2011 budget request, $866 million has been requested to protect networks and data, and the legislation will be making its way through Congress this year. The cost of this legislation is significant, but the alternative – like a successful attack on an electric grid – would be even more costly.

“If I were an attacker and I wanted to do strategic damage to the United States, I would either take the cold of winter or the heat of summer, I probably would sack electric power on the U.S. East Coast, maybe the West Coast, and attempt to cause a cascading effect. All of those things are in the art of the possible from a sophisticated attacker.” – Retired Admiral Mike McConnell, former Chief of National Intelligence, quote from CBS News