Posts Tagged ‘Federal’
Posted by Heather Howland in Federal, Security Intelligence, Webinars
Government agencies, like their private sector brethren, are knee deep in IT security challenges, threats, and regulations. While that’s not much of a shock, this might be: according to the Government Accountability Office, the number of reported security incidents increased by over 650 percent during fiscal years 2006–2010. At the same time, government agencies have widespread deficiencies in security controls, leading to vulnerabilities, undetected breaches, and insider fraud.
To help meet these challenges, the federal government is implementing a risk-based IT security strategy based on deploying enterprise continuous monitoring solutions. These solutions will continually assess the actual security state of agencies’ IT networks and systems, while providing scoring information that managers can use to prioritize actions needed to reduce risk and improve their security grades. Continuous monitoring will enable agencies to determine their own security health and compare it to other agencies. Scoring will also allow the different lines of business within an agency to more effectively work together, while enabling agencies to gain the same operating efficiencies from IT investments that Fortune 500 companies have realized.
Recently, along with our friends at 1105 Media and partner Accuvant, we discussed the importance of continuous monitoring and related steps agencies should take while approaching it. Security intelligence plays a critical role in achieving continuous monitoring because of its ability to centralize information into a single console from various data sources.
Most importantly, we talked about how many government agencies are successfully consolidating previously disparate functions — including SIEM, risk management, log management, and network behavior analytics — into a total security intelligence solution that fits the constrained budgets and resources of government agencies. The QRadar Security Intelligence Platform enables our customers to leverage existing assets, stabilize budgets, and easily comply with new mandates while maintaining a proactive stance on risk management and security.
If you missed the webinar, or just want to revisit it, watch the whole thing HERE. For a deeper look at how security intelligence helps federal agencies adopt a continuous monitoring security program without requiring additional resources, download this white paper.
Posted by Chris Poulin in Compliance, Federal, Security Intelligence, SIEM
Last week I participated in a panel on Continuous Monitoring at FOSE. Joining me were Mark Crouter from MITRE as the moderator, John “Rick” Walsh, chief of technology and business processes in the Cybersecurity Directorate of the Army’s Office of the CIO, and Angela Orebaugh, Fellow and Senior Associate at Booz Allen Hamilton. Auspicious company indeed.
For those not tuned into the federal government’s cybersecurity initiatives, the concept of continuous monitoring evolved from the previous approach in FISMA (the Federal Information Security Management Act), which mandated annual reviews of federal agencies’ security programs. After a few years of implementation it was widely recognized that the reviews generated rooms full of paper that was obsolete as soon as it was printed, and didn’t elevate information security plan effectiveness to an acceptable level. Between 2006 and 2010, the number of security incidents rose by over 650%. The resulting strategy is embodied in FISMA 2012 (2.0), which is aimed at continuous monitoring of security controls, determining gaps between current and accepted security baselines, and quantifying risk.
Rick has been facing the challenges of implementing continuous monitoring within the government, and his experience has been that the different business processes, missions, and systems create obstacles, but once overcome, the solution yields financial and process efficiencies, and improved security. One of the biggest challenges is enumerating the assets, but once that is done it is sure to reveal duplication of systems and opportunities to consolidate systems and software licensing.
Angela framed the conversation in her intro, which was appropriate since she co-authored NIST Special Publication 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. She has also been involved with the Security Content Automation Protocol (SCAP, pronounced ess-cap) project, which provides a set of standards for describing vulnerabilities (CVE, Common Vulnerabilities and Exposures), systems (CPE, Common Platform Enumeration), and configuration standards (CCE, Common Configuration Enumeration), as well as a scoring system (CVSS), a test definition language (XCCDF), and a vulnerability definition language (OVAL). Angela advocated use of SCAP as a foundation for continuous monitoring.
Questions from the audience mainly focused on how to implement continuous monitoring, including getting buy-in from senior management and budgeting. The key is to show short-term results that are meaningful to business stakeholders. While continuous monitoring is in the process of being mandated, the danger is treating it as a checklist and doing the bare minimum to comply; when done right, continuous monitoring can be the cornerstone of real security improvements: interrupting the kill chain through early attack detection, providing total visibility that extends to troubleshooting operational problems, and giving management a security dashboard with both technical and business gauges. The State Department was one of the first successful adopters of continuous monitoring and was able not only to reduce its high-risk vulnerabilities by 90%, but also to slash the cost of certification and accreditation by 62%.
One of the more amorphous questions was how continuous is continuous? Does data need to be analyzed in real-time or near real-time? Does this apply to all systems? The answer is that it depends on each individual agency’s goals and the telemetry that can be collected from the systems. Organizations don’t want to have to retool systems to provide events as they occur, unless the systems are critical enough to warrant that cost and effort and there is no other way to gain the needed visibility. The panel all agreed that some systems only need to report into a central monitoring solution on an occasional basis (vulnerability scanners, for example), while network monitoring should report in near real-time, which means in one-minute intervals for most systems that create NetFlow records. Ultimately, there is no one-size-fits-all answer.
My overall impression from the panel is that continuous monitoring to the federal sector is what we call Security Intelligence in private industry, and both need to be defined and implemented per the enterprise or agency’s specific needs. The primary difference is that continuous monitoring is focused on metrics: quantifying the delta between expected state of assets and the measured states and classifying these differences as vulnerabilities. The scorecard approach provides a common baseline for different organizations to compare themselves against each other, and for management to better understand their organizational security posture at any given moment in time and compare it against past performance.
I was asked at the GTRA conference how the public and private sectors differ. My view is that the government does more up-front analysis and planning, while the private sector sees a need and builds a solution. Between well-considered frameworks, like FISMA 2.0, and tools like QRadar and OpenPages, the federal government and industry have an opportunity to collaborate on a complete Security Intelligence solution incorporating continuous monitoring and meaningful security scorecards and dashboards.
Click here to learn how Security Intelligence can help Federal organizations address continuous monitoring requirements. Find out how QRadar Risk Manager addresses the need for configuration auditing, and assessing the risk of configuration changes, across multi-vendor network environments (switches, routers, firewalls and IDS/IPS).
Posted by Phil Neray in Cybersecurity, Federal, Security Intelligence, SIEM
According to a recent report in the Wall Street Journal, a group of hackers in China broke into the U.S. Chamber of Commerce’s network around November 2009 and were not discovered until more than a year later.
The hackers likely used a spearphishing attack to install spyware on end-user machines. The spyware was used to steal employee administrative credentials, which were then used to install about a half dozen back doors which communicated with computers in China every week or two.
The hackers stole sensitive Chamber data such as trade-policy documents, meeting notes, trip reports and schedules, and emails containing the names of companies and individuals in contact with the Chamber. They even used their own search tools to locate documents containing keywords related to financial and budget information, and stole all emails from four targeted employees – who worked on Asia policy – for approximately six weeks during one portion of the attack.
And here’s an interesting twist — a thermostat at a Chamber town house on Capitol Hill was communicating with an Internet address in China, and a printer spontaneously started printing pages with Chinese characters.
The Chamber represents the interests of U.S. companies in Washington and its members include most of the nation’s largest corporations. As a result of this incident, the organization’s COO concluded that “It’s nearly impossible to keep people out. The best thing you can do is have something that tells you when they get in. It’s the new normal. I expect this to continue for the foreseeable future. I expect to be surprised again.”
So how can next-generation SIEM and Security Intelligence help?
First, we should acknowledge that even strict adherence to some compliance mandates, such as PCI-DSS and HIPAA/HITECH, won’t usually protect intellectual property (IP) such as strategic plans, product designs and proprietary algorithms. Of course, broader compliance frameworks such as ISO 27001/27002, and NIST 800-53 – as well as recent SEC guidance regarding cybersecurity risks and disclosure – will definitely help tighten controls and improve the overall security posture of your infrastructure by requiring centralized monitoring and other best practices, along with helping to address minimum “standards of due care” expectations of your board of directors, customers and shareholders.
Next-generation SIEM can certainly help in reducing the cost and effort of compliance – by centralizing and automating compliance reporting and efficiently addressing log retention requirements – but it also provides significant added value by helping to proactively detect attacks such as this one.
Second, the fact that the hackers were in the network for more than a year before being detected is not unusual. According to the 2011 Data Breach Investigations Report, more than 60% of breaches remain undiscovered for a period of months or longer (versus days or weeks). And according to Kim Peretti, former senior counsel at the U.S. Department of Justice, “Our most formidable challenge is getting companies to detect they have been compromised.”
Why? Because most organizations still rely on basic server and device logs that are widely dispersed across their infrastructures – combined with manual, after-the-fact log analysis – making it virtually impossible to notice the intruder alarms, because the information simply gets lost in the noise.
Continuous real-time monitoring of all network and system activity – combined with real-time event correlation and automated behavior profiling – can help by rapidly identifying anomalous or out-of-policy events such as:
- A server (or thermostat) communicating with an IP address in China.
- An unusual Windows service starting up, such as a backdoor or spyware program.
- A spike in network traffic and/or data server activity, such as a high volume of downloads from a SharePoint server during off-hours.
- A high number of failed logins to critical servers, which can indicate a brute-force password attack.
- A configuration change, such as an unauthorized port being enabled.
- An inappropriate use of protocols and applications, such as sensitive data being exfiltrated via P2P or social media applications; in this case, detection requires application-aware (Layer 7) monitoring with flow analysis and deep examination of packet content.
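To make the correlation idea concrete, here is an added toy example (not QRadar code and not from the original post) that runs four of the rules above over constructed, normalised events: a failed-logon threshold per host within a sliding window, a service start that is not in the host’s known-service baseline, a bulk download during off-hours, and an outbound flow to a country the asset has no business with. All hosts, users, IP addresses and the IP-to-country table are assumptions made up for the example.

```python
"""Toy correlation rules for the anomaly list above (added example, not QRadar code).
Hosts, users, IPs and the IP-to-country table are all constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)  # failed logons per host per window
OFF_HOURS = range(0, 6)                                 # 00:00-05:59 local time
BULK_MB = 500                                           # off-hours download volume that counts as a spike
BASELINE_SERVICES = {"ws-17": {"Spooler", "wuauserv", "W32Time"}}  # known services per host (constructed)
GEO = {"203.0.113.7": "XX", "198.51.100.2": "US"}      # constructed IP -> country lookup
EXPECTED_COUNTRIES = {"US"}                             # countries these assets normally talk to

def correlate(events):
    """Return (rule, host, detail) tuples for every event that fires a rule."""
    offenses = []
    fails = defaultdict(deque)              # host -> timestamps of recent failed logons
    for e in sorted(events, key=lambda x: x["ts"]):
        ts, kind, host = datetime.fromisoformat(e["ts"]), e["type"], e["host"]
        if kind == "logon_fail":
            q = fails[host]
            q.append(ts)
            while ts - q[0] > FAIL_WINDOW:  # drop logons that fell out of the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:    # fire once, when the threshold is first reached
                offenses.append(("brute_force", host, e["user"]))
        elif kind == "service_start" and e["service"] not in BASELINE_SERVICES.get(host, set()):
            offenses.append(("unknown_service", host, e["service"]))
        elif kind == "download" and ts.hour in OFF_HOURS and e["mb"] >= BULK_MB:
            offenses.append(("offhours_bulk_download", host, e["user"]))
        elif kind == "flow" and GEO.get(e["dst"], "??") not in EXPECTED_COUNTRIES:
            offenses.append(("unexpected_geo", host, e["dst"]))
    return offenses

# Constructed sample: six failed logons in five minutes on a file server, an unlisted
# service on a workstation, one off-hours and one business-hours 2 GB SharePoint pull,
# and a thermostat and a web server each talking to an outside IP.
SAMPLE = [{"ts": f"2011-11-14T02:1{i}:00", "type": "logon_fail", "host": "fs01", "user": "admin"}
          for i in range(6)] + [
    {"ts": "2011-11-14T02:20:00", "type": "service_start", "host": "ws-17", "service": "unlisted-svc"},
    {"ts": "2011-11-14T03:05:00", "type": "download", "host": "sp01", "user": "jdoe", "mb": 2048},
    {"ts": "2011-11-14T12:00:00", "type": "download", "host": "sp01", "user": "jdoe", "mb": 2048},
    {"ts": "2011-11-14T04:00:00", "type": "flow", "host": "thermostat-1", "dst": "203.0.113.7"},
    {"ts": "2011-11-14T04:01:00", "type": "flow", "host": "web01", "dst": "198.51.100.2"},
]

if __name__ == "__main__":
    for offense in correlate(SAMPLE):
        print(offense)
```

Only the thermostat’s flow fires the geo rule and only the 03:05 pull fires the download rule, which is the point of the thresholds and baselines: the same raw events that would be noise in a pile of dispersed logs become four discrete offenses when correlated in one place.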
More information on how organizations can leverage a unified architecture to reduce risk with continuous, real-time monitoring, can be found in this white paper, “Countering Advanced Threats.”

Graphic courtesy of the Wall Street Journal (December 21, 2011).
Posted by Melissa Stevens in Cybersecurity, Federal, In the Industry, Q1 Labs
Everyone likes recognition, especially when it comes directly from senior IT executives from across the federal government.
Yesterday it was announced that the Government Technology Research Alliance (GTRA) has named Q1 Labs the “Best Info Security Solution.” This special recognition is notable as it was the senior IT executives, deputy directors, CIOs and CTOs of major government agencies in attendance at their semi-annual council meeting that voted. These executives are tasked with improving their cyber security posture and better managing costs to do so.
This award also makes us eligible for another honor, the GovTek Award. Winners of this award will be announced on February 2, 2012, and will be selected by members of the government IT community.
Why were we chosen for this honor? GTRA explains, “Q1 Labs won the ‘Best Info Security Solution’ award for their collaboration with government in their boardroom, ‘Security Intelligence for Government Agencies,’ discussing cost-effective solutions using existing platforms in addition to integrating new applications allowing the visibility of potential vulnerabilities.”
Read more details in the GTRA announcement. Click here to learn about other ways Q1 Labs is working with government agencies to defend their infrastructure against theft, breach and vulnerabilities.
Posted by Melissa Stevens in Cybersecurity, Federal, Security Intelligence, Threat Management
In a post published earlier this week, I invited you to read the latest article written by Chris Poulin for SecurityWeek. In this article, Chris presented his belief that full breach disclosure and better collaboration among security professionals is key to thwarting today’s cyber threats.
In line with this belief, proposed breach legislation is also attempting to make disclosure and collaboration a center point of the nation’s cyber security strategy. According to an article on CNN’s Security Clearance blog, such legislation would “enable the intelligence community to share classified information with the private sector while at the same time addressing the concerns private companies have with providing information about attacks on their systems to the government.”
This addresses weaknesses outlined in an INSA study published this past summer, in which the authors suggested both private industry and public agencies have a responsibility to defend the country against cyber attack. In this proposed law, not only would businesses be required to share information about attacks with the government, the government would also share intelligence with security-cleared organizations. This would open up communication channels in the cyber-intelligence community immensely, creating the type of collaborative environment Poulin describes in his article.
What do you think? Can collaboration between the federal government and private industry help defend the country from a major cyber attack? Does it seem too idealistic to imagine that these sectors can work together? Share your thoughts below!
