Posts Tagged ‘government’
The CIA has The Farm, a secret facility somewhere in Virginia, where it trains agents in wiretapping, interrogation, and handling human “assets”. Similarly, the GTRA (Government Technology Research Alliance) convenes in remote Bedford Springs, Pennsylvania, roughly halfway between DC and Pittsburgh, in a hotel that looks like The Overlook from The Shining. Instead of how to poison an enemy operative, though, the federal delegates discuss cyber-security and collaboration between the government and industry.
I spent Sunday through Tuesday a couple of weeks ago exchanging ideas with the best and brightest in the public sector at roundtable meetings, on a panel entitled “How to Drive Efficiency and Improve Security”, and mingling in between sessions and at the Havana Nights after-hours soiree. Top of mind concerns echo those in the private sector, including secure mobile device and cloud strategies, and doing more with less. Federal agencies are also concerned with Continuous Monitoring, an initiative I’ve written about in the past here. While the private sector doesn’t have to comply with a government regulation mandating yet another set of security controls, the end of the government’s fiscal year is fast approaching, so compliance deadlines are looming and security managers are looking for answers on how to meet them.
According to NIST SP 800-137, “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.” This is close to the definition of Security Intelligence, which provides actionable and comprehensive insight for managing risks and threats, from protection and detection through remediation. Core to continuous monitoring is centralized event management, situational awareness—aka, context—and analytics, to reduce the onslaught of data to a discrete, manageable set of actionable items.
Many of the GTRA delegates are trying to reconcile the ambiguity in the continuous monitoring guidance and the confusing array of solutions offered by the security technology industry. Within SP 800-137, the terms “continuous” and “ongoing” are not prescriptive; instead, they are defined to “mean that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions to adequately protect organization information. Data collection, no matter how frequent, is performed at discrete intervals.” Once organizations come to grips with what the terms mean to them, what needs to be monitored? Just logs from security technology like firewalls and IPSes? How about network activity? And where do they get data about external threats to add situational awareness?
The advice that I give is that it all starts with a strategy. Don’t create your security posture around the 800-137 controls; map them to your mission objectives and the security initiatives that support them. A strong security posture will often end up with total coverage and incremental security goals. With this roadmap in hand, you can start planning and organizing activities, and get started. Remember, an effective security program is constantly evolving, so the end state is not final; you don’t have to get it perfect the first go-round. And if you don’t take the first step, it’s guaranteed that you won’t succeed in complying with the Continuous Monitoring mandate.
The same is true in the private sector, whether you’re subject to government regulations like SOX or contractual obligations like PCI DSS. In many cases organizations are subject to multiple compliance mandates, and many of them have overlapping controls. Map them to each other and the union of all controls should map to organizational goals and security initiatives. As you meet the controls that intersect, you’ll quickly start to fulfill the obligations of many compliance mandates at the same time.
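One way to carry out the control mapping described above, as an added example (not code from the post or from Q1 Labs/IBM); the control IDs and initiatives are constructed placeholders, not the actual requirements of SOX, PCI DSS or SP 800-137:

```python
# Added illustration of the control-mapping advice; not code from the post
# or from Q1 Labs/IBM. Mandate names are real, but every control ID and
# initiative is a constructed placeholder, not text from SOX, PCI DSS or SP 800-137.
from collections import Counter, defaultdict

# Constructed: placeholder controls each mandate requires.
MANDATES = {
    "SOX": {"access-review", "change-control", "log-retention"},
    "PCI DSS": {"log-retention", "daily-log-review", "firewall-rules", "vuln-scan"},
    "SP 800-137": {"daily-log-review", "vuln-scan", "config-baseline", "metrics"},
}

# Constructed: the security initiative that satisfies each control.
# "metrics" is deliberately left unmapped to show how a gap surfaces.
CONTROL_TO_INITIATIVE = {
    "access-review": "identity governance",
    "change-control": "change management",
    "log-retention": "central log management",
    "daily-log-review": "central log management",
    "firewall-rules": "network segmentation",
    "vuln-scan": "vulnerability management",
    "config-baseline": "configuration management",
}


def crosswalk(mandates, control_to_initiative):
    """Map the union of all controls onto initiatives.

    Returns (initiatives, gaps): initiatives is {initiative: set of mandates it
    advances}; gaps is the set of required controls no initiative covers.
    """
    initiatives, gaps = defaultdict(set), set()
    for mandate, controls in mandates.items():
        for control in controls:
            initiative = control_to_initiative.get(control)
            if initiative is None:
                gaps.add(control)
            else:
                initiatives[initiative].add(mandate)
    return dict(initiatives), gaps


def prioritize(initiatives):
    """Initiatives ordered by how many mandates each advances, most first."""
    return sorted(initiatives, key=lambda name: (-len(initiatives[name]), name))


def shared_controls(mandates):
    """Controls required by more than one mandate: meet once, satisfy several."""
    counts = Counter(c for controls in mandates.values() for c in controls)
    return {c for c, n in counts.items() if n > 1}
```

Running `prioritize` over the crosswalk puts the initiative that advances the most mandates first, while `gaps` lists the controls that still need an owner.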
Even with a solid plan, government agencies are struggling with how to become or stay secure in an increasingly complex threat landscape with less budget and fewer resources. The panel was asked how private industry is helping to stretch federal budgets while at the same time improving security. My view, particularly after talking with security managers, CISOs, and CIOs in government agencies, is that the complexity of existing security solutions, comprising dozens of technologies from as many vendors, is both expensive to purchase and maintain, is not effective at stopping determined attackers, and obscures the path to compliance with continuous monitoring. The answer is to evaluate the existing profusion of security technology, eliminate ineffective products, and consolidate where possible. The key to making these decisions is to monitor and measure, and the solutions that provide that capability will also give visibility to agencies, allowing them to fulfill a large part of the obligation toward Continuous Monitoring.
Government decision makers recognize this and asked during the executive meetings whether SIEM can replace some of the existing security technology. There seems to be some confusion as to what SIEM is and what it can do, as many of the roundtable attendees were there to get an orientation on the capabilities of QRadar and Security Intelligence. Some agencies don’t have SIEM at all, some have basic log management solutions, and others have first generation SIEMs that simply have not lived up to the promises made at purchase. The results were positive, the proof being that Q1 Labs/IBM was nominated for the “Best Continuous Monitoring Round Table” award. It’s gratifying to be validated by the members of GTRA, some of the most strategic and advanced leaders in federal government.
In the final analysis, the agreement about how the public and private sectors can collaborate to improve efficiency and security is to let the government work on integrating agencies and let industry work on integrating technology. Because there is a wide range of requirements in both the private and public sectors, the solutions must be flexible enough to adapt to diverse processes. Q1 Labs has been in the business of continuous monitoring for almost a decade–long before the government initiative. And now, with the entire IBM Security Systems portfolio, we have the most comprehensive security offering, integrated to reduce the total cost of ownership.
We look forward to our continued relationship with GTRA and evolving our security solutions to meet the needs of both the private and public sector, combining the research and development resources of IBM and the feedback of the entire GTRA Council.
Government agencies, like their private sector brethren, are knee deep in IT security challenges, threats, and regulations. While that’s not much of a shock, this might be – according to the Government Accountability Office, the number of reported security incidents increased by over 650 percent during fiscal years 2006–2010. At the same time, government agencies have widespread deficiencies in security controls, leading to vulnerabilities, undetected breaches, and insider fraud.
To help meet these challenges, the federal government is implementing a risk-based IT security strategy based on deploying enterprise continuous monitoring solutions. These solutions will continually assess the actual security state of agencies’ IT networks and systems, while providing scoring information that managers can use to prioritize actions needed to reduce risk and improve their security grades. Continuous monitoring will enable agencies to determine their own security health and compare it to other agencies. Scoring will also allow the different lines of business within an agency to more effectively work together, while enabling agencies to gain the same operating efficiencies from IT investments that Fortune 500 companies have realized.
Recently, along with our friends at 1105 Media and partner Accuvant, we discussed the importance of continuous monitoring and related steps agencies should take while approaching it. Security intelligence plays a critical role in achieving continuous monitoring because of its ability to centralize information into a single console from various data sources.
Most importantly, we talked about how many government agencies are successfully consolidating previously disparate functions — including SIEM, risk management, log management, and network behavior analytics — into a total security intelligence solution that fits the constrained budgets and resources of government agencies. The QRadar Security Intelligence Platform enables our customers to leverage existing assets, stabilize budgets, and easily comply with new mandates while maintaining a proactive stance on risk management and security.
If you missed the webinar, or just want to revisit it, watch the whole thing HERE. For a deeper look at how security intelligence helps federal agencies adopt a continuous monitoring security program without requiring additional resources, download this white paper.
In a post published earlier this week, I invited you to read the latest article written by Chris Poulin for SecurityWeek. In this article, Chris presented his belief that full breach disclosure and better collaboration among security professionals is key to thwarting today’s cyber threats.
In line with this belief, proposed breach legislation is also attempting to make disclosure and collaboration a center point of the nation’s cyber security strategy. According to an article on CNN’s Security Clearance blog, such legislation would “enable the intelligence community to share classified information with the private sector while at the same time addressing the concerns private companies have with providing information about attacks on their systems to the government.”
This addresses weaknesses outlined in an INSA study published this past summer, in which the authors suggested both private industry and public agencies have a responsibility to defend the country against cyber attack. In this proposed law, not only would businesses be required to share information about attacks with the government, the government would also share intelligence with security-cleared organizations. This would open up communication channels in the cyber-intelligence community immensely, creating the type of collaborative environment Poulin describes in his article.
What do you think? Can collaboration between the federal government and private industry help defend the country from a major cyber attack? Does it seem too idealistic to imagine that these sectors can work together? Share your thoughts below!
Posted by Heather Howland in Security Intelligence
During the Gulf War, the distance weapon of choice was the surface-to-air Patriot missile. It was the missile the US and its allies used to intercept Iraqi SCUD missiles intended for civilian locations. All of the video on CNN featured the night vision shots, narrated by Wolf Blitzer, with missiles zipping across the horizon. Well, one of the manufacturers of those missiles, Mitsubishi Heavy Industries, was hacked. It’s reported that the attacks took place on August 11 and roughly 80 infected systems were discovered.
What information was stolen? How much? There are no confirmed reports yet. Fact is, most breaches go unreported. It’s quite impressive that Mitsubishi detected, measured (roughly), and reported on this breach so quickly. Many larger breaches take months (at least) to report – if reported at all. As I was reading through a few related articles, a quote from a Mitsubishi Heavy Industries spokesperson stood out:
“We’ve found out that some system information such as IP addresses have been leaked and that’s creepy enough … We can’t rule out small possibilities of further information leakage but so far crucial data about our products or technologies have been kept safe …”
So, what’s the silver bullet? There really isn’t one. It’s amazing how many clues even a basic log management solution can provide, such as firewall deny events, log source, source IP, geographic information, and depending on your solution in place, event magnitude. Of course, a complete security intelligence solution can provide the deepest insight by looking at the most sources and gathering the most intelligence for providing actionable insight and the ability to see every action taking place on your network.
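An added example of the clues a basic log management tool can surface from firewall deny events, as described above (not code from the post or from Q1 Labs/IBM); the log lines, GeoIP table and magnitude weights are constructed, using RFC 5737 documentation addresses and placeholder region labels:

```python
# Added example, not code from the post or from Q1 Labs/IBM: the clues a basic
# log manager pulls out of firewall deny events. The log lines, GeoIP table and
# magnitude weights are constructed (RFC 5737 addresses, placeholder regions).
import ipaddress
import re
from collections import defaultdict

# Constructed deny events in an iptables-style syslog format; the ACCEPT line is noise.
SAMPLE_LOG = """\
Sep 19 03:14:07 fw-edge-1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=22
Sep 19 03:14:08 fw-edge-1 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP DPT=23
Sep 19 03:14:10 fw-edge-2 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=198.51.100.12 PROTO=TCP DPT=445
Sep 19 03:15:02 fw-edge-1 kernel: DENY IN=eth0 SRC=192.0.2.7 DST=198.51.100.10 PROTO=TCP DPT=443
Sep 19 03:15:03 fw-edge-1 kernel: ACCEPT IN=eth0 SRC=192.0.2.8 DST=198.51.100.10 PROTO=TCP DPT=443
"""

# Constructed stand-in for a GeoIP lookup: network -> placeholder region label.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "Region X (foreign)",
    ipaddress.ip_network("192.0.2.0/24"): "Region H (home)",
}

DENY_RE = re.compile(
    r"^\S+ +\d+ \S+ (?P<host>\S+) \S+ DENY .*?SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)

def geolocate(ip):
    addr = ipaddress.ip_address(ip)
    for net, label in GEO_TABLE.items():
        if addr in net:
            return label
    return "unknown"

def summarize_denies(log_text):
    """Aggregate denies per source IP (count, ports, log source, geo) and rank by magnitude."""
    per_src = defaultdict(lambda: {"count": 0, "ports": set(), "sources": set()})
    for line in log_text.splitlines():
        m = DENY_RE.match(line)
        if not m:  # accepts and unparseable lines are skipped
            continue
        rec = per_src[m["src"]]
        rec["count"] += 1
        rec["ports"].add(int(m["dpt"]))
        rec["sources"].add(m["host"])
    summary = []
    for src, rec in per_src.items():
        geo = geolocate(src)
        # Constructed weights: volume, port spread and foreign origin each raise the magnitude.
        magnitude = rec["count"] + 2 * len(rec["ports"]) + (3 if "foreign" in geo else 0)
        summary.append({"src": src, "geo": geo, "count": rec["count"],
                        "ports": sorted(rec["ports"]),
                        "log_sources": sorted(rec["sources"]), "magnitude": magnitude})
    return sorted(summary, key=lambda r: -r["magnitude"])
```

On the constructed sample, the source probing several ports across two firewalls from the foreign range lands at the top of the list, which is the kind of clue the paragraph above is describing.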
This might give a breached organization just enough information to determine if the suspected attack came from a neighboring country … <cough> China <cough> or not.
Federal government agencies are no strangers to budget hassles. But with the cyber-security landscape becoming much more sophisticated and the volume of high profile breaches infiltrating the news on an almost daily basis, government agencies need to continually raise the bar on how they predict risk and protect their, and their partners’, data. And in many cases, they have to do it with the same resources as they have today, or fewer.
In a recent conversation with a director of security at one of our Defense customers, we asked what processes they undertook when implementing a continuous monitoring strategy. The key takeaway was that it came down to shifting priorities and internal education. Attacks are now more precisely targeted: attackers use detailed knowledge of what does and doesn’t work and of whom they are going after, and have recently been leveraging social engineering techniques and trickery. Protecting the organization’s ecosystem therefore takes more education, more intelligence, and the perspective that “security is a process, not a destination.”
Here are some observations from the conversation:
With security, it’s important to continue to improve as you go along: changing offense and shifting defense. This doesn’t come without challenges. Organizations need a certain amount of flexibility in order for people to do their jobs, and as mobility and work from home programs increase, it makes it trickier for the “security bar” not to get in the way, because risk shifts from being something that can be completely controlled to something that has to be more open and flexible. This is where education comes into play. Maintaining good relations with staff on different security issues and keeping them informed of issues and how attacks are successful is important, as they are often the first line of defense. As social engineering attacks become more prevalent, it becomes increasingly important to be diligent in educating staff and make them more aware of risks.
Continuous Monitoring is now the top priority for this federal organization. As a matter of fact, they started implementing it before the term Continuous Monitoring (we call it FISMA 2.0) was even born, back when FISMA was primarily focused on annual audits. They also needed to figure out how to get the most value out of what they already had from a technology, resource and budgetary perspective. With techniques by attackers continuously changing, they needed to implement continuous monitoring so that they could better understand what’s known, what they are looking for, and proactively close down things as problems and vulnerabilities come up. Managing risk is a key driver.
For this organization, when it came down to implementing Continuous Monitoring, it was all about tradeoffs and shifting priorities. Without additional budget for more resources, they needed to reposition staff to make continuous monitoring the new top priority and other things became lower priority. Like many organizations, they had a lot of individual devices that did their own things and provided their own data. The effort to bring the data all together for correlation was required to provide greater security intelligence and situational awareness.
Since they made Continuous Monitoring their top priority, they have found a number of situations where they were able to prevent some incidents and compromises from occurring. One of the challenges of course is that it’s not always easy to sell to management, because making it a priority comes at the expense of something else. So, it’s important to prove value and show a rapid ROI so that tradeoffs are understood. Helping management better understand the “behind the scenes” is important so they can see the real value by knowing what was prevented, protected, etc. Security Intelligence answers the four fundamental questions demanded by Continuous Monitoring:
1.) What are the internal and external threats now being faced?
2.) Are we properly configured to protect against these threats?
3.) What is happening right now?
4.) What was the impact?
Where does our defense customer see itself in 3-5 years? As stated earlier, security is a process and they hope to find the right balance. They want to increase the capabilities to better protect data and get to a stable configuration. The reality they understand is that security will continue to evolve and they hope that some of the legacy technologies and silos begin to evaporate. Their mission is to protect their organization’s data while the methods continuously evolve.
Learn more about developing a comprehensive security strategy, which includes continuous monitoring, in this on-demand webinar, “No One is Immune to Being Hacked: Strategies for Managing Advanced Threats.”