Education bucks the cyber trend, brings capabilities in-house

Tuesday - 3/4/2014, 5:14am EST

Steve Grewal, CISO, Department of Education


The Education Department decided the outsourcing approach to cybersecurity is no longer working. So, it brought a host of enterprise capabilities back in-house — something that is rarely done in the government.

But after years of outsourcing its security operations center to another federal agency, Education determined the move to cloud computing and mobility required a different approach to network and data security.

Steve Grewal, the Education Department's chief information security officer, said the agency recently launched an internal security operations center (SOC) as part of a broader enterprise security capability.

"Given the evolution of cloud computing and given the cloud first policy by OMB, we've started to experience this, and it will continue over the next several years. We are moving to more of an outsourced model, we are moving to off-premise installations, and we are moving to a portfolio of service providers. While from a security operations perspective, these providers have the day-to-day operations responsibility, we are still accountable," he said. "So the concept of operations in working with these folks can vary. In some cases, we have full transparency. In some cases, it's process integration. And in some cases, it's management via service level agreements. But in terms of an independent validation and verification mechanism to ensure their operational practices are aligned with our policies, we are able to gain that visibility via that enterprise operational capability and the SOC being a key component of that."

Grewal said the initial operating capability of the SOC includes six functions:

  • Intrusion detection and prevention capabilities
  • Operating system and network device vulnerability scanning
  • Web application scanning
  • Incident handling
  • Initial capability for cyber forensics
  • Data collection and analysis

"We looked at the services that were being provided by the managed security service provider arrangement, but really the key tools in our toolbox from an operational capability SOC perspective that we felt without having these tools, these capabilities live, we would not be able to do this," he said. "It was more based on needs requirements from across the enterprise."

Grewal said Education brought the SOC in-house for several reasons. First, there was the potential for cost savings and efficiency gains. He said Education already is spending about 20 percent less on security operations services in the short time the SOC has been run by agency employees.

"Most of the efficiencies are a result of level of effort or on the people front," he said. "The tool costs and infrastructure costs are pretty black and white."

Controlling their own destiny

Second, there was the expectation of improved network and data security. Grewal said the SOC gives his staff greater visibility into the health of Education's network and the ability to respond more quickly to threats and attacks.

"We are now really able to control our own destiny," he said. "The ability to do verification and validation against service provider practices is a tremendous benefit."

Education needed more visibility into its service providers because it uses a contractor-owned, contractor-operated (CoCo) model for its network. Dell Federal Services runs the $400 million Educate contract after buying Perot Systems in 2009. Perot Systems won the 10-year deal in 2007.

Grewal said Education didn't have to spend a whole lot of money to set up the SOC. He said the agency already licensed many of the tools it needs for the center's capabilities. Most of the upfront costs for the SOC were for improving Education's infrastructure and hosting functions, he said.

"As we started engaging in discussing with our federal agency that was servicing us, most of the tools that were being utilized by the MSSP were licensed under the Department of Education. So as we disentangled and transitioned away, we were able to bring those tools with us," Grewal said.

Now that the SOC has reached its initial launch, Grewal is focused on full operational capability over the next two years.

"That really entails additional sensor placement, additional intrusion detection system and intrusion protection system sensors across other environments, as well as some of our Web services providers around the country," he said. "It also includes a more robust and enhanced forensics capability and finally analytics. Across the federal government, we do a good job with data collection, but the rubber really meets the road in terms of looking at the right data, being able to slice and dice and being able to react to it. The underlying analysis capability is a big component of the full operating capability, and we're looking forward to that."

Grewal said Education is doing market research on the various tools across the cybersecurity industry. He said there is no specific timetable for a potential acquisition, but the agency fully intends to invest in these advanced cyber capabilities.