Marines driving toward more active approach to cyber

Friday - 5/30/2014, 1:35pm EDT

Jason Miller, Executive Editor, Federal News Radio


The Marine Corps is reducing the likelihood of a computer or laptop introducing a virus or malware to its network. The Marines are employing a new approach to cybersecurity that goes beyond continuous monitoring.

Ray Letteer, the chief of the cybersecurity division for the Marine Corps, said the comply-to-connect initiative is about removing many of the people challenges by automating software patching and updating the cyber processes in real time.

"A lot of people are using continuous monitoring, there are some tools and policies out there already. But we kind of thought continuous monitoring was admiring the problem. And I personally didn't want to admire the problem. I wanted something more active," Letteer said after a panel discussion at the AFCEA Washington, D.C., chapter's Cybersecurity Summit in Washington Wednesday. "So we set up this program to do a comply-to-connect construct, when you plug it in [to the network] , your box will get remediated based on the current requirements that DoD tells us."

Letteer said that to test out the comply-to-connect concept, the Marines bought a PC from a local retailer and plugged it into the network. He said within about 45 seconds the tools running the comply-to-connect initiative updated the new PC to meet the Marines' and the Defense Department's cybersecurity requirements.

He said the real value of the tool comes when a Marine brings back a laptop or device after spending a few days or weeks in the field.

"The problem has always been when you are on an enterprise network or on a garrison network, whenever you needed to do any patches or updates, it goes over and over, it does reboots and it takes time. In some cases, you go away for three or four hours and come back before it's done, or sometimes you have to leave it for the weekend to get done," Letteer said. "This approach we've been able to show it's doing it in minutes rather than hours and days. That's important when you come in and connect your system into the network, you want to make sure that it's being done in such a way that it's not going to unnecessarily impact what the user is trying to do."

Letteer said the comply-to-connect approach doesn't just update computers and laptops as they come onto the network, but also ensures that those running on the network continuously have all the right configuration settings and software patches; if not, the device is updated immediately.

Many cyber experts say patch management is one of the easiest things an organization can do to protect its systems and networks from vulnerabilities.

The SANS Institute listed patch management among its 20 critical cyber controls and labeled it a "quick win."

"Implement automated patching tools and processes for both applications and for operating system software," SANS wrote. "When outdated systems can no longer be patched, update to the latest version of application software. Remove outdated, older, and unused software from the system."

But many agencies do not take enough advantage of automated tools.

The Office of Management and Budget found in its most recent annual Federal Information Security Management Act (FISMA) report to Congress that only 81 percent of all agencies used automated vulnerability management systems that scan agency IT hardware for common vulnerabilities, such as software flaws or required patches, and facilitate remediation of those vulnerabilities to protect against intentional or unintentional misuse or malicious exploits.

Additionally, agency inspectors general found 15 departments still hadn't developed a mature patch management process despite the fact that 16.3 percent of all cybersecurity incidents reported to the Homeland Security Department's U.S. Computer Emergency Readiness Team (U.S. CERT) in fiscal 2013 by the largest agencies were related to malicious code attacks.

Letteer said the Marines have been working on this concept for more than two years, and that bad actors don't have to work too hard because so many agencies don't do the easy stuff such as patching. He said it's akin to leaving the door unlocked and letting burglars walk right into your house.

"We found people aren't really skilled in how to use the tools. They don't understand things like permissions, certificates and access to the systems. We found in some cases 99 percent of all the patches were never done," he said. "So how do I get beyond this part of workers who may not be skilled enough and I want to make sure that it's human proof. That's why we set up this process to say let's get these things done so we fix the simple issues."