Agencies struggle with continuous monitoring mandate

Friday - 12/23/2011, 5:09am EST

Jason Miller, executive editor, Federal News Radio

Download mp3

Federal cybersecurity managers are unprepared and struggling to implement continuous monitoring.

A recent survey of more than 200 federal cyber managers found only 27 percent are currently putting the capabilities in place to analyze their computer networks in real time.

The Office of Management and Budget set a Sept. 30, 2012 deadline for agencies to have these functionalities in place. Agencies also must put all their data in the CyberScope tool run by the Homeland Security Department. OMB set a Nov. 15 deadline to start to use CyberScope.

"We found only a minority say they expect to be ready in time," said Mike Lloyd, chief technology officer of RedSeal Networks, which conducted the survey at the GFirst conference in Nashville, Tenn. "We found organizations are not entirely clear what exactly they will do, but they are aware it's a good thing. People are having great difficulty figuring out how to meet the [requirements]."

Lloyd said the biggest problem is agencies are unsure how they will meet the continuous monitoring mandate. Federal managers say they will use one or a combination of several tools, including intrusion detection and protection systems, security event and information management software, network security device configuration audit tools and/or vulnerability assessment software.

RedSeal found 15 percent of the respondents didn't know what they would use.

Mike Lloyd, CTO, RedSeal Networks (RedSeal)

"People are aware of the objectives, but when you map it down to practical technical concerns, people don't even agree on which technologies they will do the continuous monitoring in," he said. "There doesn't seem to be agreement that what we need to do is get, what those with a military background would call, situational awareness. We understand we need the situational awareness, but it is not a well settled question how to do that. These environments are extremely complex."

It's all about the data

Lloyd said agencies need to understand how to take all the data about their network and analyze it as part of the continuous monitoring process.

John Casciano, a consultant for RedSeal and owner of GrayStar Associates, said one of the problems is there is no agreed upon definition of what continuous monitoring is.

"Some people think it's watching packets as they transit the enterprise in real time," said Casciano, a retired Air Force major general. "Others believe, and I think this is where the NIST guidance comes down, continuous monitoring is something you do of the whole IT enterprise, but you do it in essence offline so you identify where your holes are, where you greatest vulnerabilities and risks are. I think that is one of the problems."

He said another problem is training employees to understand how continuous monitoring works.

Casciano said many agencies still are tracking down work tickets mode where they go after vulnerabilities or problems as they find them. He added many are not looking at their enterprise as a whole to figure out where their biggest risks exist and prioritizing them from a management standpoint.

Lloyd compared agencies' current approach to continuous monitoring to having a fire alarm instead of fire prevention. He said fire alarms are necessary, but agencies need to do more to prevent fires from occurring in the first place.

"The point of these mandates is to reduce the total number of fires, not get really good at detecting them," he said. "

Automation is key to meeting the edict

The survey found 45 percent said they would have continuous monitoring in place by September, while 40 percent said they would. Fifteen percent were unsure if they would or not.

RedSeal also learned the more senior a manager was the less confident he was that his agency could meet the deadline. Only 28 percent of the chief information officers or chief information security officers had confidence, while more than 50 percent of the network security or security manager or auditor felt the mandate was achievable.

"The magnitude of the task really requires some kind of automation" Casciano said. "If you have over 100 or 1,000 devices on your enterprise, there is no way you can manually do that and do it in a continuous way. You've got to have some kind of automated tools, of which there are several out there, that take a snapshot of your enterprise and identify where you're deviating from policy, where you're deviating from known threats and known vulnerabilities. It gives you the management data to make decisions for how to apply resources. Otherwise, it's kind of like flying blind."

Lloyd added attackers are using automated tools for discovering weaknesses in network defenses. To defend against them, automation puts the agency on near-equal footing.

All of this comes back to the need for better data integration to help agencies identify major risks.

"All these organizations have mountains of facts. We're not short of facts," Lloyd said. "We are short of the ability to turn a mountain of facts into information."

Casciano said agencies can use the software tools to make sure firewalls, intrusion detection, intrusion prevention and other network hardware are properly configured.

"All the requirements coming out of OMB, they are trying to set the bar high enough so you couldn't possibly do it as a human, sitting down and reading all the firewalls every day, or checking the intrusion detection system every day or going through the vulnerability and asset scans every day. The mountains of data are too big and move too fast," Lloyd said. "The people who are setting the regulations know that and what they are trying to do is set the regulations to a level where you will have to use automation to meet these objectives. These security defenses are just too complicated."

This story is part of Federal News Radio's daily Cybersecurity Update. For more cybersecurity news, click here.

RELATED STORIES:

EXCLUSIVE: OMB uses budget to set cyber deadlines

Agencies figuring out how to take network vitals

Agencies must use Cyberscope tool for FISMA reports