Breaking the Chains

062910cisoSPOTLIGHTinsNG (Jul. 6) - The State Department's John Streufert, Government Executive's CISO of the Year, launched a continuous monitoring program and reduced his agency's cyber risk.

The first half of 2010 significantly changed the responsibilities of federal chief information security officers. Cyber threats continued to increase in number and sophistication. President Obama appointed the first cybersecurity coordinator. And CISOs were asked to approach threat monitoring and management in a whole new way.

For years agencies handled security on a long-term, big-picture basis, but in April the Office of Management and Budget outlined a new continuous monitoring strategy. Now security procedures require agencies to digitally screen their computer systems regularly and report their findings on a central website.

As cyber threats increase, the potential consequences for government organizations become more serious. At the State Department, the number of hacker attacks reported to its monitoring center rose 112 percent from fiscal 2008 to 2009, and the department expects those attempts to increase 300 percent in fiscal 2010. Some 80 percent of successful attacks target security vulnerabilities that already have been identified. When State began monitoring its computer systems regularly, it was able to decrease the number of risk points through which attackers could enter servers by 90 percent over 12 months.

Under the 2002 Federal Information Security Management Act, agencies must submit labor-intensive annual reports showing compliance with mandates for preventive measures such as security awareness training and systems testing. Critics say the exercise is costly and distracts from the real mission of securing networks. In addition, cyber threats change daily, even hourly, rendering annual reports obsolete almost instantly.

Now agencies will feed details about their inventory of systems and software, external connections, security training and user access profiles into one portal. The process will be "based on real-time information as opposed to a snapshot in time," says White House Cybersecurity Coordinator Howard Schmidt. The website, CyberScope, in its current form is a data collection tool for FISMA-related information. In the future, that data will be analyzed and weighted to score agency performance.

"We're at the moment where technology has changed enough where people need to think about security in a new way," says James Lewis, senior fellow and director of the technology and public policy program at the Center for Strategic and International Studies. "We are at the point where we can move from snapshot to flow." The transition away from paper-based monitoring will create situational awareness of existing threats and allow agencies to better manage security, he adds.

Nowhere to Hide

Many agencies already have the technical tools for continuous monitoring but lack clearly defined metrics, making it difficult to measure progress - or lack thereof - and hold their operating units accountable. When the State Department launched a real-time reporting process at embassies worldwide, it published security metrics for all personnel to see.

The key is to celebrate successes and highlight areas that are lagging, says Alan Paller, director of research at the SANS Institute. "In making my progress visible in an area, I can't hide."

Nuclear Regulatory Commission CISO Patrick D. Howard agrees it's helpful to see how various parts of the agency stack up against known standards, but only if they can address shortfalls. "If it's done well and opportunities are given to managers to weigh in on metrics, then the chance of success goes up," he says. "It's never effective when surprising them with the findings." Security monitoring depends largely on agencies' ability to measure and evaluate progress. The creation of dashboards and other data-collection tools must be combined with good metrics, which haven't always been developed.

"In the past we misused metrics, and our direction wasn't always well-focused on what the objectives were to improve security," says John Gilligan, president of consulting firm Gilligan Group Inc. and former CIO at the Air Force and Energy Department.

Since FISMA passed, agencies have relied on metrics that were easily measured but not highly correlated with performance, Gilligan says, adding that the focus was on completing documents rather than genuinely improving security.

The next big game-changer will be a "common set of measuring sticks for what is good security across government," says State Department CISO John Streufert. "We're only starting to decide what the whole government should do. What the State Department experience has shown is that if you create good metrics, good accountability can follow." OMB and the Homeland Security Department National Cyber Security Division's Federal Network Security Branch will be leading the charge to define metrics and create accountability. The White House budget office is contemplating a federal score card model similar to the one State uses, says Matt Coose, DHS' director of federal network security. OMB will have the authority to push agencies when needed and DHS will provide a picture of agencies' progress in deploying monitoring capabilities, he adds.

Legislation, White House directives and a greater emphasis on performance can push agencies to make progress, says Lewis of the Center for Strategic and International Studies, noting they "can't just say 'we'll do better next year.' "

'Best of Breed'

In addition to greater accountability, the tilt toward automated monitoring will require intense coordination both inside agencies and across government, observers say. One way to speed the process is to share tools and procedures as they are established so individual agencies don't have to reinvent the wheel.

"As threats grow more diverse and effective, it's better if the guy down the street has already solved the problem so that you don't have to figure it out on your own," says Dan Chenok, senior vice president for IT solutions company Pragmatics and former branch chief for information policy and technology at OMB. Agencies can work through the Chief Information Officers Council, the National Institutes of Standards and Technology, and the private sector to improve security, he adds.

DHS' Coose says his office is working to identify the "best of breed" organizations in managing assets, configuration and vulnerability, and aims to package and publish those solutions for use governmentwide. Programs at State, the Internal Revenue Service and the Justice Department top the list.

"For any of this to be successful, it's really about working with all the departments and agencies and leveraging the brilliance that is out there," he adds.

Another key challenge in overhauling threat reporting is getting employees to develop a new skill set and to overcome the cultural resistance at organizations that want to manage their own information technology infrastructure, simply because that is what they've always done.

"Being asked to do something new is very hard," says Paller. "And once you ask people to do something new, a large percentage of contractors don't have the technical skills to make the transition."

The key is to make everyone from top leadership all the way down to people operating data centers and running IT systems aware that things are changing, says Jerry Davis, deputy CIO for IT security at NASA. The administration's leadership is critical to shifting agency operations, he adds. In May, Davis announced NASA's IT managers no longer will produce the certification and accreditation reports required every three years under the nearly decade-old FISMA guidelines. Instead, the agency will rely on a continuous monitoring strategy similar to State's. Davis says he believes the April OMB memo provides support for this new approach.

"The baseline foundational documents written years ago are going to have to change, and we need to make sure the guidance of yesterday is modified to reflect the conditions of today," he says.

Individuals and offices will be required to break down silos and cooperate at a higher level than before. CISOs, who generally don't manage operations, will have to acquire certain tools or work with those entities that have the necessary technologies. Acquiring patches to fix system vulnerabilities isn't traditionally a CISO responsibility, for example, but gathering data for broader security decisions will require coordination with the owners of those tools.

Making people aware of potential cost savings and improved security and holding them accountable are ways to change agency culture, says Gilligan, adding leadership changes could be necessary in the process. "If I were in DHS and OMB, those would be the organizations largely responsible for assessing how we're doing. "

Counting the Savings

A significant reduction in reporting costs is one benefit to automation, some observers say. According to Paller, the certification and accreditation documents FISMA requires run $1,400 per page, while automation costs very little and improves security. CISOs already feel a strain on the funding for their programs. A recent survey from security education consortium (ISC)2, technology provider Cisco Systems and security consultant Garcia Strategies found federal CISOs' top wish was more money for cybersecurity initiatives.

"Resources are constantly an issue," says NRC's Howard. "We're getting to the point where most agencies have flat budgets and have to learn to do more with less and make some hard choices about what we can do."

FISMA reports cost State between $30,000 and $2.5 million every three years - $130 million in total. With continuous monitoring, the department reduced its cost by 56 percent the first year and an additional 6 percent in the second.

State was able to reinvest the savings in the program to build toolkits that allowed employees to monitor threats more efficiently.

"Continuous monitoring is a better use of agency security dollars," says Chenok. "Agencies have always said they are underinvesting in certain areas of security, like real-time response. This allows them to redirect funds to higher value activities rather than cut costs per se."

According to Gilligan, labor is one potential area for cost-cutting. "If you can have standard configurations, the deployment costs are dramatically reduced," he says. "If you can automatically update patch systems, the numbers of people you need to do this, network and systems administrators, are far fewer. Generally, organizations have lots of tools but didn't use them in a cohesive fashion. The big savings is far fewer people."

But most agencies don't yet know what their savings will be since the shift from annual reporting is in such an early stage and the results aren't clear-cut.

"On one hand, trying to automate as much as possible is going to reduce resource requirements," says Howard. "But more resources may be needed, for instance, for a DHS security specialist to come out annually, and we don't know what that's going to look like at this point."

Government and industry observers acknowledge the shift to continuous monitoring won't be immediate. The State Department took 23 months to integrate tools across the organization and an additional year to achieve results, and Streufert says it could take five years to deploy all the capabilities envisioned.

Paller projects basic progress will be made governmentwide in the first six to nine months as departments increase the visibility of data across their divisions. But it will take at least two to three years to complete automation and up to five to collect the information and make it available among more facets of the security landscape, he adds.

According to the April OMB memo, agencies must submit information to CyberScope by Nov. 15, and begin filing monthly reports in 2011. Even so, reporting could always be a mix of annual and continuous, says Coose. The intent is to get the most accurate data, but some functions might not lend themselves to automation. But wherever possible, automation is the way to go, he adds.

John Streufert

Chief Information Security Officer

State Department

John Streufert is ahead of the game when it comes to managing cyber threats. While other agencies are just starting to shift from the costly annual reports required by the 2002 Federal Information Security Management Act, under Streufert's leadership, State is evaluating its information technology systems every two to 15 days and has reduced security risks by 90 percent.

State's continuous monitoring process relies on a grading system that assigns values to threats, such as missing security patches or failed security compliance checks. Each embassy or office is evaluated on its ability to mitigate those risks, and its performance is made public for the rest of the department to see. In the upcoming months, Streufert's team expects to make top marks three times more difficult to achieve.

"Everyone in the organization gets graded on their progress in the last 30 days, and ambassadors know their rank across the department and within their region," Streufert says. "We're leaning on the fact that everyone wants to do the right thing but just can't figure out which problems to address first."

Streufert incentivized action by providing performance reviews that are shared across the department, says Matt Coose, the Homeland Security Department's director of federal network security. "I'm a big fan of John's approach to leveraging human nature to drive progress. It's natural human behavior to be competitive and want to succeed," he adds.

According to Streufert, better collaboration and a departmentwide emphasis on security is another significant factor in State's success. In only 11 months, his plan integrated the work of more than 4,000 employees across 24 time zones to achieve the 90 percent reduction in the number of security risk points on personal computers and servers at overseas sites and 89 percent at domestic sites.

"The idea that you could bring an organization together to work in harmony for these results is one of the important take-aways from the State Department experience," he says. "All that was necessary was to set the goals and set up a mechanism so people could concentrate their energies on the most serious problems."

And Streufert isn't keeping those methods to himself. He has shared State's documents and tools with other agencies, and he regularly works with CIOs and CISOs across government to troubleshoot their monitoring processes.

"He's giving away the stuff he built," says Alan Paller, director of research at the SANS Institute. "He spent the money, but he's happy to help. He's not asking people to buy software."