Analysis: Cybersecurity's Double-Edged Sword

IT managers should arm networks to not only fight off attacks, but also to stop them in advance.

New guidelines requiring continuous monitoring of federal networks are based on a wealth of real-world experience and highlight the necessity of using new tools to push agencies' cyber defenses to the next level. As envisioned in guidance released by the National Institute of Standards and Technology in June 2010, continuous monitoring enables organizations to proactively identify security issues that can be mitigated or plugged in advance of cyber intrusions or attacks.

In the dynamic and ever-changing networks in which agencies operate, continuous monitoring simply can't be performed manually; it must be supported by software that provides powerful new weapons for defending against and thwarting attacks.

To give real meaning to continuous monitoring and to implement effective enterprise defenses, chief information officers and chief security officers need to be cognizant of the promises and pitfalls their agencies face. One risk is that enterprises will embrace a reactive, narrow view of continuous monitoring that emphasizes only the tactical angle, giving short shrift to the more important, proactive meaning of the term. The result could be the illusion of 24-7 proactive protection, but not the reality.

Two emerging technologies, each employing continuous monitoring, address this challenge. To bolster security, organizations must differentiate between the two and employ both.

The first approach is reactive, focusing on intrusion and attack detection. It is designed to sense attacks once they are in progress, but before they overcome a network's defenses. This method is akin to using a burglar alarm, constantly sensing and tracking activity within the IT infrastructure to identify breaches, malware and worms as they occur. This tactical defensive mechanism, which provides a snapshot of the here and now, is a necessary element of a sound IT security structure. But by itself, the approach is insufficient.

Such a tactical-warning approach could encourage a false sense of security. It addresses only ongoing malicious activity, while failing to address areas that are vulnerable to future attacks. Also, it really does not deal with the more proactive requirements specified in the NIST guidelines.

The more important method of continuous monitoring envisioned by NIST is essentially proactive. It actively analyzes a network--scanning it for threats, vulnerabilities and deviations from enterprise policies--and allows managers to take action in advance of an intrusion or attack. The approach enables managers to plug holes and boost defenses to limit the number and intensity of intrusions. It provides deep insight into the enterprise, so that security and IT managers can identify and address dangerous pathways.

Security breaches are expensive. Cleaning up the Defense Department's Global Information Grid after it was attacked cost the military services more than $100 million in the first six months of 2009. The network supports all military, national security and related intelligence missions and functions. As Army Brig. Gen. John A. Davis, deputy commander of Joint Task Force-Global Network Operations, observed: "Pay me now or pay me later. . . . In the last six months, we spent more than $100 million reacting to things on our networks after the fact." Continuous monitoring would have allowed holes to be plugged in advance.

The recently released 2010 Verizon Data Breach Investigations Report, along with data supplied by U.S. Strategic Command, underscores the need for continuous monitoring. Together they indicate that an overwhelming 87 percent of security breaches could have been avoided if organizations had followed basic security practices. Identifying threats, vulnerabilities and deviations from policy in advance will help avoid such breaches and ultimately save money.

To quote the Chinese military strategist Sun Tzu: "If you know others and know yourself, you will not be imperiled in a hundred battles." In other words, if you know what your potential gaps are in advance, then you can take action to plug them. This is no different from what a battlefield commander might do to reposition and enhance defenses based on knowing his force's disposition and that of the adversary.

Government and businesses will benefit from investing in and operating both types of continuous monitoring software. The reactive approach provides tactical warning and a snapshot-in-time of activities within the IT enterprise so that managers can react to specific events. More important, the proactive approach, which NIST recommends, assesses the entire IT enterprise, identifies potential avenues of attack and enables managers to take defensive actions well in advance.

Don't be lulled into a false sense of security by relying on the first method of continuous monitoring, while blissfully ignoring the second.

Retired Maj. Gen. John P. Casciano served as Air Force director of intelligence, surveillance and reconnaissance, deputy chief of staff, air and space operations. He is president and CEO of GrayStar Associates LLC, and consults on cybersecurity issues.