Proof: Continuous Monitoring Does Work
State Department's Automated Response to Aurora
At the urging of John Streufert, the State Department deputy chief information officer for security, I took a closer look at the written testimony presented this past week by Alan Paller, research director of the SANS Institute, at a hearing of the Senate Committee on Homeland Security and Governmental Affairs on continuous monitoring.
A major point Paller made was that the State Department reduced reliably measured risk by over 85 percent in less than a year by continuously monitoring its servers and PCs, as compared with the traditional paper-process reporting requirements under the Federal Information Security Management Act of 2002. Said Paller:
"Look closely at the chart, and you will see what continuous monitoring means - the updated data comes in daily or every couple of days - not quarterly or annually. Had State used the longer time periods favored by the other agencies, many more State Department computers and networks would have been open to attack, for far longer periods."
What are some real results of continuous monitoring? Paller, in his testimony, referenced Operation Aurora, the computer attack first disclosed by Google earlier this year:
"State can tell, within a day, which systems have and have not been patched. When State's CISO learned of the critical problem posed by the Aurora vulnerability, he didn't have to send an e-mail. He raised the vulnerability's risk factor (the value used to weight it in the overall risk score). Every office saw immediately that their security score had fallen and their bosses also saw the fall. Within six days, 85 percent of all vulnerable systems (servers and PCs) in all embassies and in all State Department offices around the world had been patched and were safe from attacks. That's six days, not weeks or months. No e-mails had to be sent; the scoring risk system did all the work. A clear example of why daily continuous monitoring is so important: it causes rapid risk reduction with low overhead."
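As an added illustration of the scoring mechanism Paller describes (this is not code from the article or from the State Department's system): each unpatched finding adds its risk factor to a host's score, each office is graded on its average score per host, and raising one vulnerability's weight drops every affected office's grade without anyone sending an e-mail. The inventory, weights and grade thresholds are constructed.

```python
from collections import defaultdict

# Constructed sample inventory: (office, host, set of open vulnerability ids).
# "AURORA" stands in for the vulnerability the article discusses.
INVENTORY = [
    ("Embassy-1", "ws01", {"V-OLD", "AURORA"}),
    ("Embassy-1", "ws02", {"AURORA"}),
    ("Embassy-1", "srv01", set()),
    ("HQ", "ws10", {"V-OLD"}),
    ("HQ", "ws11", {"AURORA"}),
    ("HQ", "srv02", {"V-OLD", "V-OLD2"}),
]

# Risk factor per vulnerability: the weight each unpatched finding adds to a host.
RISK_FACTORS = {"V-OLD": 2.0, "V-OLD2": 1.0, "AURORA": 1.0}

# Constructed grade thresholds on the average score per host (lower is better).
GRADES = [(1.0, "A"), (2.0, "B"), (3.0, "C"), (4.0, "D"), (6.0, "F"), (float("inf"), "F-")]


def office_scores(inventory, risk_factors):
    """Average weighted risk per host for each office."""
    total, hosts = defaultdict(float), defaultdict(int)
    for office, _host, vulns in inventory:
        hosts[office] += 1
        total[office] += sum(risk_factors.get(v, 0.0) for v in vulns)
    return {office: total[office] / hosts[office] for office in hosts}


def letter_grade(score):
    """Map an office's average score to the letter grade shown on its dashboard."""
    return next(grade for limit, grade in GRADES if score < limit)


def reweight(risk_factors, vuln, new_factor):
    """What the CISO did: raise one vulnerability's risk factor, nothing else."""
    return {**risk_factors, vuln: new_factor}


def patch(inventory, vuln, hosts):
    """Drop a finding from the named hosts, as the next scan would report it."""
    return [(o, h, v - {vuln} if h in hosts else v) for o, h, v in inventory]


def patched_fraction(before, after, vuln):
    """Share of originally exposed hosts that no longer carry the finding."""
    exposed = {h for _, h, v in before if vuln in v}
    still_open = {h for _, h, v in after if vuln in v}
    return 1.0 - len(still_open) / len(exposed) if exposed else 1.0
```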
Paller's testimony was given at a hearing on the Protecting Cyberspace as a National Asset Act of 2010, comprehensive cybersecurity legislation sponsored by panel chairman Joseph Lieberman, ranking Republican Susan Collins and Tom Carper, who chairs a subcommittee with IT security oversight. That bill would require federal agencies to abandon the paper-compliance process of FISMA in favor of continuous monitoring.
Few other agencies have replicated what State has done, blaming the high cost of complying with FISMA for tying up their funds, Paller said. Indeed, the State Department estimated it spent $133 million over six years to certify and accredit 150 of its major IT systems, producing 95,000 pages of documentation.
But Paller said it's not just antiquated FISMA rules that interfere with a move to continuous monitoring, but the business interest of some government contractors:
"The contractors that charge federal agencies hundreds of millions of dollars for writing the out-of-date reports are fighting to stop the move to continuous, daily monitoring, even though they and their firms can continue to be employed to enable and manage the new way of doing business. Their rear-guard actions are being supported by federal officials who appear to be uncomfortable with change or afraid of taking responsibility for active risk reduction."
That's a point made to me by Jerry Davis, deputy CIO for security at the National Aeronautics and Space Administration, which is following State's lead and moving to continuous monitoring. I asked Davis in an interview about the reaction at NASA after he issued a memo in May announcing the continuous monitoring initiative:
"I think it started off with a little bit of concern internally throughout the IT community because we had, in a sense, more or less been caught up in the old way of doing things and this is a change, and as you know at most organizations change is very, very difficult to impart on an organization. So, we have been working through a lot of change management activities and really getting around and out and about to the constituency that we service internal to NASA and the folks that are actually going to be helping us move forward with this move toward automated continuous monitoring."
Where was this concern coming from? Answered Davis:
"It's really the folks in the middle ... because there is uncertainty as you move away from this third-party activity that we had been doing. It takes a lot of manpower. It takes somebody to prepare to package it, to make sure that the certification, accreditation packages, the system security packages, all of those things are updated and when you talk about going to continuous monitoring where that's not such a big focus, I think some folks don't understand."
Despite the high cost of documenting FISMA compliance, employing automated tools to continuously monitor critical IT systems requires significant investments, too, and those must be properly managed. I've been exchanging e-mails on this topic with Streufert, and here's what he wrote:
"In place of the unacceptably wasteful spending for snapshots of process and compliance, the State Department redirected its FISMA energies 18 months ago - wherever we possibly could - toward a different outcome. We were in search of strategies that would offer a higher return on investment for time and money we spent on security, just as our CIO asked us to do.
"For us, this meant setting a long-term goal of merging our cyber policy and operational security groups into a single integrated team. Numerically, we went from 60 writers of three-ring certification and accreditation reports, to a total workforce of 4,135 technicians with significant security responsibilities working on continuous monitoring. The key seemed to be letter grades A to F-minus everyone including top executives could relate to.
"Why shift emphasis? Our adversaries have far more people. In doing so, not only did our work force applied to defensive cybersecurity dramatically increase, we can now focus the time and attention of all the information assurance professionals we have on the most damaging potential risks first through risk scoring. That is the power of a well-crafted cybersecurity dashboard, good metrics, personal accountability and the ability to focus on where you are being attacked."