Continuous monitoring: Don’t take it lightly

Without a doubt, the practice of continuous monitoring has the potential to dramatically improve the security of federal systems -- but only if federal IT managers commit themselves to it in a big way.

The principle of continuous monitoring is simple enough. By assessing the state of essential information security controls across the enterprise on an ongoing basis, agencies can ensure that their cyber defenses are in place and up-to-date.

Better yet, automated tools, which are widely available in commercial products, can go a long way toward simplifying the process of collecting and analyzing security data by providing security officials with near-real-time information on their security posture.

But continuous monitoring is not to be undertaken lightly, as numerous agencies have discovered. The most common problem is a lack of thoroughness. Any systems that are not routinely scanned are in essence cybersecurity blind spots.

The State Department, one of the pioneers of continuous monitoring in the federal government, has run into that problem with its groundbreaking iPost system. In 2012, State’s inspector general reported that a number of essential systems -- including the department’s most common database, its Unix servers and several common network components -- were not covered by iPost.

The lack of an enterprisewide continuous monitoring program “prevents the department from understanding the security state of the information system,” the IG wrote. “It also prevents the department from effectively monitoring a highly dynamic network environment with changing threats, vulnerabilities, technologies, and missions/business functions.”

That’s not to say that every system needs to be monitored. That is a sure recipe for data overload, which would do nothing to improve security. The key is deciding which systems need to be monitored based on the impact that would result from a system breach or failure.
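The two ideas above, finding assets that are not being scanned and choosing the scan frequency by impact, can be reduced to a simple reconciliation of an asset inventory against scan records. The following is an added example, not code from the article or from any of the agencies it describes; the host names, impact ratings and monitoring windows are constructed for illustration, and a real program would draw the inventory and scan dates from its own tooling.

```python
from datetime import date

# Constructed asset inventory: each record carries a hypothetical impact rating
# assigned during the requirements analysis the article describes.
INVENTORY = [
    {"host": "db-primary", "impact": "high"},
    {"host": "unix-app-01", "impact": "high"},
    {"host": "core-switch-01", "impact": "moderate"},
    {"host": "kiosk-lobby", "impact": "low"},
    {"host": "web-frontend", "impact": "moderate"},
]

# Constructed scan records: host -> date of the most recent assessment.
# Hosts absent from this map have never been scanned (the "blind spots").
LAST_SCAN = {
    "web-frontend": date(2013, 3, 1),
    "kiosk-lobby": date(2013, 2, 20),
    "core-switch-01": date(2013, 1, 5),
}

# Assumed maximum days between assessments, tied to impact so that high-impact
# systems are checked most often and low-impact systems do not flood the feed.
IMPACT_WINDOW = {"high": 7, "moderate": 30, "low": 90}
IMPACT_RANK = {"high": 0, "moderate": 1, "low": 2}


def find_blind_spots(inventory, last_scan, as_of):
    """Return inventory entries whose last scan is missing or older than the
    window for their impact level, highest impact and longest overdue first."""
    gaps = []
    for asset in inventory:
        window = IMPACT_WINDOW[asset["impact"]]
        scanned = last_scan.get(asset["host"])
        if scanned is None:
            gaps.append({**asset, "reason": "never scanned", "days_overdue": None})
            continue
        age = (as_of - scanned).days
        if age > window:
            gaps.append({**asset, "reason": "stale", "days_overdue": age - window})
    # Sort: impact level, then never-scanned before stale, then most overdue.
    gaps.sort(key=lambda g: (IMPACT_RANK[g["impact"]],
                             0 if g["days_overdue"] is None else 1,
                             -(g["days_overdue"] or 0)))
    return gaps


def coverage_ratio(inventory, last_scan, as_of):
    """Fraction of inventoried assets that are inside their monitoring window."""
    if not inventory:
        return 1.0
    gaps = find_blind_spots(inventory, last_scan, as_of)
    return (len(inventory) - len(gaps)) / len(inventory)


if __name__ == "__main__":
    today = date(2013, 3, 5)
    for gap in find_blind_spots(INVENTORY, LAST_SCAN, today):
        print(f"{gap['host']:16} {gap['impact']:9} {gap['reason']:14} "
              f"overdue={gap['days_overdue']}")
    print(f"coverage: {coverage_ratio(INVENTORY, LAST_SCAN, today):.0%}")
```

The report lists the two high-impact systems that have never been scanned ahead of the moderate-impact switch whose scan is merely stale, which is the ordering a security officer wants when deciding where to send limited staff. The coverage ratio is the single number worth tracking month to month; a program that only reports on the hosts it already scans can never show this gap.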

Security experts at the SANS Institute, a cooperative research and education organization, recommend doing some good old-fashioned investigative reporting as part of the requirements analysis. That includes conducting interviews with officials in the organization, digging up any information available on past security incidents, and reviewing old audit reports or automated assessments.

“The more thorough and accurate the requirements analysis is, the more effective the continuous monitoring effort will be,” the institute’s white paper states.

As with any enterprisewide initiative, continuous monitoring works best when driven from the top down within an agency. The Department of Homeland Security is a good case study. According to the department’s IG, DHS has improved the overall security of its systems by holding component agencies accountable for cybersecurity.

DHS provided its agencies with a standardized monthly feed template, ensuring that their security monitoring efforts are in sync with the department’s goals. The department’s chief information security officer also meets monthly with component officials to discuss the continuous monitoring strategy and any issues that arise.

Officials at the Office of Personnel Management realized that they needed to take more of a top-down approach. In the past, information security efforts largely have been managed by various designated security officers scattered throughout the organization.

This decentralized structure created several problems, according to the IG. First, the CISO, having no direct “managerial leverage” over the designated security officers, could not hold them accountable for meeting the mandates of the Federal Information Security Management Act, such as conducting security control tests on their systems. Second, the CISO had no way to ensure that the security officers had the skills they needed to do their jobs, and in fact, according to the IG, many did not.

But those problems should soon be a thing of the past. In August 2012, the OPM director issued a memo transferring security duties from the designated security officers to a centralized team of information system security officers that reports to the agency’s CIO.

The IG believes OPM is heading in the right direction. “Once this transition is fully complete, we expect to close the audit recommendations related to IT security governance and remove the material weakness,” the IG concluded.

As agencies refine their continuous monitoring strategies, they should begin to realize the real benefits: the ability to put their personnel resources where they are needed most.

In a traditional environment, security experts spend a lot of time on the run responding to breaches. With continuous monitoring, however, they should be able to identify and fix vulnerabilities before they become problems, wrote James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, in a white paper titled “Raising the Bar for Cybersecurity.”

“The combination of mitigation strategies linked to continuous monitoring [frees] up IT resources and personnel to focus on higher-end challenges,” he wrote.