Are high-level views the answer to getting managers the cybersecurity status information they need to make decisions?
- By Brian Robinson
- Nov 07, 2005
Cybersecurity used to be one of those low-profile practices that agency executives could safely leave to basement-dwelling techies, but not anymore. With legislation such as the Federal Information Security Management Act
(FISMA) and the accompanying raft of compliance issues executives are required to sign off on, information technology security has finally penetrated the corner office.
That leaves IT managers with another problem to solve. How do they provide those executives with the information they need to accurately assess the agency's security status without forcing them to wade through the mass of technical details security professionals are accustomed to using?
The burden on executives can be significant. FISMA requires that each government agency file yearly status reports with the Office of Management and Budget to document how it is implementing security programs. Agencies must also report on specific computer security incidents to OMB and the Homeland Security Department, each of which has different reporting
A recent survey by systems integrator Intelligent Decisions found that federal chief information security officers spend an average of 3.75 hours a day on security reports required by FISMA. So, presumably, any help is welcome.
Installing dashboards that show an at-a-glance view of an agency's security status is one solution. The dashboards collect data from the same devices that IT security professionals monitor, such as firewalls and patch management systems, and then correlate it with business-related information, such as the status of servers that run key business applications. Dashboards then present the summarized information as simply as possible, using graphics such as red/yellow/green traffic lights, bar graphs or pie charts.
However, some experts say the technology has yet to gel. Although demand for such dashboards is growing and a number of vendors offer them, observers say an understanding of the necessary features has yet to catch up with the technology.
"People love to talk about the need for these dashboards and the metrics that should be applied, but so far, security people have not done a great job of understanding what the business value is of security," said Pete Lindstrom, research director at Spire Security, an industry analyst firm.
He added that one of the main reasons it's been hard to pull these kinds of executive dashboards together is because it's difficult to provide the necessary context.
Security professionals traditionally focus on the systems that have been attacked, how and where the attack happened, what kind of attack it was, and so on. But high-level executives need to know more about how those attacks will affect the organization's overall business flows.
"It's proven very difficult to put that kind of context in place," Lindstrom said.
Some product options
The field of security dashboards is in the early pioneering stage, said Gerhard Eschelbeck, chief technology officer and vice president of engineering at security vendor Qualys. No solution on the market today is ready to deal with those higher-level security needs, he added.
"The biggest lag is in developing specific metrics that make sense and then finding ways to present that data in a meaningful way," he said.
Security tools are adept at identifying specific problems, such as those found on a given computer, and explaining them to IT managers, he said. But how those problems relate to an organization's business processes and prioritizing their effects "is a little more vague," he said.
"There aren't a lot of mature resources out there now for describing the business properties of an enterprise and how security affects them," he said, adding that this kind of view will take time to develop.
But that's not stopping some from trying. For example, security vendor Intellitactics introduced a product this month called Intellitactics SAM, short for security assurance metrics, that it said offers managers more context for judging the effectiveness of security efforts.
The software provides trend analysis by comparing point-in-time measures of security data with previous time periods and computing averages. It can then show how effective security measures have been.
According to the company, executives can use configurable dashboard templates to see a number of views of enterprise security, which allows them to identify areas of high and low performance compared with various targets and measure the progress of security initiatives.
Another vendor, Preventsys, tackles security by casting it as a standard business risk, an approach that it said helps executives adopt a more proactive stance on security threats.
"Being reactive is too late," said Brian Grayek, Preventsys' CTO. "But if you can be proactive and get to the threats as they are coming, then you have a much better chance of stopping an event."
The company offers what it calls, appropriately, a proactive risk dashboard that aggregates data from the same security devices that the IT and security professionals use. Then it shows, through a series of colored pie charts and bar graphs, what vulnerabilities, threats and compliance risks exist, along with potential deviations from a predefined security architecture.
The dashboard also alerts executives to situations that might require action.
It presents the enterprise view Preventsys officials believe executives want, Grayek said.
"Most people are measuring their security today by such things as the number of viruses stopped or spyware removed, but these are operational rather than security measurements," he said. "The real measurement is risk."
Skybox Security also approaches the dashboard issue as a problem of risk evaluation. It uses modeling and attack simulations to calculate possible attack paths on a network and then uses the results to highlight which of the organization's critical assets are exposed to the greatest risk. It also ranks the vulnerabilities by severity.
The Skybox View dashboard presents all of this information as a customizable daily score card that shows executives how well their security defenses are performing.
That approach meets executives' need for a proactive stance on security, said Felix Santos, Skybox's program manager for audit and risk management.
"We put the vulnerabilities in the context of network design and the value of the organization's assets," said Ed Cooper, vice president of worldwide marketing at Skybox. "That means they only have to mitigate a certain number of vulnerabilities," which they can see immediately on the dashboard.
Seeking a better view
The Treasury Department is one government agency that's begun looking for tools that can provide a broad, high-level view of its security.
Of course, a top objective for such a capability is providing a way to more easily produce data for FISMA reports. But generally the goal is to get a sense of what's going on across Treasury, said Ed Roback, the agency's associate CIO for cybersecurity.
"When one of our executives sees on CNN that a worm or virus is spreading, then they'll want to know what's going on at Treasury," he said. "Also, vendors will put out patches from time to time, and management wants to know if those have been deployed and how many of the boxes have yet to be patched."
Roback said an important aspect of a security tool is the ability to move from a high-level executive view into specific areas, such as the security status of a particular bureau and its systems.
Administrators should also be able to configure the tool to give executives in different areas within Treasury a view into their systems' security, he said.
"I think that with current tools we also see that they offer multipurpose capabilities such as asset inventory," Roback said, "and I will certainly be looking to get that kind of thing out of any tools we acquire in order to support the broader IT mission."
Again, the big problem lies in choosing which of the many security-related elements to display on a dashboard.
"The level of abstraction is what you have to simplify," said Chris Michael, a technology strategist at Computer Associates International. "You can't get everything down to single bright colors, so you need to isolate those things that an executive needs to be able to get throughout the day."
And that again brings up the subject of context, Michael said.
That's exactly what makes it so difficult to come up with executive-level security dashboards, Lindstrom said. Their status reports are typically not quantitative, and by design, they do not include any great technical detail.
"It's really hard to dumb this down enough to get it to where it can be put onto a [executive-level] dashboard and still be meaningful," he said.**********
3 must-have dashboard features
The configuration of executive-level security dashboards depends on the needs of the executives who would use them, but most experts agree that dashboards should have the features described below.
- Simple views. Dashboards can represent fairly complicated situations, but the view has to be simple enough for busy and often nontechnical executives to instantly understand the network's security status. Red, yellow and green graphics -- such as pie charts, bar graphs or traffic-light buttons -- are preferable. The graphics typically indicate whether the organization complies with certain security policies.
- Drill-down capabilities. If necessary, executives should be able to drill down from the views presented on the first screen to find details on certain areas of an organization that might be causing noncompliant situations. In some circumstances, executives might want to know what's happening on a particular server or network gateway, for example. Most people agree that dashboards should present no more than two or three levels.
- Reporting. Not everyone who needs security status data will have access to the dashboard itself, so there should be a variety of ways to get the information to people. Many executives still rely on paper-based documents, so dashboards should have the ability to print reports in a number of formats.
-- Brian Robinson