Automation proves vital to continuous monitoring

Sooner or later any discussion about continuous monitoring will come around to the issue of automation.

Most continuous monitoring-related policies and programs assume that agencies will employ automation. That includes the National Institute of Standards and Technology (NIST) Special Publication 800-53, which lays out a risk management framework, and the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, which provides capabilities and tools for agency managers to identify and mitigate flaws in their networks that pose security risks.

It’s a matter of necessity. For most organizations, trying to manually perform continuous monitoring of all of the network segments and devices, including assessment and review of the results of that monitoring, is impossible. For all intents and purposes, if you cannot automate you cannot do an effective job of continuous monitoring.

Unfortunately, automation is a challenge for many government organizations. Reasons include a lack of understanding of what’s required, a lack of expertise in implementing monitoring programs and, critically, a lack of any standard way to move information between the various tools that are used in monitoring networks and systems.

And then there is an overall problem with organizations trying to cover too many security bases.

“There’s just too much time spent on empty processes, paper reporting and also sorting through conflicting guidance, vendor claims and so on,” said Tony Sager, director of the SANS Institute’s Innovation Center and former head of cyber defense operations for the National Security Agency.

When it comes to automation, agencies would be better off focusing their energies on automating core capabilities. For example, automating the management of desktop configurations can make it “dramatically easier and better,” he said.

Automation means “you can better study and understand the security properties of your technology, and so better understand the risk from things like flaws in software,” Sager said. “It allows you to know when things change unexpectedly [and] to change your higher-level reporting from ‘here are all the known bad things’ to ‘things are operating the way we decided they should.’”

However, even if organizations do everything right along these lines, they still might run into problems with factors outside their control.

One major issue is interoperability. Most agency IT environments are heterogeneous because of the way they have been built up over the years. The mix of vendor devices and tools across the enterprise makes automation a tricky proposition.

This interoperability problem has been understood for some time. It was the reason for such things as NIST’s work on the Security Content Automation Protocol (SCAP), for example, which is aimed at enabling the automation of computer configurations linked to the security controls spelled out in SP 800-53.

However, said Adam Montville, technical product manager for the Center for Internet Security (CIS), although SCAP has allowed organizations to get a fair way towards the interoperability needed for automation in continuous monitoring, it’s still not all of the way there.

“Even today,” he said, “you’ll find instances of SCAP-validated content that won’t run in a particular vendor’s tools, even though those tools have been SCAP-validated.”

The most significant problem is that standards have focused on defining the kind of information that’s needed for automation, but not for moving that information from place to place. That can be a problem when it comes to getting different vendors’ tools to speak to each other.

Montville is currently the vice-chair of an effort headed by the Internet Engineering Task Force (IETF) to provide these kinds of open standards-based automation specifications and content. The goal of the IETF working group is to standardize content repositories so that the different vendors’ tools can interrogate and pull down the latest applicable content for the IT assets those tools have to assess.

The first phase of this effort will be to build on the work that’s already been done for SCAP by trying to fill in the holes and then derive an architecture in which the interoperability protocols will work, Montville said.

“If we can get an architecture document settled on, then we’ll be able to actually look at the constituents of SCAP and see how they fit the architectural model we’d like to build,” he said. “My hope is that we’ll be able to reuse much of the work that’s already been done as a first tilt at the problem such that, if people do use SCAP, they’ll be able to reuse that content with these standards with very little tweaking.”

Much of this first phase effort by the IETF working group could be aired and decided on at the IETF 89 meeting in London in March 2014, he said. He also hopes that vendors will begin incorporating some of the working group’s findings in their products, even though standards may not be finalized for some time.

In the meantime, even with all of the apparent resource, technology and interoperability problems, both Sager and Montville believe that there are things that agencies can do to get started on the road to automation and true continuous monitoring.

The top of the list: Choose the IT resources that are most critical and protect those first. Even if agencies can’t implement the whole of the security framework included in SP 800-53, choose those security controls that map best to the needs of these “crown jewels” — inventory, system configuration management, vulnerability management and configuration management for network devices — and start with those. Don’t get distracted, Sager said, and just focus on that small number of essentials.

Montville agreed.

“Automate for those most critical assets, define the end points that are processing, transmitting and storing the most critical information and get started there,” he said. “Get used to how it all works for those, do the glue code and scripting yourself if you have to, and don’t worry about much else. It’s not impossible; it just takes a little dedication and commitment.”
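The kind of “glue code” Montville describes, and the reporting shift Sager describes (from “here are all the known bad things” to “things are operating the way we decided they should”), can be illustrated with a small script. The following is an added example written for this article; it is not code from NIST, CIS, the IETF working group or any agency program. It assumes a simplified key/value representation of configuration settings rather than real SCAP content, and all hostnames, tiers, baseline settings and observed values are constructed sample data. Hosts are ranked by a criticality tier (1 = crown jewels), and the script checks only hosts at or above a chosen tier against the baseline for their role, treats a missing report from an in-scope host as a finding, and separately flags changes between two snapshots that did not go through an approved change list.

```python
"""Baseline drift and unexpected-change check over a prioritized asset inventory.

Added illustration: all data below is constructed, and the flat
"setting -> value" representation is an assumption standing in for
whatever a scanner or configuration-management tool actually emits.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed asset inventory: hostname -> criticality tier and role.
INVENTORY: Dict[str, dict] = {
    "db-01":    {"tier": 1, "role": "database"},
    "app-02":   {"tier": 1, "role": "web"},
    "web-01":   {"tier": 2, "role": "web"},
    "kiosk-07": {"tier": 3, "role": "kiosk"},
}

# Constructed baseline: the settings each role is decided to run with.
BASELINE: Dict[str, Dict[str, str]] = {
    "database": {"ssh.PermitRootLogin": "no", "audit.enabled": "yes",
                 "fw.default_inbound": "deny"},
    "web":      {"ssh.PermitRootLogin": "no", "tls.min_version": "1.2"},
    "kiosk":    {"ssh.PermitRootLogin": "no"},
}

# Constructed snapshots from two monitoring runs. Note that app-02 is a
# tier-1 host that produced no report at all in the current run.
PREVIOUS: Dict[str, Dict[str, str]] = {
    "db-01":    {"ssh.PermitRootLogin": "no", "audit.enabled": "yes",
                 "fw.default_inbound": "deny"},
    "web-01":   {"ssh.PermitRootLogin": "no", "tls.min_version": "1.0"},
    "kiosk-07": {"ssh.PermitRootLogin": "no"},
}
CURRENT: Dict[str, Dict[str, str]] = {
    "db-01":    {"ssh.PermitRootLogin": "no", "audit.enabled": "no",
                 "fw.default_inbound": "deny"},
    "web-01":   {"ssh.PermitRootLogin": "no", "tls.min_version": "1.2"},
    "kiosk-07": {"ssh.PermitRootLogin": "yes"},
}

# Constructed change-control record: (host, setting, new value) tuples
# that were decided on in advance, so they are expected, not drift.
APPROVED: Set[Tuple[str, str, str]] = {("web-01", "tls.min_version", "1.2")}


@dataclass(frozen=True)
class Finding:
    host: str
    tier: int
    setting: str
    expected: Optional[str]   # baseline value, or previous value for a change
    observed: Optional[str]   # None means the setting (or report) was absent


def check_drift(inventory, baseline, observed, max_tier: int) -> List[Finding]:
    """Compare in-scope hosts (tier <= max_tier) against their role baseline."""
    findings: List[Finding] = []
    for host, meta in inventory.items():
        if meta["tier"] > max_tier:
            continue
        report = observed.get(host)
        if report is None:
            # A critical host that stops reporting is itself an unexpected state.
            findings.append(Finding(host, meta["tier"], "<report>", "present", None))
            continue
        for setting, want in baseline.get(meta["role"], {}).items():
            got = report.get(setting)
            if got != want:
                findings.append(Finding(host, meta["tier"], setting, want, got))
    # Most critical first, so the report leads with the crown jewels.
    return sorted(findings, key=lambda f: (f.tier, f.host, f.setting))


def unexpected_changes(inventory, previous, current, approved, max_tier: int) -> List[Finding]:
    """Flag setting changes between two snapshots that were not pre-approved."""
    findings: List[Finding] = []
    for host, meta in inventory.items():
        if meta["tier"] > max_tier:
            continue
        before, after = previous.get(host, {}), current.get(host, {})
        for setting in sorted(set(before) | set(after)):
            old, new = before.get(setting), after.get(setting)
            if old != new and (host, setting, new) not in approved:
                findings.append(Finding(host, meta["tier"], setting, old, new))
    return findings


def summarize(inventory, findings: List[Finding], max_tier: int) -> Dict[str, int]:
    """Positive-state summary: how many in-scope hosts are operating as decided."""
    in_scope = [h for h, m in inventory.items() if m["tier"] <= max_tier]
    hosts_with_findings = {f.host for f in findings}
    return {"in_scope": len(in_scope),
            "as_decided": len(in_scope) - len(hosts_with_findings),
            "findings": len(findings)}


if __name__ == "__main__":
    # Start with the crown jewels only (tier 1), as the article recommends.
    drift = check_drift(INVENTORY, BASELINE, CURRENT, max_tier=1)
    for f in drift:
        print(f"DRIFT  tier={f.tier} {f.host} {f.setting}: expected {f.expected!r}, observed {f.observed!r}")
    for f in unexpected_changes(INVENTORY, PREVIOUS, CURRENT, APPROVED, max_tier=1):
        print(f"CHANGE tier={f.tier} {f.host} {f.setting}: {f.expected!r} -> {f.observed!r}")
    print(summarize(INVENTORY, drift, max_tier=1))
```

Widening `max_tier` brings less critical hosts into scope once the tier-1 workflow is settled, which is the incremental path both Sager and Montville describe. The `summarize` output is deliberately phrased as how many hosts are operating as decided rather than as a list of bad things, and the missing-report case is treated as a finding because a crown-jewel host that silently drops out of monitoring is exactly the unexpected change the process exists to catch.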