Cybersecurity dashboards put focus on actionable information

Dashboards have been around in government for a number of years, used with varying success to measure the status of agency IT systems and programs. Now they’ll be a major plank in the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, a front line tool aimed at helping both individual agencies and the federal government measure and mitigate cybersecurity risks.

Under the program, agencies will deploy automated sensors at various places in their IT infrastructures. Those sensors will feed into dashboards that tell agencies what their most critical risks are and, in theory, give them plenty of warning so they know which security issues they need to address first. Summary information from the agencies will also feed into a federal-level dashboard, providing a picture of cyber risks across the government and a common understanding of the overall situational awareness.

Agencies already have some experience with using a dashboard for security reasons through the federal-level CyberScope, which allows them to report on how well they are complying with Federal Information Security Management Act (FISMA) requirements. But the CDM dashboards will operate at a wholly different level, and it will take a while before any conclusions can be drawn.

Monitoring inventories and vulnerabilities, which is what the first phase of the CDM is all about, basically tells you what’s out there in terms of IT systems and if they are configured properly, but that’s nothing new, said John Pescatore, director of emerging security trends at the SANS Institute. It’s the equivalent of a light on a car dashboard telling you whether your door is open or not.

“What you really need for a meaningful [cyber security] dashboard is something that tells you that these are the vulnerabilities you have, this is the threat environment, are you about to get into trouble, and should I check the engine now and pull over,” he said. “The CDM efforts are several phases away from that happening.”

The federal-level dashboard, which will be maintained by DHS, will serve several purposes, according to a Nov. 18, 2013 memo from the Office of Management and Budget.

First, the data will provide information on specific vulnerabilities that could affect agencies. It will also give oversight organizations data that can help identify the level of risk reduction that is “both possible and beneficial for agencies, depending on their risk-based needs,” the memo states. Finally, it will help DHS develop guidance for agencies aimed at improving their decision making based on risk and cost tradeoffs.

However, given the size and breadth of their IT infrastructures, agencies likely are looking for even more specific information about what steps they need to take, according to Pescatore.

“In the real world, no government agency has the resources to run out and immediately patch every single system every second Tuesday of the month,” said Pescatore. “They need something that tells them what systems to patch first, so effective dashboards need to have some risk assessment behind them that tells them what system holds the most essential data, and here’s how someone can get into it.”
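The risk-based ranking Pescatore describes, combining what the sensors already report (inventory and vulnerability findings) with how essential each system's data is, can be illustrated with a small prioritization routine. The following is an added example written for this page; it is not code from the CDM program, DHS, GSA or any CDM contractor. The asset inventory, findings, CVE placeholders and scoring weights are all constructed assumptions, chosen only to show why the highest CVSS score is not automatically the first thing to patch.

```python
"""Risk-based patch prioritization for a CDM-style agency dashboard.

Added example, not from the article. All data and weights below are
constructed assumptions; real deployments would pull inventory and
findings from their sensors and tune the weights to agency risk appetite.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    data_criticality: int   # 1 (low) .. 5 (holds the most essential data)
    internet_facing: bool   # exposure: reachable from outside the agency


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                # placeholder identifiers below, not real CVEs
    cvss: float             # 0.0 .. 10.0 base severity from the scanner
    exploit_public: bool    # threat environment: is exploitation known?
    patch_available: bool   # vendor fix exists, or only a workaround?


# Constructed sample inventory (what the phase-one sensors report)
INVENTORY = [
    Asset("db-01", data_criticality=5, internet_facing=False),
    Asset("web-01", data_criticality=2, internet_facing=True),
    Asset("kiosk-07", data_criticality=1, internet_facing=False),
]

# Constructed sample findings; "unknown-99" is deliberately absent from
# the inventory to show how a dashboard should surface an inventory gap.
FINDINGS = [
    Finding("db-01", "CVE-XXXX-0001", 7.5, exploit_public=True, patch_available=True),
    Finding("web-01", "CVE-XXXX-0002", 9.8, exploit_public=False, patch_available=True),
    Finding("kiosk-07", "CVE-XXXX-0003", 9.0, exploit_public=True, patch_available=False),
    Finding("unknown-99", "CVE-XXXX-0004", 5.0, exploit_public=False, patch_available=True),
]

# Illustrative weights (assumptions): exposure and a public exploit both
# raise urgency on top of severity scaled by how essential the data is.
INTERNET_FACING_WEIGHT = 1.5
PUBLIC_EXPLOIT_WEIGHT = 2.0


def risk_score(asset: Asset, finding: Finding) -> float:
    """Severity x data criticality, amplified by exposure and threat."""
    score = finding.cvss * asset.data_criticality
    if asset.internet_facing:
        score *= INTERNET_FACING_WEIGHT
    if finding.exploit_public:
        score *= PUBLIC_EXPLOIT_WEIGHT
    return round(score, 1)


def prioritize(inventory: list[Asset], findings: list[Finding]) -> list[dict]:
    """Return findings ranked by risk, with inventory gaps listed last.

    A finding on a host the inventory does not know about gets no score:
    it is flagged rather than silently dropped or guessed at.
    """
    assets = {a.host: a for a in inventory}
    scored, gaps = [], []
    for f in findings:
        asset = assets.get(f.host)
        if asset is None:
            gaps.append({"host": f.host, "cve": f.cve, "score": None,
                         "action": "inventory gap"})
            continue
        scored.append({
            "host": f.host,
            "cve": f.cve,
            "score": risk_score(asset, f),
            "action": "patch" if f.patch_available else "mitigate",
        })
    scored.sort(key=lambda row: row["score"], reverse=True)
    return scored + gaps


def summarize(ranked: list[dict]) -> dict:
    """Roll-up suitable for a higher-level (e.g. federal) dashboard:
    counts of required actions without per-host detail."""
    return dict(Counter(row["action"] for row in ranked))


if __name__ == "__main__":
    for row in prioritize(INVENTORY, FINDINGS):
        print(f"{row['host']:<11} {row['cve']:<14} "
              f"{str(row['score']):>6}  {row['action']}")
    print(summarize(prioritize(INVENTORY, FINDINGS)))
```

In this constructed data the 9.8 finding on the internet-facing web server ranks below the 7.5 finding on the database, because the database holds the most essential data and a public exploit exists; the kiosk finding has no patch and is marked for mitigation instead, and the host missing from the inventory is surfaced as a gap rather than scored on guessed attributes.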

That’s where the CDM contractors come in. As part of this program, which is being managed by the General Services Administration, those contractors will provide the technical services “necessary to install, configure and maintain the envisioned DHS-provided Base CDM dashboard, any intermediate dashboards, or other agency-supplied dashboard or CDM reporting systems,” according to a GSA ordering guide for agencies.

As part of those services, the contractors will work with agency cybersecurity experts on risk assessments that can show them how the various sensors should be deployed and integrated.

If you want these dashboards to be at all useful they’ll need to highlight when and where the real problems happen and what the real actions are to mitigate the vulnerabilities, Pescatore said. “And efforts aimed at that should be happening now.”