Federal CIOs Moving Cybersecurity Beyond Compliance

As federal agencies struggle to keep pace with the mounting threats to their far-flung digital systems, IT professionals must move away from treating security as a compliance exercise and adopt dynamic, real-time monitoring, government CIOs said in a recent panel discussion.

In many agencies, that shift toward continuous monitoring is already well underway, as CIOs have been working to further automate their systems so that networked assets scan for and report potential security incidents.

"There were a lot of checklists focused on looking at what type of security controls needed to be implemented, what type of security controls actually were implemented," says Simon Szykman, CIO at the Department of Commerce.

"We're now moving toward an era of much more automated and near real-time situational awareness where we have systems that themselves are able to verify that controls are being implemented, assess the state of security across a broad infrastructure, and report in a real-time or near real-time basis a broad security posture over a big infrastructure up to decision makers," Szykman says.

For entities within the government with IT assets positioned around the country or even globally, achieving that holistic view of the network can be a particular challenge.


For instance, at the National Oceanic and Atmospheric Administration, the division of Commerce that includes the National Weather Service, IT staffers maintain a sprawling network that collects data from more than 20,000 devices. With the agency's shift to continuous monitoring, all of the automated logs those devices produce are now centrally collected and analyzed, a round-the-clock process that scrutinizes more than 1 billion events per day, according to NOAA CIO Joe Klimavicz.

Those data points had been collected before NOAA moved to continuous monitoring about four years ago, Klimavicz says, but the agency did nothing with them. Now, with constant threat detection and analysis, NOAA's systems block more than half a million malicious Web connections each week, according to the CIO.

"At NOAA, continuous monitoring is embedded in our enterprise-level security operations center," Klimavicz says. "We're able to see things that we weren't able to see before."

Cybersecurity 'A Big Data Issue' for State Department

But all that monitoring and data collection can create its own set of challenges. The State Department, for instance, maintains IT operations in more than 200 countries. Its security personnel are swimming in data points. That prompted the IT team to develop a system, dubbed continuous diagnostics and mitigation, or CDM, to sift through the clutter.


"It is a big data issue. Part of it is dealing with thousands of false positives on a daily basis," says William Lay, the State Department's deputy CIO for information assurance. "We have hundreds of monitors, thousands of sensors. They're all pulling data together 24/7."

Lay continues: "We can't afford to have an army of people watching all of these monitors, so we have to have really sophisticated tools to filter for us. But once the filtering is consistent, we really end up with a risk management model that gets the false positives down to a point that they are manageable - and we end up with useful information that leads to better decisions."

Lay explains that the State Department designed the CDM program as a proprietary, in-house product to digest the disparate feeds from networked devices and populate a dashboard that would offer visualizations of the various security operations such as patching and virus protection.
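The two ideas that run through this article, automated verification that controls are actually in place (Szykman's description above) and the CDM-style rollup of disparate sensor feeds into a dashboard with the false positives filtered out (Lay's description above), can be shown together in a small aggregator. The script below is an added example written for this page; it is not NOAA, State Department or DHS code, and the feed formats, thresholds, host names and the benign-scanner suppression list are all constructed assumptions.

```python
"""Toy continuous-monitoring aggregator (added example, not the CDM program's code).

Three hypothetical feeds are embedded as constructed sample data: a host
inventory agent (antivirus state), a patch scanner, and an IDS. The code
suppresses a known-benign alert source to cut false positives, verifies
two controls per host (AV current, patches current), and rolls the result
up into the kind of enterprise posture summary a dashboard would display.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

NOW = datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" so results are reproducible
MAX_SIG_AGE = timedelta(days=7)      # assumed policy: AV signatures older than a week are stale
MAX_PATCH_AGE = timedelta(days=30)   # assumed policy: no successful patch run in 30 days is a failure

# --- constructed feeds ---------------------------------------------------------
INVENTORY = [
    {"host": "ws-001",  "av_running": True,  "av_sig_date": "2014-02-28"},
    {"host": "ws-002",  "av_running": False, "av_sig_date": "2014-01-10"},
    {"host": "srv-db1", "av_running": True,  "av_sig_date": "2014-03-01"},
]
PATCH_SCANS = [
    {"host": "ws-001",  "last_patched": "2014-02-20", "missing_critical": 0},
    {"host": "ws-002",  "last_patched": "2013-12-01", "missing_critical": 3},
    {"host": "srv-db1", "last_patched": "2014-02-27", "missing_critical": 1},
]
IDS_ALERTS = [
    {"host": "ws-001",  "sig": "POLICY Vulnerability Scan", "src": "10.0.0.5"},
    {"host": "ws-002",  "sig": "TROJAN C2 Check-in",        "src": "198.51.100.7"},
    {"host": "srv-db1", "sig": "POLICY Vulnerability Scan", "src": "10.0.0.5"},
    {"host": "ws-002",  "sig": "TROJAN C2 Check-in",        "src": "198.51.100.7"},
]
# The authorized vulnerability scanner at 10.0.0.5 trips scan signatures all day;
# that (signature, source) pair is the classic false positive worth suppressing.
KNOWN_BENIGN = {("POLICY Vulnerability Scan", "10.0.0.5")}


def _age(date_str, now):
    """Age of an ISO date relative to `now` as a timedelta."""
    return now - datetime.strptime(date_str, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def filter_alerts(alerts, benign=KNOWN_BENIGN):
    """Drop alerts on the benign list, then collapse repeats of the same
    (host, signature, source) into one entry with a count. Returns {host: [entries]}."""
    counts = Counter()
    for a in alerts:
        if (a["sig"], a["src"]) in benign:
            continue
        counts[(a["host"], a["sig"], a["src"])] += 1
    by_host = defaultdict(list)
    for (host, sig, src), n in sorted(counts.items()):
        by_host[host].append({"sig": sig, "src": src, "count": n})
    return dict(by_host)


def evaluate_host(inv, patch, host_alerts, now=NOW):
    """Verify the controls a host should have and return a status record."""
    sig_age = _age(inv["av_sig_date"], now)
    patch_age = _age(patch["last_patched"], now)
    av_ok = inv["av_running"] and sig_age <= MAX_SIG_AGE
    patch_ok = patch_age <= MAX_PATCH_AGE and patch["missing_critical"] == 0
    findings = []
    if not inv["av_running"]:
        findings.append("antivirus not running")
    elif sig_age > MAX_SIG_AGE:
        findings.append("antivirus signatures stale (%d days)" % sig_age.days)
    if patch_age > MAX_PATCH_AGE:
        findings.append("no patch run in %d days" % patch_age.days)
    if patch["missing_critical"]:
        findings.append("%d critical patches missing" % patch["missing_critical"])
    for a in host_alerts:
        findings.append("IDS: %s from %s (x%d)" % (a["sig"], a["src"], a["count"]))
    return {"host": inv["host"], "av_ok": av_ok, "patch_ok": patch_ok,
            "alerts": sum(a["count"] for a in host_alerts), "findings": findings}


def posture(inventory=INVENTORY, scans=PATCH_SCANS, ids=IDS_ALERTS, now=NOW):
    """Join the feeds per host and return (enterprise summary, per-host records)."""
    scans_by_host = {s["host"]: s for s in scans}
    alerts_by_host = filter_alerts(ids)
    hosts = [evaluate_host(i, scans_by_host[i["host"]], alerts_by_host.get(i["host"], []), now)
             for i in inventory]
    summary = {
        "hosts": len(hosts),
        "av_compliant": sum(h["av_ok"] for h in hosts),
        "patch_compliant": sum(h["patch_ok"] for h in hosts),
        "hosts_with_alerts": sum(1 for h in hosts if h["alerts"]),
        "raw_alerts": len(ids),
        "alerts_after_filtering": sum(h["alerts"] for h in hosts),
    }
    return summary, hosts


if __name__ == "__main__":
    summary, hosts = posture()
    print("ENTERPRISE POSTURE:", summary)
    for h in hosts:
        flag = "OK " if h["av_ok"] and h["patch_ok"] and not h["alerts"] else "FAIL"
        print("%s %-8s %s" % (flag, h["host"], "; ".join(h["findings"]) or "all controls verified"))
```

The design point is the order of operations: suppression happens on the raw alert stream before anything is counted, so the dashboard reflects two real alerts rather than four, and the per-host record carries the reason for each failure so a system owner can act on it rather than just see a red cell.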


"The big key is being able to give situational awareness to both our decision makers and our system owners," Lay says, "so they really know when they're making risk-based decisions what it is they're up against, whether it's introducing new technologies or if they're just trying to further the mission of the department."

Now four years along, CDM has moved under the auspices of the Department of Homeland Security, which has been working to commercialize the product and is making it available to other federal agencies along with state, local and tribal governments.

Through those kinds of initiatives, the feds are looking to put the era of check-box security behind them. From the vantage point of a vendor such as the security firm Blue Coat, that shift has entailed changes in what government customers are expecting from the contractors they do business with.

"With compliance, we've been dealing with solutions where we're able to pass audits. So we get a grade on whether or not our cybersecurity posture was meeting the minimum requirements for the government," says Aubrey Merchant-Dest, Blue Coat's director of cybersecurity strategy.

Now, Blue Coat sees attackers going after specific assets or breaking into a network with targeted attacks, and those attacks can easily skate through perimeter defenses and even host defenses, Merchant-Dest says. "Bottom line: We can't stop everything. With this new automated approach that CDM provides us, it's in fact going to give us a better handle on cyber situational awareness."

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.
