Implementing Continuous Monitoring
John M. Gilligan
FedTech Continuous Monitoring Webinar
December 1, 2011
Topics
• Background
• What is continuous monitoring
• NIST and FISMA guidance
• Continuous Monitoring in the “Cloud”
• What’s next
• Final thoughts
Government Security Environment
• We are in a cyber “war” and are losing badly!
• The IT industry has produced an inherently insecure environment—total security is not achievable
• CIO/CISO mandates exceed the time and resources available
• Cyber security is an enormously complex challenge—there are very few true experts
It is time to focus on ways to make real improvements in security
FISMA Was Well Intended; What Was Not Working?
• Original intent was good:
– Ensure effective controls
– Improve oversight of security programs
– Provide for independent evaluation
• Implementation took us off course:
– Agencies unable to assess risks
– NIST “guidance” became mandatory
– No auditable basis for independent evaluation
– Grading became overly focused on paperwork
– Failure to recognize the emergence of automated tools
Bottom Line: High cost and debates about security improvements!
Analogy of “Old” FISMA Implementation
• An ambulance shows up at a hospital emergency room with a bleeding patient
• Hospital gives inoculations for flu, tetanus, shingles, and vaccination updates
• Hospital tests for communicable diseases and high blood pressure, sends a blood sample for a cholesterol check, gives an eye exam and checks hearing
• At some point, doctors address the cause of the bleeding
Former Policy Regarding FISMA Resulted in a Checklist Approach
Meanwhile, the patient is bleeding to death!!
We Need Triage--Not Comprehensive Medical Care
FISMA and NIST Guidance
• FISMA Reporting Metrics (6/1/11) require reporting on metrics monitored on a continuous basis
• NIST SP 800-37 encourages continuous monitoring in support of certification/recertification
Policy and Guidelines recognizing benefits of Continuous Monitoring
What is Continuous Monitoring?
• Monitor security controls at the frequency of attacks
• Recognize that systems undergo continuous evolution
• Leverage automated tools*
• Focus on highest threat areas (e.g., FISMA reporting guidance, 20 Critical Controls)
• Implement management reporting to motivate rapid change (e.g., State Dept.)
* Many relevant tools are already being used to perform operations and maintenance functions
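The slide above describes continuous monitoring as three things working together: automated observation of controls, a cut-off that treats an observation older than the attack tempo as stale, and a management report that ranks organizational units so the worst scores drive remediation. The following is an added example, not code from the webinar or from any agency program: it scores a constructed snapshot of scanner and patch-tool output per host, penalizes hosts whose last observation is older than an assumed three-day target, and rolls the points up by organizational unit for the ranked report. The host records, the weights, the three-day target and the unit names are all assumptions chosen for illustration and are not a published scoring scheme.

```python
"""Continuous-monitoring risk scorer (illustrative; not from the slides).

Each Host is a constructed snapshot of what automated tools already report:
  scan_age_days     : days since the vulnerability scanner last saw the host
  critical_vulns    : count of unremediated critical findings (count only)
  patch_age_days    : days the oldest missing security patch has been available
  config_compliance : fraction of baseline configuration checks passing (0..1)
Weights and thresholds below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed monitoring-frequency target. An observation older than this is
# treated as stale and scored as unknown, i.e. worst case, so that "we have
# not looked recently" shows up on the report as a risk in its own right.
MAX_OBSERVATION_AGE_DAYS = 3

# Assumed risk points. Larger is worse.
POINTS_PER_CRITICAL_VULN = 10
POINTS_PER_WEEK_PATCH_LATE = 3
POINTS_PER_PERCENT_NONCOMPLIANT = 1   # per percentage point below 100 %
STALE_PENALTY = 50                     # no current observation: assume the worst


@dataclass
class Host:
    name: str
    org_unit: str
    scan_age_days: int
    critical_vulns: int
    patch_age_days: int
    config_compliance: float


def host_risk(h: Host) -> int:
    """Risk points for one host from its most recent control observations."""
    if h.scan_age_days > MAX_OBSERVATION_AGE_DAYS:
        return STALE_PENALTY
    vuln_points = POINTS_PER_CRITICAL_VULN * h.critical_vulns
    patch_points = POINTS_PER_WEEK_PATCH_LATE * (h.patch_age_days // 7)
    noncompliant_pct = round((1.0 - h.config_compliance) * 100)
    config_points = POINTS_PER_PERCENT_NONCOMPLIANT * noncompliant_pct
    return vuln_points + patch_points + config_points


def stale_hosts(hosts):
    """Hosts whose last observation is older than the monitoring target."""
    return [h.name for h in hosts if h.scan_age_days > MAX_OBSERVATION_AGE_DAYS]


def org_unit_scores(hosts):
    """Total risk points per organizational unit, worst unit first."""
    totals = defaultdict(int)
    for h in hosts:
        totals[h.org_unit] += host_risk(h)
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


def management_report(hosts):
    """Ranked report lines: the unit with the most risk points comes first."""
    stale = set(stale_hosts(hosts))
    lines = ["org_unit  risk_points  stale_hosts"]
    for unit, pts in org_unit_scores(hosts).items():
        n_stale = sum(1 for h in hosts if h.org_unit == unit and h.name in stale)
        lines.append(f"{unit:<9} {pts:>11}  {n_stale}")
    return lines


# Constructed sample snapshot; the hosts and units are not real systems.
SAMPLE_HOSTS = [
    Host("web-01",  "Bureau-A", 1, 0, 3,  0.98),
    Host("db-01",   "Bureau-A", 2, 2, 20, 0.90),
    Host("file-07", "Bureau-B", 9, 0, 0,  1.00),  # last scanned 9 days ago: stale
    Host("wks-112", "Bureau-B", 1, 1, 45, 0.75),
]

if __name__ == "__main__":
    print("\n".join(management_report(SAMPLE_HOSTS)))
```

Two design choices carry the slide's point. First, staleness is scored, not ignored: `file-07` has no findings at all, yet it receives the full penalty because nobody has measured it within the target window, which is what forces the observation cycle toward the frequency of attacks rather than the frequency of audits. Second, the report is ranked by unit rather than by control, because the audience for it is management, and a ranking that moves when a unit patches or scans is what motivates rapid change.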
Continuous Monitoring in the “Cloud”
• Cloud provider must provide evidence of continuous monitoring:
– Summary of continuous monitoring implementation—prior to engagement
– Metrics from monitoring and actions taken
• Cloud provider should be able to move quickly to improve security:
– Single provider and single control point
– Less influence from cultural resistance
Continuous Monitoring: What’s Next?
• Expand the number of controls implemented/monitored—build on initial capabilities and success
• Leverage integration of tools to achieve a true enterprise view and rapid response capability
• Decrease cycle time toward ‘real time’ monitoring (from every couple of days to single-digit seconds)
• Fully integrate security and operations to reduce the cost of operations and security
Final Thoughts
• Federal government, with industry support, can lead global improvement in cyber security
• Continuous Monitoring of security control implementation and enforcement is essential
• In the near term we must focus our efforts to make measurable progress
• A well-managed system is a harder target and costs less to operate
We Need to Stop the Bleeding—Now!
Contact Information
John M. Gilligan
703-503-3232
www.gilligangroupinc.com
NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.