Implementing Continuous Monitoring


Page 1

Implementing Continuous Monitoring
John M. Gilligan
FedTech Continuous Monitoring Webinar
December 1, 2011

Page 2

Topics

• Background
• What is continuous monitoring
• NIST and FISMA guidance
• Continuous Monitoring in the “Cloud”
• What’s next
• Final thoughts

Page 3

Government Security Environment

• We are in a cyber “war” and are losing badly!
• The IT industry has produced an inherently unsecure environment—total security is not achievable
• CIO/CISO mandates exceed time and resources available
• Cyber security is an enormously complex challenge—there are very few true experts

It is time to focus on ways to make real improvements in security

Page 4

FISMA Was Well Intended; What Was Not Working?

• Original intent was good:
  – Ensure effective controls
  – Improve oversight of security programs
  – Provide for independent evaluation
• Implementation took us off course
  – Agencies unable to assess risks
  – NIST “guidance” became mandatory
  – No auditable basis for independent evaluation
  – Grading became overly focused on paperwork
  – Failure to recognize emergence of automated tools

Bottom Line: High cost and debates about security improvements!

Page 5

Analogy of “Old” FISMA Implementation

• An ambulance shows up at a hospital emergency room with a bleeding patient
• Hospital gives inoculations for flu, tetanus, shingles, and vaccination updates
• Hospital tests for communicable diseases, high blood pressure, sends blood sample for cholesterol check, gives eye exam and checks hearing
• At some point, doctors address the cause of the bleeding

Former Policy Regarding FISMA Resulted in a Checklist Approach

Page 6

Meanwhile, the patient is bleeding to death!!

We Need Triage--Not Comprehensive Medical Care

Page 7

FISMA and NIST Guidance

• FISMA Reporting Metrics (6/1/11) requires reporting on metrics monitored on a continuous basis
• NIST SP 800-37 encourages continuous monitoring in support of certification/recertification

Policy and Guidelines recognizing benefits of Continuous Monitoring

Page 8

What is Continuous Monitoring?

• Monitor security controls at frequency of attacks
• Recognize that systems undergo continuous evolution
• Leverage automated tools*
• Focus on highest threat areas (e.g., FISMA reporting guidance, 20 Critical Controls)
• Implement management reporting to motivate rapid change (e.g., State Dept.)

* Many relevant tools are already being used to perform operations and maintenance functions
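The bullets above describe an approach rather than a mechanism, so the following is an added Python illustration (it is not code from the deck, from John Gilligan, or from any agency program) of what "monitor at the frequency of attacks" and "management reporting to motivate rapid change" look like once automated. Each control carries a re-check cadence and a threat weight; a passing result that is older than the cadence is treated as unknown rather than as a pass; results roll up into a per-organization risk score, and the cycle time actually achieved per control is compared with the cadence required, which is the measure the later "decrease cycle time" point is about. Every control name, cadence, weight, host and organization is a constructed sample value.

```python
"""Toy continuous-monitoring scorecard (added illustration, not from the deck).
Controls carry a re-check cadence (set from how often they are attacked) and a
threat weight; automated check results roll up per organization for management
reporting. All controls, cadences, weights, hosts and orgs are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed catalogue: cadence = max age of a valid check, weight = threat priority.
CONTROLS = {
    "critical_patches": {"cadence": timedelta(days=1), "weight": 10},
    "av_signatures": {"cadence": timedelta(hours=6), "weight": 6},
    "admin_accounts": {"cadence": timedelta(days=7), "weight": 8},
}
MAX_WEIGHT = sum(c["weight"] for c in CONTROLS.values())  # worst case per asset


@dataclass
class CheckResult:
    checked_at: datetime
    passed: bool


@dataclass
class Asset:
    name: str
    org: str
    checks: dict  # control name -> CheckResult; missing key = never checked


def asset_findings(asset, now):
    """Return (penalty, findings) for one asset. A control counts against it
    when the last check failed, is older than the cadence (stale), or is
    missing: a result older than the attack frequency proves nothing now."""
    penalty, findings = 0, []
    for name, ctl in CONTROLS.items():
        result = asset.checks.get(name)
        if result is None:
            status = "never_checked"
        elif now - result.checked_at > ctl["cadence"]:
            status = "stale"
        elif not result.passed:
            status = "failed"
        else:
            continue  # fresh and passing: nothing to report
        penalty += ctl["weight"]
        findings.append((asset.name, name, status))
    return penalty, findings


def org_scorecard(assets, now):
    """Per-organization 0-100 risk score (higher is worse) plus open findings,
    ordered worst organization first, as the management report."""
    per_org = {}
    for asset in assets:
        penalty, findings = asset_findings(asset, now)
        e = per_org.setdefault(asset.org, {"penalty": 0, "assets": 0, "findings": []})
        e["penalty"] += penalty
        e["assets"] += 1
        e["findings"].extend(findings)
    card = {org: {"score": round(100 * e["penalty"] / (e["assets"] * MAX_WEIGHT)),
                  "findings": e["findings"]} for org, e in per_org.items()}
    return dict(sorted(card.items(), key=lambda kv: -kv[1]["score"]))


def cycle_times(assets, now):
    """Oldest check age per control across the fleet (the cycle time actually
    achieved) against the cadence required; never-checked counts as infinite."""
    achieved = {}
    for asset in assets:
        for name in CONTROLS:
            r = asset.checks.get(name)
            age = (now - r.checked_at) if r else timedelta.max
            achieved[name] = max(achieved.get(name, timedelta(0)), age)
    return {name: {"achieved": achieved[name], "required": CONTROLS[name]["cadence"],
                   "within_cadence": achieved[name] <= CONTROLS[name]["cadence"]}
            for name in CONTROLS}


# Constructed sample fleet at a fixed clock so the results are reproducible.
NOW = datetime(2011, 12, 1, 12, 0)
SAMPLE_ASSETS = [
    Asset("web01", "bureau-a", {
        "critical_patches": CheckResult(NOW - timedelta(hours=2), True),
        "av_signatures": CheckResult(NOW - timedelta(hours=1), True),
        "admin_accounts": CheckResult(NOW - timedelta(days=2), True)}),
    Asset("db01", "bureau-a", {
        "critical_patches": CheckResult(NOW - timedelta(days=3), True),  # stale
        "av_signatures": CheckResult(NOW - timedelta(hours=1), False),  # failed
        "admin_accounts": CheckResult(NOW - timedelta(days=2), True)}),
    Asset("file01", "bureau-b", {
        "critical_patches": CheckResult(NOW - timedelta(hours=5), True),
        "av_signatures": CheckResult(NOW - timedelta(hours=7), True),  # stale
        "admin_accounts": CheckResult(NOW - timedelta(days=3), True)}),
]

if __name__ == "__main__":
    for org, entry in org_scorecard(SAMPLE_ASSETS, NOW).items():
        print(org, "risk score", entry["score"], entry["findings"])
    for name, ct in cycle_times(SAMPLE_ASSETS, NOW).items():
        print(name, "within cadence:", ct["within_cadence"])
```

The design choice worth noting is that a stale pass scores exactly like a failure: the scorecard rewards re-checking at the cadence, not merely having passed once, which is what turns a paper control into a monitored one. The per-organization ordering is the management-reporting lever; the cycle-time table shows which controls the tooling is not yet keeping up with.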

Page 9

Continuous Monitoring in the “Cloud”

• Cloud provider must provide evidence of continuous monitoring
  – Summary of continuous monitoring implementation—prior to engagement
  – Metrics from monitoring and actions taken
• Cloud provider should be able to move quickly to improve security
  – Single provider and single control point
  – Less influence from cultural resistance

Page 10

Continuous Monitoring: What’s next?

• Expand number of controls implemented/monitored—build on initial capabilities and success
• Leverage integration of tools to achieve true enterprise view and rapid response capability
• Decrease cycle time toward ‘real time’ monitoring (from every couple of days to single digit seconds)
• Fully integrate security and operations to reduce cost of operations and security

Page 11

Final Thoughts

• Federal government with industry support can lead global improvement in cyber security
• Continuous Monitoring of security control implementation and enforcement is essential
• In the near-term we must focus our efforts to make measurable progress
• A well managed system is a harder target and costs less to operate

We Need to Stop the Bleeding—Now!

Page 12

Contact Information

John M. Gilligan
[email protected]
703-503-3232
www.gilligangroupinc.com

Page 13

NIST Guidance: 1200 pages of FIPS Pubs, Special Pubs, Security Bulletins, etc.