Continuous Monitoring solutions are vital for the federal agencies when it comes to developing comprehensive cybersecurity programs. Federal Technology Insider recently spoke with Bill Billings, Federal Chief Information Security Officer for HP Enterprise Security Products, about key insights into next-generation Continuous Monitoring solutions and much more.
Q. What exactly is Continuous Monitoring and how can it help government agencies?
A. Continuous Monitoring has been used by organizations for many years. It is the process and technology used to detect compliance and risk issues associated with an organization’s financial and operational environment. Continuous Monitoring has become a major focus area in the enterprise. It is very similar to providing federal agencies with insight into compliance requirements (like FISMA and C&A), as well as offering a near-real-time way to effectively manage risk.
NIST, in SP 800-137, defines Continuous Monitoring as follows: “Information security continuous monitoring (ISCM) is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions.”
Specifically, Continuous Monitoring is the assessment and analysis of security control effectiveness and of the security status of the IT enterprise in accordance with an agency’s risk tolerance or risk management.
Security control effectiveness is measured in near real time across the IT enterprise for correctness and by how those controls meet the agency’s risk management. It is an effective and efficient process to measure if the controls implemented are in accordance with the security plan to address threats and if the security plans are adequate.
Continuous Monitoring provides situational awareness of all systems across the agency and through technology and process automation. An agency’s security status is determined using internal metrics to best convey the security posture of the agency’s information and IT enterprise. This requires an agency to maintain an understanding of threats and threat activities; assess all security controls; collect, correlate, and analyze security-related information; and provide actionable communication of security status across the agency. It also requires agency officials to actively manage risk.
Q. In your opinion, what is the state of cybersecurity and government? Are we effective at staying one step ahead of the bad guys?
A. There has been a lot of leadership across the U.S. government regarding cyber — some good and some that could be looked at again. For instance, FISMA came about in a time where compliance was misconstrued. For example, if an agency was FISMA compliant, then it was considered on some level to be more secure. Today, government leadership is beginning to encourage Continuous Monitoring, which is an extension of what will become the next version of FISMA.
In addition, the bad guys have developed business models and communities around sharing information about vulnerabilities in general, but also specifically where those vulnerabilities are in certain enterprises. There have been many healthy discussions on Capitol Hill and with the current administration about threat sharing between the public and private sectors. The discussions to date have always focused on government being the central point, hence the pushback from industry and privacy groups. A workable model may be defining what information I want to share within a community of interest. For instance, I may be willing to share specifics of an attack I’m seeing with one community, but I may not want to share the specific IP addresses, Intellectual Property or PII with another.
Q. Give us your perspective on today’s cyber threats for government.
A. We only have to look as far as the nightly news to understand today’s attempts to breach enterprises have greater sophistication, persistence, agility, complexity, and coordination. Frequently these successful attacks are supported and financed by criminal or state-sanctioned organizations.
Combine evolving threats with the almost continuously morphing IT enterprise landscape, with its new cloud, mobility, and BYOD strategies, and the flow of information is rapidly expanding, requiring more time and energy for security teams to monitor incidents and respond quickly. I’m a firm believer in, “It’s not a question of if an enterprise will have an incident, but when.” This fundamental assumption changes how the security team looks at the overall enterprise security problem. As such, Continuous Monitoring plays a key role in helping government agencies meet their cybersecurity goals.