In light of the introduction yesterday of the seminal Cyber Security Act and the Presidents OP-Ed in the WSJ: Taking the Cyberthreat Seriously.
It is time we learn a lesson from those learned by the Federal Government in Cybersecurity.
For the last 6 years the United States government has been struggling to determine how nation state and non-state hackers have bypassed perimeter defenses. After the Comprehensive National Cyber Initiative (CNCI) it was determined that most government agencies over rely on their perimeter defenses. The gauntlet was thrown down to determine how the offensive tactics utilized by the cyber intruders could inform the United States government’s defensive posture. One critical lesson was that many agencies did not test their security controls nor could they valid if these controls were working in concert with other controls and personnel to defend against the cyber onslaught. In order to improve defense in depth a mandate was issued for agencies to maintain “continuous monitoring”.
The paradigm of continuous monitoring began in the form of a memo sent from the President’s Office of Management and Budget to all heads of U.S. executive departments and agencies – it represented a leap forward taken in the name of helping these organizations adopt the practices necessary to begin gathering these types of enterprise-level security metrics. The directive issued from the highest levels of federal oversight has compelled organizations to aggressively ramp up their security testing practices. Continuous monitoring is a risk management process facilitated by people and technology to ensure overall ecosystem health, integrity and quality of service. According to NIST (National Institute of Standards and Technology) continuous monitoring has specific key tenants1:
- promote the concept of near real-time risk management and ongoing information system authorization through the implementation of robust continuous monitoring processes;
- provide emphasis on the selection, implementation, assessment, and monitoring of security controls, and the authorization of information systems;
- Establish responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems (i.e., common controls).
1 NIST, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, Special Publication 800-37 (Gaithersburg, Md.: February 2010).
Focus now must become centered on automation and embedding security into the operating system of your organization and ecosystem. If the enemy is going to shift the playing field, we must be prepared to spin the virtual chess board. To tap into the power of Web-based, mobile, and virtualization, and thus build stouter virtual castles in the sky, we must appreciate the evolution of blended threats from the simple virus of yesteryear to the virulent malware and organized cyber campaigns of 2012 (See: Security Intelligence). The cyber kill chain has dictated that we must also build dungeons within those castles. Continuous monitoring is the first step in addressing the use of intelligent metrics to empower greater cyber-situational awareness within government agencies, and represents a significant bridge between military-type assessment programs and civilian standards and risk assessment paradigms. The future of Cyber security will be grounded in continuous monitoring and the paradigm that we must increase the level of discomfort of our adversaries so that they no longer choose to expend the resources to attack and/or remain persistent within our networks. Offense must inform our cyber defense.
Trend Micro has developed a layered security platform that provides defense in depth and continuous monitoring of both traditional and virtual infrastructure: Deep Security. See: Cloud Solutions