If you work in any remote proximity to the government IT security sector, the phrase “continuous monitoring” has likely been seared into your brain over the course of the last year.
In my last job before joining RedSeal, at Core Security, I was lucky enough to work with Tom Kellermann, a former World Bank security team member who now serves on a number of influential panels including the Center for Strategic and International Studies (CSIS) Commission on Cybersecurity – and if I told you how frequently he referenced the term in highlighting key U.S. federal initiatives, you likely wouldn’t even believe me.
Here at RedSeal, we’ve also got a highly visible advisor in the government segment, except this one wears stars on his shoulders. Retired Maj. Gen. John P. Casciano is perhaps best known for his work as Air Force Director of Intelligence, Surveillance and Reconnaissance, Deputy Chief of Staff, Air and Space Operations. Today, along with advising RedSeal’s efforts, he wears the title of president and CEO of consultants GrayStar Associates LLC, and guess what? Yep, he’s big on continuous monitoring himself.
In a column published on government IT news site NextGov this week, dubbed “Cybersecurity’s Double-Edged Sword,” Casciano helps shed some light on what he sees as the true potential of continuous monitoring as spelled out in guidance released by the National Institute of Standards and Technology in June 2010, and how the concept “enables organizations to proactively identify security issues that can be mitigated or plugged in advance of cyber intrusions or attacks.”
Of the two breeds of IT security solution that government organizations have already embraced as a result of the NIST recommendations (themselves updated again earlier this week), and which will likely find their way into future versions of the Federal Information Security Management Act (FISMA), Casciano relates some doubts regarding one: adding more intrusion- and attack-detection tools.
Designed to sense attacks once they are in progress, but before they overcome a network’s defenses, these intrusion detection systems are useful in catching campaigns as they play out, but “could encourage a false sense of security,” he said, as that approach “addresses only ongoing malicious activity, while failing to address areas that are vulnerable to future attacks.”
That approach, as noted, has some value, but fails to “deal with the more proactive requirements specified in the NIST guidelines,” the Major General observes.
To Casciano, the underlying spirit of the NIST recommendations is far better represented in the form of solutions like RedSeal’s security posture management software, as such a technology “actively analyzes a network – scanning it for threats, vulnerabilities and deviations from enterprise policies – and allows managers to take action in advance of an intrusion or attack,” he writes.
This two-edged approach to continuous monitoring has also reared its head in some of the proposed cyber-security legislation introduced in recent months on Capitol Hill. While shot down earlier this week over other issues, the so-called Skelton National Defense Authorization Act for Fiscal Year 2011 offered two specific definitions for the concept (in sec. 930, page 495) that track very closely with Casciano’s outline.
The second of the two guidelines references “the automation of continuous monitoring of the effectiveness of the information security policies, procedures, and practices” within the Department of Defense via “automation of management, operational, and technical controls.”
That’s verbiage that certainly makes us feel good about what we have to offer in meeting subsequent continuous monitoring mandates that could be issued in the government sector.
Ultimately, both brands of continuous monitoring will provide significant benefits, but more proactive efforts aimed at identifying and mitigating security exposures before they can be exploited will be more important, as breaches need to be prevented before the damage is done, Casciano contends.
“The approach enables managers to plug holes and boost defenses to limit the number and intensity of intrusions. It provides deep insight into the enterprise, so security and IT managers identify and address dangerous pathways,” the expert writes in his piece.
Of course we here at RedSeal are honored to have someone like Major General Casciano endorsing our methodologies, and their output in the form of our products.
For everyone’s sake, let’s hope that those in the position to make technology decisions at some of the world’s most important organizations heed his advice.
You can bet that when he talks (or writes)… we’re certainly always listening.