Today’s ferocious cybersecurity environment is dynamic. One of the challenges that organizations, both public and private sector, have encountered in attempting to mature their IT security and risk management plans has been a lack of methods to calculate truly relevant metrics that would allow them to better understand and benchmark their security standing over time.
We know that government agencies and private-sector organizations have been devoting increasingly large amounts of time and financial resources to incorporating layered security defenses and processes across their IT infrastructure, but it has been difficult to measure overall security posture and gain the information needed for better situational awareness and a more effective response to today’s threat-ridden environment.
Last week we saw – in the form of a memo sent from the President’s Office of Management and Budget to all heads of U.S. executive departments and agencies – an important step forward in helping these organizations adopt the practices necessary to begin gathering these types of enterprise-level security metrics.
In the memo – distributed and signed by Federal Chief Information Officer Vivek Kundra and newly appointed Cybersecurity Coordinator Howard Schmidt, along with OMB Deputy Director for Management Jeffrey Zients – we see specific endorsement of this need for agencies to build and maintain security testing and measurement programs as part of their ongoing efforts to comply with the Federal Information Security Management Act of 2002 (FISMA).
This effort to engender a culture of metrics throughout enterprise security management in the federal sector echoes the findings of a report issued in Nov. 2009 by the Department of Homeland Security Science and Technology Directorate titled “A Roadmap for Cybersecurity Research” which aims to “define a national R&D agenda… to enable us to get ahead of our adversaries and produce the technologies that will protect our information systems and networks into the future.”
A critical “problem” as defined by this report is the current lack of “enterprise-level metrics” including “measures of overall system trustworthiness.”
Among the ideas and practices laid out in the new OMB directive, which is specifically issued to provide instructions for agencies in meeting their 2010 reporting requirements under FISMA, is greater weighting toward the types of security testing that will allow agencies to obtain the enterprise security metrics I reference and that the DHS Roadmap report recommends.
In section 10 of the OMB memo, in the course of calling for this more frequent and in-depth assessment of security standing, as well as “continuous monitoring activities” of the same nature, federal regulators also directly reference the need for adherence to NIST Special Publication 800-53A, which incorporates a heavy dose of proactive penetration testing to scope risk against real-world threat models.
This new directive from the highest levels of federal oversight that pushes organizations to aggressively ramp up their security testing practices is the first step in addressing the use of intelligent metrics to empower greater cyber-situational awareness within our government agencies, and represents a significant bridge between military-type assessment programs and civilian standards and risk assessment paradigms.
More comprehensive security benchmarking will be paramount to our collective success in enabling both government and private-sector organizations to understand their cybersecurity status in a manner that goes far beyond the checklist-driven approach of yesteryear.
From a company perspective, Core Security is extremely well positioned to help organizations of all kinds embrace the culture of security measurement and benchmarking both today, and in the future.
In our newly introduced CORE IMPACT Pro v10.5 offering, beyond the ability to gauge security posture in direct relation to real-world attacks via automated penetration testing, we’ve incorporated some features that specifically address the needs of government security testers, including support for the Security Content Automation Protocol (SCAP) and AES encryption as specified in FIPS 140-2, and the inclusion of the IAVA framework.
Beyond demonstrating the exploitability of particular IT systems or services, using the product to conduct testing also highlights the efficacy of the many FISMA-required controls that have to be bypassed to achieve a compromise. And the existing IMPACT Pro FISMA Noncompliance Report should prove extremely useful for carrying out the kind of benchmarking laid out in the OMB memo.
Even further, in our new enterprise security testing and measurement solution, currently under development for release later this year, we will offer an even broader, more pervasive capability for organizations to carry out automated assessment and continuous monitoring of their IT infrastructure, benchmark their standing, and use enterprise-level metrics to inform their security and risk management programs.
With the issuance of the new OMB memo, we see a major paradigm shift occurring under Kundra and Schmidt through which hard numbers will be applied to measure security performance and create better cyber-situational awareness across both government organizations and private industry.
This has to be viewed as a positive sign that we will make progress in the coming years on the issue of more effectively measuring enterprise-level IT security risk.
-Tom Kellermann, Vice President of Security Awareness