SOLUTION BRIEF
Heeding FISMA's Call for Security Metrics and Continuous Network Monitoring
Addressing FISMA Assessment Requirements Using RedSeal
November 2011
WHITE PAPER RedSeal Networks, Inc., Freedom Circle, Suite 800, Santa Clara, Tel (408) Toll Free (888)
Contents
Executive Summary: 3
Maturing Risk Visualization, Assessment and Reporting: Continuous Network Monitoring 3
OMB: Traditional Security Assessment Can't Address Change 5
Automating Security Management: Embracing Real-World Continuous Monitoring 6
The Solution: RedSeal Proactive Security Intelligence 7
Conclusions: 8
Executive Summary:

This solution brief examines the requirement for U.S. federal agencies to implement software that provides continuous monitoring of network security by the end of fiscal 2012, and to begin trending metrics on their overall security effectiveness for reporting to central management, as ordered by the White House Office of Management and Budget (OMB). The paper addresses the specific recommendations NIST has made in guiding organizations affected by the two OMB mandates, and highlights the direct applicability of RedSeal's proactive security intelligence solutions in meeting those directives. By giving agencies powerful automation to continually assess security infrastructure and to trend key metrics on their ability to maintain critical asset protection, RedSeal enables government security professionals both to address the explicit requirements of the White House directives and to embrace their underlying spirit.

Maturing Risk Visualization, Assessment and Reporting: Continuous Network Monitoring

Cyber-security officials in Washington have delivered a clear message to practitioners at every federal agency: radically advance the use of automation to audit, trend and communicate meaningful data about the effectiveness of security infrastructure. Since Congress first enacted the Federal Information Security Management Act (FISMA) in 2002, federal agencies have worked continually to interpret the standards and address them through applicable practices.

However, in recent years, as Congress has proposed and debated numerous updates to FISMA, White House officials, including Federal CIO Vivek Kundra and Cybersecurity Coordinator Howard Schmidt, have made it clear that whether or not a FISMA revamp is ever ratified, all federal agencies are expected to continue maturing their security, risk and vulnerability management efforts.
Since the beginning of 2011, the White House Office of Management and Budget has issued a handful of specific requirements, in particular calling for agencies to deploy automated mechanisms that continuously assess the efficacy of security infrastructure, as well as systems that generate quantitative metrics for reporting ongoing performance to government auditors. Guided by the National Institute of Standards and Technology (NIST), most federal agencies have already begun work to meet these demands before OMB's deadline for compliance expires at the end of fiscal.

To advance their programs rapidly and meet OMB's call for more pervasive use of automation in security infrastructure management and information reporting, federal agencies must embrace solutions that provide constant visibility into critical asset protection and generate actionable data that clearly communicates their ability to drive improvements.

[Figure: RedSeal provides advanced security performance reporting, including network security and vulnerability risk metrics. This screen shot is of RedSeal's vulnerability management dashboard and includes a variety of vulnerability risk metrics.]
OMB: Traditional Security Assessment Can't Address Change

As in the private sector, but frequently with even more serious implications, federal security professionals are more challenged than ever to respond to change in network infrastructure while stopping today's advanced attacks. As evidenced by numerous breach incidents and network intrusions at every level of government, from exposure of military members' personal information to theft of top secret war plane schematics, the constant stream of requests made of infrastructure to support operations has left practitioners struggling to adjust defenses in response.

Given this reality, whereas annual or even quarterly self-assessment of security controls was previously considered sufficient, today's environment demands near-constant auditing to ensure acceptable levels of protection. Instead of traditional reporting of operational efficiencies, such as how many vulnerabilities have been patched, audits must instead base scoring on measurement of real-world risk mitigation.

As noted in NIST's 2010 FAQ on continuous monitoring, long-standing processes, while still crucial to the overall program, fail to provide the ongoing lifecycle approach needed to handle today's ever-changing demands on infrastructure. According to NIST, continuous monitoring is vital in assessing the impact of change on information system security because it addresses other shortcomings in older auditing models, including:

- The inability to regularly determine whether all planned, required, and deployed controls across all security infrastructure continue to be effective over time, in light of inevitable changes.
- Lack of emphasis on front-end security measurements of important factors such as the likelihood that existing vulnerabilities could be exploited during attacks.
- Reliance on paper-based reporting methods that make it challenging for central auditors and management to gain a consistent read on performance trends across all federal organizations.

NIST and the OMB contend that continuous monitoring generates more timely, standardized reporting of risk via a more holistic, defense-in-depth strategy integrated into enterprise architectures and ongoing system development. When considering proposed changes or responses to emerging threats, the management officials maintain, the data produced by continuous monitoring will allow authorizing officials to make more informed decisions.
[Figure: RedSeal is the only solution to provide vulnerability risk measurement. This screen shot shows RedSeal's interactive visualization for browsing the trend of a security metric.]

Automating Security Management: Embracing Real-World Continuous Monitoring

As outlined in the 2010 memo from CIO Kundra, Cyber-Czar Schmidt and OMB Deputy Director for Management Jeffrey Zients, all agencies must, by the end of 2012, continuously monitor security-related information from across the enterprise in a manageable and actionable way. To do so, the memo continues, agencies need to automate security-related activities and acquire tools that correlate and analyze security-related information. This includes development of automated risk models for analyzing issues identified by other systems, such as vulnerability scanners. Continuous monitoring must also support FISMA assessment at a frequency that depends on risk, to ensure that remediation prioritizes fixing critical issues first. And while OMB recognizes that the assets involved will be unique to each agency, it contends that automation will nonetheless allow for consistent reporting of results.

Using solutions that overlay intelligence about network access to filter vulnerability scans, and that allow assets to be valued by organizational importance, will transform an otherwise static and occasional security control assessment into a dynamic process, OMB claims, providing important benefits including:

- The ability to identify precisely those vulnerabilities that represent risk, based on asset value and exposure to threat sources such as the Internet.
- Determination of whether an agency is applying risk-based methods to security programs and properly weighting information systems that support critical agency missions.
- Faster and less burdensome assessments of infrastructure shared among multiple agencies or managed by service providers, including the ability to share results of previous audits.

As NIST submits in its FAQ, automation can make the process of continuous monitoring more cost effective, consistent, and efficient, providing a more dynamic view of security state. By adopting solutions that continuously analyze access and trend risk based on valuation, federal advisors claim, continuous monitoring will create standardized methods for identifying and referencing threats and vulnerabilities, by which that data can be collected and shared quickly.

The Solution: RedSeal Proactive Security Intelligence

RedSeal's proactive security intelligence solutions are the only products on the market today that allow government organizations to automate continuous monitoring as outlined by NIST. With RedSeal, government agencies can address NIST's requirement to monitor the effectiveness of information security policies, procedures, and practices through automation of management, operational, and technical controls. RedSeal delivers the security monitoring and risk assessment capabilities required by government auditors to:

- Track the security state of information systems on an ongoing basis and maintain required access authorization.
- Support FISMA requirements for assessment of security controls at a frequency depending on their importance in shielding critical assets.
- Assess the security impacts on information systems resulting from planned and unplanned changes to their hardware, software, firmware, or environment of operation.

By providing a centralized, front-end risk management approach to information security, as recommended by NIST, organizations can use RedSeal to facilitate a systematic approach to assessing security controls and determining their overall effectiveness in reducing risk to the organization's operations. As continuous monitoring promises, RedSeal addresses the most cost-effective and important part of managing enterprise risk: maintaining an accurate understanding of security risks. Using RedSeal, federal agencies can isolate, trend and report key metrics about security infrastructure and its ongoing change, enabling senior officials to gauge the maturity of protection across all organizations and to evolve strategy and spending to meet important demands.
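The brief describes the approach only in prose: overlay network-access intelligence on raw scanner output, weight each finding by the value of the asset it sits on, and trend the resulting metric over time. The following is an added example, written for this page and not RedSeal's own code or product logic, of what such a risk model looks like in miniature. Every zone, access rule, host, asset value and scan finding in it is constructed, the reachability check is a deliberate simplification (a chain of rules admitting the port on every hop, with no NAT or routing), and the exposure factors 1.0/0.5/0.1 are arbitrary weights chosen for the demonstration.

```python
"""
Added example (not RedSeal's code): a toy model of the risk-based
prioritization the brief describes. Scanner findings are filtered by
whether network access rules actually expose them, weighted by asset
value, and summarized into numbers that can be trended between snapshots.
All hosts, zones, access rules and findings below are constructed.
"""
from collections import deque

INTERNET = "internet"

# Constructed access rules: (source zone, destination zone, allowed ports).
# ports == "any" admits every port on that hop.
ACCESS_RULES = [
    (INTERNET, "dmz", {80, 443}),
    ("dmz", "app", {8080}),
    ("app", "db", {5432}),
    ("corp", "app", "any"),
    ("corp", "db", {5432, 22}),
]

# Constructed asset inventory: host -> (zone, business value 1..10)
ASSETS = {
    "web01": ("dmz", 6),
    "app01": ("app", 8),
    "db01": ("db", 10),
    "wiki01": ("corp", 3),
}

# Constructed scanner output: (host, port, CVSS base score)
SCAN_FINDINGS = [
    ("web01", 443, 7.5),
    ("web01", 22, 9.8),    # high CVSS, but no rule admits 22 into the DMZ
    ("app01", 8080, 6.5),
    ("db01", 5432, 9.0),
    ("wiki01", 80, 5.0),
]


def reachable(src_zone, dst_zone, port, rules=ACCESS_RULES):
    """Breadth-first search over zones: is there a chain of rules that
    admits `port` on every hop from src_zone to dst_zone?
    Simplification: real path analysis also models NAT, routing and
    stateful return traffic."""
    seen = {src_zone}
    queue = deque([src_zone])
    while queue:
        zone = queue.popleft()
        if zone == dst_zone:
            return True
        for src, dst, ports in rules:
            if src == zone and dst not in seen and (ports == "any" or port in ports):
                seen.add(dst)
                queue.append(dst)
    return False


def exposure_factor(host, port, rules=ACCESS_RULES):
    """1.0 if the port is reachable from the Internet, 0.5 if only from
    some other internal zone, 0.1 if no rule admits it at all.
    The weights are arbitrary choices for this example."""
    zone, _ = ASSETS[host]
    if reachable(INTERNET, zone, port, rules):
        return 1.0
    internal = {src for src, _, _ in rules} - {INTERNET, zone}
    if any(reachable(z, zone, port, rules) for z in internal):
        return 0.5
    return 0.1


def score_findings(findings, rules=ACCESS_RULES):
    """Risk per finding = CVSS x asset value x exposure, highest first."""
    scored = []
    for host, port, cvss in findings:
        value = ASSETS[host][1]
        factor = exposure_factor(host, port, rules)
        scored.append((round(cvss * value * factor, 1), host, port, factor))
    return sorted(scored, reverse=True)


def risk_metrics(findings, rules=ACCESS_RULES):
    """The kind of trendable figures an auditor asks for."""
    scored = score_findings(findings, rules)
    total = sum(s for s, *_ in scored)
    exposed = sum(s for s, _, _, f in scored if f == 1.0)
    return {"total_risk": round(total, 1),
            "internet_exposed_risk": round(exposed, 1),
            "exposed_share": round(exposed / total, 2) if total else 0.0}


def trend(before, after):
    """Change in each metric between two monitoring snapshots."""
    return {k: round(after[k] - before[k], 2) for k in before}


if __name__ == "__main__":
    for row in score_findings(SCAN_FINDINGS):
        print(row)
    baseline = risk_metrics(SCAN_FINDINGS)
    # Simulate remediating the Internet-exposed web finding and re-measuring.
    patched = [f for f in SCAN_FINDINGS if (f[0], f[1]) != ("web01", 443)]
    print(baseline, trend(baseline, risk_metrics(patched)))
```

The point the model makes is the one the brief makes: the finding with the highest CVSS (SSH on web01) ranks near the bottom because no access rule reaches it, while a lower-scored finding on the Internet-facing port ranks first, and the database finding ranks equally high despite not being Internet-exposed because of its asset value. Re-running `risk_metrics` after each change and feeding the deltas from `trend` to a dashboard is what turns a one-off assessment into a monitored metric.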
Conclusions:

White House cyber-security leaders have often been criticized for a lack of oversight and influence in strategic matters that their jobs could rightly encompass, but initiatives such as continuous monitoring and the push for security metrics, now to be reviewed every month rather than once per year, should have a significant impact. As NIST observes, understanding the security state of information systems is essential in highly dynamic environments of operation with changing threats, vulnerabilities, technologies, and missions/business processes, and continuous monitoring provides essential, near real-time security status information to help senior leaders make strategic decisions. RedSeal's proactive security intelligence solutions are the only products on the market that provide the level of automated assessment and onboard trending of security performance metrics that meets regulators' true vision for continuous monitoring, allowing individual federal agencies to understand and improve their own effectiveness, and to feed data to central analysts to drive government-wide advances in security management.

About RedSeal:

RedSeal Networks develops proactive security intelligence software that enterprise organizations depend on to visualize the effectiveness of security infrastructure, maintain continuous policy compliance and protect their most critical business assets and data. Unlike systems that measure the impact of attacks after they transpire or address individual elements of network protection, RedSeal analyzes the cumulative ability of defenses to control access and mitigate vulnerability exposure across the entire enterprise, providing the critical metrics necessary to trend performance and isolating gaps before they can be discovered by hackers.

For more information on RedSeal products, please visit the company's web site at or contact RedSeal representatives directly at (888)
Copyright 2011 RedSeal Networks, Inc. All rights reserved. RedSeal and the RedSeal logo are trademarks of RedSeal Networks, Inc.