Information Security Continuous Monitoring: Charting the Right Course
CGI white paper, cgi.com

Introduction

Hacking, malware, distributed denial of service attacks, insider threats and other criminal activity are on the rise, and agencies must be prepared. Federal agency data is especially attractive: it can be used to commit fraud, to conduct surveillance on citizens and agency employees, or to steal further information, or it may simply be a trophy for an attacker who wants to show that he breached a U.S. federal agency's defenses. As these attacks increase, it is critical that agencies know where their most important data is and what the health of their networks is.

Today, nearly all of an agency's mission-critical functions depend on safe and secure information technology systems. With cyber threats constantly evolving and growing, and with government increasingly relying on technology to deliver core services, a robust cyber defense is vital. Government leaders have recognized the need for a different approach to protecting the nation's cyber infrastructure. The Department of Homeland Security's (DHS) Continuous Diagnostics and Mitigation (CDM) program is a dynamic approach to fortifying the cybersecurity of government networks and systems. CDM provides federal departments and agencies with capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize those risks by potential impact, and enable cybersecurity personnel to mitigate the most significant problems first.

This paper sets out key steps for an agency to identify its best CDM strategy, followed by best practices for program implementation.

Locking in the Right Strategy

Definition of CDM

"Information security continuous monitoring is defined as maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk management decisions. The objective is to conduct ongoing monitoring of the security of an organization's networks, information, and systems, and respond by accepting, avoiding/rejecting, transferring/sharing, or mitigating risk as situations change." (NIST Special Publication 800-137, draft, December 2010)

NIST defines the discipline as information security continuous monitoring (ISCM); DHS's CDM program is the federal civilian program that puts that discipline into practice. Managing, implementing and operationalizing CDM is about process and methodology, not just technology. It coordinates software and hardware to keep an agency's security posture strong, reducing the likelihood of a successful breach while giving business customers confidence that their most sensitive data is as secure as possible. CDM provides insight into how critical technology is performing and where it is not, which makes it possible to identify areas of high risk and to react to changing situations.

With the constant presence of cyber intrusions, advanced persistent threats and insider threats, agencies must maintain continuous awareness of their enterprise security status in order to respond quickly and effectively to external and internal threats. Manual, compliance-driven processes do not respond quickly enough to mitigate an ever-changing threat. Automated, integrated surveillance of the agency network, combined with analytics that identify the most critical areas of vulnerability, is needed to counter this challenge.

Before laying out a plan to deploy CDM, consider the following:

1. What assets require protection?
2. Who is the business owner of this data?
3. What level of protection is needed?
4. How might an asset be compromised?
5. What is the impact if protection fails?
6. What is being done today (and what is not)?

(Figure: Continuous Monitoring Process)

Step 1: Find the Gaps

The ability to identify gaps and pinpoint areas of vulnerability is key to a successful strategy. What is in place today that is effective? What could be improved? Do current processes allow for future growth and scaling to meet demand?

Recommendations

Identify systems already in use that can be applied to the CDM program. Many of the security and operational tools agencies already use to manage their networks will be part of the overall continuous monitoring solution. Identify gaps in coverage for these systems and plan to expand their use across the entire agency.

Ensure key personnel understand their roles and responsibilities. Teams must have clear guidance on which controls they need to monitor. Ensure cross-team communication so that vulnerabilities can be tracked from discovery to closure.

Develop (or enhance) an enterprise-wide risk management process. Continuous monitoring requires either a new risk management process for the organization or the enhancement of an existing one. Start with the highest-risk systems, then create templates for defining system-level risks and mitigation actions for those systems.

(Figure: NIST Risk Management Framework. Note: the RMF itself is defined in NIST SP 800-37; SP 800-53 is the security control catalog that the RMF's Select step draws from.)

Step 2: Identify the Most Important Data

Assess the most critical data in the organization, where it sits and who has access to it. Concentrate the CDM program there and develop an iterative implementation approach across the organization. Do not make the mistake of trying to apply CDM to the entire organization at once: doing so is ineffective, strains resources and risks leaving vital data open to attack while effort is spread thin. The plan can be extended across the network after the top priorities are secured.

In the end it is the data that is being protected, so the agency's data is a central component of the CDM program. Work with agency stakeholders to build understanding of the current risks associated with their data (who, and what technology, has access to it) and how CDM will help. This creates opportunities for greater buy-in among these important stakeholders.

Defense in Depth

One way to protect the most important data, once it has been identified, is the Defense in Depth model, which provides a layered defense in the network. Rather than relying on a single control to stop an attacker, the model places multiple layers of defense in the attacker's path and yields space in order to buy time. Layered controls do not make a breach impossible, but they prevent direct attacks against critical data and systems, raise the cost of an attack, and buy the organization time to detect and respond to it.

Given the complexity of information systems and networks, some ways to organize and monitor a system include:

- Local computing environment: specific components of the network
- Agency network boundary: the area where information enters or leaves the organization
- Network and infrastructure: the components that provide connectivity across the agency
- IT infrastructure: the tools and technologies used to provide security-enabled services

Source: Information Security Continuous Monitoring Working Group, October 2013

Four Best Practices for Implementation

1. Understand the Business and Technical Value

The technical value of CDM is clear: it improves monitoring, provides a clear view of network security posture, and gives the ability to track and respond to incidents. What cannot be emphasized enough is the business value of CDM. It gives agency customers the flexibility to use approved technology to be more productive and to find new, innovative ways to deliver services, while keeping systems secure and data safe. It also allows more accurate network management, reducing operating costs and the resources needed to respond to issues. To get to this point, agencies must define their program's full potential and impact across business and technical areas.

Consider the introduction of mobile devices into an agency. Accessing agency resources from a phone or tablet allows employees who travel or work in remote locations to remain productive. Instead of carrying documents around and updating information only after returning to a secure location, which costs hours of unproductive time, CDM can verify that the mobile devices connecting to the network are in a known, secure state, so information can be uploaded, shared and analyzed as soon as it is needed. This increases productivity and saves time and resources.

The agency dashboard is designed to give a more complete and accurate view of the health of the network. This information can support the business and technical case for current and new programs.

2. Secure Executive Buy-In

Implementing CDM requires employees at all levels to understand its value. However, the decision to implement CDM must be made jointly by three key stakeholders: the CIO, the CISO and senior agency leadership. Their support is critical. CDM will help manage the use of new technology for the foreseeable future, and after the initial program is operational, long-term cost and resource commitments will be needed to sustain its value. As agency executives initiate new programs, CDM can help speed the process and the adoption of new technology.

3. Implementation Maturity Model

The maturity of IT and cybersecurity varies by agency, and each will require a different level of CDM solution. Some agencies are just getting started; at others, certain aspects are already in place. To adopt the right solution, agencies must assess their level of preparedness. Several methods exist to determine an agency's maturity level. Two quality resources are NIST's Risk Management Framework and the CIS Critical Security Controls for Effective Cyber Defense. Both provide a sound outline of overall security posture.

When it comes specifically to CDM, DHS recommends starting with the following functional areas, which make up the program's first phase of capabilities:

Devices (hardware asset management, HWAM): know when a new device has come into the environment, what that device is and where it is located.

Software inventory (software asset management, SWAM): maintain an inventory of the software running in the environment, so that software can be patched appropriately or otherwise defended when no patch is available.

Configuration (configuration settings management, CSM): define baseline configurations that describe what a system should look like, so that any deviation from the baseline can be detected.

Vulnerability (vulnerability management): keep up with emerging threats and newly disclosed vulnerabilities affecting the inventoried software.
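The four functional areas above are the checks a monitoring pipeline runs on every scan cycle, and the paper's stated goal is that findings are prioritized by potential impact so the most significant problems are mitigated first. The following Python example is added here as an illustration; it is not code from the CGI paper or from the DHS CDM program. It compares one constructed scan result against a constructed authorized baseline for each of the four areas and orders the resulting findings by system impact. The baseline format, the area labels (HWAM, SWAM, CSM, VULN), the severity numbers, the impact weights, the host names and the single vulnerability-feed entry are all assumptions made for the example.

```python
"""Added example (not from the CGI paper or the DHS CDM program).

Compares one scan of the environment against an authorized baseline for
the four CDM first-phase areas (devices, software, configuration,
vulnerability) and ranks the findings by impact so the worst problems are
handled first. Baseline format, severity numbers, impact weights, host
names and the vulnerability-feed entry are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed impact weights, modeled loosely on FIPS 199 impact levels.
# Anything not in this table (for example an unknown device) gets the
# highest weight, because nothing is known about it.
IMPACT_WEIGHT = {"high": 3, "moderate": 2, "low": 1}
UNKNOWN_WEIGHT = 3


@dataclass(frozen=True)
class Finding:
    area: str        # "HWAM", "SWAM", "CSM" or "VULN" (labels chosen here)
    host: str
    detail: str
    severity: float  # assumed 1 (low) .. 10 (critical) scale
    impact: str      # impact level of the affected system, or "unknown"

    @property
    def priority(self) -> float:
        return self.severity * IMPACT_WEIGHT.get(self.impact, UNKNOWN_WEIGHT)


# Constructed baseline: authorized devices, approved software versions,
# and the settings every host is expected to carry.
BASELINE = {
    "devices": {"ws-1001", "ws-1002", "srv-db-01"},
    "approved_software": {"openssl": "1.0.1g", "nginx": "1.6.0"},
    "config": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no"},
}

# Constructed scan result, as an inventory agent or scanner might report it.
OBSERVED = [
    {"host": "ws-1001", "impact": "moderate",
     "software": {"openssl": "1.0.1g"},
     "config": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "no"}},
    {"host": "srv-db-01", "impact": "high",
     "software": {"openssl": "1.0.1f", "nginx": "1.6.0"},
     "config": {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "no"}},
    {"host": "unknown-7f3a", "impact": "unknown",
     "software": {"tftpd": "0.17"},
     "config": {"ssh.PermitRootLogin": "no", "ssh.PasswordAuthentication": "yes"}},
]

# Constructed vulnerability feed: (product, version) -> severity score.
# A real deployment would populate this from a vulnerability data source.
VULN_FEED = {("openssl", "1.0.1f"): 7.5}


def collect_findings(baseline, observed, vuln_feed):
    """Run the four checks over one scan and return the unordered findings."""
    findings = []
    seen = set()
    for host in observed:
        name, impact = host["host"], host.get("impact", "unknown")
        seen.add(name)
        # HWAM: a device that is not in the authorized inventory.
        if name not in baseline["devices"]:
            findings.append(Finding("HWAM", name, "device not in authorized inventory", 8, impact))
        # SWAM and VULN: unapproved or wrong-version software, and known-vulnerable versions.
        for product, version in host["software"].items():
            approved = baseline["approved_software"].get(product)
            if approved is None:
                findings.append(Finding("SWAM", name, f"{product} {version} is not approved software", 6, impact))
            elif version != approved:
                findings.append(Finding("SWAM", name, f"{product} {version} differs from approved {approved}", 4, impact))
            score = vuln_feed.get((product, version))
            if score is not None:
                findings.append(Finding("VULN", name, f"{product} {version} has a known vulnerability", score, impact))
        # CSM: drift from the configuration baseline (a missing setting counts as drift).
        for setting, expected in baseline["config"].items():
            actual = host["config"].get(setting)
            if actual != expected:
                findings.append(Finding("CSM", name, f"{setting} is {actual!r}, baseline requires {expected!r}", 5, impact))
    # HWAM again: an authorized device that did not report is a gap in coverage.
    for missing in sorted(baseline["devices"] - seen):
        findings.append(Finding("HWAM", missing, "authorized device not seen in this scan", 3, "unknown"))
    return findings


def prioritize(findings):
    """Highest priority first; ties broken by host and area for a stable report."""
    return sorted(findings, key=lambda f: (-f.priority, f.host, f.area))


if __name__ == "__main__":
    for f in prioritize(collect_findings(BASELINE, OBSERVED, VULN_FEED)):
        print(f"{f.priority:5.1f}  {f.area:4}  {f.host:13}  {f.detail}")
```

Run stand-alone, the report puts the unknown device at the top (an unrecognized host is treated as high impact because its impact is unknown), the known-vulnerable OpenSSL build on the high-impact database server second, and the authorized workstation that failed to report last. The compliant workstation produces no findings at all, which is the point of a baseline: the dashboard shows only drift, not everything that was scanned.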

4. Have an Implementation Plan

Response plan

A critical, yet often overlooked, part of a successful CDM implementation is a breach response plan. Having a clear and complete plan will greatly limit the damage attackers are able to inflict on agency networks. A familiar structure for coordinating a mature plan is the Computer Security Incident Response Team (CSIRT). This group includes a range of specialists who detect, respond to and fix problems, and who recommend improvements that prevent repeat attacks. The team is typically made up of:

Response team leadership: maintains roles and responsibilities so that the organization acts in concert.
Management: provides the authority to make critical decisions.
Information security: identifies, tracks, remediates and manages incident issues.
Information technology: works to confirm that the problem is mitigated and networks are secure.
Legal counsel: ensures that any evidence collected during an investigation remains usable in legal proceedings.
Public affairs: maintains an effective and credible message that accurately represents the situation to the public.

Implementation options

Agencies have several options for implementation:

1. Self-implementation with commercial off-the-shelf (COTS) or government off-the-shelf (GOTS) tools
2. Leveraging the DHS Continuous Diagnostics and Mitigation program
3. A hybrid approach that combines components of options 1 and 2

Regardless of approach, the required outcomes are the same: endpoint integrity, least privilege, infrastructure integrity, boundary protection and event management. One recommended path comes from the Federal CIO Council's Joint Continuous Monitoring Working Group, which recommends organizing the network as:

1. Local computing environment
2. Enclave boundary
3. Network and infrastructure
4. Supporting infrastructure

Once the topology of the network is developed, the following steps are recommended:

Assess: identify which parts of the network are being monitored, which are not, and how cyber operations are currently managed.

Plan: pinpoint the key resources needed to implement CDM and maintain its long-term operation. This means not only people, but also tools, technologies and processes. A strong communications plan enables an agency to set and manage expectations.

Implement: connect the impact of the implementation to current or upcoming programs. CDM is different from other cyber or IT programs: once in place, it affects cyber operations, IT infrastructure, management and customers.

Operate: consider the costs of personnel, hardware and software, then tie these costs to the business value brought to the agency. CDM is an ongoing program; it requires recurring annual expenditure to maintain effective system security and to accommodate new data and new technologies.

(Figure: Multiple agency network topology)

Conclusion

CDM can be a straightforward and comprehensive means of managing an agency's assets and information. By coordinating the first steps of the planning process, identifying the most important data and developing a comprehensive implementation and operations plan, organizations can learn to scope their security efforts efficiently. Due diligence in providing for system security and Federal Information Security Management Act (FISMA) compliance is becoming easier as new mechanisms are developed in support of this mission.

The long-term value of CDM can help an agency:

Improve risk management. Risk monitoring performed in a repeatable and sustainable manner strengthens an agency's security posture.

Optimize costs and improve effectiveness. CDM enables organizations to (1) automate controls, processes and activities to streamline operations and drive efficiencies, and (2) deploy monitoring activities that keep the network safe and prevent operations from lapsing back into inefficient patterns.

Monitor for potential fraud, theft and misconduct. Alongside codes of conduct, due diligence hotlines, whistleblower mechanisms, and investigation and remediation protocols, CDM can become a key component in detecting and preventing cyber threats.

Address regulatory pressures. A lack of visibility and transparency can develop when geographically dispersed networks and people are not well connected. CDM can help organizations draw those systems together to comply with regulations and reduce the cost of compliance.

CDM will evolve into an ongoing operational program that touches every part of the network. Implemented well, it lets agencies strengthen and widen their security posture. Maintaining ongoing awareness of information security, vulnerabilities and threats to support organizational risk management decisions is vital. Today, the U.S. government requires an agile approach that not only supports requirements across both National Security Systems and non-National Security Systems, but also allows organizations to adapt ISCM principles to meet federal and agency-specific requirements.

This overview provides initial guidance toward implementing CDM. To achieve success, federal government organizations, supported by industry partners, must work collaboratively to develop a common language, prioritized requirements, detailed technical specifications and insightful metrics to guide full implementation. These combined efforts must be leveraged to achieve efficiencies and to remain flexible enough to adapt to new threats and new methods of detection and mitigation.

About CGI

Founded in 1976, CGI is one of the largest IT and business process services providers in the world. We combine innovative services and solutions with a disciplined delivery approach that has resulted in an industry-leading track record of delivering 95% of projects on time and within budget. Our global reach, combined with our proximity model of serving clients from 400 locations worldwide, provides the scale and immediacy required to rapidly respond to client needs. Our business consulting, systems integration and managed services help clients leverage current investments while adopting technology and business strategies that achieve top and bottom line results. As a demonstration of our commitment, our client satisfaction score consistently measures 9 out of 10.

For more information, please call 703.227.6000 or email info@cgifederal.com

cgi.com
2014 CGI GROUP INC.