nCircle Federal Outlook Blog: June 2011 Archives

June 17, 2011

Magical Mystery Metrics

Advocates of expanding continuous monitoring of security controls got a great boost earlier this month with the appearance of the FY 2011 CIO FISMA Reporting Metrics. Especially interesting was the last section of the document, which asks agencies to report on their use of continuous monitoring in the areas of IDS/IPS; AV/anti-malware/anti-spyware; system logs; application logs; patch status; vulnerability scans; DNS logging; and numerous other areas. This is very exciting, especially coupled with the emergence of Security Performance Management services like nCircle Benchmark, which could help agencies deliver on these requirements using the products and solutions they are already running.

However, all of the buzz on this document seems to trace back to the SANS NewsBites announcement and posting of the document on their website. After repeated searches, I can't find this report on the DHS website at all, or from any other government source. According to SANS, "The memo stems from 2010 guidance requiring government agencies to begin moving to continuous security monitoring." So, where exactly did this document come from? What does it mean? Inquiring minds -- and all those heavily invested in helping the government meet continuous monitoring requirements -- want to know...


June 9, 2011

Where in the IPv6 world are your assets?

Here at nCircle, we watched World IPv6 Day with great interest. U.S. federal government mandates have been a long-standing driver for our focus on IPv6, as have some key commercial customers. But outside those few, it seems like most people in cybersecurity circles have their hands full with other challenges and have greater priorities than IPv6.

That's an approach that will need to change; Federal CISOs and other security executives are going to have to wrap their heads and hands around this one pretty soon. Federal agencies, because of government mandates, will end up out in front whether they are ready or not. And unfortunately, there are some security fundamentals that must change, radically, to cope with an IPv6 world. One was identified in the test yesterday, where buffer overflows and DoS conditions could result from improper or immature implementations of the protocol.

But the security challenges will be harder than just double-checking implementation details. There's a tendency to think that IPv6 is just like IPv4, only bigger. My colleague, TK, has a wonderful riff on just how much bigger IPv6 is... there's a point at which scale changes everything. Let's take just one example that's really salient in nCircle's segment of security. Traditional methods of actively scanning a network to discover and profile assets, done in hours in IPv4, would take millions of years for a single IPv6 /64 subnet (2^64 addresses, about four billion times the entire IPv4 address space) and billions of years for anything larger. Yet it will be easier than ever to hide a rogue presence. Where, indeed, are your assets?

New technologies are needed to secure this vastly larger frontier; nCircle and many others are working today to make sure that the right solutions are available. In the meantime, cybersecurity execs do have some meaningful choices they can make today. For one, they can certainly require that current asset discovery or scanning solutions at least identify IPv6-capable, and IPv6-enabled, devices resident in their IPv4 environments. After all, you probably have IPv6 in your environment today: current operating systems enable it by default, so it resides side-by-side with IPv4 on your existing devices whether or not anyone planned for it. It is hard enough to manage and secure devices you know are there... much harder if you don't...
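The two points above, the scale of an IPv6 sweep and the advice to find IPv6-enabled devices already sitting in an IPv4 environment, as an added example (not nCircle's code or tooling). It computes how long a brute-force sweep of an address block takes at an assumed probe rate, parses a constructed sample of Linux `ip -6 addr show` output to classify each interface (loopback only, link-local only, or carrying a routable address), and recovers the MAC from any SLAAC EUI-64 interface identifier, which is one reason "unscannable" hosts are still discoverable. The host, interfaces, addresses and probe rate are all hypothetical; 2001:db8::/32 is the documentation prefix.

```python
"""Added example (not nCircle code): two practical IPv6 checks for an asset inventory."""
import ipaddress
import re

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_scan_years(network, probes_per_second):
    """Years needed to send one probe to every address in `network` at a fixed rate."""
    net = ipaddress.ip_network(network, strict=False)
    return net.num_addresses / probes_per_second / SECONDS_PER_YEAR


# Constructed sample of `ip -6 addr show` on a hypothetical Linux host.
SAMPLE_IP6_ADDR = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 state UNKNOWN qlen 1000
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 2001:db8:1:2:a00:27ff:fe4e:66a1/64 scope global dynamic mngtmpaddr
       valid_lft 86335sec preferred_lft 14335sec
    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP qlen 1000
    inet6 fe80::5054:ff:fe12:3456/64 scope link
       valid_lft forever preferred_lft forever
"""

_IFACE_RE = re.compile(r"^\d+: (\S+):")
_ADDR_RE = re.compile(r"^\s+inet6 ([0-9a-fA-F:]+)/(\d+)")


def parse_ip6_addr(text):
    """Return {interface: [IPv6Address, ...]} from `ip -6 addr show` output."""
    result = {}
    current = None
    for line in text.splitlines():
        m = _IFACE_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = _ADDR_RE.match(line)
        if m and current is not None:
            result[current].append(ipaddress.IPv6Address(m.group(1)))
    return result


def eui64_to_mac(addr):
    """If the interface identifier is a modified EUI-64 (SLAAC from a MAC), return the MAC."""
    iid = addr.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":           # EUI-64 inserts ff:fe in the middle of the MAC
        return None
    first = iid[0] ^ 0x02                 # undo the universal/local bit flip
    mac = bytes([first]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in mac)


def classify(addrs):
    """loopback-only / link-local-only / routable, based on the address scopes present."""
    if any(not (a.is_loopback or a.is_link_local) for a in addrs):
        return "routable"                 # global or unique-local: reachable beyond the link
    if any(a.is_link_local for a in addrs):
        return "link-local-only"          # the IPv6 stack is live on the link even with no IPv6 plan
    return "loopback-only"


def ipv6_inventory(text):
    """Per-interface summary: classification plus any MACs exposed through EUI-64 IIDs."""
    report = {}
    for iface, addrs in parse_ip6_addr(text).items():
        macs = sorted({m for m in (eui64_to_mac(a) for a in addrs) if m})
        report[iface] = {"class": classify(addrs), "eui64_macs": macs}
    return report


if __name__ == "__main__":
    rate = 100_000  # assumed probes per second for the sweep
    hours_v4 = brute_force_scan_years("0.0.0.0/0", rate) * 365.25 * 24
    print(f"all of IPv4 at {rate}/s: {hours_v4:.1f} hours")
    print(f"one IPv6 /64 at {rate}/s: {brute_force_scan_years('2001:db8::/64', rate):,.0f} years")
    print(f"one IPv6 /48 at {rate}/s: {brute_force_scan_years('2001:db8::/48', rate):,.0f} years")
    for iface, info in ipv6_inventory(SAMPLE_IP6_ADDR).items():
        print(iface, info)
```

Any interface that reports "link-local-only" already has an IPv6 stack answering on the wire and belongs in the inventory even if the network team has no IPv6 rollout; an EUI-64 address narrows an attacker's search from 2^64 candidates to the 2^24 behind a known vendor OUI, which is why the scan-time arithmetic is a floor, not a guarantee.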

Most of the buzz around World IPv6 Day focused on function: will everything work? I hope that the numerous federal agencies participating will bring a security perspective to the experiment. What new security challenges will we face in an IPv6 world? Some speculate, but I look forward to hearing about the wide range of security issues that are identified through experiments like World IPv6 Day.


June 3, 2011

File Integrity Monitoring in the Federal Space

It's been an ongoing theme since I left federal employment for the cyber security industry -- defining the proper place of federal initiatives in my employers' overall company goals and objectives. Of course in my role as the federal advocate, I'm always looking for more investment in what my government customers need.

Some companies are heavily focused on the government sector, quick to respond to each new Federal initiative, standard, regulation or certification. Sometimes this pays off; sometimes, it's a rabbit trail. Other companies have a broad customer base, and constantly have to weigh investment in uniquely federal requirements (whether it's FIPS standards, Section 508 compliance, PIV, SCAP validation, or CyberScope compliance) against the competing demands of their commercial customers for specific improvements in product features.

I've been in both places. Both have their challenges. But I have to say that it seems to me that having a broad customer base (federal, financial, health care, energy, retail...) leads to a result that is ultimately better for *everyone* than trying to focus on the needs of just the feds - even from my perspective advocating for Federal customers. Value flows both ways.

An emerging example of federal initiatives bringing value to our commercial customers is SCAP. We are definitely seeing private companies start to take an interest in the power and flexibility that are afforded when a broad segment of security companies start to speak the same underlying language.

Another interesting example, with the value flowing the other direction, has emerged with File Integrity Monitoring. File Integrity Monitoring has been a key part of nCircle's offerings for four years, as we addressed the needs of retailers and card processors rushing to comply with the PCI Data Security Standard. File integrity monitoring is a critical component of assuring appropriate protections for sensitive credit card information, but it was a discipline that had not been widely understood or adopted in the Federal space.

That changed with the release in 2009 of NIST SP 800-53 rev 3. Agencies are starting to grasp the implications of some of the new requirements, summarized below - and now we're hearing from our Federal customers across the spectrum looking for help meeting these new objectives. Fortunately, we already can offer a solution - courtesy of our engagement with the commercial retail market.

NIST SP 800-53 rev 3 controls that bear on File Integrity Monitoring (summarized)

CP-9 - Information System Backup: The organization conducts backups of user- and system-level information and protects the confidentiality and integrity of the backup information.
SI-4 - Information System Monitoring: Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.
SI-7 - Software and Information Integrity: The information system detects unauthorized changes to software and information.

Note: the description given for SI-4 above is the PCI DSS Requirement 11.5 wording for file-integrity monitoring, which is how the practice is usually explained to Federal readers; SP 800-53 SI-4 itself is the general information system monitoring control, and under 800-53 the frequency of integrity checks is organization-defined (SI-7 enhancement 1) rather than fixed at weekly.

I'm happy to say that the current administration seems committed to leveraging the value of commercial engagement. At a TechAmerica Homeland Security Committee meeting this week, guest speaker Bruce McConnell of DHS reiterated that DHS, at least, continues to see the value in a strong commercial strategy -- using relationships and market drivers to get the cybersecurity innovation that is needed, not special buying requirements or "milspecs."

If you like, you can check out a short video about the nCircle File Integrity Monitoring solution here.


Bio

Blog: Federal Outlook
Author: Keren Cummins

Keren W. Cummins is Director, Federal Markets for nCircle. Prior to joining nCircle, Keren served in executive positions with leading federal identity management solutions providers and has served several terms in the public sector, including the Dept. of Commerce, where she was a member of the Federal Public Key Infrastructure Steering Committee (FPKI SC), and the legislative and executive branches of the State of Texas.
