Federal CIOs Moving Cybersecurity Beyond Compliance

As federal agencies struggle to keep pace with the mounting threats to their far-flung digital systems, IT professionals must move away from treating security as a compliance exercise and adopt dynamic, real-time monitoring, government CIOs said in a recent panel discussion.

In many agencies, that shift toward continuous monitoring is already well underway, as CIOs have been working to further automate their systems so that networked assets scan for and report potential security incidents.

“There was a lot of checklists focused on looking at what type of security controls needed to be implemented, what type of security controls actually were implemented,” says Simon Szykman, CIO at the Department of Commerce.

“We’re now moving toward an era of much more automated and near real-time situational awareness where we have systems that themselves are able to verify that controls are being implemented, assess the state of security across a broad infrastructure, and report in a real-time or near real-time basis a broad security posture over a big infrastructure up to decision makers,” Szykman says.

For entities within the government with IT assets positioned around the country or even globally, achieving that holistic view of the network can be a particular challenge.

[ Commentary: McAfee Offers Global Response to Nationalized Malware ]

[ More: McAfee Security Report Suggests 2014 Will Be a Rough Year ]

For instance, at the National Oceanic and Atmospheric Administration, the division of Commerce that includes the National Weather Service, IT staffers maintain a sprawling network that collects data from more than 20,000 devices. With the agency’s shift to continuous monitoring, all of the automated information logs those devices produce became centrally collected and analyzed — a round-the-clock process that scrutinizes more than 1 billion events per day, according to NOAA CIO Joe Klimavicz.

Those data points had been collected before NOAA moved to continuous monitoring about four years ago, Klimavicz says, but the agency did nothing with them. Now, with constant threat detection and analysis, NOAA’s systems block more than half a million malicious Web connections each week, according to the CIO.

“At NOAA, continuous monitoring is embedded in our enterprise-level security operations center,” Klimavicz says. “We’re able to see things that we weren’t able to see before.”

Cybersecurity ‘A Big Data Issue’ for State Department

But all that monitoring and data collection can create its own set of challenges. The State Department, for instance, maintains IT operations in more than 200 countries. Its security personnel are swimming in data points. That prompted the IT team to develop a system, dubbed continuous diagnostics and mitigation, or CDM, to sift through the clutter.

[ Analysis: Tech Industry Praises White House Cybersecurity Framework ]

[ Also: How the NIST Cybersecurity Framework Can Help Secure the Enterprise ]

“It is a big data issue. Part of it is dealing with thousands of false positives on a daily basis,” says William Lay, the State Department’s deputy CIO for information assurance. “We have hundreds of monitors, thousands of sensors. They’re all pulling data together 24/7.”

Lay continues: “We can’t afford to have an army of people watching all of these monitors, so we have to have really sophisticated tools to filter for us. But once the filtering is consistent, we really end up with a risk management model that gets the false positives down to a point that they are manageable — and we end up with useful information that leads to better decisions.”

Lay explains that the State Department designed the CDM program as a proprietary, in-house product to digest the disparate feeds from networked devices and populate a dashboard that would offer visualizations of the various security operations such as patching and virus protection.

[ Resources: Data Visualization on a Shoestring and 8 Great Sites for One-Stop Data Visualization ]

“The big key is being able to give situational awareness to both our decision makers and our system owners,” Lay says, “so they really know when they’re making risk-based decisions what it is they’re up against, whether it’s introducing new technologies or if they’re just trying to further the mission of the department.”

Now four years along, CDM has moved under the auspices of the Department of Homeland Security, which has been working to commercialize the product and is making it available to other federal agencies along with state, local and tribal governments.

Through those kinds of initiatives, the feds are looking to put the era of check-box security behind them. From the vantage point of a vendor such as the security firm Blue Coat, that shift has entailed changes in what government customers are expecting from the contractors they do business with.

“With compliance, we’ve been dealing with solutions where we’re able to pass audits. So we get a grade on whether or not our cybersecurity posture was meeting the minimum requirements for the government,” says Aubrey Merchant-Dest, Blue Coat’s director of cybersecurity strategy.

Now, Blue Coat sees attackers trying to get assets or break into a network with targeted attacks — and they can easily skate through perimeter defenses and even host defenses, Merchant-Dest says. “Bottom line: We can’t stop everything. With this new automated approach that CDM provides us, it’s in fact going to give us a better handle on cyber situational awareness.”

Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.