As they move toward a continuous monitoring model, federal security managers will still have to show compliance with government security mandates and regulations. But more fully integrating security into everyday information technology management will help ensure both compliance and systems security, according to federal security experts. And automating the gathering of data from everyday IT operations is at the heart of it.
In this interview from the second annual NSA Trusted Computing Conference in Orlando, the NSA’s Tony Sager discusses why the concepts of trusted computing are of foremost importance to the NSA and how they’re being put to work to solve the network and endpoint integrity problems faced by the public and private sector alike.
“The future has to be this--the vast majority of the data that’s created should flow as a byproduct under IT management, not as separate data,” said Tony Sager, chief operating officer for the Information Assurance Directorate at the National Security Agency. “People dream up a [Federal Information Systems Management Act], [or] this oversight and that compliance, and then say, ‘You must give me a report.’ There’s been no other way to do it. We treat it as separate thing. That’s just crazy.”
What Sager called proactive “network hygiene” will go a long way toward managing 80 to 90 percent of security issues.
“Here’s one of the great unspoken secrets of this business: the vast majority of the problems have a known solution,” he said in a discussion on NSA best practices for data security. “Believe me, a well-run network is a hard target.”
The key to better network hygiene and stronger security will be automation. “The goal is to demonstrate compliance with data generated off of IT,” Sager said. “We’ve got to automate a lot more of this stuff so we put the precious few humans we have to work on really hard problems—not patching, configurations, that kind of stuff.”
Initiatives such as Common Weakness Enumeration (CWE), a software-community project sponsored by Mitre Corp. and designed to encourage industry to create security tools, will help drive security automation. The goal of CWE is to create an online catalogue of software weaknesses and vulnerabilities, to better understand flaws in software and to create automated tools that can be employed to identify, fix and prevent those flaws.
“There are 46,600 vulnerabilities, but root causes are fewer than a thousand,” said Joe Jarzombek, director of software assurance at the Department of Homeland Security. “We [need to] attack the root cause. You still have to do all the patches because you’ve got all this legacy stuff. But simply patching for known vulnerabilities that were discovered by somebody else is just reactive,” he added. “You have to go after the root cause of common weaknesses. There are tools and services that [can do that]. Otherwise, you’re always trying to play catch up.”
Here are a couple of points to keep in mind:
- Security and astute IT management go hand in hand. “Changing this notion of security to something not that we create up front and lock forever but to something that we measure and manage is a really important conceptual change and is the underlying theme behind continuous monitoring,” Sager said.
- Compliance and policy are still important. “It’s not that compliance isn’t important,” Sager said. “It’s really important. Oversight and policy -- these things matter but they’ve been misaligned with technology. If policy says…‘protect this information because it is really important’ but it doesn’t recognize the technology paths to get there, then we’ll never get there.”