Maintaining continuous monitoring of large computer networks remains a challenge for government departments despite a Homeland Security program to supply commercial, off-the-shelf cybersecurity tools to federal agencies at no cost, two cybersecurity officials said.
Speaking in a panel at the Security through Innovation Summit, sponsored by Intel Security, Roger Greenwell, chief of cybersecurity for the Defense Information Systems Agency, underscored the logistical difficulties of maintaining a constant eye on a diverse enterprise.
The Department of Defense “is an enterprise of enterprises. Every service has their own unique way of doing things,” Greenwell said.
The proliferation of different software and legacy systems across the DoD makes traditional Continuous Diagnostics and Monitoring, or CDM, approaches such as automation difficult to apply, he added.
“What we’ve really tried to do is leverage automation, and to be honest, it’s a challenge… [DoD] is such a heterogeneous environment. We have one of everything. Someone made it, DoD bought it, and we might still be running it today.”
One solution is an appeal to the basics. The DoD Scorecard initiative, under which each service or agency within the sprawling department receives a cybersecurity grade based on its fulfillment of core security tenets, has made it easier for DISA to gauge performance and has helped hold individual services accountable for simple and effective defenses, he said.
“[The scorecard] ties back to the cyber discipline implementation plan, to get back to some of these basic principles which, if they’re taken care of, we can mitigate many of our systems from the attack surface,” Greenwell said.
But internal hurdles are only the beginning. Shaun Khalfan, Chief Systems Security Officer at DHS Customs and Border Protection, said that the growing number of third-party threats puts a large strain on CDM programs.
“We have to screen massive data: airplane manifests, millions of passengers, deliveries. We have a lot of third-party customers, and breaches are now coming from third-party entities,” Khalfan said. “With the advanced threats coming out there, how do you start to tease that out from the noise? You’re not looking for a needle in a haystack, you’re looking for a needle in a stack of needles.”
CDM is further complicated by the sheer quantity of potential security controls available, making it difficult to determine which areas to prioritize.
“We’re looking at NIST 853 family and saying, what should we be monitoring? Which of these should we be focusing [on] from a CDM perspective?” said Greenwell. “With 900 controls as part of the catalogue, we have to select controls that are most applicable — try to figure out what data is out there that can come back and give you some level of assurance that your data is under protection.”
“There’s definitely room for improvement” in the process, he added.