Nonstop monitoring of the government's cyber resources tops the wish list of managers looking to keep out invaders. Others want "black lists" that repel known invaders. Vendors in turn are stepping up with a range of offensive and defensive tools they say will secure the portals.
Step one: Out with the old.
At the SANS Institute, a Maryland-based computer security research center, research director Alan Paller said federal agencies are shifting their buying priorities when it comes to security:
• Agencies have spent billions of dollars on reports documenting the status of their systems. These certifications and accreditations are on their way out.
• Firewalls are a necessary defense, but no longer the weighty investment they once were, now that invaders have shown themselves adept at getting around the gates. "The firewall has become a steel door on a cardboard house," Paller said.
• The audit log, a cumbersome recording that tracks all system activity, sits in dusty binders. "You have it all on a big disk, but you never actually look at it," Paller said.
With these cybersecurity staples on the wane, Paller sees a range of powerful new tools on the rise. Companies like RSA and LogLogic, for example, are producing software to put those formerly static log recordings to work, analyzing activity for potential trouble signs.
Most notable is the rise of "continuous monitoring," software that watches and interprets system activity not once every three years, the reaccreditation cycle prescribed under National Institute of Standards and Technology (NIST) guidance, but every hour of every day.
Microsoft is big into this, as are McAfee/Foundstone, nCircle and NetSonar.
To understand the relevance of nonstop monitoring, consider the experience of security products vendor netForensics. The company worked with an unnamed agency to monitor cyber activity for 30 days. In that time the software logged 15 billion events, of which 3,500 appeared as potential security threats. The agency then prioritized those threats for follow-up.
"It's not that we have too little information; it's that we have too much information," said Tracy Hulver, vice president of products. With such a volume of traffic on the move, real-time feedback becomes essential. "It all boils down to situational awareness."
Noting the patterns
That awareness may go beyond what is visible to the naked eye. In addition to catching one-time attacks — a failed password, a burst of log-on attempts and so on — monitoring tools take note of small, individually innocuous events that, when added up over hours or days, form suspicious patterns a single alert rule would never trigger on.
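The triage described by netForensics (billions of events boiled down to a few thousand worth a look) and the pattern-over-time point above come down to the same piece of detection logic: group events by source, then test each source against both a burst rule and a low-and-slow rule. The following is an added example written for this article, not code from netForensics or any vendor named here. The log lines are constructed in sshd style, the thresholds (five failures in 60 seconds; five failures spread over more than an hour) are illustrative assumptions, and the severity labels are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-style syslog lines). Not from any real agency or product.
# 10.0.0.5      : six failures in five seconds, then success  -> classic burst
# 192.168.1.20  : one typo, then success                      -> benign noise
# 203.0.113.9   : one failure every two hours, six in total   -> low and slow
SAMPLE_LOG = """\
2010-03-01T08:00:01 auth sshd[1201]: Failed password for alice from 10.0.0.5 port 5001
2010-03-01T08:00:02 auth sshd[1201]: Failed password for alice from 10.0.0.5 port 5002
2010-03-01T08:00:03 auth sshd[1201]: Failed password for alice from 10.0.0.5 port 5003
2010-03-01T08:00:04 auth sshd[1201]: Failed password for alice from 10.0.0.5 port 5004
2010-03-01T08:00:05 auth sshd[1201]: Failed password for alice from 10.0.0.5 port 5005
2010-03-01T08:00:06 auth sshd[1201]: Failed password for alice from 10.0.0.5 port 5006
2010-03-01T08:00:09 auth sshd[1201]: Accepted password for alice from 10.0.0.5 port 5007
2010-03-01T08:00:10 auth sshd[1201]: pam_unix(sshd:session): session opened for user alice
2010-03-01T09:00:00 auth sshd[1210]: Failed password for bob from 192.168.1.20 port 6000
2010-03-01T09:00:30 auth sshd[1210]: Accepted password for bob from 192.168.1.20 port 6001
2010-03-01T08:15:00 auth sshd[1202]: Failed password for root from 203.0.113.9 port 40001
2010-03-01T10:15:00 auth sshd[1230]: Failed password for admin from 203.0.113.9 port 40002
2010-03-01T12:15:00 auth sshd[1251]: Failed password for oracle from 203.0.113.9 port 40003
2010-03-01T14:15:00 auth sshd[1277]: Failed password for root from 203.0.113.9 port 40004
2010-03-01T16:15:00 auth sshd[1299]: Failed password for test from 203.0.113.9 port 40005
2010-03-01T18:15:00 auth sshd[1312]: Failed password for guest from 203.0.113.9 port 40006
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_events(text):
    """Turn raw lines into structured events; lines that are not logon outcomes are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect(events, burst_n=5, burst_window=timedelta(seconds=60),
           slow_n=5, slow_span=timedelta(hours=1)):
    """Group failures by source, apply a burst rule and a low-and-slow rule, return prioritized alerts.

    Thresholds are illustrative assumptions, not vendor defaults.
    """
    failures = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "Failed":
            failures[e["src"]].append(e["ts"])

    alerts = []
    for src, times in failures.items():
        # Rule 1 (burst): sliding window over sorted timestamps. Fires when
        # burst_n failures fall inside burst_window. This is the "one-time attack".
        burst, lo = False, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > burst_window:
                lo += 1
            if hi - lo + 1 >= burst_n:
                burst = True
                break
        if burst:
            alerts.append({"src": src, "rule": "burst", "severity": "high", "count": len(times)})
            continue
        # Rule 2 (low and slow): enough failures in total, spread over at least slow_span,
        # each one innocuous on its own. Only reachable if Rule 1 did not fire.
        if len(times) >= slow_n and times[-1] - times[0] >= slow_span:
            alerts.append({"src": src, "rule": "low_and_slow", "severity": "medium", "count": len(times)})

    # Prioritize for follow-up: high severity first, then by volume.
    rank = {"high": 0, "medium": 1}
    alerts.sort(key=lambda a: (rank[a["severity"]], -a["count"]))
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    found = detect(evts)
    print(f"{len(evts)} events -> {len(found)} alerts")
    for a in found:
        print(a)
```

Run on the sample above, 16 lines become 15 logon events and two alerts: the burst from 10.0.0.5 ranks first, the six failures from 203.0.113.9 are caught only by the second rule, and bob's single typo produces nothing. The design point worth noticing is that Rule 2 needs history retained across the whole span, which is exactly why a log that is written to disk and never read cannot do this job.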
The Nuclear Regulatory Commission ran a pilot program on continuous monitoring within one of its organizations in late 2009, said chief information officer Darren Ash. The agency was looking specifically to see how monitoring could ensure security daily while still meeting long-range regulatory goals.
"The test was very much about the processes that we put in place, the testing of controls," he said. "We are asking: What are the types of things that make it less burdensome on the system owner, but still meet the requirements under the concept of [the Federal Information Security Management Act]? You want to create something that is efficient and also cost effective."
NRC is still reviewing the results of the test.
Building 'smart' defenses
Much of the work in cyber defense in recent years has been block-and-tackle stuff: Build a bigger wall, make more sophisticated algorithms to detect malicious action. Today a new, highly targeted approach is rising up in the keep-'em-out realm.
Tom Conway, director of federal business development at global security systems vendor McAfee, talks about "reputation" or "hygiene" scoring. The idea is to compile a global database of suspect URLs, IP addresses and individuals. If a vendor, say McAfee, could build such a database, it could then inform its users in real time so that they could defend themselves against these threats.
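What a reputation lookup looks like on the receiving end, as an added example written for this article and not McAfee's or any vendor's code: a small feed of scored indicators is compiled once, each outbound connection is scored against it by address range and by domain suffix, and the score maps to an action. The feed contents, the 0-100 scale, the thresholds and the helper names are all assumptions of this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed reputation feed (hypothetical indicators, not real threat data).
# Each entry: indicator, kind, score from 0 (clean) to 100 (known bad).
REPUTATION_FEED = [
    ("203.0.113.0/24", "cidr", 90),     # whole range flagged as a scanner source
    ("198.51.100.7", "ip", 60),         # single address, moderate suspicion
    ("evil.example", "domain", 95),     # covers the domain and every subdomain
    ("cdn.example.net", "domain", 20),  # shared infrastructure: low score, allowed
]

# Illustrative thresholds; a real deployment tunes these per environment.
BLOCK_THRESHOLD = 80
ALERT_THRESHOLD = 50


def compile_feed(feed):
    """Pre-parse the feed so each lookup is cheap: network objects for IPs, a dict for domains."""
    nets, domains = [], {}
    for indicator, kind, score in feed:
        if kind in ("cidr", "ip"):
            nets.append((ipaddress.ip_network(indicator, strict=False), score))
        elif kind == "domain":
            domains[indicator.lower().rstrip(".")] = score
    return nets, domains


def score_ip(ip, nets):
    """Highest score of any network containing the address; 0 if unlisted."""
    addr = ipaddress.ip_address(ip)
    return max((score for net, score in nets if addr in net), default=0)


def score_host(host, domains):
    """Suffix walk so login.evil.example inherits the score of evil.example."""
    labels = host.lower().rstrip(".").split(".")
    best = 0
    for i in range(len(labels)):
        best = max(best, domains.get(".".join(labels[i:]), 0))
    return best


def verdict(score):
    if score >= BLOCK_THRESHOLD:
        return "block"
    if score >= ALERT_THRESHOLD:
        return "alert"
    return "allow"


def check_connection(dst_ip, url=None, feed=REPUTATION_FEED):
    """Score one connection by destination address and, when present, by the URL's host."""
    nets, domains = compile_feed(feed)
    score = score_ip(dst_ip, nets)
    if url:
        host = urlsplit(url).hostname or ""
        score = max(score, score_host(host, domains))
    return {"ip": dst_ip, "url": url, "score": score, "action": verdict(score)}


if __name__ == "__main__":
    for ip, url in [("203.0.113.44", None),
                    ("198.51.100.7", None),
                    ("192.0.2.1", "http://login.evil.example/auth"),
                    ("192.0.2.1", "https://cdn.example.net/lib.js"),
                    ("192.0.2.1", None)]:
        print(check_connection(ip, url))
```

Two practical caveats the sales pitch glosses over: a feed copied to the endpoint is only as current as its last update, so the real-time claim depends on the refresh path, and shared hosting or a CDN (the 20-score entry above) means a domain score can punish a thousand innocent tenants for one bad one, which is why a low score maps to "allow" with a record rather than to a block.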
Microsoft said recently that it will build separate data center facilities — protected by biometric controls and accessible only by U.S. citizens — in an effort to win business from federal government agencies needing added security.
A few examples of other vendors' offerings:
• Dynamics Research Corp. recently announced a $15.4 million contract to help the Homeland Security Department ensure its security policies and procedures are up to date.
• Iron Bow Technologies delivers cybersecurity products and other IT tools to the IRS, FBI and other civilian and military agencies.