Greg Boison is Director of Homeland and Cyber Security at Lockheed Martin.
The 80-20 rule of information security is now widely accepted not only among cyber security professionals but among high-level executives as well. And that's certainly a sign of progress. It means that organizations are waking up to the importance of cyber hygiene, much like the medical profession realized more than 100 years ago that the vast majority of hospital-acquired infections could be prevented if doctors simply washed their hands.
But merely accepting that 80 percent of IT network vulnerabilities can be addressed with basic security controls in place today is only half the battle. Unfortunately, the actual implementation of basic cyber hygiene continues to fall short in too many instances. And that means low-level, opportunistic threats continue to cost organizations more than they should. In this post, I'll look at a few of the reasons why and what government organizations can do to improve their continuous diagnostics and mitigation (CDM) posture.
1. Tools alone are insufficient.
Perhaps the biggest impediment to CDM effectiveness that we see is the notion that tools alone can detect and defeat 80 percent of threats. While commercial off-the-shelf (COTS) tools certainly are essential components of a comprehensive cyber security solution, no single tool is a strategy by itself. Tools are most effective when they are selected and maintained to complement each other within a well-designed security plan that encompasses:
Asset awareness — performing an exhaustive inventory and continually tracking all devices and software existing on or having access to your system.
Configuration settings management & vulnerability patching — maintaining secure configuration baselines, keeping vendor patches up to date, and using scanning tools to find assets that have drifted from the baseline or lack the latest patches.
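To show what the two items above look like when they are actually wired together, here is an added Python example (not code from the original post, from Lockheed Martin, or from any CDM product). It reconciles an authoritative asset inventory against the output of a discovery and vulnerability scan: hosts seen on the network but absent from the inventory, inventoried hosts the scan never reached, packages below a minimum patch level, and settings that drift from a configuration baseline. Every address, package name, version and setting below is constructed for illustration; the scan-record format is an assumption, not any real scanner's output.

```python
"""Reconcile an asset inventory against scan results (constructed example)."""
import re
from dataclasses import dataclass, field

# Authoritative inventory: what the organisation believes is on the network (constructed).
INVENTORY = {
    "10.0.1.10": {"owner": "HR", "role": "file server"},
    "10.0.1.11": {"owner": "Finance", "role": "database"},
    "10.0.1.12": {"owner": "IT", "role": "jump host"},
}

# Minimum acceptable package versions (assumed patch baseline, constructed).
PATCH_BASELINE = {"openssh": "9.6", "openssl": "3.0.13"}

# Required settings (assumed secure-configuration baseline, constructed).
CONFIG_BASELINE = {"ssh_password_auth": "no", "smbv1": "disabled"}

# Output of a hypothetical discovery/vulnerability scan, one record per host (constructed).
SCAN_RESULTS = [
    {"ip": "10.0.1.10", "software": {"openssh": "9.6p1", "openssl": "3.0.13"},
     "config": {"ssh_password_auth": "no", "smbv1": "disabled"}},
    {"ip": "10.0.1.11", "software": {"openssh": "9.3", "openssl": "3.0.13"},
     "config": {"ssh_password_auth": "yes", "smbv1": "disabled"}},
    {"ip": "10.0.1.99", "software": {"openssh": "8.9"},  # not in the inventory at all
     "config": {"ssh_password_auth": "yes"}},
]


def parse_version(version: str) -> tuple:
    """Turn '9.6p1' into (9, 6): leading digits of each dotted component, else 0."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_below(found: str, required: str) -> bool:
    """True when the found version is older than the required minimum."""
    return parse_version(found) < parse_version(required)


@dataclass
class Findings:
    unknown_hosts: list = field(default_factory=list)  # on the network, not in inventory
    missing_hosts: list = field(default_factory=list)  # in inventory, not seen by the scan
    patch_gaps: list = field(default_factory=list)     # (ip, package, found, required)
    unassessed: list = field(default_factory=list)     # (ip, package) scan reported nothing
    config_drift: list = field(default_factory=list)   # (ip, setting, found, required)


def reconcile(inventory, scan_results, patch_baseline, config_baseline) -> Findings:
    """Compare what the scan saw with what the inventory and baselines say should be there."""
    findings = Findings()
    seen = set()
    for host in scan_results:
        ip = host["ip"]
        seen.add(ip)
        if ip not in inventory:
            findings.unknown_hosts.append(ip)
        for package, required in patch_baseline.items():
            found = host.get("software", {}).get(package)
            if found is None:
                # Absence of data is not evidence of compliance: record it separately.
                findings.unassessed.append((ip, package))
            elif version_below(found, required):
                findings.patch_gaps.append((ip, package, found, required))
        for setting, required in config_baseline.items():
            found = host.get("config", {}).get(setting)
            if found != required:
                findings.config_drift.append((ip, setting, found, required))
    # Hosts the scan never reached still need attention: they may be off, moved, or hidden.
    findings.missing_hosts = sorted(set(inventory) - seen)
    return findings


if __name__ == "__main__":
    result = reconcile(INVENTORY, SCAN_RESULTS, PATCH_BASELINE, CONFIG_BASELINE)
    for name in ("unknown_hosts", "missing_hosts", "patch_gaps", "unassessed", "config_drift"):
        print(f"{name}: {getattr(result, name)}")
```

Two design points carry the weight here. A package the scanner did not report goes into `unassessed` rather than being silently treated as patched, because an inventory gap is exactly the blind spot the first list item warns about. And the unknown host 10.0.1.99 surfaces in every category at once, which is the practical reason asset awareness comes before patching: nothing in the patch baseline can be enforced on a machine nobody knew was there.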
2. The mission matters.
Another critical aspect of an effective cyber security plan — and one that organizations often overlook — is the need to tailor a CDM strategy to the agency's unique mission requirements. The complexity of the enterprise, exposure points, stakeholder needs, threat profiles, mission criticality, hardware and software resources, and much more must be considered when designing a mission-specific CDM strategy.
3. Compliance and security are not necessarily the same thing.
Government agencies devote considerable resources to complying with National Institute of Standards and Technology (NIST) guidelines for reducing information security risk, as mandated by the Federal Information Security Management Act (FISMA). But while annual certification of policies and procedures is important and necessary, it does not always protect organizations against threats. CDM is shifting the paradigm, so that continuous security becomes a means to FISMA certification, rather than the other way around. Some estimates have placed the potential cost savings from better staging of security resources at well over $1 billion annually.
4. Automation is the key to productivity.
An effective CDM strategy includes extensive automation, which both reduces compliance costs and increases the productivity of the cyber security team. Rather than constantly "cleaning up spills," cyber analysts are able to focus on higher-level tasks that address more advanced threats.