Strengthening Security with
Continuous Monitoring
Information security has never been more critical to the
performance of U.S. government agencies and private-
sector enterprises. Today, continuous monitoring is an
indispensable component of an effective security strategy.
Real-time threats, more sophisticated attacks,
compliance requirements, and budget reductions
are converging to make continuous monitoring
an undertaking of paramount importance. Today,
organizations of every type present much larger attack
targets because more of their activities take place
online and through mobile devices. The threats to an
organization’s data and proprietary information are
constant. These are not the much-publicized raids
by amateur hackers—more and more, they include
advanced persistent threats from highly sophisticated
and well-organized sources—including foreign
governments. The vulnerabilities and threats are
multiplying and changing in real time, making the risks
to an organization’s equipment, productivity, intellectual
capital, and reputation more and more complex.
Government and private-sector organizations are
trying to keep pace with the rising threat levels.
However, they are not achieving the dynamic security
levels required because the information security
tools they use are largely static “point solutions,”
with few interconnections and little integration, and
because they often lack the benefits of a centralized,
organizationwide security strategy. Moreover,
organizations face severe operational challenges—
notably the constant pressure to do more with less
funding and fewer resources, while contending with the
demands of burdensome reporting.
What’s needed now is “always-on” vigilance and
solutions for Continuous Diagnostics and Mitigation
(CDM), to provide organizations with Continuous
Monitoring as a Service (CMaaS). The rising number
of incidents and the complexity of threats demand
greater emphasis on developing and implementing
more powerful defenses and countermeasures. In turn,
that calls for a mindset of continuous monitoring, along
with the skills and the solutions to ensure continuous
monitoring becomes part of the information security
fabric of the organization. In particular, that mindset
must evolve to support a culture of risk-based thinking
and a shift toward organizationwide views of data
management, with all the processes and techniques
that this shift involves.
Do you have the resources and the partnerships to
make continuous monitoring a reality?
Booz Allen Can Help You Improve Your
Security Posture Through Continuous
Monitoring
Booz Allen Hamilton, a leading strategy and
technology consulting firm, is the trusted partner
you need to establish and maintain a highly effective
security posture. Booz Allen’s Continuous Monitoring
solutions provide organizations with the automated
capabilities to support timely, cost-effective, risk-based
decisionmaking that uses standardized data feeds,
providing ongoing and historic situational awareness
regarding organizational assets.
Our efficient approach incorporates lessons learned
from large-scale CDM deployments, such as the
Defense Information Systems Agency (DISA), the US
Air Force, and the Department of State. As such,
we understand the complexity of designing and
implementing continuous-monitoring solutions for US
federal government organizations.
We help organizations develop prioritized plans
for implementation and adoption of a continuous
monitoring program, including incremental automation
timed to keep pace with new products, vulnerabilities,
and threats and evolving organizational capabilities. We
further ensure that a continuous-monitoring program
encompasses all monitoring needs across all CMaaS
tool and task areas, including those that cannot
immediately be automated.
With many decades of expertise in information security
compliance, risk management, monitoring, and
automation, our teams of industry professionals are
widely recognized as the experts in their fields. We
are closely aligned with the federal government’s cyber
stakeholders, and we understand how cyber programs,
from the National Cybersecurity Protection System
(NCPS) to Cyberscope, must be closely coordinated if
the security postures of .gov and .mil are to benefit
fully. And, because one size does not fit all, we tailor
solutions to your needs to reduce complexity and
enable efficient implementation—ensuring regulatory
compliance while enhancing situational awareness.
Booz Allen is the only solutions provider that brings
together the requisite skills, resources, and experience
to ensure that your continuous-monitoring solution
is implemented efficiently and matched exactly to
your needs. Our multidisciplinary approach integrates
the human capital side of continuous monitoring
with the tools and technology to achieve change.
This approach ensures a holistic solution in which
continuous monitoring is fully integrated and effectively
achieved. Our solutions are integration-ready: we
use a specification-based integration approach and
open industry standards such as Security Content
Automation Protocol (SCAP). Collectively, these
characteristics reduce integration timelines, minimize
complexity, and eliminate the problem of vendor lock-in.
In addition, the skills and approach we have developed
and fine-tuned for government clients are entirely
applicable to commercial enterprises that are ready
to recognize and incorporate the elevated levels of
security provided by continuous monitoring.
Benefits Delivered
By implementing Booz Allen’s Continuous Monitoring
solutions, your security team spends time remediating
instead of simply monitoring and reporting—proactively
and continuously improving security systems rather
than focusing only on compliance with known
security standards.
Our Continuous Monitoring solutions provide the
capability to collect, organize, analyze, and present the
data that enables effective risk-management decisions
and prioritization of the necessary actions, based on
near real-time comprehensive analysis and scoring.
Put simply, we help you to systematically address
the current status of your organization’s ability to
recognize and remediate threats and vulnerabilities.
Our solutions consistently deliver access control,
confidentiality, integrity, and availability while ensuring
that utilization of system resources and staffing
remains flexible.
Organizations that have selected Booz Allen’s
Continuous Monitoring solutions have seen lower
costs as a result of automation. Our solutions reduce
technical complexity and technical risks by using a
proven design and deployment model that provides
economies of scale with rapid deployment, reduced
IT footprint, and premium vendor pricing. It is a
comprehensive approach that meets and exceeds
the 215 defined tool operational requirements and
provides additional functionality and capabilities—for
example, Network Access Control (NAC), hardware and
software asset tagging and management, SCAP ingest,
and publishing—and is ready to meet tomorrow’s
evolving mission needs by incorporating proven
methods such as intelligent scanning and data tagging.
Users of our Continuous Monitoring solutions also
find that their situational awareness shows significant
improvement, and they are better able to pinpoint and
act on deviations from expectations while meeting
compliance objectives more easily. The net result for
decisionmakers is precise knowledge of what it takes
to prioritize the initiatives that will have the most
positive effects on their security posture.
Inside Booz Allen’s Approach
Our solutions leverage an evolving set of standards
and industry-preferred tools for security automation
capabilities—tools designed not only for traditional
data centers but also for the cloud, for mobile-
computing solutions, and to harness and exploit the
information that Big Data provides.
Booz Allen takes a realistic, phased approach to the
implementation of continuous monitoring, knowing that
every organization has its own discrete requirements,
its own mix of resources, its own state of readiness,
and its own existing security tool infrastructure.
(See the roadmap illustrated below.) This deliberate
approach enables every organization’s monitoring
capabilities to mature over time. Furthermore, it helps
organizations to manage the significant cultural shift to
risk management as a policy that involves all aspects
of confidentiality, integrity, and availability.
The earliest step involves establishing and maintaining
a continuous-monitoring program—from setting out the
strategy, vision, policies, and procedures and identifying
key stakeholders, to identifying roles and responsibilities
and assigning resources. The next step—performing
continuous monitoring—calls for designing the
appropriate infrastructure; testing, implementing, and
maintaining that infrastructure; and establishing data-
collection guidelines, all the way through to providing key
design documentation. Phase 1 should support asset
management, configuration setting compliance, and
vulnerability management. The third step of the Phase
1 activities guides the organization in institutionalizing
continuous monitoring as a managed process, paying
attention to discrete steps such as establishing process
governance, establishing executive and role-based
training programs, and placing work products under
appropriate levels of control.
Moving on to the second discrete phase, Booz Allen’s
Continuous Monitoring enables the organization to
modify its continuous-monitoring infrastructure based on
a phased approach until all requirements are satisfied,
adding support where necessary (for instance, malware
management) and designing the next release of the
infrastructure based on updated and new requirements.
This phase extends to modifying the continuous-
monitoring process based on collected improvement
information and lessons learned.
At the same time, Booz Allen is careful to incorporate
the human factors inherent in the transition to
continuous monitoring and to automation. We recognize
the importance of project leadership roles; effective,
ongoing communication throughout the organization;
and the meaningful, practical incentives that guide
“real world” behaviors in the workplace. We make sure
this is your security initiative by collaborating closely
with you throughout the phases and being a trusted
advisor to help your organization’s security practices
evolve from labor-intensive custom processes to
processes built on standardized content evaluated by
the government, vendors, testing laboratories, and the
information security community.
Exhibit 1 | Booz Allen Hamilton’s Continuous Monitoring Roadmap
Source: Booz Allen Hamilton
Phase 1: (1) Establish and Maintain a ConMon Program; (2) Perform ConMon; (3) Institutionalize ConMon as a Managed Process
Phase 2: (4) Modify the ConMon Infrastructure Based on a Phased Approach Until All Requirements Are Satisfied; (5) Modify the ConMon Process Based on Collected Improvement Information and Lessons Learned
Booz Allen’s Record Speaks for Itself
Our experience with managing and mitigating security
risks spans some of the most demanding information
security scenarios across a wide range of US
government agencies. Here is a glimpse of where we
have added significant value:
•	 Recognized as industry leader in security
measurement and process improvement
•	 Co-authored National Institute of Standards and
Technology (NIST) Information Security Continuous
Monitoring (ISCM) for Federal Information Systems
and Organizations (NIST SP 800-137); Framework
Extension: An Enterprise Continuous Monitoring
Technical Reference Architecture; NISTIR 7799
DRAFT Continuous Monitoring Reference Model
Workflow, Subsystem, and Interface Specifications;
NISTIR 7800 DRAFT Applying the Continuous
Monitoring Technical Reference Model to the
Asset, Configuration, and Vulnerability Management
Domains; NISTIR 7848 DRAFT Specification for
the Asset Summary Reporting Format 1.0; NISTIR
7802 Trust Model for Security Automation Data
(TMSAD) Version 1.0; NIST Guide for Applying the
Risk Management Framework to Federal Information
Systems (NIST SP 800-37 rev1)
•	 Contributed to ISO/IEC standards in information
security
•	 Developed comprehensive information assurance
(IA) metrics programs for civil/defense agencies
(including the Departments of State, Energy, Army,
and Agriculture)
•	 Published and presented for CSI, E-Gov IA, ISSEA,
NISSC, PSM, SSTC, NDIA, SEPG, NETSC, and ITSAC
conferences
•	 Support IT supply chain risk and software assurance
efforts
•	 Implement SCAP standards into security applications
•	 Use and develop Open Checklist Interactive Language
(OCIL) content for non-automatable controls
•	 Provide round-the-clock operations and maintenance
of a global defense infrastructure for which we
plan, provision, configure, customize, operate, and
maintain tools, sensors, and dashboards to enable
continuous-monitoring diagnostics
•	 Support the development of a solution to facilitate
Federal Information Security Management Act (FISMA)
compliance reporting called Department of Defense
(DoD) Cyberscope (DCS) and the development of
Enterprise Mission Assurance Support Service
(eMASS), which is DoD’s recommended tool for
information system certification and accreditation
Our Services
Booz Allen’s services include:
•	 Planning and business process reengineering
•	 Behavioral economics and organizational change
management
•	 Capabilities to implement all 15 CMaaS functional
areas of tools
•	 Services to support all 11 CMaaS task areas, from
order planning to tool and sensor operation and
management
•	 Training and consulting in CDM governance
•	 Modernization of security management processes
•	 Automation of compliance checking, vulnerability
management, and security measurement
•	 Increased compliance with FISMA, Office of
Management and Budget, DoD 8500.2/8510,
Payment Card Industry Data Security Standards (PCI
DSS), and other compliance requirements
•	 Use of automation to reduce cost of security by
enabling ongoing authorization and data-driven risk
management decisionmaking
•	 Security metrics and measurement development,
analysis, reporting, and visualization (dashboards)
•	 Recommendation and implementation of SCAP
technologies and tools
•	 Customization of SCAP content to help federal
agencies adapt configurations to meet their local
security policies
•	 Automation of the Federal Desktop Core
Configuration and the US Government Configuration
Baseline implementation and monitoring
•	 NIST guidance in IA metrics/performance measures
(NIST SP 800-55 and 800-80), Return on Security
Investment (ROSI) (NIST SP 800-65), NIST
Handbook (NIST 800-100), and NIST IR 7756 DRAFT
CAESARS FE
See our ideas in action at www.boozallen.com
Contact Information
George Schu
Senior Vice President
schu_george@bah.com
703-377-5001
Daryl Eckard
Principal
eckard_daryl@bah.com
703-377-7271
Lori Sparks
Principal
sparks_lori_l@bah.com
703-984-3362
About Booz Allen
To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton
publications, visit www.boozallen.com.
Booz Allen Hamilton has been at the forefront of
strategy and technology consulting for nearly a
century. Today, Booz Allen is a leading provider of
management and technology consulting services
to the US government in defense, intelligence, and
civil markets, and to major corporations, institutions,
and not-for-profit organizations. In the commercial
sector, the firm focuses on leveraging its existing
expertise for clients in the financial services,
healthcare, and energy markets, and to international
clients in the Middle East. Booz Allen offers clients
deep functional knowledge spanning strategy and
organization, engineering and operations, technology,
and analytics—which it combines with specialized
expertise in clients’ mission and domain areas to
help solve their toughest problems.
The firm’s management consulting heritage is
the basis for its unique collaborative culture and
operating model, enabling Booz Allen to anticipate
needs and opportunities, rapidly deploy talent and
resources, and deliver enduring results. By combining
a consultant’s problem-solving orientation with deep
technical knowledge and strong execution, Booz Allen
helps clients achieve success in their most critical
missions—as evidenced by the firm’s many client
relationships that span decades. Booz Allen helps
shape thinking and prepare for future developments
in areas of national importance, including
cybersecurity, homeland security, healthcare, and
information technology.
Booz Allen is headquartered in McLean, Virginia,
employs approximately 25,000 people, and had
revenue of $5.86 billion for the 12 months ended
March 31, 2012. For over a decade, Booz Allen’s
high standing as a business and an employer has
been recognized by dozens of organizations and
publications, including Fortune, Working Mother, G.I.
Jobs, and DiversityInc. More information is available at
www.boozallen.com. (NYSE: BAH)
The most complete, recent list of offices and their addresses and telephone numbers can be found on
www.boozallen.com
Principal Offices
Huntsville, Alabama
Montgomery, Alabama
Sierra Vista, Arizona
Los Angeles, California
San Diego, California
San Francisco, California
Colorado Springs, Colorado
Denver, Colorado
District of Columbia
Pensacola, Florida
Sarasota, Florida
Tampa, Florida
Atlanta, Georgia
Honolulu, Hawaii
O’Fallon, Illinois
Indianapolis, Indiana
Leavenworth, Kansas
Radcliff, Kentucky
Aberdeen, Maryland
Annapolis Junction, Maryland
Lexington Park, Maryland
Linthicum, Maryland
Rockville, Maryland
Troy, Michigan
Kansas City, Missouri
Omaha, Nebraska
Red Bank, New Jersey
New York, New York
Rome, New York
Fayetteville, North Carolina
Cleveland, Ohio
Dayton, Ohio
Philadelphia, Pennsylvania
Charleston, South Carolina
Houston, Texas
San Antonio, Texas
Abu Dhabi, UAE
Alexandria, Virginia
Arlington, Virginia
Chantilly, Virginia
Charlottesville, Virginia
Falls Church, Virginia
Herndon, Virginia
Lorton, Virginia
McLean, Virginia
Norfolk, Virginia
Stafford, Virginia
Seattle, Washington
©2013 Booz Allen Hamilton Inc.
02.065.13

More Related Content

PDF
Cyber Security Infographic
PDF
Plan for the Worst; Fight for the Best
PDF
Accenture Banking Security Index
PDF
Scalar security study2017_slideshare_rev[1]
PDF
Decoding Organizational DNA
PDF
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
PPSX
Meraj Ahmad - Information security in a borderless world
Cyber Security Infographic
Plan for the Worst; Fight for the Best
Accenture Banking Security Index
Scalar security study2017_slideshare_rev[1]
Decoding Organizational DNA
2016 Scalar Security Study: The Cyber Security Readiness of Canadian Organiza...
Meraj Ahmad - Information security in a borderless world

What's hot (20)

PDF
Website Security Statistics Report 2013
PDF
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
PDF
Technology Vision 2016 - Infographic
PDF
Securing the Digital Economy: Reinventing the Internet
PDF
How to measure your cybersecurity performance
PDF
How close is your organization to being breached | Safe Security
PPTX
Ivanti Threat Thursday for April 30
PPTX
HPE Security Keynote from Istanbul 20th Jan 2016
PDF
Mapping Application Security to Business Value - Redspin Information Security
PPTX
Trends in Information Security
PDF
2015 Energy Industry Cybersecurity Research Update
PDF
Cyber Risk Quantification | Safe Security
PDF
The Cyber Security Readiness of Canadian Organizations
PDF
State of Security Operations 2016 report of capabilities and maturity of cybe...
PPTX
Cybersecurity and Healthcare - HIMSS 2018 Survey
PDF
Websense
PPTX
Haystax Technology - About Us
PDF
Vertex_Why_Software_Non_Negotiable_WP
PPTX
Sans 20 CSC: Connecting Security to the Business Mission
PDF
Business Intelligence and Data Security for Long-Term Care Financial Professi...
Website Security Statistics Report 2013
Continuous Cyber Attacks: Engaging Business Leaders for the New Normal - Full...
Technology Vision 2016 - Infographic
Securing the Digital Economy: Reinventing the Internet
How to measure your cybersecurity performance
How close is your organization to being breached | Safe Security
Ivanti Threat Thursday for April 30
HPE Security Keynote from Istanbul 20th Jan 2016
Mapping Application Security to Business Value - Redspin Information Security
Trends in Information Security
2015 Energy Industry Cybersecurity Research Update
Cyber Risk Quantification | Safe Security
The Cyber Security Readiness of Canadian Organizations
State of Security Operations 2016 report of capabilities and maturity of cybe...
Cybersecurity and Healthcare - HIMSS 2018 Survey
Websense
Haystax Technology - About Us
Vertex_Why_Software_Non_Negotiable_WP
Sans 20 CSC: Connecting Security to the Business Mission
Business Intelligence and Data Security for Long-Term Care Financial Professi...
Ad

Viewers also liked (17)

PPTX
Boost Productivity At Work This Summer
PDF
Ephesians for Beginners - #8 - Unity of the Church
PPT
An Enlightened One Speaks To All...
PDF
大学サークル旅行 × 節約カネ子
PDF
Verilog-HDL Tutorial (11)
PDF
Anticipatory Coordination in Socio-technical Knowledge-intensive Environments...
PDF
Variable peak pricing and hedging jun 2006
PPT
καστοριά
DOCX
KPI e Metriche per i Media e la Comunicazione Commerciale
PDF
Getting started erlang
PPT
CSCM Chapter 3 strategic procurement and value chain cscm
PDF
Ajax cheat sheet
PDF
腰カラビナ そして野帳
PDF
16 Do It Yourself Tools for Social Media Management
PDF
Ephesians for Beginners - #6 - The Basis for Unity in the Church
PPTX
The legacy of paul fifth presentation 1 corinthians unity
PPTX
Introduction to high-tech entrepreneurship
Boost Productivity At Work This Summer
Ephesians for Beginners - #8 - Unity of the Church
An Enlightened One Speaks To All...
大学サークル旅行 × 節約カネ子
Verilog-HDL Tutorial (11)
Anticipatory Coordination in Socio-technical Knowledge-intensive Environments...
Variable peak pricing and hedging jun 2006
καστοριά
KPI e Metriche per i Media e la Comunicazione Commerciale
Getting started erlang
CSCM Chapter 3 strategic procurement and value chain cscm
Ajax cheat sheet
腰カラビナ そして野帳
16 Do It Yourself Tools for Social Media Management
Ephesians for Beginners - #6 - The Basis for Unity in the Church
The legacy of paul fifth presentation 1 corinthians unity
Introduction to high-tech entrepreneurship
Ad

Similar to Strengthening Security with Continuous Monitoring (20)

DOCX
Continuous monitoring is a critical part of the risk management proc.docx
PPTX
Developing a Continuous Monitoring Action Plan
PDF
How Do You Define Continuous Monitoring?
PDF
Why Continuous Monitoring is Crucial for Effective Cybersecurity.pdf
PDF
Bit defender ebook_secmonitor_print
PDF
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
PDF
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
PDF
Information Security Continuous Monitoring within a Risk Management Framework
PDF
Continuous Control Monitoring_ Ensuring Business Security and Compliance.pdf
PDF
Issues with Ingesting/Staging/Analyzing Data in ConMon Implementation
PPTX
Presentation1.pptx
PDF
Continuous monitoring strategy_guide_072712
PPTX
Continual Monitoring
PDF
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
PPTX
Implementing Continuous Monitoring
PDF
Continuous Monitoring and Real Time Risk Scoring
PDF
Achieving Compliance Through Security
PPTX
Introduction-to-Monitoring-and-Detection.pptx
PDF
Building the Next Generation ISAC-- A Blueprint for Success
PDF
cyberready-solutions
Continuous monitoring is a critical part of the risk management proc.docx
Developing a Continuous Monitoring Action Plan
How Do You Define Continuous Monitoring?
Why Continuous Monitoring is Crucial for Effective Cybersecurity.pdf
Bit defender ebook_secmonitor_print
IIA GAM CS 8-5: Audit and Control of Continuous Monitoring Programs and Artif...
CS 8-5_Audit and Control of Continuous Monitoring Programs and Artificial Int...
Information Security Continuous Monitoring within a Risk Management Framework
Continuous Control Monitoring_ Ensuring Business Security and Compliance.pdf
Issues with Ingesting/Staging/Analyzing Data in ConMon Implementation
Presentation1.pptx
Continuous monitoring strategy_guide_072712
Continual Monitoring
CyberM3 Business Enablement: Cybersecurity That Empowers Your Business with C...
Implementing Continuous Monitoring
Continuous Monitoring and Real Time Risk Scoring
Achieving Compliance Through Security
Introduction-to-Monitoring-and-Detection.pptx
Building the Next Generation ISAC-- A Blueprint for Success
cyberready-solutions

More from Booz Allen Hamilton (20)

PDF
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
PDF
Examining Flexibility in the Workplace for Working Moms
PDF
The True Cost of Childcare
PDF
Booz Allen's 10 Cyber Priorities for Boards of Directors
PDF
Inaugural Addresses
PDF
Military Spouse Career Roadmap
PDF
Homeland Threats: Today and Tomorrow
PDF
Preparing for New Healthcare Payment Models
PDF
The Product Owner’s Universe: Agile Coaching
PDF
Immersive Learning: The Future of Training is Here
PDF
Nuclear Promise: Reducing Cost While Improving Performance
PDF
Frenemies – When Unlikely Partners Join Forces
PDF
Booz Allen Secure Agile Development
PDF
Booz Allen Industrial Cybersecurity Threat Briefing
PDF
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
PDF
CITRIX IN AMAZON WEB SERVICES
PDF
Modern C4ISR Integrates, Innovates and Secures Military Networks
PDF
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
PDF
Women On The Leading Edge
PDF
Booz Allen Field Guide to Data Science
You Can Hack That: How to Use Hackathons to Solve Your Toughest Challenges
Examining Flexibility in the Workplace for Working Moms
The True Cost of Childcare
Booz Allen's 10 Cyber Priorities for Boards of Directors
Inaugural Addresses
Military Spouse Career Roadmap
Homeland Threats: Today and Tomorrow
Preparing for New Healthcare Payment Models
The Product Owner’s Universe: Agile Coaching
Immersive Learning: The Future of Training is Here
Nuclear Promise: Reducing Cost While Improving Performance
Frenemies – When Unlikely Partners Join Forces
Booz Allen Secure Agile Development
Booz Allen Industrial Cybersecurity Threat Briefing
Booz Allen Hamilton and Market Connections: C4ISR Survey Report
CITRIX IN AMAZON WEB SERVICES
Modern C4ISR Integrates, Innovates and Secures Military Networks
Agile and Open C4ISR Systems - Helping the Military Integrate, Innovate and S...
Women On The Leading Edge
Booz Allen Field Guide to Data Science

Recently uploaded (20)

PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
GamePlan Trading System Review: Professional Trader's Honest Take
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
cuic standard and advanced reporting.pdf
PDF
Review of recent advances in non-invasive hemoglobin estimation
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
PDF
solutions_manual_-_materials___processing_in_manufacturing__demargo_.pdf
PDF
Electronic commerce courselecture one. Pdf
PPTX
Cloud computing and distributed systems.
PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
PDF
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
PDF
Per capita expenditure prediction using model stacking based on satellite ima...
PDF
Advanced Soft Computing BINUS July 2025.pdf
PDF
Advanced IT Governance
PDF
Modernizing your data center with Dell and AMD
“AI and Expert System Decision Support & Business Intelligence Systems”
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Advanced methodologies resolving dimensionality complications for autism neur...
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
GamePlan Trading System Review: Professional Trader's Honest Take
Dropbox Q2 2025 Financial Results & Investor Presentation
cuic standard and advanced reporting.pdf
Review of recent advances in non-invasive hemoglobin estimation
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
solutions_manual_-_materials___processing_in_manufacturing__demargo_.pdf
Electronic commerce courselecture one. Pdf
Cloud computing and distributed systems.
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
[발표본] 너의 과제는 클라우드에 있어_KTDS_김동현_20250524.pdf
Per capita expenditure prediction using model stacking based on satellite ima...
Advanced Soft Computing BINUS July 2025.pdf
Advanced IT Governance
Modernizing your data center with Dell and AMD

Strengthening Security with Continuous Monitoring

  • 1. Strengthening Security with Continuous Monitoring 1 Information security has never been more critical to the performance of U.S. government agencies and private- sector enterprises. Today, continuous monitoring is an indispensable component of an effective security strategy. Real-time threats, more sophisticated attacks, compliance requirements, and budget reductions are converging to make continuous monitoring an undertaking of paramount importance. Today, organizations of every type present much larger attack targets because more of their activities take place online and through mobile devices. The threats to an organization’s data and proprietary information are constant. These are not the much-publicized raids by amateur hackers—more and more, they include advanced persistent threats from highly sophisticated and well-organized sources—including foreign governments. The vulnerabilities and threats are multiplying and changing in real time, making the risks to an organization’s equipment, productivity, intellectual capital, and reputation more and more complex. Government and private-sector organizations are trying to keep pace with the rising threat levels. However, they are not achieving the dynamic security levels required because the information security tools they use are largely static “point solutions,” with few interconnections and little integration, and because they often lack the benefits of a centralized, organizationwide security strategy. Moreover, organizations face severe operational challenges— notably the constant pressure to do more with less funding and fewer resources, while contending with the demands of burdensome reporting. What’s needed now is “always-on” vigilance and solutions for Continuous Diagnostics and Mitigation (CDM), to provide organizations with Continuous Monitoring as a Service (CMaaS). 
The rising number of incidents and the complexity of threats demand greater emphasis on developing and implementing more powerful defenses and countermeasures. In turn, that calls for a mindset of continuous monitoring, along with the skills and the solutions to ensure continuous monitoring becomes part of the information security fabric of the organization. In particular, that mindset must evolve to support a culture of risk-based thinking and a shift toward organizationwide views of data management, with all the processes and techniques that this shift involves. Do you have the resources and the partnerships to make continuous monitoring a reality? Booz Allen Can Help You Improve Your Security Posture Through Continuous Monitoring Booz Allen Hamilton, a leading strategy and technology consulting firm, is the trusted partner you need to establish and maintain a highly effective security posture. Booz Allen’s Continuous Monitoring solutions provide organizations with the automated capabilities to support timely, cost-effective, risk-based decisionmaking that uses standardized data feeds, providing ongoing and historic situational awareness regarding organizational assets. Our efficient approach incorporates lessons learned from large-scale CDM deployments, such as the Defense Information Systems Agency (DISA), the US Air Force, and the Department of State. As such, we understand the complexity of designing and implementing continuous-monitoring solutions for US federal government organizations. We help organizations develop prioritized plans for implementation and adoption of a continuous monitoring program, including incremental automation timed to keep pace with new products, vulnerabilities, and threats and evolving organizational capabilities. We further ensure that a continuous-monitoring program encompasses all monitoring needs across all CMaaS tool and task areas, including those that cannot immediately be automated. 
With many decades of expertise in information security compliance, risk management, monitoring, and automation, our teams of industry professionals are widely recognized as the experts in their fields. We are closely aligned with the federal government’s cyber stakeholders, and we understand how cyber programs, from the National Cybersecurity Protection System (NCPS) to Cyberscope, must be closely coordinated if the security postures of .gov and .mil are to benefit fully. And, because one size does not fit all, we tailor solutions to your needs to reduce complexity and enable efficient implementation—ensuring regulatory compliance while enhancing situational awareness.

Booz Allen is the only solutions provider that brings together the requisite skills, resources, and experience to ensure that your continuous-monitoring solution is implemented efficiently and matched exactly to your needs. Our multidisciplinary approach integrates the human capital side of continuous monitoring with the tools and technology to achieve change. This approach ensures a holistic solution in which continuous monitoring is fully integrated and effectively achieved.

Our solutions are integration-ready: we use a specification-based integration approach and open industry standards such as Security Content Automation Protocol (SCAP). Collectively, these characteristics reduce integration timelines, minimize complexity, and eliminate the problem of vendor lock-in. In addition, the skills and approach we have developed and fine-tuned for government clients are entirely applicable to commercial enterprises that are ready to recognize and incorporate the elevated levels of security provided by continuous monitoring.

Benefits Delivered

By implementing Booz Allen’s Continuous Monitoring solutions, your security team spends time remediating instead of simply monitoring and reporting—proactively and continuously improving security systems rather than focusing only on compliance with known security standards.
Our Continuous Monitoring solutions provide the capability to collect, organize, analyze, and present the data that enables effective risk-management decisions and prioritization of the necessary actions, based on near real-time comprehensive analysis and scoring. Put simply, we help you to systematically address the current status of your organization’s ability to recognize and remediate threats and vulnerabilities. Our solutions consistently deliver access control, confidentiality, integrity, and availability while ensuring that utilization of system resources and staffing remains flexible. Organizations that have selected Booz Allen’s Continuous Monitoring solutions have seen lower costs as a result of automation. Our solutions reduce technical complexity and technical risks by using a proven design and deployment model that provides economies of scale with rapid deployment, reduced IT footprint, and premium vendor pricing. It is a comprehensive approach that meets and exceeds the 215 defined tool operational requirements and provides additional functionality and capabilities—for example, Network Access Control (NAC), hardware and software asset tagging and management, SCAP ingest, and publishing—and is ready to meet tomorrow’s evolving mission needs by incorporating proven methods such as intelligent scanning and data tagging. Users of our Continuous Monitoring solutions also find that their situational awareness shows significant improvement, and they are better able to pinpoint and act on deviations from expectations while meeting compliance objectives more easily. The net result for decisionmakers is precise knowledge of what it takes to prioritize the initiatives that will have the most positive effects on their security posture. 
Inside Booz Allen’s Approach

Our solutions leverage an evolving set of standards and industry-preferred tools for security automation capabilities—tools designed not only for traditional data centers but also for the cloud, for mobile-computing solutions, and to harness and exploit the information that Big Data provides.

Booz Allen takes a realistic, phased approach to the implementation of continuous monitoring, knowing that every organization has its own discrete requirements, its own mix of resources, its own state of readiness, and its own existing security tool infrastructure. (See the roadmap illustrated below.) This deliberate approach enables every organization’s monitoring capabilities to mature over time. Furthermore, it helps organizations to manage the significant cultural shift to risk management as a policy that involves all aspects of confidentiality, integrity, and availability.

The earliest step involves establishing and maintaining a continuous-monitoring program—from setting out the strategy, vision, policies, and procedures and identifying key stakeholders, to identifying roles and responsibilities and assigning resources.

The next step—performing continuous monitoring—calls for designing the appropriate infrastructure; testing, implementing, and maintaining that infrastructure; and establishing data-collection guidelines, all the way through to providing key design documentation. Phase 1 should support asset management, configuration setting compliance, and vulnerability management.

The third step of the Phase 1 activities guides the organization in institutionalizing continuous monitoring as a managed process, paying attention to discrete steps such as establishing process governance, establishing executive and role-based training programs, and placing work products under appropriate levels of control.
Moving on to the second discrete phase, Booz Allen’s Continuous Monitoring enables the organization to modify its continuous-monitoring infrastructure based on a phased approach until all requirements are satisfied, adding support where necessary (for instance, malware management) and designing the next release of the infrastructure based on updated and new requirements. This phase extends to modifying the continuous-monitoring process based on collected improvement information and lessons learned.

At the same time, Booz Allen is careful to incorporate the human factors inherent in the transition to continuous monitoring and to automation. We recognize the importance of project leadership roles; effective, ongoing communication throughout the organization; and the meaningful, practical incentives that guide “real world” behaviors in the workplace. We make sure this is your security initiative by collaborating closely with you throughout the phases and being a trusted advisor to help your organization’s security practices evolve from labor-intensive custom processes to processes built on standardized content evaluated by the government, vendors, testing laboratories, and the information security community.

Booz Allen’s Record Speaks for Itself

Our experience with managing and mitigating security risks spans some of the most demanding information security scenarios across a wide range of US government agencies.
Here is a glimpse of where we have added significant value:

• Recognized as industry leader in security measurement and process improvement
• Co-authored National Institute of Standards and Technology (NIST) Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations (NIST SP 800-137); Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture; NISTIR 7799 DRAFT Continuous Monitoring Reference Model Workflow, Subsystem, and Interface Specifications; NISTIR 7800 DRAFT Applying the Continuous Monitoring Technical Reference Model to the Asset, Configuration, and Vulnerability Management Domains; NISTIR 7848 DRAFT Specification for the Asset Summary Reporting Format 1.0; NISTIR 7802 Trust Model for Security Automation Data (TMSAD) Version 1.0; NIST Guide for Applying the Risk Management Framework to Federal Information Systems (NIST SP 900-37 rev1)
• Contributed to ISO/IEC standards in information security
• Developed comprehensive information assurance (IA) metrics programs for civil/defense agencies (including the Departments of State, Energy, Army, and Agriculture)
• Published and presented for CSI, E-Gov IA, ISSEA, NISSC, PSM, SSTC, NDIA, SEPG, NETSC, and ITSAC conferences
• Support IT supply chain risk and software assurance efforts
• Implement SCAP standards into security applications
• Use and develop Open Checklist Interactive Language (OCIL) content for non-automatable controls
• Provide round-the-clock operations and maintenance of a global defense infrastructure for which we plan, provision, configure, customize, operate, and maintain tools, sensors, and dashboards to enable continuous-monitoring diagnostics
• Support the development of a solution to facilitate Federal Information Security Management Act (FISMA) compliance reporting called Department of Defense (DoD) Cyberscope (DCS) and the development of Enterprise Mission Assurance Support Service (eMASS), which is DoD’s recommended tool for information system certification and accreditation

Exhibit 1 | Booz Allen Hamilton’s Continuous Monitoring Roadmap (Source: Booz Allen Hamilton)
Phase 1: (1) Establish and Maintain a ConMon Program; (2) Perform ConMon; (3) Institutionalize ConMon as a Managed Process
Phase 2: (4) Modify the ConMon Infrastructure Based on a Phased Approach Until All Requirements Are Satisfied; (5) Modify the ConMon Process Based on Collected Improvement Information and Lessons Learned

Our Services

Booz Allen’s services include:

• Planning and business process reengineering
• Behavioral economics and organizational change management
• Capabilities to implement all 15 CMaaS functional areas of tools
• Services to support all 11 CMaaS task areas, from order planning to tool and sensor operation and management
• Training and consulting in CDM governance
• Modernization of security management processes
• Automation of compliance checking, vulnerability management, and security measurement
• Increased compliance with FISMA, Office of Management and Budget, DoD 8500.2/8510, Payment Card Industry Data Security Standards (PCI DSS), and other compliance requirements
• Use of automation to reduce cost of security by enabling ongoing authorization and data-driven risk management decisionmaking
• Security metrics and measurement development, analysis, reporting, and visualization (dashboards)
• Recommendation and implementation of SCAP technologies and tools
• Customization of SCAP content to help federal agencies adapt configurations to meet their local security policies
• Automation of the Federal Desktop Core Configuration and the US Government Configuration Baseline implementation and monitoring
• NIST guidance in IA metrics/performance measures (NIST SP 800-55 and 800-80), Return on Security Investment (ROSI) (NIST SP 800-65), NIST Handbook (NIST 800-100), and NIST IR 7756 DRAFT CAESARS FE

See our ideas in action at www.boozallen.com

Contact Information

George Schu, Senior Vice President, schu_george@bah.com, 703-377-5001
Daryl Eckard, Principal, eckard_daryl@bah.com, 703-377-7271
Lori Sparks, Principal, sparks_lori_l@bah.com, 703-984-3362
About Booz Allen

To learn more about the firm and to download digital versions of this article and other Booz Allen Hamilton publications, visit www.boozallen.com.

Booz Allen Hamilton has been at the forefront of strategy and technology consulting for nearly a century. Today, Booz Allen is a leading provider of management and technology consulting services to the US government in defense, intelligence, and civil markets, and to major corporations, institutions, and not-for-profit organizations. In the commercial sector, the firm focuses on leveraging its existing expertise for clients in the financial services, healthcare, and energy markets, and to international clients in the Middle East. Booz Allen offers clients deep functional knowledge spanning strategy and organization, engineering and operations, technology, and analytics—which it combines with specialized expertise in clients’ mission and domain areas to help solve their toughest problems.

The firm’s management consulting heritage is the basis for its unique collaborative culture and operating model, enabling Booz Allen to anticipate needs and opportunities, rapidly deploy talent and resources, and deliver enduring results. By combining a consultant’s problem-solving orientation with deep technical knowledge and strong execution, Booz Allen helps clients achieve success in their most critical missions—as evidenced by the firm’s many client relationships that span decades. Booz Allen helps shape thinking and prepare for future developments in areas of national importance, including cybersecurity, homeland security, healthcare, and information technology.

Booz Allen is headquartered in McLean, Virginia, employs approximately 25,000 people, and had revenue of $5.86 billion for the 12 months ended March 31, 2012. For over a decade, Booz Allen’s high standing as a business and an employer has been recognized by dozens of organizations and publications, including Fortune, Working Mother, G.I. Jobs, and DiversityInc. More information is available at www.boozallen.com. (NYSE: BAH)

The most complete, recent list of offices and their addresses and telephone numbers can be found on www.boozallen.com

Principal Offices

Huntsville, Alabama; Montgomery, Alabama; Sierra Vista, Arizona; Los Angeles, California; San Diego, California; San Francisco, California; Colorado Springs, Colorado; Denver, Colorado; District of Columbia; Pensacola, Florida; Sarasota, Florida; Tampa, Florida; Atlanta, Georgia; Honolulu, Hawaii; O’Fallon, Illinois; Indianapolis, Indiana; Leavenworth, Kansas; Radcliff, Kentucky; Aberdeen, Maryland; Annapolis Junction, Maryland; Lexington Park, Maryland; Linthicum, Maryland; Rockville, Maryland; Troy, Michigan; Kansas City, Missouri; Omaha, Nebraska; Red Bank, New Jersey; New York, New York; Rome, New York; Fayetteville, North Carolina; Cleveland, Ohio; Dayton, Ohio; Philadelphia, Pennsylvania; Charleston, South Carolina; Houston, Texas; San Antonio, Texas; Abu Dhabi, UAE; Alexandria, Virginia; Arlington, Virginia; Chantilly, Virginia; Charlottesville, Virginia; Falls Church, Virginia; Herndon, Virginia; Lorton, Virginia; McLean, Virginia; Norfolk, Virginia; Stafford, Virginia; Seattle, Washington

©2013 Booz Allen Hamilton Inc. 02.065.13