In recent years, the State Department has found itself in a dangerous IT environment, much like many other agencies. Cybersecurity incidents at the department nearly quadrupled from 2008 to 2010, creating a need for heightened defenses, and the threat has only grown since then.
“We’re into an area where the kind and the quality of our defensive cybersecurity is more important than ever,” says John Streufert, the former chief information security officer at the State Department.
State addressed the threat by implementing an ambitious program to monitor the department’s cybersecurity posture. Knowing what the department’s IT assets are, where they are, and what’s protecting them helps the IT security staff understand how to best address the myriad threats they face.
With its assets accounted for, the next step was assessing what level of risk each organization faced. The department established a score card that gave organizations within State a letter grade based on how they addressed security risk. As the program evolved, the department tweaked the rating system. If security officials were more concerned about a problem, they could increase its grading weight, encouraging IT managers to focus attention on it.
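To make the grading mechanism concrete, here is a small weighted scorecard in the spirit of the one described above. This is an added illustration, not the department's own code or data; the finding categories, weights, grade thresholds and the two sample bureaus are all constructed assumptions.

```python
# Constructed finding categories and their default weights (assumed; the
# article gives no figures). Raising a weight makes that category count more.
DEFAULT_WEIGHTS = {"vulnerability": 1.0, "patch": 1.0, "antivirus": 1.0, "config": 1.0}

# Letter-grade bands on weighted risk points per monitored host (assumed).
GRADE_BANDS = [(2.0, "A"), (4.0, "B"), (8.0, "C"), (16.0, "D")]


def org_score(findings, hosts, weights=DEFAULT_WEIGHTS):
    """Weighted risk points per host for one organization.

    findings: dict mapping category -> count of open findings
    hosts:    number of monitored systems the organization owns
    Normalizing by host count keeps large and small bureaus comparable.
    """
    if hosts <= 0:
        raise ValueError("an organization must have at least one monitored host")
    raw = sum(weights.get(cat, 1.0) * count for cat, count in findings.items())
    return raw / hosts


def letter_grade(score):
    """Map a per-host risk score onto a letter grade; anything past the last band is F."""
    for ceiling, grade in GRADE_BANDS:
        if score < ceiling:
            return grade
    return "F"


def scorecard(orgs, weights=DEFAULT_WEIGHTS):
    """Return {org: (rounded score, grade)} for every organization."""
    result = {}
    for name, (findings, hosts) in orgs.items():
        score = org_score(findings, hosts, weights)
        result[name] = (round(score, 2), letter_grade(score))
    return result


# Constructed sample data: (open findings by category, monitored hosts).
SAMPLE_ORGS = {
    "bureau-a": ({"vulnerability": 40, "patch": 10, "antivirus": 0, "config": 5}, 20),
    "bureau-b": ({"vulnerability": 5, "patch": 2, "antivirus": 8, "config": 1}, 10),
}

if __name__ == "__main__":
    print("default weights:  ", scorecard(SAMPLE_ORGS))
    # Security officials worried about antivirus coverage triple its weight;
    # bureau-b's outstanding antivirus findings now cost it a grade.
    print("antivirus x3:     ", scorecard(SAMPLE_ORGS, dict(DEFAULT_WEIGHTS, antivirus=3.0)))
```

With the default weights bureau-b earns an A and bureau-a a B; tripling the antivirus weight drops bureau-b to a B while bureau-a, with no antivirus findings, is unchanged.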
The result is a program that monitors more than 100,000 systems, throughout the United States and in more than 200 countries.
“A program of well-structured continuous monitoring using these techniques resulted in a factor-of-10 reduction of risk at the State Department in just the first 12 months of use,” says Streufert, who earlier this year left the department to become head of the Homeland Security Department’s National Cybersecurity Division.
The program’s success was recognized when it received a 2011 U.S. National Cybersecurity Innovation Award from the SANS Institute, a security research and education organization.
State uses a number of software products to carry out tasks such as vulnerability scanning, vulnerability management and compliance monitoring. “State used existing tools and antivirus systems, and that’s a good way to go about it,” said Greg Wilshusen, director of information security issues at the Government Accountability Office, which audited the program last year.
Among the tools that State uses in its continuous monitoring program are Microsoft Active Directory and software products from McAfee Foundstone and Tenable Network Security.
“When these tools are deployed properly, you can collect details which empower technical managers for targeted daily attention to remediation,” Streufert says. “We found that lowering risk was both feasible and fast
“There’s a constant stream of new information about threats, vulnerabilities and remediation. You must have continuous situational awareness of this information and your own environment to securely manage your systems.”
— Tony Sager, Chief Operating Officer, NSA’s Information Assurance Directorate
“We’re looking to monitor our environment on a continual basis — regular, recurring monitoring of how things are going.”
— John “Rick” R. Walsh, Chief of Emerging Technologies, U.S. Army
“The increase of attacks is something that is being seen across every organization, and we’ve got to be able to monitor the situation and our security posture at the speed of these attacks.”
— John Gilligan, President of the Gilligan Group and former CIO of the Air Force