SecurityWeek

Network Security

Continuous Monitoring and the Confusion It Causes

I just finished two weeks of travel – part in Washington DC, part at a Wall Street conference. In both arenas, continuous monitoring is a hot topic. But, as so often happens, the two communities don’t seem to agree on what the words mean. Disconnects on this point aren’t just a semantic detail – in a world of FISMA reform and increasing pressure for federal oversight of “critical infrastructure,” misunderstandings can cause major problems. I find most people agree that whatever we eventually decide that we mean by critical infrastructure, we know that our bank accounts, retirement savings and investment accounts are very much part of it. Disagreements about how to protect them are not a nice situation.

“Continuous monitoring” is a two-word phrase, and the disagreements I’ve run into focus on two points – what does “monitoring” mean, and yes, you guessed it, what does “continuous” mean? In this article, I’m going to focus on what kind of monitoring we should be talking about – I’ll get back to the point about what continuous means in another piece.

The Feds get credit for inventing the phrase continuous monitoring, or at least for picking it as the label for the major effort under way to reform FISMA compliance. If you don’t work in a major federal agency, you may not know much about this, but if you work in any company doing business with the government or manage systems likely to be classified as critical infrastructure, you will care. FISMA started out as a heavyweight, paperwork-centric audit process. The good news is the folks at NIST and OMB are pushing to fix this broken process – no more mountains of three-ring binders produced every three years and already wrong by the time the ink is dry. The big push is for automation – an area where the Fed can claim some serious achievements over the last 10+ years. For one example of unheralded success, look into the SCAP standards – an effort that has substantially changed the economics of inter-product integration. OK, a 10-year effort to agree on long lists of identification numbers is hardly sexy, but the tidal effect has been profound – just too slow to pick up media attention.

This has been a glacial process, but immensely powerful and capable of completely reshaping the landscape. And it’s all been heading in the same direction – automation. Automation of what? Of security, naturally, but it’s not that simple. Not all security problems are immediately amenable to computer automation. Imagine a live, human attacker trying to defeat a computer defender. Who wins? Given time, the human will win. We are creative, inventive creatures and we find ways to think outside the box – something computers never do (literally or figuratively). So what these efforts are automating is the assessment of controls – measuring whether you’re actually doing what you meant to do, or what best practices say you should do before an attacker strikes. This is the smart play. It applies the right tool, which is automation, to the right problem, which is the truly atrocious state of our defensive posture.

So when I’m in DC talking to intelligence, military or civilian agencies, they all understand that Continuous Monitoring means applying automation to the assessment of defenses. The documents which define what you’re supposed to do (e.g., NIST SP 800-37) have a clear focus on proactive risk management, before the bad guys strike.

But as I saw again in my recent travel, Wall Street firms and other highly security-conscious organizations outside the Fed seem to equate continuous monitoring with “buy more live sensors.” That’s not what the Feds are doing, or at most it’s a minor sub-area. Think of it like this: installing video cameras to watch your barn door is fine, but as you review footage showing a horse thief waving to you on the way out, you rapidly realize that what you’re doing is not risk management. Risk management, of the kind the Feds are quite rightly promoting, amounts to checking the barn, realizing the door is open, and closing it.

So the Feds and Wall Street disagree about what monitoring means – or at least as they use the term, they are thinking about different things. That’s dangerous. On balance, I think the Feds have it right – 80 percent emphasis on risk management, on automation ahead of the attack, and 20 percent on making sure you have detection mechanisms in place. Nobody is suggesting you don’t need sensors – video cameras on the barn door. The point is simply that you should make sure you didn’t leave the door wide open first!
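To make the distinction concrete, here is an added example in Python; it is not code from the column, nor any agency's SCAP tooling. It assesses a constructed host inventory against a small baseline of controls (is the barn door open?) and, separately, runs a sensor-style detection over constructed sshd log lines (is someone walking out with the horse?). The host names, control identifiers, port lists and log lines are all invented for illustration; the only point is that the assessment would have flagged `db01` before the log ever recorded a successful password login to it.

```python
"""Added example: control assessment ("check the barn door") versus
sensor detection ("watch the barn door"). All data below is constructed."""
import re

# Constructed inventory: what each host's configuration actually is right now.
HOSTS = {
    "web01": {"ssh_password_auth": False, "open_ports": {22, 443}, "patch_level": 42},
    "db01": {"ssh_password_auth": True, "open_ports": {22, 3306, 5432}, "patch_level": 37},
    "jump01": {"ssh_password_auth": False, "open_ports": {22}, "patch_level": 42},
}

# Baseline: what we meant to do. Hypothetical values chosen for the example.
BASELINE_PATCH_LEVEL = 40
ALLOWED_PORTS = {"web01": {22, 443}, "db01": {22, 5432}, "jump01": {22}}

# Each control is a predicate over (host name, host config); True means compliant.
CONTROLS = {
    "ssh-no-password-auth": lambda name, cfg: not cfg["ssh_password_auth"],
    "only-approved-ports": lambda name, cfg: cfg["open_ports"] <= ALLOWED_PORTS[name],
    "patch-level-current": lambda name, cfg: cfg["patch_level"] >= BASELINE_PATCH_LEVEL,
}


def assess_controls(hosts, controls):
    """Risk-management side: return {host: [failed control ids]} for every host
    that has drifted from the baseline. Runs before any attacker shows up."""
    findings = {}
    for name, cfg in hosts.items():
        failed = [cid for cid, check in controls.items() if not check(name, cfg)]
        if failed:
            findings[name] = failed
    return findings


# Constructed sshd log lines, in the usual syslog shape (RFC 5737 test addresses).
AUTH_LOG = """\
Jun 03 01:12:40 db01 sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jun 03 01:12:44 db01 sshd[2211]: Failed password for root from 203.0.113.9 port 51022 ssh2
Jun 03 01:12:49 db01 sshd[2211]: Accepted password for root from 203.0.113.9 port 51022 ssh2
Jun 03 01:13:02 web01 sshd[919]: Accepted publickey for deploy from 192.0.2.15 port 40110 ssh2
"""

# Matches only password-based sshd results; public-key logins are left alone.
LOG_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)"
)


def detect_password_logins(log_text):
    """Sensor side: return (host, user, source) for each successful password
    login. By the time this fires, the thief is already waving from the road."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("result") == "Accepted":
            hits.append((m.group("host"), m.group("user"), m.group("src")))
    return hits


def prevention_gap(hosts, controls, log_text):
    """Join the two views: for each detection, list the controls that were
    already failing on that host, i.e. the open door the sensor is now filming."""
    findings = assess_controls(hosts, controls)
    return [
        (host, user, src, findings.get(host, []))
        for host, user, src in detect_password_logins(log_text)
    ]


if __name__ == "__main__":
    for host, failed in assess_controls(HOSTS, CONTROLS).items():
        print(f"[assessment] {host}: failing {', '.join(failed)}")
    for host, user, src, failed in prevention_gap(HOSTS, CONTROLS, AUTH_LOG):
        print(f"[detection]  {host}: password login as {user} from {src}; "
              f"controls already failing: {failed or 'none'}")
```

The assessment pass needs no sensor data at all: it reads configuration and reports drift, which is the work that SP 800-37-style risk management asks you to automate first. The detection pass is still worth having, but note what it tells you about `db01`: the successful password login was possible because a control the assessment had already flagged was left open.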
