The nation's critical information infrastructure faces a threat landscape of increasing menace. Adversaries are bringing to bear attack methods of greater complexity, impact, and stealth than have ever been seen. With more of the nation's work being conducted on computer systems and networks, the security of these systems and the data they contain has never been more important. Unfortunately, the models that private and public sector organizations use today result in an inconsistent approach to securing these assets, at best, and a complete failure in the face of motivated attackers, at worst.
This is further highlighted by the fact that seemingly not a day goes by without news that yet another organization has suffered an intrusion into its information technology systems. These intrusions occur even within organizations that are compliant with so-called ‘industry best practices,’ maintain defense-in-depth, employ rigorous patching regimens, perform annual audits, provide user security awareness training, and so on. Each year the Office of Management and Budget issues a report to Congress on the implementation of the Federal Information Security Management Act of 2002 (FISMA). Many of the organizations covered by that report, while “Certified and Accredited,” have still suffered very serious attacks and loss of data from many different types of incidents.
As additional background, current approaches for addressing these problems can be divided into an Administration and Compliance (AC) component and a Threat Awareness, Assessment and Mitigation (TAAM) component. Administration and Compliance is the sum of all the activities most people would identify as common information security practices within an enterprise. It consists of, for example, designing and deploying systems so that they are hardened against attack, deploying intrusion detection and prevention systems, using anti-virus software, being FISMA, PCI-DSS or ISO 27000 compliant, and so on. While this is often the entirety of most organizations' practice of information security, it is often insufficient.
Threat Awareness, Assessment and Mitigation (TAAM) is the practice of gathering intelligence on potential threats to an organization, analyzing those threats, and producing deployable and actionable mitigation strategies rapidly enough to counter them. This often requires very broad and deep visibility into the threat landscape and demands highly specialized and expensive skill sets such as malware reverse engineering, network forensics, system vulnerability analysis, and system exploitation, all working together to provide a proactive posture against emerging threats both internal and external to the organization. Most organizations find it difficult or impossible to justify the expense and complexity of developing a sophisticated TAAM capability, but also find it difficult to outsource this function due to a fragmented market for these services. The end result is a focus on Administration and Compliance because it is manageable, measurable, and is what is required by various information security control frameworks and so-called best practice systems.
The “.gov” network consists of an estimated 2500 egress and ingress points to the Internet. This porous perimeter allows adversaries to exploit and compromise the critical information infrastructure of the United States with relative ease. Currently, each Federal agency operates much like an independent enterprise, and thus there is little uniformity in systems, architectures, and capabilities. Each agency controls and maintains its own security procedures and technology to prevent intrusions, with predictably mixed results. Additionally, the level of complexity within IT environments has increased as a result of the rapid pace of change enabled by emerging technologies such as virtualization and the wide variety of devices connecting to enterprise networks. These factors further complicate the requirement to maintain secure environments.
FISMA, among other things, provides a framework of best practices for civilian agencies to operate government information systems in a secure manner. FISMA, coupled with detailed controls and procedure guidance from the National Institute of Standards and Technology (NIST), is intended as a best practices security standard analogous to those found in the private sector such as the ISO 27000 series or the Payment Card Industry Data Security Standard (PCI DSS). A successful security standard may not only describe a set of controls appropriate to the perceived threat and collection of assets being defended (which FISMA does) but also measure the “effectiveness” of those controls for actually improving the information security posture (which FISMA does not). Additionally, there may be accountability either explicitly delineated in the standard or implicitly via market consequences or externally imposed penalties. In other words, FISMA and the accompanying NIST controls focus almost exclusively on AC and do not require any TAAM capability within Federal agencies. This half-solution is mirrored in the private sector as well in the ISO 27000 series and PCI-DSS standards.
Another hallmark of reactive Administration and Compliance postures is a reliance on signature-based systems such as intrusion detection/prevention systems and conventional anti-virus and anti-malware systems. These systems have a role in effective information system security, namely rapid, organization-wide detection once a threat has been identified by a proactive TAAM practice. Naively relying on them to detect previously unseen attacks (so-called 0-day exploits), however, not only leaves organizations completely blind to the attack but can also induce a false sense of security perpetuated by blissful ignorance. This misuse of the technology leaves organizations with a brittle information security posture that collapses in the face of new and emerging attack techniques. Adversaries know this and plan their attacks accordingly.
In a threat environment that sees rapid evolution, often on the order of weeks and months, Federal procurement cycles on the order of years have little hope of fielding technology and solutions that can be relevant to the conflict.