Skip to content

Information Security: You’re (Finally!) Doing It Right

February 7, 2011

Last month, the U.S. Office of Management and Budget issued a memorandum referencing a previous OMB publication (OMB M-11-06, “Wikileaks – Mishandling of Classified Information”) and a previously-issued Executive Order (13526, “Classified National Security Information”) regarding the latest mania to seize the federal government: the potential of another Wikileaks-style event.

As anyone who hasn’t been living under a proverbial rock for the past few months knows, Wikileaks was recently provided (and reposted to the public) over 250,000 classified documents by one or more persons inside the federal government.  While the feds believe they may have identified the perpetrator of this Wikileaks incident, agencies across the spectrum – military, intelligence, and civilian – are scrambling to ensure that they have the necessary controls in place to know if, when, and how someone attempts to exfiltrate confidential data outside of the environment, and (hopefully… gulp…) detect and prevent the problem in real time, rather than after a leak has occured, global news coverage has been issued, and the need to find someone to blame inside the affected agency becomes acute.

Speaking on behalf of the information security community, let me say two things: first, “Excellent idea!” Second, “It’s about time.” For the past twenty years, federal agencies have been told that information security is about two things: data classification; and protecting the perimeter.  For somewhat less than twenty years, that was also pretty good advice.  But with the advent of technologies such as small removable media (e.g., flash storage), the increasing prevalence of mobile devices, and the legion of malware (such as spear phishing) that crawls across e-mail, social media, and other communication tools every single day, users — whether intentionally trying to conduct malfeasance or not – are increasing security risks. The traditional perimeter of the organization has been equaled in criticality by the perimeter of the user, and all of the personal technologies at his or her disposal.

So what can the OMB — and indeed, the rest of the federal government – do to mitigate this ever-growing threat?  Here are some ideas:

  • Better regulations to address situational awareness. Regulations, best practices, and standards need to better address the potential for internal threat, and true situational awareness — having complete, real-time visibility across all security data, not just events – is the best way to help solve the problem.  NIST is doing a fine job of starting to tackle requirements for continuous monitoring (a key requirement of situational awareness, which is being defined in NIST SP 800-137, still currently in draft), but agencies will need to take this to heart, and dig deep to find the technologies, personnel, and budget dollars to make this happen.
  • Correlation is the key. As we at eIQ have been saying for years, without the ability to correlate different types of security information together — from event-based data, to real-time asset and configuration changes, network traffic data, known vulnerabilities, file integrity, removable media status, and other data – real situational awareness cannot be achieved.
  • Let business requirements — not vendors – drive technology decisions. We in vendor-land have no shortage of ability to throw around hubris, FUD, and “we’re-all-you-need!”-isms.  But the reality is, every federal agency, office, and installation is different, and consequently, the technologies needed to achieve continuous monitoring and situational awareness will vary.  Agencies need to have access to many different point technologies — SIEM, DLP, IDS/IPS, endpoint security, configuration assessment and auditing, network traffic analysis, etc. – but they also need access to tools that can pull in data from these different tools, and derive real intelligence from the data.

Will we see another Wikileaks headline splashed across CNN, Fox News, the Huffington Post, et. al., anytime soon?  Only time will tell.  But with the increasing number of emboldened Wikileaks-type organizations that are popping up every day — à la Openleaks – the outlets for this type of [journalism? social commentary? mayhem? treason? insert your term here…] aren’t going away anytime soon.

The perimeter is dead.  Long live the perimeter!

No comments yet

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: