Page 26 - FCW, August 2017

CYBERSECURITY
THE KEY TO CYBER SURVIVAL
Continuous monitoring can help agencies navigate an increasingly complex
threat landscape.
MIKE POULOS
TECHNICAL DIRECTOR OF U.S. FEDERAL, QUALYS
FEDERAL AGENCIES need to adopt new approaches to help them quickly and efficiently keep pace with the astronomical number and ever-growing variety of cyber threats.
Agencies can’t possibly manually crunch all the information necessary to keep pace with this threat environment. The key to success is establishing a continuous monitoring program built on automation, consolidation, and sound governance. Automation is the only way to reduce the load on IT professionals and help them focus on mission-critical tasks.
Agencies should move away from running a hodgepodge of disparate solutions that cover asset inventory, vulnerability management, policy compliance, and certificate management, to name a few. They should instead adopt suites of tightly integrated tools and use cloud-based managed services to enable rapid, efficient, real-time analysis of critical functions.
These efforts should lead to a continuous monitoring approach based on automated tools easily configured to perform the necessary analytics and report relevant information to the appropriate users so they can act quickly and make sound decisions. Continuous monitoring should also include scanning the agency’s infrastructure at least once per day. There are readily available tools to ensure compliance with the National Institute of Standards and Technology’s 800 series or the Center for Internet Security’s top 20 critical security controls.
Along the way, agencies shouldn’t overlook the opportunity to seamlessly integrate their web application security tools, including malware detection, web application scanning, and web application firewalls. They should incorporate security requirements into websites and applications while they are being developed and have them continuously tested.
At the heart of all those activities is a better understanding of the level of risk individual agencies face. That requires a process for repeatable risk assessments and audits that cover everyone involved, including employees, contractors, and other external partners.
Agencies must be proactive and conduct ongoing risk assessment. They must move away from spreadsheets and manual data collection to an automated workflow that tracks progress, enables organization-wide campaigns, establishes a baseline for the agency’s current risk posture, and conducts trend analysis on where the agency is headed.
Existing cloud services, managed services, and security assessment questionnaires can help. The most efficient tools stay up-to-date with regulatory changes and coordinate with third-party audits.
Fortunately, agencies also have access to the Federal Risk and Authorization Management Program (FedRAMP), a clearinghouse of cloud service providers that have each gone through an extensive security review process. The importance of FedRAMP can’t be overstated. Agencies should rely on that government-wide, standardized approach to security assessments and continuous monitoring as they adopt cloud products and services.
From a governance perspective, today’s threat landscape requires CIOs and CISOs to work closely on all aspects of information and operational security. New tools that seamlessly work across functional areas help foster closer collaboration between the information security and network administration teams, which will benefit individual agencies and the government as a whole.
Ultimately, governance policies should be built around a management framework that lets agencies accept a certain level of risk while understanding it’s impossible to defend an entire infrastructure in today’s boundary-less mobile work environment.
Mike Poulos is technical director of U.S. federal at Qualys.
SPONSORED CONTENT