“Worst First”. This was the theme I took away from the IT Security Automation Conference (ITSAC) earlier this month in Baltimore. ITSAC is a really worthwhile event for any federal IA professional. It focuses heavily on automated continuous controls monitoring, incident response, and SCAP.
The “worst first” message was the thread that held the sessions together (at least the ones I attended – there were four separate tracks). As I mentioned in my last blog, so many silver-bullet security solutions come and go. Sometimes they are new tools or technologies; sometimes it is a new process or regulation. It is nice to hear something as humble, pragmatic, and unpretentious as: find the worst, scariest risk and fix it, when that’s done find the next one and do the same, rinse and repeat, ad infinitum. What?! Who are you and what have you have done with my federal IA community?
It points out that we have not only matured in our technology but in our culture. There are, of course, a few assumptions for this to work. 1) We have to be able to do a reasonable job of discovering and understanding our risks. 2) We also have to know how to rank and prioritize our risks to know which are worst. The first point means improving our tools and skills: deploying better sensors in higher numbers and getting better intelligence from them using SCAP to more specifically identify platforms, vulnerabilities, and configurations. The second point is about finding a way for scoring and grading risks, including the use of SCAP specifications like CVSS and CCSS which assign severity levels. State Department was cited many times, as a pioneer of continuous monitoring, as an example of how quickly and drastically risk can be reduced by attacking the right (worst) things in the right order – quintessential Pareto 80/20…
I’m sold. Let’s do it!
Federal FY2013 will be a huge year for IA transformation: the first FedRAMP systems, the DHS CMaaS offerings, 800-53 Rev 4, DIA RMF… it will be a busy and exciting year!
Send me your thoughts, challenges, or questions on these issues. email@example.com