Frank Konkel published an article recently in Federal Computing Weekly, highlighting the need, and challenges, of continuous monitoring to improve cybersecurity. The broader context of that article is clear to me, but explaining it takes a bit of background.
I spent the first years of my career in the U.S. Air Force. The most formative were with the Air Force Information Operations Center and the 92d Aggressor Squadron – the Air Force’s Red Team. “Red Teams” are federal-speak for penetration testers.
What made Air Force penetration testers unique is the tight feedback loop to operations and management. After every engagement, there was a detailed after-action review with both local and global network defenders to find tactical changes to close identified gaps. Semi-annual reports to senior leaders identified strategic changes, those impractical or impossible to address tactically. As a confident (read: cocky) young captain with a solid command of U.S. Air Force networks, their vulnerabilities and the art of exploitation, I gave great strategic briefs.
In 2003, the Air Force was still coming to grips with the inevitability of compromise. Many senior leaders were dedicated to the hamster wheel of patch and vulnerability management, confident that if we could just keep ourselves patched, we could keep the intruders out. At the same time, the attackers we now call “The APT” were incredibly active – compromising Air Force networks daily.
My overall strategic message of the time was the inevitability of compromise. I pushed hard that we could never completely prevent all intrusions and that we must shift investments from prevention to detection and response.
I remember one briefing clearly. It was to the senior acquisition official in charge of the entire Air Force IT budget. At the end of my brief, he remarked “I believe you, son. I have $XXM to spend next year on USAF IT infrastructure and security is priority number one. Tell me what to buy to fix this and I’ll do it.”
Excited at the opportunity to make a real impact on the Air Force network defense posture, we initiated a detailed evaluation of the industry’s product offerings. After weeks of study, we found no enterprise-class solutions available from industry. We recommended that the budget not go to products, but instead to people and processes, in order to shore up the technology shortfalls with more manpower until industry caught up.
The gap between Air Force security operations needs and the industry’s product line was incredibly frustrating. It’s taken 10 years, but I am delighted to report things are starting to change.
As more organizations are targeted by intruders, those organizations are learning the lessons the Air Force learned 10 years ago. That “education” is translating into widespread demand for enterprise-class information security products that recognize the inevitability of compromise and focus not just on prevention, but also on detection and response. These products are being driven by a newly emerging model for information security operations that embraces detection and response as part of daily operations.
NIST’s new Framework for Improving Critical Infrastructure Cybersecurity uses the framework I saw first from the Air Force circa 2006: a continuous cycle of Identification, Protection, Detection, Response and Recovery.
(Figure caption, NIST Cybersecurity Framework: “Functions organize basic cybersecurity activities at their highest level. These Functions are: Identify, Protect, Detect, Respond, and Recover.”)
Gartner’s new Adaptive Security Architecture calls the cycle Prediction, Prevention, Detection, and Response. They advocate for organizations to adopt a model of continuous detection and response.
At Bit9 + Carbon Black, we use a more focused model of prevention, detection and response.
All three of us are using different terminology, but the underlying message is the same: we can no longer “set-and-forget” static protections, but must instead incorporate detection and response as continuous business processes. As the Air Force, the federal government and defense contractors learned 10 years ago, it is time to accept the inevitability of compromise. We must recognize our currently-accepted best practices for managing information security are outdated, and together identify new technologies and processes to protect our data.
Supporting this new operational model is the reason we built Carbon Black. It is us doing our part to fill one technology gap: continuous detection and response. Our recent merger with Bit9 completes the last major part of the information security operational lifecycle: together, we have a single, integrated platform to support continuous operations.
With that context, re-read Frank Konkel’s article in Federal Computing Weekly. The challenges he highlights arise because the federal information security teams are trying to develop their own enterprise-class security products. They are trying to use system administration and application debugging logs for security needs. They are discovering the challenge of software: it’s hard, especially at enterprise scale. None of this is their fault; they are doing the best they can with the resources they have. Fault lies at our feet, the information security industry’s, for failing to ship products that meet their needs.
Both Bit9 and Carbon Black continuously monitor hosts in your network, recording the critical data you need to support your operations. We do this with modest data requirements, even at enterprise-scale. It’s possible because our products are purpose-built for the now-emerging model of continuous operations the federal information security world has followed for ten years. When you embrace a model of continuous operations, building products that support continuous monitoring becomes natural.
Bit9 + Carbon Black is the product I’ve wanted for 10 years, since that senior Air Force official thumped this cocky Captain in the chest and asked what he should buy. It was too early then, but the time for that product is now. The products from Bit9 + Carbon Black are us doing our part to support this newly emerging operational model and advance the industry.
What are you doing?