Government // Cybersecurity
Commentary
6/16/2014
09:06 AM
Vincent Berk

NIST Security Guidance Revision: Prepare Now

NIST 800-53 Revision 5 will likely put more emphasis on continuous monitoring. Don't wait until it arrives to close your security gaps.


The National Institute of Standards and Technology's Special Publication 800-53 aims to raise the bar and set a standard of security for federal government information processing systems. As NIST works on Revision 5 of the document, which I expect to come out in early 2015 (see editor's note in the comments section), it will need to reverse the sweeping generalizations made in Revision 4 regarding the nature of the threat against data. Network defense is not a spectator sport -- it must be engaged in continuously and consciously.

As a natural evolution of the NIST document, continuous monitoring and anomaly detection will likely play a more significant role in Revision 5. However, agencies should not wait until next April to shift focus towards understanding the specific threats to data through continuous monitoring. There is a great deal agencies can do to get a head start on the guidance and to prepare their systems and networks for the new version in advance.

Build an active defense
In active defense, the rubber meets the road at strategic data acquisition -- collecting the information needed to understand the changing nature of the adversary. A multi-faceted data acquisition approach must start by analyzing the key threat categories we face.

The term "advanced persistent threat" has been overused in recent years, but it describes the most important type of attacker any government agency should prepare for. Government organizations are by definition the only high-value target in their class -- after all, there is only one IRS or one Defense Department -- so there is no other "low-hanging fruit" for attackers to go after. This means targeted attackers will be stealthy and crafty in any offensive approach.


Another prevalent, yet avoidable, data threat is simple user error. The sheer number of data loss cases where documents were inadvertently emailed, laptops were left on airplanes, or phones were lost is staggering -- and growing. These mistakes are often inconsequential, but all it takes is an observant attacker to pay close attention to the careless worker and take advantage of the opportunity. Understanding the attacker means understanding his or her options.

Currently, the NIST document's focus is heavily weighted towards the mapping and classification of key data assets. This is important because it helps security analysts explore the landscape that needs to be defended. However, Revision 5 should also take into consideration that effective defense against data sabotage or espionage requires a thorough understanding of the data assets, as well as an intimate knowledge of the adversary.

Understand your adversary
Analyzing the adversary is accomplished by collecting as much information as possible about it. Data acquisition is the process of intelligence-gathering on the adversary.

Data acquisition is different from simply monitoring your networks. Monitoring provides a limited-time view of the status of your infrastructure and focuses on uptime. Intelligence-gathering requires advanced and widely deployed telemetry and focuses on security. It provides the operator with a long-term, historical view (months to years) and a 360-degree view of the infrastructure. Active network defense involves watching and understanding data access patterns, common log messages, and traffic endpoints, in order to build an understanding of what is going on and keep a finger on the pulse.

The next revision of NIST 800-53 will likely emphasize intelligence-gathering through data acquisition and policy creation based on attacker knowledge. The recommendations will shift focus from simple data inventory management to risk assessment, in order to understand adversary behavior and specific threats to this data better. Long-term storage and analysis of network traffic records, logs, authentication information, and the behavior of traffic patterns will become a more prominent theme.
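The two preceding paragraphs contrast short-term uptime monitoring with long-term retention and analysis of traffic records. The following Python script is an added example, not code from the column or from FlowTraq: it builds a per-host baseline (known endpoints and daily byte volume) from a historical window of constructed flow records, then compares a current window against that baseline and reports hosts talking to endpoints never seen before, hosts whose daily volume is far outside their historical norm, and hosts with no history at all. The record layout, hostnames, addresses, byte counts and the 3-sigma threshold are all assumptions made for the example.

```python
"""Baseline-vs-current comparison over flow records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (day, src_host, dst_ip, dst_port, bytes).
# Five days of history for two hosts; ws-101 varies a little, srv-db is flat.
BASELINE_FLOWS = [
    (1, "ws-101", "10.0.0.5", 443, 800_000), (1, "ws-101", "10.0.0.7", 53, 100_000),
    (2, "ws-101", "10.0.0.5", 443, 900_000), (2, "ws-101", "10.0.0.7", 53, 100_000),
    (3, "ws-101", "10.0.0.5", 443, 1_000_000), (3, "ws-101", "10.0.0.7", 53, 100_000),
    (4, "ws-101", "10.0.0.5", 443, 900_000), (4, "ws-101", "10.0.0.7", 53, 100_000),
    (5, "ws-101", "10.0.0.5", 443, 900_000), (5, "ws-101", "10.0.0.7", 53, 100_000),
] + [(d, "srv-db", "10.0.0.9", 5432, 50_000) for d in range(1, 6)]

# Constructed "today": ws-101 pushes 5 MB to an address it has never contacted,
# srv-db behaves normally, and ws-999 has no history at all.
CURRENT_FLOWS = [
    (6, "ws-101", "10.0.0.5", 443, 900_000),
    (6, "ws-101", "10.0.0.7", 53, 100_000),
    (6, "ws-101", "203.0.113.20", 443, 5_000_000),
    (6, "srv-db", "10.0.0.9", 5432, 52_000),
    (6, "ws-999", "10.0.0.5", 443, 10_000),
]


def build_baseline(flows):
    """Return (known endpoints per host, (mean, stdev) of daily bytes per host)."""
    endpoints = defaultdict(set)
    daily_bytes = defaultdict(lambda: defaultdict(int))
    for day, src, dst, port, nbytes in flows:
        endpoints[src].add((dst, port))
        daily_bytes[src][day] += nbytes
    stats = {}
    for src, per_day in daily_bytes.items():
        vals = list(per_day.values())
        # Population stdev: the history window is the whole population we have.
        stats[src] = (mean(vals), pstdev(vals))
    return dict(endpoints), stats


def find_anomalies(baseline, current_flows, z_threshold=3.0):
    """Compare one window of flows against the baseline; return a list of findings."""
    endpoints, stats = baseline
    findings = []
    reported = set()
    current_bytes = defaultdict(int)
    for _day, src, dst, port, nbytes in current_flows:
        current_bytes[src] += nbytes
        # New-endpoint check only makes sense for hosts that have a history.
        if src in endpoints and (dst, port) not in endpoints[src]:
            key = (src, dst, port)
            if key not in reported:
                reported.add(key)
                findings.append(("new_endpoint", src, f"{dst}:{port}"))
    for src, total in current_bytes.items():
        if src not in stats:
            findings.append(("unknown_host", src, total))
            continue
        mu, sigma = stats[src]
        if sigma == 0:
            # A perfectly flat history would make every deviation infinite;
            # fall back to a 10% band (assumed tolerance) so small drift passes.
            sigma = max(mu * 0.1, 1.0)
        z = (total - mu) / sigma
        if z > z_threshold:
            findings.append(("volume_spike", src, round(z, 1)))
    return findings


if __name__ == "__main__":
    for kind, host, detail in find_anomalies(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS):
        print(f"{kind:14} {host:8} {detail}")
```

The value of the history shows up in the second check: a single day's monitoring would see 6 MB from ws-101 and have no way to know whether that is unusual, while five days of retained records make it an obvious outlier. In practice the baseline window would be months, the records would come from NetFlow/IPFIX or proxy logs, and the endpoint set would be keyed on more than address and port, but the comparison logic is the same.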

With this we will see a shift towards enabling the analyst to become more active and effective at defending the information infrastructure. This will come both in the form of policy creation and threat and adversary analysis.

NIST is on the right track. We cannot simply focus on the data alone. No general can defend his or her territory without a thorough understanding of the adversary. You must understand your enemy -- and then some. The trick here is that NIST releases a new set of guidelines only every so often, so businesses should look beyond this occasional checklist and be proactive when it comes to protecting their data.


Dr. Vincent Berk is CEO of FlowTraq with 15 years of IT security and network management experience. He is a member of ACM and the IEEE.
Comments
Vincent Berk,
User Rank: Apprentice
6/18/2014 | 5:39:51 PM
Remark Clarification

I'd like to clarify my earlier remark that I expect Revision 5 to be released in early 2015. Even though no date has been announced, I believe this is the clear trend given the 2-year cycle we've seen in the past for the release of Revisions of Special Publication 800-53.

— Dr. Vincent Berk, CEO of FlowTraq

David F. Carr,
User Rank: Author
6/18/2014 | 9:20:32 AM
No date for next NIST guidance
The original version of this column asserted that Revision 5 was "expected" to be published in April 2015. We received the following request for a correction from NIST public affairs:

"In an InformationWeek commentary by Vincent Berk on June 16, 2014, it was reported incorrectly that NIST plans to update its security and privacy controls catalog, Special Publication 800-53, from Revision 4 to Revision 5. NIST has not announced any plans to update that publication or proposed any date for such an update."

I'm not sure of the source of confusion but meanwhile have revised the text to make clear that Mr. Berk's assertion is an opinion.

- David F. Carr, editor, InformationWeek Government
Christian Bryant,
User Rank: Apprentice
6/17/2014 | 1:42:32 AM
Aging Standards in a DevOps World
While I believe standards are necessary, guidelines appreciated, and recommendations great for comparison, in the InfoSec world, where DevOps rules, NIST is the rarely visiting relative who has to be caught up on what's happening in the family every time it shows up. Too many organizations spend ridiculous amounts of money on documentation, requirements, audit criteria and other artifacts without actually touching the actual environment at risk, or watching an exploit being worked in real-time. Today's enterprise security leadership and teams have to be ready to change strategy, tools and scope on the daily, if not hourly.

If your company just wants to look like they are doing something about risk, sure, write a few thousand pages based upon Common Criteria and NIST framework recommendations, audit requirements, security targets of evaluation. But if you actually want your enterprise environment to be secure and stand up against the most innovative cyber criminals, get out there into the underground, talk to people and learn, hack and capture a few flags, and stay glued to sites like Dark Reading and Packet Storm. If you have the resources, set up an internal penetration lab to actively hack your own applications and network model in a mirrored environment. And, hire the best; not on paper, but tried and true in the underground.

Until government agencies catch on to the Free and Open Source Software (FOSS) way of doing things, and start acknowledging the 24/7 world of DevOps is ever-changing and that InfoSec is a massive endeavor, not easily squished into a couple hundred pages of rigid government standards, it will always be behind the times and cyber criminals leagues ahead of them.
D.M. Romano,
User Rank: Moderator
6/16/2014 | 1:37:16 PM
Overlooked
"For a multi-faceted data acquisition approach, we must start by analyzing the key threat categories that we face."

I've worked in several environments and am surprised at how often this is overlooked and not effectually evaluated.