LAS VEGAS — When John Streufert was CISO at the U.S. State Department he saw that the agency was losing a lot of money and wasting a lot of employee time trying to defend against cyber attacks. And despite all the audits and reports, the defense wasn’t working – the bad guys were getting in and stealing data.
So he led a move to continuous monitoring of the network that reduced security risk by as much as 90%, he said in a keynote at the Qualys Security Conference 2013 today. Specifically, the department was able to identify the worst problems in minutes rather than years, to fix the worst problems in days rather than months, and to get costs down to about $200 million from $600 million per year.
Now Streufert is bringing that same game plan to the Department of Homeland Security, where he is director of federal network resilience. “We are in the process of making a shift in the federal government as to how we handle our security challenges,” he said. “Continuous Diagnostics and Mitigation can stop 85% of cyber-related attacks” and report on attacks in near real time, as well as enable system administrators to respond to exploits much faster.
The system can help the agency avoid being low-hanging fruit. According to CSIS and Verizon reports: 75% of attacks use known vulnerabilities that could be patched; more than 90% of successful attacks require only the most basic techniques; and 96% of them could be avoided if there had been simple or intermediate controls in place.
At the State Department, the statistics describing the environment before the changes made a strong economic case, Streufert said:
- Every three days there were trillions of security events; millions of attempted attacks; thousands of new flaws introduced; and hundreds of successful attacks.
- Every three months there were over 10,000 successful attacks; terabytes of data stolen; 7,200 reports written; and hundreds of labor hours wasted.
- Every three years there were thousands of assessments and other reports written, each requiring 3-9 months to prepare and out of date the moment it was printed; the data provided only a snapshot in time rather than real-time identification and mitigation of problems.
These manual processes, reports and audits cost between $600 million and $1.9 billion a year, or $1,400 per page, and result in the equivalent of 438 feet of paperwork. They also consume as much as 65% of the overall IT security effort in the agencies involved, according to Streufert.
He was asked to go to DHS to work on moving the agency from a cybersecurity defense strategy modeled on process and compliance to one focused on continuous diagnostics and mitigation. The first phase will be completed this year, the second phase next year and the final phase in 2015. The cost will be about $600 million over three years.
Update: See attachments for a data sheet describing the US Department of Homeland Security Continuous Diagnostics and Mitigation Program.