Government agencies are faced with an ever-increasing multitude of cybersecurity threats and rising compliance regulations. This was recently demonstrated when the inspector general of the Department of the Interior found that two of its bureaus didn’t detect high-risk vulnerabilities that could have exposed personally identifiable data (PII) for years.
A staggering 20,000-plus vulnerabilities were found on the DOI’s systems (some dating back to 2009) along with nearly 4,000 patches. The IG’s recommendation? Install BigFix immediately. A related article found that a number of the endpoints and servers did not have BigFix installed and as a result could not adequately identify unauthorized devices and associated vulnerabilities.
If there’s a silver lining here, it’s that these high-profile breaches are accelerating the adoption of major initiatives such as the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program. CDM provides federal departments and agencies with capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts and enable cybersecurity personnel to mitigate the most significant problems first.
Agencies need to identify potential threats in minutes, not weeks. Real-time knowledge of each endpoint’s status and overall security posture is invaluable. In the most recent case, IG cited continuous monitoring and configuration of endpoints as well as the need to quickly address vulnerabilities in order to protect the data belonging to the 24 exposed endpoints within the agency.
Meeting the Increasing Federal Requirements for Security Compliance
A holistic CDM solution must be able to continuously monitor, manage and mitigate vulnerabilities while providing a rapid return on investment. Many endpoint solutions that lay claim to continuous monitoring are based on the old paradigm for vulnerability management that implements disparate technologies for assessment and remediation. This approach can leave agencies with major compliance gaps and little time to investigate the implementation of a truly continuous monitoring solution. Considering today’s threat environment and the amount of malware released by cybercriminals, this approach to security management falls dangerously short.
An effective CDM solution must do the following:
- Deliver visibility, control and remediation of all endpoints, regardless of their type, location or bandwidth
- Provide continuous monitoring of the infrastructure to identify security issues as they occur and remediate them in real time
- Deliver reporting that proves compliance with cybersecurity and data privacy regulations under a number of standards, including the Security Content Automation Protocol (SCAP), the Federal Desktop Core Configuration (FDCC), the U.S. Government Configuration Baseline (USGCB) , the Defense Information Systems Agency (DISA), the Security Technical Implementation Guides (STIG), the Center for Internet Security (CIS), the Payment Card Industry Data Security Standard (PCI DSS) and others
- Fund compliance operations in a way that delivers rapid time-to-value while leveraging existing infrastructure investment
A Better Way Forward
Continuous monitoring is a necessary mandate that ensures business continuity and federal IT security compliance within the government and national critical infrastructure. Ultimately, federal agencies need to implement a continuous management solution to meet the requirements of current and future mandates. Even more importantly, they need to secure the nation’s networks from cyberthreats that could compromise national security.
An enterprise cybersecurity solution can help government agencies combat threats and eliminate vulnerabilities. That’s why more than 55 U.S. Federal agencies have standardized on IBM BigFix to manage and secure over 4 million workstations, servers (both physical and virtual), and many other endpoints across a vast array of operating systems. Such solutions deliver real-time, continuous endpoint security and compliance by leveraging a library of many thousands of checks. It’s also a major factor in IG’s recommendation to the DOI to install IBM BigFix on all endpoints in light of the most recent security exposure.
Listen to the FedScoop podcast on endpoint security
These out-of-the-box checks greatly accelerate an organization’s time-to-compliance and remediation, especially when compared to less-mature tools that require administrators to create scripts for each new task or action. A unified platform needs to secure and manage endpoints across heterogeneous operating system environments, enabling situational awareness and incident response, simplifying federal security compliance requirements and protecting the nation’s front lines throughout the cyber battlefield.
CTO for Endpoint and Mobile Security, IBM