In The Boardroom™ With...

Mr. Ed Keegan
Director, Cybersecurity Strategies & Portfolio
U.S. Public Sector, HP Enterprise Services

SecuritySolutionsWatch.com: Thank you for joining us today, Ed. It’s truly an honor to speak with a U.S. Air Force Colonel (Ret.) and an expert whose experience includes running network operations and security for the North American Aerospace Defense Command and United States Northern Command. Please tell us a little more about your background and your role at HP.

Ed Keegan: Thank you. It’s my pleasure to be here. I spent 25 years in the U.S. Air Force, most of it focused on technology. I started as a computer programmer and, over time, my career broadened to include other areas such as satellite operations and computer networks, finally culminating with a focus on cybersecurity.

Since I retired from the Air Force, I have been with HP Enterprise Services. My initial position was as the Director of Cybersecurity Strategies and, about a year ago, I added the role of Director, Cybersecurity Portfolio within the Cybersecurity Solutions Group. In this role, I lead our efforts to take new and emerging cybersecurity solutions from concept to production.

SecuritySolutionsWatch.com: In recent months, the marketplace has been increasingly talking about Continuous Monitoring. This topic seems to have emerged as one of the leading trends within government IT. Can you give us a quick overview of “why CM, and why now?”

Ed Keegan: Recently one of my co-workers captured the essence of CM when he said, “The current state of network security is like being satisfied with plugging 85% of the holes in the bottom of your boat.” We even found a picture to graphically represent his point —a boat filing with water with all its sailors feverishly bailing water that continued to pour in. It really captured the essence of cybersecurity -- all of the activity was dedicated to “staying afloat” with no one actually paddling forward. This concept tracks with what I witnessed when I was running networks in the Air Force. At the tactical level, we spent most of our budget and time keeping what we had running; we weren’t able to dedicate enough resources to providing new operational capabilities that were important to the customer.

As to the “why now” CM is so important: it has emerged as a key priority due to the nature of today’s changing threats. Originally, cyber hackers were intent on making a name for themselves through notoriety and media attention. They were intentionally “noisy” as they hacked, because they wanted publicity and their 15 minutes of fame. Those threats have largely been mitigated with advancements in cybersecurity over the last decade. Today’s new threat, however, is significantly more challenging. Although some “noisy” cyber attackers still exist, the majority of attacks are designed to remain undiscovered.

With organized crime and hostile nation states now emerging as leading perpetrators of network attacks, the goal is to place malicious software, what we refer to as Advance Persistent Threats, on the networks — threats that are intentionally slow and quiet in order to remain undetected. By remaining quiet, criminals are able to spread throughout networks and, in some cases, use them as launching points to infiltrate other networks. This also allows them to exfiltrate valuable information from unsuspecting organizations and citizens/constituents over a long period of time.

So, while an annual checklist to assess network defenses was adequate during the era of noisy hackers, it is inadequate for today’s threat landscape. Stopping these attacks before they can extract, modify or destroy data is the goal. That requires a more proactive approach to monitoring network activity and data access. CM is the implementation of a new cybersecurity strategy that is more likely to catch these threats in near real time, and allow the organization to proactively mitigate these new risks.

SecuritySolutionsWatch.com: In preparing for our discussion, we’ve read that “HP Continuous Monitoring (CM) enables you to constantly assess your IT security risk posture from all levels of the organization. It provides current security and compliance insights in real time, to help you improve your security situational awareness and make cost-effective risk-based decisions.” In other discussions, oftentimes we hear that CM may represent different things to different cybersecurity professionals. What is your perspective on CM?

Ed Keegan: I think NIST has it exactly right in their most recent version of Special Publication 800-137. CM is sometimes viewed as a technology program, when it is actually a risk management program with a technical component. Without an understanding of the organization’s risk policies and risk tolerance, any technical implementation is wasted. Worse, such an implementation may give a false sense of security, in that the technology may be missing or misidentifying threats that may actually cause a severe impact to critical missions.

Of additional concern is the potential for overspending on low-priority cybersecurity capabilities to the detriment of the areas that provide the highest return on investment. An effective CM implementation ties investment to risk, so senior leaders can meet their compliance and legal obligations, while still being good stewards of the taxpayers’ money. For this reason, HP built consulting services and technology component services into our offering so we can help guide our customers to develop the right solution for their mission/business requirements.

SecuritySolutionsWatch.com: In your opinion, are there misperceptions in the cybersecurity community regarding what CM IS and IS NOT?

Ed Keegan: As with any change of this magnitude, there is bound to be some lag in understanding. Perhaps, however, the biggest misperception about CM is the notion that “we’re already monitoring and patching our network — isn’t that CM?” Although those activities are part of the overall CM process, the true value of CM is derived from asking a different question: “are the security controls effective?” It’s not enough to “check the box” that an organization has some controls. CM ensures an organization continually evaluates whether it’s using the right controls and whether they’re using them correctly based on their priorities and risk management program.

The Department of Homeland Security (DHS) just announced the award of a CM-focused Blanket Purchase Agreement (BPA). When titling the effort, DHS named it, Continuous Diagnostics and Mitigation, which is very descriptive and helps clarify CM for the “.gov” community. The BPA covers more than just tools that monitor the network; it underscores the need to use data in identifying, diagnosing and mitigating risks. Additionally, it covers a variety of services that support programmatic decisions to ensure departments and agencies can implement a full CM program.

SecuritySolutionsWatch.com: Your HP colleague, Navy Rear Adm. (Ret.) Elizabeth A. Hight, has methodically explained that "defending everything is, for all practical purposes, impossible in today's globally interconnected and networked world." And, today’s cyber environment has never been more challenging with threats coming at any time from nation states, highly organized hacker groups, and lone wolves. What is the particular role CM plays within this ever-changing threat environment?

Ed Keegan: Admiral Hight is absolutely correct — we’re in an age of ubiquitous connectivity, so defending everything is impossible. That is why CM has to be more than a technology program. Organizations need to understand how their technology ties to their mission, and then make risk-based decisions on what to defend and how to implement those defenses. Some risks are either unlikely, or not sufficiently mission-impacting if they do happen, so they can be accepted. Some are more severe, but too costly to fix, so they must be mitigated. Some risks, however, go straight to the core mission of the organization and must be dealt with quickly. Every organization has a budget and has to prioritize its spending. An effective CM program gives the CxO the processes to set risk tolerance parameters based on their mission or business and the tools to focus their efforts on the highest priority risk areas.

SecuritySolutionsWatch.com: Following up on that thought, and relating it to the discussion about automation, you mentioned that there are a variety of tools on the market to help organizations protect and manage their networks. How does CM relate to and/or impact these tools?

Ed Keegan: CM represents a maturation of information technology. Over the past 15 to 20 years, various tools have been created to address individual problems, such as perimeter protection, endpoint protection, data loss prevention and so on. Once implemented, the tools are presumed to be doing the job. Therefore, original information assurance programs were written to ensure these tools were present — not to ensure they were integrated and operating properly. CM represents the next logical step in this process —automated, continuous auditing of the cyber environment to ensure proper configuration along with proactive monitoring for threats and vulnerabilities. This will ensure security compliance resulting in the prioritization and initiation of actions required to further secure the governments’ information and systems.

Integration is a fundamental principle of CM, providing increased understanding, ease of use and cost savings. As we developed our CM capability here in HP, we used an open architecture approach that would allow a “plug and play” integration scheme. This was critical because a “rip and replace” strategy that would cause a department or agency to replace existing technology is not a realistic option in today’s budgetary environment. Our architecture and integrated “best of breed” toolset gives a flexible solution that can either be implemented in its entirety or modified to accept alternative technologies where a department/agency has unique needs and unique risk tolerance parameters that must be addressed. This ensures a lower cost to implement and a solution that is modular and easily maintained, even as tools and threats evolve.

SecuritySolutionsWatch.com: The applicability of CM would seem to extend across the board from the public sector agencies to other highly regulated industries such as finance, healthcare and energy. Is this correct and, if so, would you care to elaborate on what CM affords these various segments as well?

Ed Keegan: The private sector in the US owns a significant majority of our critical infrastructure. While government cybersecurity programs have received high levels of attention and funding, the same cannot necessarily be said for private industry. That disconnect represents a significant threat to our national and economic security. Consequently, the White House has established an aggressive cybersecurity agenda that includes a focus on the critical infrastructure of our nation. As such, private sector critical infrastructure industries are invited to voluntarily comply with many of the same cybersecurity initiatives that are mandated in the public sector. Implementation of Continuous Monitoring and achieving effective coordination between the public and private sectors are areas of primary importance addressed within those federal initiatives. First and foremost, implementing CM can vastly improve the operational insight and situational awareness for critical infrastructure owners. This will allow them to conduct advanced planning and coordinated response activities across a full range of adverse events, including malicious cyber activity. Other reasons to include CM in a critical infrastructure risk reduction plan include ensuring compliance with legal and regulatory requirements. In addition, a CM program delivers significant automation improvements which drive down the cost of implementation. Finally, the CM program can help avoid related costs associated with security incidents such as the loss of public trust and a diminished reputation -- costs which are often overlooked until a network has been breached and information stolen. Under a CM regime, vulnerabilities and threats are detected and stopped much sooner in their lifecycle, thus mitigating both tangible and intangible costs of a network intrusion that today might be recognized months or years “after the fact”.

SecuritySolutionsWatch.com: You’ve discussed how CM is applicable to critical infrastructure industries. Do you think CM would be even more broadly applicable in the economy, and what are some of the economic impacts of CM?

Ed Keegan: Protecting our nation’s data and network infrastructure is not only important to our national security, public safety and critical infrastructure sectors, but, because we live in a market-driven Internet economy, cybersecurity is also critical to our ability to compete and our overall economic posture. Those economic drivers are two-fold.

First, the economic impact to federal, state, local and tribal governments, and by extension the entire U.S. economy, are felt through the high cost of compliance with laws and regulations such as FISMA. White House Cybersecurity Coordinator Michael Daniel was recently quoted in an interview explaining that the current audit-compliance approach to network security is incredibly costly in both reporting time and personnel costs. CM gets us away from that manual compliance “checklist” mentality, and into a far more cost-effective, automated system of monitoring and managing cybersecurity. The added benefit is that the automated reporting under CM is immediately actionable, while the report generated under the existing manual audits are often outdated before they are even completed. The second main economic impact is much greater, and extends to the high value of information in modern economies — our treasure is stored in our information systems. Whether we experience theft of intellectual property from commercial companies or grand-scale identity theft affecting thousands of people, the economic impact to our nation is enormous. Implementation of CM, with its near real-time notification of vulnerabilities, can significantly reduce those economic losses.

SecuritySolutionsWatch.com: Do state and local governments also have a need for the same type of CM solution as that used by federal agencies?

Ed Keegan: Because of the ubiquitous connectivity of the Internet, there is a saying that “a risk assumed by one is a risk to all.” Our state, local, and tribal governments, as well as our educational institutions, all face the same threats as the federal government and the critical infrastructure companies. However, they face several unique challenges that complicate their move to CM.

First, they have fewer resources than federal departments and agencies. These governments and institutions must, therefore, be even more efficient in their approach to controls and mitigation. Second, they typically have more dispersed networks providing many services that must allow interaction with citizens at large in everyday operation. This creates more of a federation of government echelons (for example, multiple county or city governments implementing their state’s Department of Motor Vehicles services), whereas federal government networks tend to be more compact and centralized. The risk management processes, and the technology behind continuous monitoring of a federated environment, will, therefore, be quite complex and require additional planning and design services.

In conclusion, Continuous Monitoring can provide visibility and decision-making. It delivers the processes needed to determine and set risk tolerance parameters and provides the tools to focus efforts on the highest priority risk areas. An enhanced level of real-time situational awareness is realized while costs are controlled or reduced and risk management decision-making is more effective. Know your environment ---- manage your risk. That is what CM is all about.