The innovation: Rapid risk reduction through automated continuous monitoring
The NASA Ames Research Center has won a 2012 U.S. National Cybersecurity Innovation Award for reducing risk through automated continuous monitoring at very low cost.
NASA Ames proved that the power of continuous monitoring and mitigation, first seen at the U.S. State Department, could be easily and inexpensively replicated even in a smaller agency. NASA Ames altered its vulnerability detection program to bring responsibility directly to system administrators and technical staff, those who can actually fix problems. By normalizing and tabulating Common Vulnerability Scoring System (CVSS) scores for each host and cross-referencing hosts to its asset inventory, the Center produced a “scoreboard” showing which hosts (and which system administrators) are security heroes, and which are security problems. The scores were further modified by constantly scanning the Center from a truly external server and adjusting scores upward when vulnerable hosts have services exposed beyond agency firewalls.
The database of external scan results is retained and updated monthly for quick searching when questions arise as to which emerging vulnerabilities are exposed to potential attackers in the first defensive layer. The scoreboards are updated weekly and available to all system administrators to view their own scores in relation to those of their peers.
From the first week, vulnerable systems either were turned off or fixed. The Center’s security staff (via the ability to look up exposures) and system administrators (via the ability to quickly gauge where to spend their limited time on security hardening) have both benefited from the tool. In addition, there is now strong incentive for system administrators to correct deficiencies in the asset database to normalize their scores, and they are responding.
The system administrators responded immediately and positively to the initiative, and the system is now being used at many NASA Centers. The entire cost was two programmers for three months and some management oversight.
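A minimal sketch of the scoreboard calculation described above, added here as an illustration and not NASA Ames' own code. The page does not give the actual formula, so the exposure multiplier, the per-host averaging used as normalization, the `UNASSIGNED` bucket and all sample data are assumptions.

```python
from collections import defaultdict

# Constructed sample data (not NASA Ames data).
FINDINGS = [  # (host, CVSS base score) from internal vulnerability scans
    ("web01", 9.8), ("web01", 5.3), ("db01", 7.5), ("ws17", 4.3), ("lab-x", 10.0),
]
INVENTORY = {"web01": "alice", "db01": "alice", "ws17": "bob", "ws18": "bob"}
EXTERNALLY_EXPOSED = {"web01", "lab-x"}  # hosts the external scanner can reach
EXPOSURE_FACTOR = 2.0                    # assumed upward adjustment
UNASSIGNED = "UNASSIGNED"                # vulnerable hosts missing from the inventory


def host_scores(findings, exposed, factor=EXPOSURE_FACTOR):
    """Sum CVSS scores per host, then raise the total for exposed hosts."""
    totals = defaultdict(float)
    for host, cvss in findings:
        if not 0.0 <= cvss <= 10.0:
            raise ValueError(f"CVSS score out of range for {host}: {cvss}")
        totals[host] += cvss
    return {h: s * (factor if h in exposed else 1.0) for h, s in totals.items()}


def scoreboard(findings, inventory, exposed):
    """Return (admin, host_count, average_score) rows, best (lowest) first."""
    per_host = host_scores(findings, exposed)
    owned = defaultdict(list)
    for host, admin in inventory.items():
        owned[admin].append(host)
    # Scanned hosts with no inventory record still count, under a visible bucket.
    for host in per_host:
        if host not in inventory:
            owned[UNASSIGNED].append(host)
    rows = []
    for admin, hosts in owned.items():
        total = sum(per_host.get(h, 0.0) for h in hosts)
        # Normalize by the number of hosts on record, so an admin with many
        # machines is not penalized for size alone.
        rows.append((admin, len(hosts), round(total / len(hosts), 2)))
    return sorted(rows, key=lambda r: r[2])


if __name__ == "__main__":
    for admin, count, avg in scoreboard(FINDINGS, INVENTORY, EXTERNALLY_EXPOSED):
        print(f"{admin:<12} hosts={count} avg_score={avg}")
```

Because the average is taken over hosts on record, registering a clean but previously unrecorded host lowers an administrator's score, which is the incentive to correct the asset database that the text describes.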
About the National Cybersecurity Innovation Awards
The annual U.S. National Cybersecurity Innovation Awards recognize initiatives by companies and government agencies that contribute to significant cyber risk reduction, have not been deployed effectively before in a similar fashion, can be scaled quickly to serve large numbers of people, and should be supported and adopted quickly by many other organizations. Nominators include senior U.S. government officials involved with cybersecurity as well as leaders from major cybersecurity Information Sharing and Analysis Centers. Corporations and individuals may also nominate innovations. For the 2012 awards, more than 30 nominations were received and nine were selected. The panel of judges for the 2012 awards is described below.
Sameer Bhalotra served as White House Senior Director for Cybersecurity, leading the national identity management and continuous monitoring initiatives. He also served as the principal cybersecurity staffer for the Senate Intelligence Committee, which oversees the cyber budgets of the National Security Agency and the other intelligence agencies.
Tony Sager’s stellar career at the National Security Agency spanned 34 years. He headed the Systems & Network Attack Center, oversaw all Red and Blue Team projects, created and headed security product evaluation teams, helped guide the agency’s top talent development programs, served as founding director of the Vulnerability Analysis & Operations Group (comprised of 700 of the NSA’s top technical cybersecurity specialists), and was the Chief Operating Officer for the Information Assurance Directorate.
Asheem Chandna is the dean of venture capitalists in the cybersecurity field. As a partner at Greylock since 2003, he has helped create and grow multiple security technology businesses to market-leading positions, and successfully merged several into larger companies. He also serves on the panel of judges for the Wall Street Journal Global Technology Innovation Awards.
Alan Paller is Director of Research at the SANS Institute, where he oversees an international search for people and organizations that have identified important ways to reduce the risk posed by cyber threats. He also oversees the Internet Storm Center and the annual initiative to determine the seven most dangerous new attack vectors. He co-chairs the DHS Task Force on Cyberskills and the FCC Working Group on Cybersecurity Best Practices in the telecommunications industry.
CONTACT: Alan Paller, Director of Research, SANS Institute, +1-301-951-0102 x108, apaller@sans.org