CSIAC

Cyber Security and Information Systems Information Analysis Center

/ Journal Issues / Cyber Science & Technology at the Army Research Laboratory (ARL) / Information Security Continuous Monitoring (ISCM)

Information Security Continuous Monitoring (ISCM)

Published in Journal of Cyber Security and Information Systems
Volume: 5 Number: 1 - Cyber Science & Technology at the Army Research Laboratory (ARL)
Authors: Akhilomen Oniha, Greg Weaver, Curtis Arnold and Thomas Schreck
| Leave a Comment

Future Direction

ISCM is not only a technical problem, it also requires policy actions in order to achieve and sustain its goals. The ISCM program at ARL will continue to be incrementally improved with the appropriate rigor and assessment frequencies to support the mission/business requirements, risk tolerance, and security categorization. By leveraging an integrated operational and technical ISCM portal, the Cyber Security Service Provider (CSSP) operations process and knowledge management capabilities ensure sustained and continuous assessments can be synchronized across the Army. To support ongoing risk determinations and future risk acceptance decisions by senior leaders, policies supporting the following six steps are necessary for achieving and sustaining an effective ISCM:

  • Define an ISCM policy, strategy, and supporting doctrine based on risk tolerance that promotes clear visibility into assets, awareness of vulnerabilities, up-to-date threat information, and mission/business impacts.
  • Ensure its ISCM program determines metrics, status monitoring frequencies, control assessment frequencies, and an ISCM technical architecture.
  • Automate collection, analysis, and reporting of data where possible. Collect the security-related information required for metrics, assessments, and reporting.
  • Analyze the data collected and report findings, determining the appropriate response. It may be necessary to collect additional information to clarify or supplement existing monitoring data.
  • Respond to findings with technical, management, and operational mitigating activities or acceptance, transference/sharing, or avoidance/rejection.
  • Review and update the monitoring program, adjusting the ISCM strategy and maturing measurement capabilities to increase visibility into organizational assets and awareness of vulnerabilities, further enable data–driven control of the security of an organization’s information infrastructure, and increase organizational resilience.

In 2017, ARL will release an ISCM Widget to support continuing re-authorization capabilities. This capability facilitates the NIST SP 800-137 requirement “that security controls and organizational risks are assessed and analyzed at a frequency sufficient to support risk-based security decisions…”

In 2017, ARL will propose a widget(s) that could support Mission Assurance Continuous Monitoring (MACM), an integrated observation of mission-aligned ISCM with operational and technical information network operations capabilities to create and preserve information assurance on the DoD information networks and increase organizational resilience.

In 2018, ARL will propose a widget(s) that could support Cyber Defense Continuous Monitoring (CDCM), an integrated global observation of mission-aligned partners through passive and active cyberspace operations intended to preserve the ability to utilize friendly cyberspace capabilities and protect data, networks, net-centric capabilities, and other war fighting and support enabling systems.

ARL will continue to develop ISCM and ensure that its requirements are well informed and reflect the best practices, lessons learned, and efficiencies developed across the Army.

References

  1. Burwell, S. M. (2013, November 18). “Enhancing the Security of Federal Information and Information Systems” [Memorandum]. Washington, DC: Office of Management and Budget. Retrieved from https://www.whitehouse.gov/sites/default/files/omb/memoranda/2014/m-14-03.pdf
  2. “Implementing Continuous Risk Monitoring at the Department of State” (2010, May). Retrieved from http://www.state.gov/documents/organization/156865.pdf
  3. Splunk. http://www.splunk.com/en_us/products/splunk-enterprise/features.html
  4. PostgreSQL. https://www.postgresql.org/about/
  5. Python. https://www.python.org/about/
  6. Apache Hadoop. http://hadoop.apache.org/
  7. Richardson, R. D. (n.d.). “INSCOM - Big Data”. Retrieved from https://info.publicintelligence.net/INSCOM-BigData.pdf
  8. Bart, D. V. (2016, April 22). “Big Data Platform (BDP) and Cyber Situational Awareness Analytic Capabilities (CSAAC)”. Retrieved from http://www.disa.mil/~/media/Files/DISA/News/Conference/2016/AFCEA-Symposium/4-Bart_Big-Data_Platform_Cyber.pdf
  9. “DISA’s Big Data Platform and Analytics Capabilities” (2016, May 16). Retrieved from http://www.disa.mil/NewsandEvents/News/2016/Big-Data-Platform
  10. Apache Storm. http://storm.apache.org/
  11. Apache Accumulo. https://accumulo.apache.org/
  12. ASSURED COMPLIANCE ASSESSMENT SOLUTION (ACAS). Retrieved July 20, 2016 from http://www.disa.mil/cybersecurity/network-defense/acas
  13. ANTI-VIRUS/ANTI-SPYWARE SOLUTIONS. Retrieved July 20, 2016 from http://www.disa.mil/Cybersecurity/Network-Defense/Antivirus
  14. Long, K. S. (2004, December). “CATCHING THE CYBER SPY: ARL’S INTERROGATOR”. Retrieved from http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA432198
  15. National Vulnerability Database. https://nvd.nist.gov/
  16. Apache Spark. http://spark.apache.org/
  17. Hadoop MapReduce. https://hadoop.apache.org/docs/r1.2.1/mapred_tutorial.html#Overview
  18. Elasticsearch. https://www.elastic.co/products/elasticsearch
  19. Term Frequency-Inverse Document Frequency (n.d.) Retrieved from http://www.tfidf.com/
  20. Lippmann, R.P, Riordan J.F, Yu T.H, and Watson K.K. (2012, May 22). “Continuous Security Metrics for Prevalent Network Threats: Introduction and First Four Metrics,” [Whitepaper]. MIT-Lincoln Labs. Retrieved from https://www.ll.mit.edu/mission/cybersec/publications/publication-files/full_papers/2012_05_22_Lippmann_TechReport_FP.pdf
  21. Watkins, L.A., Hurley, J.S. “Cyber Maturity as Measured by Scientific Risk-Based Metrics” Journal of Information Warfare (2015) 14.3: 60-69. Retrieved from https://www.researchgate.net/publication/280953172_Cyber_Maturity_as_Measured_by_Scientific_Risk-Based_Metrics

Authors

Akhilomen Oniha
Akhilomen Oniha
Mr. Akhilomen Oniha has over a decade of experience in the areas of information technology, Linux systems engineering, distributed computing and security engineering. Mr. Oniha is the Lead for Technical Architecture at the U.S. Army Research Laboratory (ARL) Sustaining Base Network Assurance Branch (SBNAB). Mr. Oniha holds a BS in Computer Science and a 2nd BS in Information Technology from University of Maryland University College. He also holds an MS in Computer Science with a focus on Information Assurance from Johns Hopkins University. His research interests include data science techniques, malware reverse engineering and vulnerability analysis.
Greg Weaver
Greg Weaver
Mr. Greg Weaver is currently serving as member of the Sustaining Base Network Assurance Branch at the U.S. Army Research Laboratory. The Sustaining Base Network Assurance Branch is responsible for performing a wide-range of Information Assurance activities from Research & Development to providing 24/7 Computer Network Defense services. Mr. Weaver has supported cybersecurity defense policy, operations and services for over 15 years and is an industry certified incident handler and information security professional.
Curtis Arnold
Curtis Arnold
Mr. Curtis Arnold is the Chief of the Sustaining Base Network Assurance Branch at the U.S. Army Research Laboratory. The Sustaining Base Network Assurance Branch is responsible for performing a wide-range of Information Assurance activities from Research & Development to providing 24/7 Computer Network Defense services. Computer Network Defense Services include oversight of more than 100 external customers and monitoring of over 300 intrusion detection sensors around the world. Mr. Arnold has supported ARL for over 10 years in a variety of leadership, policy, and technical roles. Before joining ARL, Mr. Arnold was a Non-Commissioned Officer in the U.S. Army Judge Advocate General’s Corps. Mr. Arnold holds a BS in Information Security and an M.S. in Information Technology from Johns Hopkins University. Mr. Arnold is currently pursuing his Doctorate in Information Assurance from Capitol College.
Thomas Schreck
Thomas Schreck
Mr. Thomas Schreck has 13 years of varied development experience from distributed computing, cryptography, user interface design, and legacy systems. Mr. Schreck is the lead KeyW Corporation analytics team developer, working on the Information Security Continuous Monitoring (ISCM) project for U.S. Army Research Laboratory (ARL). Mr. Schreck holds a BS in Computer Science and completed the course requirements for a BS in Applied Mathematics at New Jersey Institute of Technology. He also holds an MS in Computer Science with a focus in Information Assurance from Johns Hopkins University.

Reader Interactions

Leave a Comment