I have taken a special interest in Continuous Monitoring (CM) recently, and the mere mention of the subject with my peers has opened doors I had never imagined existed. Per a previous blog post, the topic is easy enough to grasp prima facie, but like any complex structure it can range from abstract beauty to a mélange of seemingly disconnected microstructures when examined in depth. For an illustration, take a look at this quick order-of-magnitude trip through space. If you have read the picture book Zoom to your children, you know what I mean.
Fortunately, the Feds have done a lot of the heavy lifting when it comes to making sense of CM. In studying CAESARS (Continuous Asset Evaluation, Situational Awareness, and Risk Scoring) Framework Extension: An Enterprise Continuous Monitoring Technical Reference Architecture (Draft), I have learned that the Office of Management and Budget has asked several agencies, including the Department of State, Department of Justice, and Department of the Treasury, to cooperate with the Department of Homeland Security to evaluate CM best practices and scale them across the government. And by asked, I mean the same type of request the Feds issue regarding your tax obligation on April 15th. The objective of the CAESARS Framework Extension is to provide a CM reference architecture for collecting, analyzing, and scoring security data across diverse infrastructures so that the result is an objective measurement. Echoing the sentiments of Deputy Secretary of Defense William Lynn III at RSA this year, the document stops just short of calling for a partnership with private enterprise to supply the tools that would make CAESARS a reality.
I have also learned that many of the tenets of CAESARS are already relatively commonplace within security-centric organizations. For example, the scoring system is designed to answer the following questions:
• What are the devices that constitute the organization's IT assets?
• What is the current state of the security controls (a subset of the technical controls) associated with those assets?
• How does their state deviate from the accepted baseline of security controls and configurations?
• What is the relative severity of the deviations, expressed as a numerical value?
Or, put more familiarly, Gene Kim 101 – “Know what you’ve got, and know what has changed”.
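To make those four questions concrete, here is a toy scorer. It is added to this post as an illustration and is not code from the CAESARS Framework Extension or from any agency's implementation. It holds an inventory of constructed hosts, compares each reported control with an accepted baseline, sums a severity weight per deviation into a per-asset and organization-wide score, and diffs two snapshots to answer the "know what has changed" half of Gene Kim's maxim. The control names, weights, hostnames and reported values are all made up for the example.

```python
"""Toy CAESARS-style scorer: inventory -> control state -> baseline deviation -> score.
Added illustration, not code from the CAESARS Framework Extension or any agency tool.
Control names, weights and hosts below are constructed for the example."""
from dataclasses import dataclass
from typing import Any

# Accepted baseline: required state per control and the severity a deviation adds.
# Weights are illustrative; a real program ties them to policy or vulnerability data.
BASELINE = {
    "os_patch_age_days": {"max": 30, "weight": 5},
    "host_firewall": {"equals": "on", "weight": 4},
    "antivirus_signatures_age_days": {"max": 3, "weight": 3},
    "ssh_root_login": {"equals": "no", "weight": 8},
    "config_hash": {"equals": "a1b2c3", "weight": 6},
}

@dataclass
class Asset:
    name: str
    controls: dict  # observed control state as reported by a sensor

@dataclass
class Deviation:
    asset: str
    control: str
    observed: Any
    expected: str
    severity: int

def evaluate_control(spec: dict, observed: Any) -> tuple:
    """Check one observed value against its baseline rule.
    An unreported control fails: a blind spot is exactly what CM exists to surface,
    and scoring it as compliant would hide the gap."""
    if observed is None:
        return False, "not reported"
    if "max" in spec:
        return observed <= spec["max"], f"<= {spec['max']}"
    return observed == spec["equals"], f"== {spec['equals']!r}"

def score_asset(asset: Asset, baseline: dict = BASELINE) -> tuple:
    """Return the asset's deviations and its score (sum of severities; higher is worse)."""
    deviations = []
    for control, spec in baseline.items():
        observed = asset.controls.get(control)
        ok, expected = evaluate_control(spec, observed)
        if not ok:
            deviations.append(Deviation(asset.name, control, observed, expected, spec["weight"]))
    return deviations, sum(d.severity for d in deviations)

def score_inventory(assets: list, baseline: dict = BASELINE) -> tuple:
    """Per-asset scores plus the organization total."""
    scores = {a.name: score_asset(a, baseline)[1] for a in assets}
    return scores, sum(scores.values())

def drift(previous: dict, current: dict) -> list:
    """'Know what has changed': diff two snapshots shaped {asset: {control: value}}.
    Emits (asset, 'added'|'removed', None, None) or (asset, control, before, after)."""
    changes = []
    for name in sorted(set(previous) | set(current)):
        if name not in previous:
            changes.append((name, "added", None, None))
        elif name not in current:
            changes.append((name, "removed", None, None))
        else:
            for ctl in sorted(set(previous[name]) | set(current[name])):
                before, after = previous[name].get(ctl), current[name].get(ctl)
                if before != after:
                    changes.append((name, ctl, before, after))
    return changes

# Constructed inventory: three hosts as a sensor might report them.
INVENTORY = [
    Asset("web01", {"os_patch_age_days": 12, "host_firewall": "on",
                    "antivirus_signatures_age_days": 1, "ssh_root_login": "no",
                    "config_hash": "a1b2c3"}),
    Asset("db01", {"os_patch_age_days": 45, "host_firewall": "off",
                   "antivirus_signatures_age_days": 1, "ssh_root_login": "yes",
                   "config_hash": "a1b2c3"}),
    Asset("jump01", {"os_patch_age_days": 3, "host_firewall": "on",  # AV never reported
                     "ssh_root_login": "no", "config_hash": "ffffff"}),
]

if __name__ == "__main__":
    scores, total = score_inventory(INVENTORY)
    for asset in sorted(INVENTORY, key=lambda a: scores[a.name], reverse=True):
        devs, score = score_asset(asset)
        print(f"{asset.name}: score {score}")
        for d in devs:
            print(f"  {d.control}: observed {d.observed!r}, expected {d.expected} (+{d.severity})")
    print(f"organization total: {total}")
    yesterday = {"db01": {"host_firewall": "on", "ssh_root_login": "no"}}
    today = {"db01": {"host_firewall": "off", "ssh_root_login": "yes"}, "jump01": {}}
    for change in drift(yesterday, today):
        print("changed:", change)
```

Two design points are worth keeping even in a real deployment: a control the sensor never reported scores as a failure rather than a pass, because an unmonitored control is precisely the kind of gap CM is supposed to expose, and the score is an additive sum of severity weights, which is what lets it be compared across asset classes and trended over time instead of read as a one-off audit result.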
I wonder if the adoption of CAESARS will follow the path of the U.S. DoD-funded Global Positioning System and the Russian-funded GLONASS, where the initial impetus, thought leadership and funding were provided by the federal government, with the benefits soon expanding to the commercial sector in cell phone technology, outdoor recreation, and the like.
If you are in the commercial sector and have adopted or are considering adopting CAESARS for your security posture, I would love to hear from you…please reach out to me via Twitter at @Blenmark.