Achieving drastic risk reductions and rapid threat mitigation through continuous security monitoring and mitigation.
John Streufert, U.S. Department of State; receives a National Cybersecurity Innovation Award with White House Cyber Coordinator, Howard Schmidt at the National Cybersecurity Innovation Conference in Washington DC.
WASHINGTON DC, October 31, 2011
The SANS Institute announced today that the U.S. Department of State Office of the Chief Information Officer has won the 2011 U.S. National Cybersecurity Innovation Award for significantly improving the effectiveness of the nation's cyber security by creating, deploying and sharing the Department of State's unique risk scoring program, which continuously monitors more than 100,000 systems for vulnerabilities and provides daily prioritized security action plans for every Department of State system administrator in the U.S. and in more than 200 countries.
The U.S. State Department is responsible for protecting computer networks for 400 U.S. embassies and offices across 24 time zones. To help protect these networks, the State Department pioneered a risk scoring program to make it easier for managers to identify trouble spots, prioritize them, and resolve issues more quickly. The program relies on continuous risk monitoring and threat-based response and has proven so effective that it has become a model for more than 100 state agencies and many commercial organizations. The security program scans every computer every three to four days to detect security vulnerabilities and weak configurations, ensures the most important problems are fixed first, and publishes monthly grades that celebrate the success of the units doing the best job of protecting their computers. "We know anywhere in the world what our risk is," says John Streufert, Deputy CIO and Chief Information Security Officer of the department.
In the program's first year, the number of security gaps detected fell about 90% and most embassies and offices were receiving A and B grades. The uniqueness of the program is its market-based approach creating incentives for fixing security gaps. The program quantifies a range of security risks and "monetizes" them into a "common currency" that assigns the most points to the highest priority security gaps. The point system helps to identify which gaps to repair first, allowing security managers to quickly fix the gaps responsible for the greatest impact on their office or embassy's overall grade. Each embassy or office is evaluated on its ability to mitigate those risks, and its performance is made public for the rest of the department to see. When a critical vulnerability arises, the scoring system provides a laser-like focus on correcting that problem first, resulting in the vast majority of State Department computers being protected long before the computers of other departments.
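To make the "common currency" idea concrete, here is an added worked example (not the State Department's own scoring tables or code, whose weights and thresholds are not published in this release). It assumes a hypothetical scheme in which each detected vulnerability or weak configuration is converted into points that grow the longer the finding stays open, each site's per-host average is turned into a letter grade, and each administrator receives a short action plan sorted so the findings that cost the most points come first. All weights, grade bands and sample findings are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical "common currency": base points per finding class. These weights
# are constructed for this example, not the State Department's actual values.
SEVERITY_POINTS = {"critical": 10.0, "high": 6.0, "medium": 3.0, "low": 1.0}
WEAK_CONFIG_POINTS = 2.0
AGE_STEP_DAYS = 7           # every full week a finding stays open raises its cost
AGE_MAX_MULTIPLIER = 4.0    # cap so a single stale finding cannot dominate forever

# Hypothetical grade bands on the per-host average (lower is better).
GRADE_BANDS = [(2.0, "A"), (4.0, "B"), (8.0, "C"), (16.0, "D")]


@dataclass(frozen=True)
class Finding:
    site: str
    host: str
    kind: str          # "vuln" or "config"
    severity: str      # key of SEVERITY_POINTS; ignored for kind == "config"
    days_open: int
    detail: str


def finding_points(f: Finding) -> float:
    """Monetize one finding: base weight scaled by how long it has been open."""
    base = WEAK_CONFIG_POINTS if f.kind == "config" else SEVERITY_POINTS[f.severity]
    age_mult = min(1.0 + f.days_open // AGE_STEP_DAYS, AGE_MAX_MULTIPLIER)
    return base * age_mult


def site_scores(findings, hosts_per_site) -> dict:
    """Per-site risk as average points per monitored host, so large and small
    embassies are comparable on the same scale."""
    totals = {site: 0.0 for site in hosts_per_site}
    for f in findings:
        totals[f.site] += finding_points(f)
    return {site: totals[site] / hosts_per_site[site] for site in hosts_per_site}


def letter_grade(avg_points: float) -> str:
    for ceiling, grade in GRADE_BANDS:
        if avg_points < ceiling:
            return grade
    return "F"


def action_plan(findings, site: str, limit: int = 3):
    """Daily prioritized list for one site's administrator: fix the findings
    that carry the most points first, since they move the grade the most."""
    mine = [f for f in findings if f.site == site]
    mine.sort(key=lambda f: (-finding_points(f), f.host))
    return [(f.host, f.detail, finding_points(f)) for f in mine[:limit]]


def scorecard(findings, hosts_per_site) -> dict:
    """Site -> (average points, letter grade), the published monthly view."""
    return {site: (avg, letter_grade(avg))
            for site, avg in site_scores(findings, hosts_per_site).items()}


# Constructed sample scan results for two fictional sites.
HOSTS_PER_SITE = {"Embassy-A": 20, "Embassy-B": 10}
SAMPLE_FINDINGS = [
    Finding("Embassy-A", "a-ws-01", "vuln", "critical", 0, "missing browser patch"),
    Finding("Embassy-A", "a-ws-07", "vuln", "low", 3, "outdated PDF reader"),
    Finding("Embassy-A", "a-srv-02", "config", "", 16, "local admin password policy"),
    Finding("Embassy-B", "b-ws-03", "vuln", "high", 21, "unpatched office suite"),
    Finding("Embassy-B", "b-ws-04", "vuln", "medium", 0, "outdated media player"),
    Finding("Embassy-B", "b-srv-01", "vuln", "critical", 30, "unpatched OS service"),
    Finding("Embassy-B", "b-ws-09", "config", "", 2, "anti-virus signatures stale"),
]

if __name__ == "__main__":
    for site, (avg, grade) in scorecard(SAMPLE_FINDINGS, HOSTS_PER_SITE).items():
        print(f"{site}: {avg:.2f} points/host -> grade {grade}")
        for host, detail, pts in action_plan(SAMPLE_FINDINGS, site):
            print(f"   fix first: {host:10s} {detail:32s} ({pts:.0f} pts)")
```

Two design choices mirror the release's description. Normalizing by host count lets a 400-host embassy and a 10-host office be graded on one scale, and the age multiplier is what turns a critical finding into a "laser-like focus": the longer it sits, the more of the site's grade it consumes, so the same finding rises to the top of every affected administrator's list without anyone issuing a separate directive.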
Since launching the hugely successful program three years ago, the State Department has received inquiries from global companies such as Microsoft Corp., General Electric Co., JPMorgan Chase & Co., RSA, The Security Division of EMC, and Heartland Payment Systems. Streufert has shared the State Department's documents and tools with other agencies, and he regularly works with CIOs and CISOs across government to troubleshoot their monitoring processes. And most importantly, the State Department doesn't keep the methods secret; at least 40 organizations have requested and been supplied software, free of charge.
The U.S. Department of State Office of the Chief Information Officer wins the 2011 National Cybersecurity Innovation Award for eliminating security weaknesses that allow targeted cyber-attacks to succeed and for their ability to reduce risk, and quickly and effectively respond to new threats.
The National Cybersecurity Innovation Awards recognize companies and government agencies that have developed and deployed innovative processes or technologies that (1) are innovative, in that they have not been deployed effectively before, (2) can show a significant impact on reducing cyber risk, (3) can be scaled quickly to serve large numbers of people, and (4) should be adopted quickly by many other organizations. Nominators for the awards include most of the senior government officials involved with cybersecurity as well as those from the major Cybersecurity Information Sharing and Analysis Centers (ISACs). Corporations and individuals, including SANS instructors, also nominated innovations. Each nomination was tested by the SANS research department against the criteria; those that met *all* four were recognized. More than 50 nominations were received; 14 were selected.
Alan Paller, firstname.lastname@example.org, (301) 951-0102 x108
Established in 1989 as a cooperative research and education organization, SANS' programs reach more than 400,000 security professionals, auditors, system administrators, and network administrators who share the lessons they are learning and jointly find solutions to the challenges they face. At the heart of SANS are the many security practitioners in government agencies, corporations and universities around the world who invest hundreds of hours each year in research and teaching to help the entire information security community. (www.sans.org)