William Jackson on FISMA: It Works, Maybe

June 30th, 2008 by rybolov


Article from William Jackson in Government Computer News:  Security policies remain a burden to federal IT managers, but they are producing results.

First off, GCN, come into the modern Web 2.0 era by letting people comment on your articles or at least allow trackbacks.  Having said that, let’s look at some of Mr Jackson’s points:

  • NIST Special Publications: They’re good.  They’re free.  The only problem is that they’re burying us in them.  And oh yeah, SP 800-53A is finally final.
  • Security and Vendors/Contractors:  It’s much harder than you might think.  If there’s interest, I’ll put out some presentations on it in my “copious amounts of free time”.  In the meantime, check out what I’ve said so far about outsourcing.
  • Documentation and Paperwork:  Sadly, this is a fact of life for the Government.  The primary problem is the layers of oversight that the system owner and ISSO have.  When you are as heavily audited as the executive branch is, you tend to avoid risks and overdocument.  My personal theory is that the reason is insistence on compliance instead of risk management.
  • Revising FISMA:  I’ve said it time and time again, the law is good and doesn’t need to be changed, the execution is the part that needs work.

Posted in FISMA, NIST, Outsourcing, Risk Management | 3 Comments »

Security Assessment Economics

June 12th, 2008 by rybolov

I’ve spent a couple of days traveling around to agencies to teach.  It was fun but tiring, and the best part of it is that since I’m not teaching pure doctrine, I can include the “here’s how it works in real life” parts and some of the BSOFH parts–what I refer to as the “security management heretic thoughts”.

Some basic statements, the rest of this post will explain:

  • C&A is a commodity market
  • Security controls assessment is a commodity market
  • PCI assessment is a commodity market
  • Most MSSP (or rather, Security Device Management Service Providers) services are commodity markets

Now my boss said the first one to me about 4 months ago and it really needed some time for me to grasp the implications.  What we mean by “commodity market” is that since there isn’t really much of a difference between vendors, the vendors have to compete on having the lower price.

Now what the smart people will try to do is to take the commodity service and try to make it more of a boutique service by increasing the value.  Problem is that it only works if the customers play along and figure out how your service is different–usually what happens is you lose in the market simply because now you’re “too expensive”.

Luxury, Boutique, Commodity

Where Boutique Sits by miss_rogue.

Since the security assessment world is a services business, the only way to compete in a commodity market is to pay your people less and try to charge more. But oh yeah, we compete on price, so that only leaves the paychecks as the way to keep the margin up.

Some ways that vendors will try to keep the assessment costs down:

  • Hire cheaper people (yes, paper CISSPs)
  • Try to reduce the engagement to a formula/methodology (ack, a checklist)
  • It’s all about billability:  what percentage of your people’s time is not billable to clients? 
  • Put people on assessments who have tangential skills just to keep them billable
  • Use Cost-Plus-Margin or Time-Plus-Materials so that you can work more hours
  • Use Firm-Fixed-Price contracts with highly reduced services ($150 PCI assessments)

Now inside Government contracting, there’s a fact that’s not known outside of the beltway:  your margins are fixed by the Government.  In other words, they only allow you to have around a 13-15% margin.  The way to make money is that the pie is a much bigger pie, even though you only get a small piece of it.  And yes, they do look at your accounting records and yes, there are loopholes, but for the most part, you can only collect this little margin.  If you stop and think about it, the Government almost forces the majority of its contractors into a commodity market.

Then we wonder why C&A engagements go so haywire…

The problem with commodity markets and vulnerability/risk/pen-test assessments is that your results, and by extension your ability to secure your data, are only as good as the skills and creativity of the people that the vendor sends.  Sounds like a problem?  It is.

So knowing this, how can you as the client get the most out of your service providers? This is a quick list:

  • Every year (or every other), get an assessment from somebody who has a good reputation for being thorough (ie, a boutique)
  • Be willing to pay more for services than the bottom of the market but be sure that you get quality people to go along with it, otherwise you’ve just added to the vendor’s margin with no real improvements to yourself
  • Get assessments from multiple vendors across the span of a year or two–more eyes means different checklists
  • Provide the assessors with your own checklists so you can steer them (tip from Dave Mortman)
  • Self-identify vulnerabilities when appropriate (especially with vulnerabilities from previous assessments)
  • Typical contracting fixes such as scope management, reviewing resumes of key personnel, etc
  • Get lucky when the vendor hires really good people who don’t know how much they’re really worth (that was me 5 years ago)
  • More than I’m sure will end up in the comments to this post  =)

And the final technique is that it’s all about what you do with the assessment results.  If you feed them into a mitigation plan (goviespeak: POA&M) and improve your security, it’s a win.

Posted in Outsourcing, Rants, Risk Management, The Guerilla CISO | 4 Comments »

Splunk Goes After the FISMA Lucre, They’re not Alone

April 23rd, 2008 by rybolov

Interestingly, Splunk has been going after FISMA dollars here lately.  Check out the Forbes article, video on YouTube, and their own articles.  I guess there’s another “pig at the trough” (heh, including myself from time to time).

It’s interesting how companies decide to play in the Government market.  It seems like they fall into 2 categories:  companies that have grown to the point where they can sustain the long-term investment with a chance of payoff in 5 years, and companies that are desperate and want a spot at the trough.

To its credit, Splunk seems to be one of the former and not the latter, unlike the hordes of “Continuous Compliance” tools I’ve seen in the past year.

Which brings up the one big elephant in the room that nobody will talk about:  who is making money on FISMA?

This is my quick rundown on where the money is at:

  • Large Security Services Firms:  Definitely.  About a quarter of that is document-munging and other jack*ssery that is wasteful, but a good 3/4 of the services are needed and well-received.  Survival tip:  combining FISMA services with other advisory/assessment services.
  • Software and Product Vendors:  Yes and no.  Depends on how well they can make that crucial step of doing traceability from their product to the catalog of controls or have a product that’s so compelling that the Government can’t say no (A-V).  Survival tip:  Partner with the large integrator firms.
  • Managed Security Service Providers:  Yes, for the time being, but look at their market getting eaten from the top as US-CERT gets more systems monitored under Einstein and from the bottom as agencies stand up their own capabilities.  Survival tip: US-CERT affiliation, and watch your funding trail; when it starts to dry up, you had better be diversified.
  • System Integrators:  It’s split.  One half of them take a loss on FISMA-related issues because they get caught in a Do What I Mean with a “Contractor must comply with FISMA and all NIST Guidance” clause.  The other half know how to either scope FISMA into their proposals or they have enough good program management skills to protest changes in scope/cost.  Survival tip:  Have a Government-specific CSO/CISO who understands shared controls and how to negotiate with their SES counterparts.
  • 8(a) and Security Boutique Firms:  Yes, depending on how well they can absorb overhead while they look for work.  Survival tip:  being registered as a disadvantaged/woman-owned/minority-owned/foo-owned business means that the big firms have to hire you because their contracts have to contain a certain percentage of small firms.
  • Security Training Providers:  Yes.  These guys always win when there’s a demand.  That’s why SANS, ISC2, and a host of hundreds are all located around the beltway.  Survival tip:  trying to absorb government representation in training events and as speakers.

Posted in FISMA, Outsourcing, What Doesn't Work, What Works | No Comments »

How I Do the “FISMA Thang”

December 18th, 2007 by rybolov

No big surprise, I’m a contractor who operates outsourced government IT systems. As a result, I get assessed and audited more than anybody else in the world (yes, hyperbole added). Anyway, I’m going to talk about what I give to my customers in the spirit of “object reuse”, it might come in handy for other people in the future.

I provide the following items to our account teams:

  • Pre-sales: Document explaining how the operations group handles security that can be dropped into a proposal. This is freely-available because it doesn’t open up the cookie jar too much, and proposals to the government are available with the right requests. Modified version is included below.
  • Pre-sales: Traceability matrix to delineate controls provided as part of service. This is released only to the capture/account team.  This is a work-in-progress because it’s a big bite to chew.
  • Post-sales: Security controls document covering shared controls that can be dropped into a system security plan. You can get this in electronic form with a signed NDA.
  • Post-sales: Addendum to Security Controls Document that describes the specifics on hybrid controls for your system.
  • Post-sales: Auditor binder with all local policies and evidence for common controls. You can look but you can’t take it with you.

This is the text of the pre-sales security description, remember it’s written for a general-purpose audience:

Security of the Government IT systems and the data at the $FooCorp Operations Center requires cooperation between the Government and $FooCorp for program-specific and hybrid controls not provided by either the Government (security governance, Exhibit 53 filing) or the Operations Center (physical security, personnel security, media protection).

The hosting, monitoring, and management services provided by the state-of-the-art $FooCorp Operations Center are specially designed, configured and managed to meet the special IT security requirements of our Federal customers. The facility supports a FIPS-199 and FIPS-200 moderate control baseline and provides a common controls subset of SP 800-53 for all customers. The Data Center, NOC, and SOC have been audited numerous times by a wide variety of client agencies and their Inspectors General in support of Security Test and Evaluation, Certification and Accreditation, and annual FISMA audits.

Upon client request, $FooCorp can provide the Government with a Security Controls Document that describes the security controls, primarily physical security, in place at the Operations Center. The SCD is designed to be a “drop-in” augmentation for the customers’ system security plans. The Operations Center staff also maintains an audit binder that is for on-premises viewing by auditors, C&A staff, or security testers.

Now, taking a look at what I have, basically I’m saying the following points:

  • Security controls are a joint responsibility between the Government and $FooCorp.
  • I have common controls to save you time and money, you can get the full details after you hire us.
  • I have many other customers that are satisfied with my controls.

What I have on my wish-list for the future:

  • Being able to provide verification and validation of my common security controls. Yes, a SAS-70 properly scoped fits in here, but I don’t have the budget to make it happen and it will end up being a duplication of effort in most cases where the customer wants to do their own assessment.
  • Being able to reuse evaluation results from one customer to share with other customers. So far, I haven’t gotten any traction to do this because everybody wants to own their assessment results even though it’s a shared control.

Posted in Outsourcing, The Guerilla CISO, What Works | 2 Comments »

The MSSP Blues

November 26th, 2007 by rybolov

All I need is a guitar, a harmonica, and a bottle neck. No, not that kind of bottle neck. =)

Well I got up early this morning
With one of those calls from the SOC
Spent five hours on con-call
Just reboot the #$%^@!ing box.

[chorus]
Oh yeah, you know I really pay my dues
What a great big PITA it is when you got those….
M-S-S-P Blues!
[/chorus]

I got outages to the left of me
Hackers and worms to the right
Thanks to all my S-L-As
I never sleep at night.

Can’t find anybody to hire,
Engineers walkin’ out the door.
All because of shift work
And wanting 5K more.

Customers are requesting changes
They got a lot of hope.
Won’t be getting any work done soon
‘Cause it’s all out of scope.

Syslog messages aren’t collectin’
It’s broke as far as you can see
We lost hours of logfiles
Because the traffic’s all U-D-P.

Posted in Outsourcing, The Guerilla CISO | No Comments »

Carnegie Mellon’s Guide to MSSPs

November 7th, 2007 by rybolov

I had a good conversation this morning with a friend going over what to look for in picking a Managed Security Service Provider.  Since I have this wonderful relationship with our SOC (I’m both their customer and their LANLord), he wanted to know how, what, and where.

Over a year ago when I started getting involved in the managed service business,  I found Carnegie Mellon’s “Outsourcing Managed Security Services” (.pdf caveat).  I recommended that my friend go check it out, and on a lark I had a look at it.  It’s still relevant today.

And yes, Hoff, the report is from the “Networked Systems Survivability Program”.  Stuff that in your pipe and smoke it. =)

The one thing that keeps sticking in the back of my mind is MSSP service offerings.  So let me pick up the torch for Richard Bejtlich a little bit because deep down inside I like his Network Security Monitoring ideas.

Well, let’s say I’m a MSSP.  Not much of a stretch, really.  Now the problem with being a managed services provider is that I’m only as smart as my customers will let me be.  Some things sell themselves:  firewall monitoring and management; anti-virus deployment, monitoring, and management; and log monitoring and management.  Yes, it’s the same-old, tried-and-true security operations.  Some would say “tired”, and I would probably agree with that, too.

But when it comes to selling NSM (or any other new concept) as a service, it’s hard for me to sell.  The reason is that my customers don’t have a NSM problem, they have security, risk management, compliance, and auditor problems and the way that they understand to fix those problems is to outsource them.  Yes, that’s the customer defining the solution space, but that’s the realpolitik of the market.

For a MSSP offering ala-carte service offerings, I have to frame NSM in a way that does the following:

  • The customer can understand what they are getting
  • The customer realizes a need for that service
  • I’m not beaten on price by my competitors
  • The customer’s auditors can understand how we are helping and that we have value

Basically, that’s just sound business, only my problem space is defined as providing a complex solution (security) on top of an already-esoteric solution (IT in general).

Posted in Outsourcing, What Works | No Comments »

What the Government Looks for in a Product

August 13th, 2007 by rybolov

I’ve been sitting in some vendor presentations lately–I think they invite me along so I can be the resident curmudgeon–and I’m starting to get a good feel for what both the government and myself want in a product.

I want to know how a tool fits into my IA framework. That framework for me is NIST SP 800-53. One side effect of 800-53 is that I can’t justify a product “just because”–I have to state how this tool or service will help me attain “compliance” with the minimum baseline of security controls. It’s not enough anymore to just say “hey, our product helps you with SP 800-53 controls, have some magic FISMA Fairy Dust“.

Advice for vendors: take the day of effort to provide a traceability matrix for me. What I have is a Plan of Actions and Milestones (POA&M) that requires me to implement the following controls:

  • AC-11 Session Lock
  • AC-12 Session Termination

Now what I want is for your product to say the following:

  • AC-11: Our product locks out users after 15 minutes of inactivity on their Frobulator workstation.
  • AC-12: Our product terminates users after 25 minutes of inactivity on their Frobulator workstation.

If your product doesn’t do a control, don’t mention it. But by all means get somebody who routinely works with the catalog of controls to determine if you meet the control objective: there’s nothing I hate more than trying to understand how somebody stretched their interpretation of control objectives that I now have to turn around and rationalize to an auditor. It’s OK if your product doesn’t do everything as long as it does the right things.

Now the reason I bring all this up is that I, too, am a vendor–a services/outsourcing vendor. I’m taking the time this week to do my own traceability matrix that says something like this:

  • For the Basic Hosting Service, these are the controls that you get (mostly Physical and Environmental Protection (PE) and Media Protection (MP))
  • For the IDS Monitoring and Management Service, these are the controls that you get (mostly Audit (AU) controls with a smattering of Incident Response (IR) controls)
  • For the Network Monitoring and Management Services, these are the controls that you get (hardly any except for availability monitoring)
  • This is what we provide for support when you do a risk assessment or certification and accreditation
  • Some controls are Inherent Government Functions (IGF) and cannot be outsourced to us such as FIPS-199 categorization and risk acceptance

The whole idea is to delineate the responsibilities for pre-sales work so that when somebody contracts with us, they know the Government’s responsibilities, our Project Management Office’s (PMO’s) responsibilities, and my operations group’s responsibilities. It’s going back to the nature of outsourcing and the fact that transparency is key.
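As an added illustration of the two matrices above (the vendor’s product-to-control claims and my own service-to-control delineation), here is a small Python sketch that is not part of this post or of any real $FooCorp deliverable. The control IDs are real SP 800-53 identifiers, but which service covers which control, the implementation statements, and the choice of RA-2 and CA-6 as the Government-only functions are all my assumptions for the example.

```python
"""Traceability matrix and gap analysis for shared/hybrid controls.

Constructed example: the service-to-control mappings, the implementation
statements and the Government-only control IDs below are assumptions,
not any vendor's real matrix.
"""
import re

CONTROL_ID = re.compile(r"^[A-Z]{2}-\d+$")  # e.g. AC-11, PE-3

# Controls that stay with the Government (the post's "Inherent Government
# Functions"): FIPS-199 categorization and risk acceptance.  Assumed IDs.
GOVERNMENT_ONLY = {
    "RA-2": "FIPS-199 security categorization",
    "CA-6": "risk acceptance / accreditation decision",
}

# What each outsourced service brings, each with the one-line "how" the
# post asks vendors to state.  All assumed content.
SERVICE_CONTROLS = {
    "Basic Hosting": {
        "PE-3": "Badge-plus-PIN access to the Operations Center data hall",
        "PE-6": "Physical access logs reviewed weekly by facility staff",
        "MP-4": "Backup media stored in a locked, access-logged cage",
    },
    "IDS Monitoring": {
        "AU-2": "Sensor and host events forwarded to the SOC SIEM",
        "AU-6": "SOC analysts review and correlate alerts 24x7",
        "IR-4": "SOC opens and works incident tickets to customer close-out",
    },
}


def validate_claims(claims):
    """Return control IDs whose claim is malformed or has no 'how' statement.
    A control the product does not actually do should not be listed at all."""
    return [cid for cid, how in claims.items()
            if not CONTROL_ID.match(cid) or not how.strip()]


def build_matrix(purchased):
    """Map control -> (responsible party, source, statement) for the services bought."""
    matrix = {cid: ("Government", "IGF", why) for cid, why in GOVERNMENT_ONLY.items()}
    for service in purchased:
        for cid, how in SERVICE_CONTROLS[service].items():
            matrix[cid] = ("Operations", service, how)
    return matrix


def gap_analysis(required, purchased):
    """Split a POA&M's required controls into Government-held, vendor-covered,
    and gaps the customer must still implement (or contract for) as hybrid controls."""
    matrix = build_matrix(purchased)
    result = {"government": [], "covered": [], "gaps": []}
    for cid in sorted(required):
        party = matrix.get(cid, (None,))[0]
        bucket = {"Government": "government", "Operations": "covered"}.get(party, "gaps")
        result[bucket].append(cid)
    return result
```

Running `gap_analysis({"AC-11", "PE-3", "AU-6", "RA-2", "IR-4"}, ["Basic Hosting"])` shows RA-2 staying with the Government, PE-3 covered by hosting, and AC-11, AU-6 and IR-4 left as gaps until the customer either buys IDS Monitoring or implements them as program-specific controls.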

Posted in FISMA, NIST, Outsourcing, The Guerilla CISO | 3 Comments »
