The Education Department decided the outsourcing approach to cybersecurity is no longer working. So, it brought a host of enterprise capabilities back in-house — something that is rarely done in the government.
But after years of outsourcing its security operations center to another federal agency, Education determined the move to cloud computing and mobility required a different approach to network and data security.
Steve Grewal, the Education Department’s chief information security officer, said the agency recently launched an internal security operations center (SOC) as part of a broader enterprise security capability.
“Given the evolution of cloud computing and given the cloud first policy by OMB, we’ve started to experience this, and it will continue over the next several years. We are moving to more of an outsourced model, we are moving to off-premise installations, and we are moving to a portfolio of service providers. While from a security operations perspective, these providers have the day-to-day operations responsibility, we are still accountable,” he said. “So the concept of operations in working with these folks can vary. In some cases, we have full transparency. In some cases, it’s process integration. And in some cases, it’s management via service level agreements. But in terms of an independent validation and verification mechanism to ensure their operational practices are aligned with our policies, we are able to gain that visibility via that enterprise operational capability and the SOC being a key component of that.”
Grewal said the initial operating capability of the SOC includes six functions:
Intrusion detection and prevention capabilities
Operating system and network device vulnerability scanning
Web application scanning
Initial capability for cyber forensics
Data collection and analysis
“We looked at the services that were being provided by the managed security service provider arrangement, but really the key tools in our toolbox from an operational capability SOC perspective that we felt without having these tools, these capabilities live, we would not be able to do this,” he said. “It was more based on needs requirements from across the enterprise.”
Grewal said Education brought the SOC in-house for several reasons. First, there was the potential cost savings and efficiency gains. He said Education already is spending about 20 percent less on security operations services in the short time the SOC is run by agency employees.
“Most of the efficiencies are a result of level of effort or on the people front,” he said. “The tool costs and infrastructure costs are pretty black and white.”
Controlling their own destiny
Second, there was the expectation of improved network and data security. Grewal said the SOC gives his staff greater visibility into the health of Education’s network and the ability to respond more quickly to threats and attacks.
“We are now really able to control our own destiny,” he said. “The ability to do verification and validation against service provider practices is a tremendous benefit.”
Education needed more visibility into its service providers because it uses a contractor-owned, contractor-operated (CoCo) model for its network. Dell Federal Services runs the $400 million Educate contract after buying Perot Systems in 2009. Perot Systems won the 10-year deal in 2007.
Grewal said Education didn’t have to spend a whole lot of money to set up the SOC. He said the agency already licensed many of the tools it needs for the center’s capabilities. Most of the upfront costs for the SOC were for improving Education’s infrastructure and hosting functions, he said.
“As we started engaging in discussing with our federal agency that was servicing us, most of the tools that were being utilized by the MSSP were licensed under the Department of Education. So as we disentangled and transitioned away, we were able to bring those tools with us,” Grewal said.
Now that the SOC reached its initial launch, Grewal is focused on full operational capabilities over the next two years.
“That really entails additional sensor placement, additional intrusion detection system and intrusion protection system sensors across other environments, as well as some of our Web services providers around the country,” he said. “It also includes a more robust and enhanced forensics capability and finally analytics. Across the federal government, we do a good job with data collection, but the rubber really meets the road in terms of looking at the right data, being able to slice and dice and being able to react to it. The underlying analysis capabilities are a big component of the full operating capability, and we’re looking forward to that.”
Grewal said Education is doing market research on the various tools across the cybersecurity industry. He said there is no specific timetable for a potential acquisition, but the agency fully intends to invest in these advanced cyber capabilities.
CDM, HSPD-12, TIC
Education’s decision to bring the security operations center back in-house coincides with the Homeland Security Department’s initiative to move agencies to a more dynamic approach to cybersecurity under the continuous mitigation and diagnostics (CDM) program.
DHS is providing more than $180 million in tools and services for agencies to implement continuous monitoring.
Grewal said Education is meeting DHS’ requirements for CDM tools under its current setup with Dell. He said Education is working closely with DHS for the next set of tools and services.
The agency has been implementing CDM capabilities since 2012.
The SOC is but one piece of a broader effort by Education to raise the level of its cyber posture.
Grewal said Education issued a new risk management framework as part of the CDM effort. He said the agency finalized it in 2013.
“It involves everything from our mission priorities, the controls that are the most relevant for those mission priorities, how do we automate those controls, how do we gain and sustain visibility into the controls and then really make decisions based on risk,” he said. “This will give us more agility and flexibility with the trend of consumerization, new technologies entering the marketplace. This will give us the platform for having the data we need in expedient fashion and having the right people make the decisions.”
Grewal said the other major initiative is the implementation of Web application firewalls under the Trusted Internet Connections (TIC) initiative.
He said a majority of the attacks Education is seeing are SQL injection and cross-site scripting, and the Web application firewalls will enable the agency to better intercept those requests and protect its systems.
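To illustrate the kind of request inspection a Web application firewall performs for the two attack classes named above, here is an added example (not Education's deployment or any vendor's product): a small signature-based inspector run over constructed web-server log lines. The signatures and sample lines are assumptions for illustration.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical WAF-style inspector (added example). It decodes the query string
# once, then matches a small, conservative signature set for the two classes the
# article names: SQL injection and cross-site scripting.
SIGNATURES = {
    "sqli": [
        re.compile(r"(?i)\b(union\s+select|or\s+1\s*=\s*1|drop\s+table)\b"),
        re.compile(r"(?i)'\s*(or|and)\s+'?\w+'?\s*=\s*'?\w+"),
        re.compile(r"--\s*$|/\*.*\*/"),
    ],
    "xss": [
        re.compile(r"(?i)<\s*script\b"),
        re.compile(r"(?i)\bon\w+\s*="),
        re.compile(r"(?i)javascript\s*:"),
    ],
}


def inspect(query_string: str) -> list[str]:
    """Return the attack classes whose signatures match the decoded query string."""
    decoded = unquote_plus(query_string)  # single decode; real WAFs normalise further
    return [name for name, patterns in SIGNATURES.items()
            if any(p.search(decoded) for p in patterns)]


# Constructed sample access-log lines (method, path?query, status); not real traffic.
SAMPLE_LOG = """\
GET /grants/search?q=federal+student+aid 200
GET /grants/search?q=%27+OR+1%3D1-- 200
GET /profile?name=%3Cscript%3Ealert(1)%3C%2Fscript%3E 200
GET /login?next=%2Fhome 302
"""


def scan_log(log_text: str) -> list[tuple[str, list[str]]]:
    """Return (path, matched classes) for every request that trips a signature."""
    findings = []
    for line in log_text.splitlines():
        method, target, status = line.split(" ", 2)
        path, _, query = target.partition("?")
        classes = inspect(query)
        if classes:
            findings.append((path, classes))
    return findings


if __name__ == "__main__":
    for path, classes in scan_log(SAMPLE_LOG):
        print(f"{path}: {', '.join(classes)}")
```

Signature matching like this is only a baseline: it produces false positives on legitimate text and misses encodings it does not normalise, which is why production WAFs score multiple normalised views of a request rather than rely on a single regex hit.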
The next priority is implementing two-factor logical access for mission critical applications using the smart identity cards under the Homeland Security Presidential Directive-12 (HSPD-12).
Grewal said Education also is installing two enterprisewide cyber capabilities: a network access control solution for internal and external access, and a data-loss prevention system that is focused on policy-based controls for information flowing into and out of the network.