Occupation: chief information security officer, U.S. Department of State
Personal: Wife, three children
College: Maxwell School of Public Affairs, Syracuse University, M.P.A; St. Olaf College, B.A.
Recent accomplishments: Reduced measured risk on PCs and servers by a factor of 20; his tools guided critical patch coverage to the 84-percent level in seven days and 93-percent in 30 days at State; gives away software and speaks widely to promote continuous monitoring across the economy; served in 17 federal civilian roles across military, civilian and foreign affairs organizations
John Streufert doesn't like three-ring binders. Not because they remind him of a cold-hearted teacher, but because of what their presence has come to symbolize in the government security world.
As chief information security officer of the U.S. Department of State since the summer of 2006, Streufert has seen more notebooks filled with compliance paperwork than he cares to remember. Indeed, between Federal Information Security Management Act (FISMA) mandates and the Office of Management and Budget-required risk studies, the printers at the Harry S. Truman Building in Washington, D.C. have worked overtime.
But not long after joining State, Streufert realized that while the agency was dutifully feeding the compliance beast, the process was doing almost nothing to improve security and mitigate risk. In fact, it was quite the opposite. The number of exploits impacting State meteorically rose from 2008 to 2010, from 2,104 to nearly 8,000. And when it came to FISMA report-card time, State often received failing grades for its ability to protect sensitive data.
“The network was changing faster than you could print out the results,” he says. “The three-ring binders don't really help you that much if your exploits are quadrupling. We had to do something else because it wasn't working. Was the government getting any value doing these three-ring binder reports?”
Streufert and three others decided an overhaul was the answer. Instead of relying on snapshot-in-time images of its compliance, the agency would be better served by continuous network monitoring of the Microsoft computers and servers at its 400 embassies, consulates and offices spread across the globe. Not only would security improve, but the agency would get a better bang for its buck. (Consider: The agency has spent between $30,000 and $2.5 million on each individual compliance report since 2004.)
In making this decision, Streufert drew on evidence: 80 percent of exploits rely on known vulnerabilities and configuration management settings. So in 2008, he and his team stood up a new program, known as iPost, which borrows a page from the financial markets to “monetize highly disparate risks into a common currency.” Dashboards, much like one might find on a trading floor, detail the “hottest risks” as if they were shares of Apple or Google.
“The relative risk becomes variables which we increase or decrease based on vulnerability, threat or impact that is posed to the organization from a particular problem,” he says.
In layman's terms, that means affixing a risk score to each vulnerability and patching the most pressing issues first. That runs counter, Streufert says, to how most commercially available vulnerability management products handle the problem.
“Most people treat every risk like it's $1,” he says.
Since the model was implemented, the results have been nothing short of stunning. Streufert says State found that by automating the process, it was able to reduce its risk by a factor of 10 within the first 11 months and by a factor of 20 within two years.
“There's almost nobody on earth that can patch as quickly as the State Department,” he says. “And it's due to the monetization of relative risk for critical problems, which allows unparalled speed and patching of known vulnerabilities.”
James Lewis, a senior fellow and director of the Technology and Public Policy Program at the Center for Strategic and International Studies, has been closely following the State Department's progress. Lewis is a big believer that more agencies – and the private sector – should get away from a compliance focus, though he admits there is much resistance to this because organizations have become far too complacent in checking off boxes as a means of verifying security.
“[State's model] moves from the shot-in-the-dark [mentality] we had for years to something more quantifiable,” Lewis says. “And John was sort of a path-breaker in doing this. Since then, they've been able to close down the number of opponent successes and have been able to upgrade response time.”
That is especially important for the nation's lead foreign affairs agency. “They had a huge number of penetrations,” Lewis says. “A former State official said in 2007 they lost three or four terabytes of information. That's a huge outflow not that long ago, and that's what drove them.”
With the program now comfortably in place, Streufert has spent much of 2011 investigating how he can extend its essence to other areas of network weaknesses, notably applications, routers and switches. And when he's not focused on State, Streufert serves as an industry advocate for the agency's model. He often spends hours before and after work, fielding phone calls and emails from hundreds of private sector security professionals interested in adopting a similar initiative.
Streufert tells them: “If we're going to step up to the plate and fix our security challenges, this is a set of techniques that are not disruptive to the organizational structure and, dollar for dollar, you're going to get a higher return than a lot of investments in this space.”
And while iPost was home grown at the State Department, Streufert is not keeping anything secret.
“It seems like valuable information to share,” he says. “It seems easier to adopt continuous monitoring than to persuade people to stop doing the three-ring binder studies. My belief is that the merit and efficiency of doing it this way will [become] more widely understood and adopted.” – Dan Kaplan
Top 5 influential IT security thinkers
From the - December 2011 Issue of SCMagazine »