Ross: We Need To View Security As An Investment In Our Mission’s Success

Dr. Ron Ross

Dr. Ron Ross, Senior Computer Scientist and Information Security Researcher at NIST, presented at the 5th Annual IT Security Automation Conference in Baltimore. Report and photos by Ibrahim Dabo

October 26 – 29, 2009 marked the 5th Annual IT Security Automation Conference and Expo, held at the Baltimore Convention Center, Baltimore, Maryland. The conference highlighted emerging technologies designed to support the security automation needs of various sectors, as well as providing a common understanding for using specific open standards.

Very well attended, the conference attracted public and private sector senior executives, security managers and staff, Information Technology professionals, and developers of software products and services.

Among notable speakers were Dr. Ron Ross, Senior Computer Scientist and Information Security Researcher at the National Institute of Standards and Technology (NIST). His specialization includes security requirements definition, testing and evaluation, risk management, and information assurance; and he leads the Federal Information Security Management Act Implementation Project for NIST. Ross presented exclusively on the importance of information security and good risk management strategy for senior executives and IT professionals.

Enterprise Architecture

While acknowledging that there is way too much IT today and not having control over it, Ross said that Enterprise Architecture is the salvation long term for our security problems. “We consolidate, we standardize, we optimize, and, what does that do for us as security professionals? It gives us a hope of deploying the right controls to the right parts of the systems, together with all the configuration settings to really make a difference.”

Working With Industry To Develop More Secure Products And Systems

Ross said there is a need to revisit the trusted product evaluation program strategy – working with industry to make

IT Conference

Among attendees at the conference were senior executives and IT professionals

better products. All the security configuration settings in the world still rest on some piece of software, said Ross, but how good and highly assured is that software, and are we using good secured coding techniques to develop these myriad of products?

Ross highlighted key questions that need to be considered when new technologies are bought, such as, how do we securely hook them up, how do we use our current systems and security engineering practices which have been developed over the past decade to really do the right thing?


Ross said the vision with the Unified Information Security Framework is to develop a core set of standards and guidelines that the entire federal government and contracting base can use.

In November, NIST will release the final draft of the new Special Publication 800-37, which will fundamentally restructure the current certification and accreditation process for information systems.

“Gone will be the static paper-base three-year approach that we’ve grown up with,” Ross said. “In comes the era of continuous monitoring, situation awareness, automation, up-tempo. Those are the words the adversaries work with everyday.

Dr. Ross

“We have to be able to change the infrastracture rapidly so the adversary doesn’t have the ability to run right through our defenses,” Dr. Ross

Ross stressed the importance of getting inside the adversaries’ cycle and operating in their space, and not get slaved to the bureaucracy, checklists, dashboards, and everything that absolutely doesn’t give any real sense of where we stand with regard to security.

He said the adversaries respect “strength and mechanism,” adding that “we have to get to the point where we find the right metrics.”

“We do the right thing with reporting – that’s always going to be important – but fundamentally we have to do the right thing with regard to protection,” Ross said.

Enterprise-wide Risk Management

Looking beyond SCAP (Security Content Automation Protocol) and into the infrastructure, NIST will put out the final draft of the Special Publication 800-39 — Develop enterprise-wide risk management guidance. Ross said they will propose a three-level hierarchy for risk management which is not available today. Level 1 will look into Organization; Level 2, Mission/Business Process; and Level 3, Information Systems.

“We will never have enough controls in place; there will never be enough SCAP configuration settings to fully stop the adversary. So how do we manage risk in the very dangerous environment and more importantly how do we monitor risk over time?” Ross said, adding that the setting on your system today and the current state of your security today is not going to be the same tomorrow. He raised the question of how do we effectively manage risk in these very complicated times.

“It’s all about mission. We have to be able to turn the equation around and stop thinking about security as a cost center, and start looking at security as an investment in our mission’s success,” Ross said.

Limitation of Privileges

Ross spoke about the importance of limiting the many privileges that are given to many people, saying the SCAP project in general, is an articulation of one of the fundamental principles of information security in our business—least privilege, least functionality.

“As security folks, we’d like to close down all ports, protocols and services, and functions, unless we need those to be

IT Conference

Ross said it is very predictable how our networks are set up, adding that “we’ve got to be able to change things around quickly to confuse and delay the adversaries that are very, very capable”

successful in carrying out our missions,” Ross said, cautioning that the vendors traditionally like to deliver products ‘wide open’—maximum functionality. He said with the SCAP project, we can close down avenues of attack, avenues of approach for adversaries, citing an example of disabling the auto-execute command so that when someone plugs in a flash drive into the USB port of a laptop, that malicious code does not execute automatically.

Risk Management Framework

Ross said the Risk Management Framework gives a disciplined construction approach to building a good security program—one that is flexible, agile, and meets the needs of the individuals and mission owners, adding that authorized and official senior leaders should get the important information they need to make credible risk-based decisions.

“We can use automation to our benefit: automating things that humans don’t do very well, automating things in the SCAP business, having automation help us manage our controls, giving us a sense of what’s working [and] what’s not working, how to make things better. That’s the information that senior leaders need to have today,” Ross said.

He added that senior leaders have to worry about a plethora of risks today, security being only one aspect. He said they also have to deal with program risks, safety risks, and budget risks.

“The good risk management strategy that sits at the top of the enterprise is critical,” Ross said, adding that without senior leadership involvement, and for the most part, all the management chain down to the people in the junior levels, none of this is going to work all that well. He said the risk management piece needs to be at the top of the organization so that strategy can be pushed down to everyone who is working to keep those enterprise assets as safe and secure as they can be.

Dr Ross

Dr Ross (left) and Vern Williams (right) of ACCI. Ross was elected to the grade of ISSA Distinguished Fellow. Photo credit: Ibrahim Dabo.

In recognition of his exceptional service to the security community and significant contribution to the Local, State or National Security posture, or capability, the Officers and Board of Directors of ISSA (Information Systems Security Association) international certified that Dr. Ron Ross be elected to the grade of ISSA Distinguished Fellow.

Related Links
· Dr. Ron Ross’ Profile
· Exclusive Interview: SimulScribe CEO, James Siminoff, On Voicemail-To-Text Transcription
· IT Security Automation Conference Reinforces The Need For Better Security Measures
· Click on the album below for photos taken at the conference and Expo (All photos by Ibrahim Dabo)

5th Annual IT Security Automation Conference, Baltimore, Maryland

> Click Here to return to IB’s Blog Home Page
> Click Here to return to Home Page

About Ib Dabo

Ib Dabo, founder and executive editor of Ib Talk Online, is a writer, journalist, photographer, and communications and IT leader whose mission is to inspire and work with people to make a difference in our world. Visit his official website - - to learn more. Follow @IbDabo on Twitter and also @IbTalkOnline on Twitter.