Continuous Monitoring and Accelerating ATO’s (Authority to Operate)

On this episode of VM Short Cuts, Nucleus co-founder and CEO, Steve Carter, discusses how Nucleus helps Federal agencies accelerate the ATO process through continuous monitoring.

VM Short Cuts is a video series from Nucleus Security, providing insights and expertise from VM professionals around the globe.

Transcription


Adam Dudley:

Hello, and welcome to volume eight of Nucleus Shortcuts. If you missed earlier episodes, don’t worry, you can find them in our blog at nucleussec.com and on our YouTube channel. So as usual, I’m your host, Adam Dudley.

Adam Dudley:

And our topic today is on the federal side of things, this is Nucleus for Continuous Monitoring and Accelerating ATOs, mainly for the federal space that Nucleus operates in. So my guest is Steve Carter. Steve is a Nucleus co-founder and our CEO. He’s based in Jacksonville, Florida.

Adam Dudley:

And so in addition to enterprises and MSSPs, Nucleus has established itself in the federal space and Steve was largely responsible for creating our foundation in the federal space. So I thought he’d be a great person to have here for this particular topic.

Adam Dudley:

Now, Steve has a background in government contracting for cyber security from his previous company. And this company was sort of the testing ground for Nucleus, where it was road tested, managing millions of vulnerabilities for the department of defense. So Steve, would you like to introduce yourself and maybe share anything I might have missed?

Steve Carter:

Sure, sure. Thanks for the intro. I think you did a fantastic job there. But I won’t take all the credit for the federal traction, because there were a lot of people that were kind of key to helping us on our path to federal.

Steve Carter:

But yeah, for my background, I’ll add just a bit more color here because it is kind of relevant to the topic. I spent the first 15 years or so of my career as a security engineer, supporting federal agencies.

Steve Carter:

One of the things that I was really passionate about during that time was improving vulnerability management programs. And that was really just because on almost every project I worked on or ever supported, vulnerability management processes significantly slowed down system and software development.

Steve Carter:

And my background is also in software development. So I viewed vulnerability management and vul management processes as kind of an inhibitor to innovation.

Steve Carter:

So I spent a lot of my time helping federal agencies scale vulnerability management programs and make them faster and more efficient by helping them build tools that can automate mostly repetitive manual and time consuming tasks that are often required for goal management.

Steve Carter:

So the last five years, I’ve spent building Nucleus. First, as the original developer of the software. And then obviously now I’m much more focused on strategy and partnerships and product direction and stuff. So yeah, that’s it in a nutshell.

Adam Dudley:

Great, great. Thanks for summing that up. So I really zeroed in on there how in your background, I don’t think I really knew this specific detail, but that you’re able to observe this almost adversarial relationship between software development and security where security’s often seen as something that’s slowing down the software development process. Is that right?

Steve Carter:

Yeah, that’s right. And I’m not sure that that’s unique to the federal government.

Adam Dudley:

Right.

Steve Carter:

I mean, I think that’s probably in a lot of large enterprises, maybe most of them.

Adam Dudley:

Yeah. Right.

Steve Carter:

And honestly I think that by and large the federal government has the same challenges as the private sector in regard to vulnerability management, right? Especially the private sector large enterprises. They’ve got some of the largest and most complex networks, obviously in the world. They’ve got every technology.

Adam Dudley:

Right.

Steve Carter:

You can imagine under the sun. Lots, they have lots of different people and lots of different roles that all need access to vulnerability management or to vulnerability information for different reasons. You know?

Adam Dudley:

Right.

Steve Carter:

And so. So yeah, these are a lot of the same problems that the private sector faces with large enterprises.

Adam Dudley:

Okay. So for the folks watching at home, would you mind just summarizing what are those specific, those problems that might be specific to the federal government? And then on the other side of things, what are the outcomes they’re trying to get instead of those issues?

Steve Carter:

Yeah. Yeah. So kind of starting with the challenges, like I mentioned, mostly the same challenges, but they’ve got some extra challenges that really make vulnerability management more difficult to do and really much more important to do well.

Steve Carter:

So as you know, and probably the audience knows compliance is really a cornerstone in any federal cybersecurity agency and program. And there’s really, at least my experience has been, there’s this culture of compliance that you really don’t see in the private sector. And when I talk about compliance, I’m referring to, of course, the NIST controls.

Adam Dudley:

Right.

Steve Carter:

Primarily NIST 800-53 is what federal agencies have to follow. That’s one form of compliance, but I’m also talking about compliance with executive orders and compliance with some of the directives. Like we saw the CISA binding operational directive.

Adam Dudley:

Right.

Steve Carter:

Come out a few weeks ago. So there’s compliance with that. There’s compliance with security hardening frameworks, like DISA, DISA STIGs and CIS and stuff. So there’s just this culture of compliance. And so that presents some unique challenges.

Steve Carter:

And I think that the impact of not being compliant in the federal government, because there is compliance in the private sector as well, but the impact of not being compliant in the federal space is that you really, your system or your software can’t go live, it can’t operate on the network. A non-compliant system can’t obtain an ATO or maintain that ATO over time. An ATO, if you don’t know, means the authority to operate.

Adam Dudley:

Right.

Steve Carter:

And it’s kind of a unique, formal process that the federal government has for saying, you’re approved to operate on the network.

Steve Carter:

And so to your original question, though, what outcomes are federal customers trying to achieve with Nucleus, in addition to the normal outcomes for large enterprises, better visibility into all vulnerability information in one place. They want to analyze, prioritize, respond to vulnerabilities faster.

Steve Carter:

They want to monitor and measure SLAs. And we do all this and more, but because I think of the importance of compliance in the federal space and the requirements that kind of fall out from all of this compliance, they have some unique outcomes that they rely on Nucleus for.

Steve Carter:

So I’ll give you a couple of examples. A lot of federal organizations have really specialized reporting requirements. So they have to maintain a document called a Plan of Action and Milestones, otherwise known as a POAM.

Adam Dudley:

Right.

Steve Carter:

And it’s basically a list of vulnerabilities and weaknesses, the plan to remediate them, the remediation status over time. And this is something that Nucleus can, is it’s able to track and report on really well.

Steve Carter:

They also have really unique requirements for controlling access to vulnerability information, so that very specific vulnerability information is only shared with the specific people and groups that need it to do their jobs.

Steve Carter:

So we’re able to compartmentalize vulnerability information really well in Nucleus to kind of satisfy that. There’s a lot of processes for accepting risk and granting exceptions.

Steve Carter:

And with Nucleus serving kind of as a, it kind of serves as a single source of truth for all your vulnerabilities, but not just the vulnerability information itself, but also its status in terms of the risk acceptance and when the risk was accepted and by who, who accepted the risk and when that acceptance expired [crosstalk 00:08:12].

Adam Dudley:

Historical tracking and that historical record would be.

Steve Carter:

Exactly.

Adam Dudley:

Which we maintain pretty much infinitely for our customers.

Steve Carter:

Exactly. Yeah, exactly. So that’s, yeah, that’s kind of it. That’s a handful of things that are kind of unique for the.

Adam Dudley:

Yeah.

Steve Carter:

Federal government.

Adam Dudley:

But really what I heard there is that it’s all revolving around obtaining and maintaining compliance for certain projects or certain reasons, including it sounds like the concept of an ATO. That concept in itself is a form of compliance, right? Because if they can’t obtain and maintain their ATO, then they’re not going to be able to operate their software. Is that right?

Steve Carter:

That’s, yeah, that’s exactly right. And I should also say that federal agencies, it isn’t only compliance, right? They still have sophisticated attackers that are knocking on the door all day, every day.

Adam Dudley:

Sure.

Steve Carter:

The most sophisticated nation states to worry about and contend with. But on top of that, yeah, it is very much of a culture of compliance.

Adam Dudley:

Awesome. Awesome. So we do have federal customers, we’re working with various customers in the government. And so what are we seeing or what are those customers seeing specifically in terms of the value they’re getting out of Nucleus in terms of the things we’ve already discussed?

Steve Carter:

Yeah. I mean, if we talk about, if we just really focus on ATOs, that’s where a lot of the value has been. And generally speaking, I think the ATO process for any federal agency is going to be really slow and cumbersome.

Steve Carter:

And it isn’t just because of bad vulnerability management or inefficient vulnerability management processes. But that said, vulnerability analysis and reporting is a very important part of the process to attain an ATO.

Steve Carter:

And it takes a lot of manual time and effort because that process today, if you don’t have something like Nucleus consists of manually downloading reports from lots of different tools.

Adam Dudley:

Right.

Steve Carter:

Parsing out findings from these reports, figuring out who’s responsible for what, emailing spreadsheets around, things like that. So there are some unique things that we do, again, that help to save a lot of time and ultimately do accelerate the ATO process, the process of obtaining an ATO.

Adam Dudley:

Yeah.

Steve Carter:

To a degree, at least. So just by.

Adam Dudley:

Got it.

Steve Carter:

Yeah, just by being a single database for all vulnerability information and aggregating and normalizing scan data from all the tools in use and organizing it correctly, and being able to collaborate with all the different stakeholders who need to assess.

Adam Dudley:

Sure.

Steve Carter:

And review that information in one place, right? Just that saves you a ton of time that would’ve been spent doing things kind of the old manual ways. And so just that alone will accelerate the process of obtaining an ATO. But then there’s also the, okay, what about now that I’ve got an ATO, I’m compliant, now you have to maintain compliance.

Steve Carter:

Each year, you have to maintain your ATO. And honestly, I think that’s probably where Nucleus has been most impactful is really helping in that. And then that’s what’s called a continuous monitoring phase.

Steve Carter:

And we’ve been really helpful in continuous monitoring of custom applications and products to ensure that these ATOs are maintained all the time. Because we can take all the scan results that are being generated from all the web app scanners that are in use from the source composition analysis tools, container image scanning tools, and things like that.

Steve Carter:

We can aggregate it, we can organize it so that product owners, developers, and security assessors can see the data that they need to see for the apps and the products they’re responsible for.

Steve Carter:

And then we can automate that response when new vulnerabilities are discovered. So, yeah. So an example, I can give you, if you’re a government agency, you’ve got government agency whatever X, Y, Z, you’ve got a custom app. You developed. It’s in production and it uses, let’s say the struts Java library.

Steve Carter:

And when that app was deployed, a week ago, there were no vulnerabilities. But this morning, a zero day struts vulnerability is announced. And most organizations today have scanning tools or federal agencies they’ve got scanning tools set up to run every day.

Adam Dudley:

Right.

Steve Carter:

They’re doing a good job with that. And so they’ll detect the vulnerability, but more than likely, no one will notice or do anything with that information. Because it’s not really actionable. And so.

Adam Dudley:

Right.

Steve Carter:

So with Nucleus, the product owner that’s responsible for that app is going to be notified immediately.

Adam Dudley:

Right.

Steve Carter:

And that could be in Teams, it could be in Slack, it could be an email, whatever. A ticket’s going to be created for the developer of the app to fix it. The SOC team’s going to be notified so they can create a web app firewall or an IDS rule.

Steve Carter:

Your security assessor is going to be notified so he can monitor the entire process and make sure that remediation occurs in a timely manner. So yeah, with Nucleus in place, there’s just now this process to ensure that vulnerabilities are monitored and responded to.

Adam Dudley:

Right.

Steve Carter:

In a consistent way, in a timely way.

Adam Dudley:

Right. So just, what I’m hearing is just like our enterprise customers, where often they come to us and they’re, as we say in this field, their people, processes and technology around vulnerability management are kind of fragmented.

Steve Carter:

Right.

Adam Dudley:

They’re just all over the place. And what we’re allowed to help, what we’re able to help with is to bring all that, bring all the people, processes and tech into one place and actually allow them to take productive action on all that.

Steve Carter:

Exactly.

Adam Dudley:

And without it, everything is just very, very inefficient. So as I’ve heard one of our colleagues describe it, Nucleus is like a glue that really glues together all the components of your VM program so that it can operate more efficiently.

Steve Carter:

Absolutely.

Adam Dudley:

Yeah.

Steve Carter:

Got it.

Adam Dudley:

Well, that’s great, Steve. Really appreciate you sharing all that. And before we wrap the episode, in your view, what is the most important thing for folks to take away from what we talked about here today? Say, there’s someone listening on the federal side and they haven’t heard about Nucleus, what would you say to them? What should they take away from this?

Steve Carter:

Oh man, that’s a really tough one. I would say it’s not really so much about Nucleus, but just in general, I think.

Adam Dudley:

Yeah.

Steve Carter:

One of the things I still see a lot in the federal space is this association of the term vulnerability management with vulnerability scanners.

Adam Dudley:

Right.

Steve Carter:

And to me, the most important thing I hope people take away is that vulnerability scanning is not vulnerability management, right? Vulnerability scanning is detection of vulnerabilities and it’s the easy part. And there are lots and lots of tools that do that really well.

Steve Carter:

And I love for people to start thinking about, really just to start thinking more broadly about vulnerability management and thinking more in terms of those processes and technologies that are needed to respond to vulnerabilities and how they can make those processes scale for large enterprises. And obviously, that’s what we live and breathe at Nucleus and something that we’re happy to help with.

Adam Dudley:

Great. Fantastic. And that’s a wrap for this episode. Thanks so much for joining us today, Steve. We’ll share any appropriate links in the show notes, including how you can get a free trial, take a demo, that kind of thing. And we’ll see you soon on the next Nucleus Shortcuts.

Steve Carter:

Yeah. Thanks for having me, Adam.

Adam Dudley:

Thanks.

Steve Carter:

Cheers.

Adam Dudley:

Bye.