Uganda, Senegal, Uzbekistan, Moldova, Ecuador, Haiti—name any impoverished country in the world, and the U.S. Agency for International Development is probably there on the ground. Increasingly, however, USAID's humanitarian offense is relying on a solid IT security defense.
With a new financial record-keeping system due to come online within the next six months, USAID has sharpened its focus on hacking threats, using SIM (security incident management) technology to correlate and manage data from political and humanitarian hot spots around the world and to keep billions of dollars in U.S. development money flowing.
USAID sprang into existence with a stroke of the pen by President John F. Kennedy in 1961 and has provided economic and humanitarian aid as well as development assistance to needy countries ever since. The agency consolidated a hodgepodge of foreign aid and development organizations that grew out of the U.S. government's post-World War II Marshall Plan for rebuilding Europe.
The olive branch of U.S. foreign policy, USAID does most of its work in the background: helping Ugandan flower growers break into the U.S. market, battling armyworm infestations in Tanzania, providing food assistance in drought-plagued Kenya or helping to electrify rural India.
Maintaining operations in some of the world's poorest countries has never been easy for a 21st-century aid organization with $9 billion in direct aid to distribute in conjunction with the U.S. Department of State. But more and more, USAID's reputation as an agency of do-gooders with money to hand out makes the organization a popular target for malicious hackers, online criminal groups and others hostile to the United States, said Philip Heneghan, chief information security officer at USAID.
USAID's field offices were natural targets, said Tracey Hulver, director of product management at NetForensics, in Edison, N.J.
“True or not, people feel like, if a machine is sitting in the Congo, it's easier to access than a central hub in Washington, D.C.,” Hulver said.
Until recently, USAID was an easy target, too. The agency was failing audits of its IT security and received a “C-” in 2003 on the House Government Reform Committee's Federal Security Report Card, a measure of federal agencies' compliance with FISMA (Federal Information Security Management Act) of 2002.
Like many organizations, USAID had a potpourri of different security products deployed around the globe, such as IDSes (intrusion detection systems) and firewalls, producing reams of data that nobody was looking at.
USAID also had no way to parse the data that was being produced by the devices, making incident response “pretty random,” Hulver said.
“Getting an F gets embarrassing after a while,” Heneghan said.
In 2003, USAID turned to Open System Sciences, in Newington, Va., for help.
SIM technology was key for turning the agency's performance on IT security around, Heneghan said. “We had to get awareness and see what was going on on our network,” he said.
“Phil's mantra was 'You can't improve what you can't measure,'” said Bill Geimer, a program manager for OSS.
The first task for OSS was to marry USAID's firewall and IDS data, Geimer said.
A data marriage
“We needed to take firewall and IDS format log data and collect [it] in a way so that it was in the same format,” Geimer said.
NetForensics was one of the few SIM vendors in 2003 that could collect, normalize, aggregate and correlate data from USAID's Checkpoint Systems firewalls, Cisco Systems network IDS and Internet Security Systems host IDS, and work with McAfee ePolicy Orchestrator, the agency's policy enforcement platform, Geimer said.
NetForensics addressed USAID's latency problems by making sure that collection engines deployed in the field had enough memory to cache log information until a link became available, said Hulver.
USAID's remote offices also made it difficult to troubleshoot problems, said Geimer of OSS, which has a team of 12 people working for USAID in Washington.
“This isn't Paris or London. Think Bolivia and Sri Lanka,” Geimer said. “When USAID travels, it's to places where most other people aren't. For us on the security side, that means managing things you can't touch easily.”
In two years, the NetForensics technology has improved USAID's ability to monitor security events and make sense of the data produced from its network of IDS sensors and firewalls, Heneghan said.
Still, the agency has had its share of issues with the NetForensics technology and is continuing to work with NetForensics on ways to improve its SIM technology.
For example, USAID regularly reports to U.S. CERT (Computer Emergency Readiness Team) in the Department of Homeland Security. The agency often is asked by other federal agencies to respond to specific requests, such as providing detailed reports on an IP address. But out-of-the-ordinary searches can be incredibly slow on NetForensics' system, Heneghan said.
“If you get a call from OMB [the Office of Management and Budget] … and you've got to run a report for the last 35 days' worth of data, if you don't have an index, it's going to take a while,” said Geimer.
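The two SIM tasks the article describes, normalizing firewall and IDS logs into one format and indexing the result so an ad hoc "report on this IP address" query does not mean a full scan, look roughly like this in miniature. This is an added illustration, not NetForensics or USAID code; the two log formats, the sample lines and the 5-second correlation window are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in two made-up formats (not real Check Point
# or Cisco output): key=value firewall records and free-text IDS alerts.
FW_LOGS = [
    "2005-11-02 03:14:07 action=drop src=198.51.100.7 dst=203.0.113.10 service=22",
    "2005-11-02 03:14:09 action=accept src=192.0.2.44 dst=203.0.113.20 service=80",
]
IDS_LOGS = [
    "Nov 02 2005 03:14:08 ALERT sig=2001 [198.51.100.7 -> 203.0.113.10] SSH brute force",
]

FW_RE = re.compile(r"(\S+ \S+) action=(\w+) src=(\S+) dst=(\S+) service=(\d+)")
IDS_RE = re.compile(r"(\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) ALERT sig=(\d+) \[(\S+) -> (\S+)\] (.*)")

def normalize(line):
    """Map either raw format onto one common event schema; None if unrecognized."""
    m = FW_RE.match(line)
    if m:
        ts, action, src, dst, port = m.groups()
        return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "firewall",
                "src": src, "dst": dst, "detail": f"{action} port {port}"}
    m = IDS_RE.match(line)
    if m:
        ts, sig, src, dst, msg = m.groups()
        return {"ts": datetime.strptime(ts, "%b %d %Y %H:%M:%S"), "source": "ids",
                "src": src, "dst": dst, "detail": f"sig {sig}: {msg}"}
    return None

def build_index(lines):
    """Normalize every line and index events by source IP, so a per-IP
    report is a dictionary lookup rather than a scan of all stored logs."""
    index = defaultdict(list)
    for line in lines:
        ev = normalize(line)
        if ev:
            index[ev["src"]].append(ev)
    return index

def correlate(index, window_seconds=5):
    """Flag source IPs that both the firewall and the IDS saw within the window."""
    hits = []
    for src, events in index.items():
        fw = [e for e in events if e["source"] == "firewall"]
        ids = [e for e in events if e["source"] == "ids"]
        for f in fw:
            for i in ids:
                if abs((f["ts"] - i["ts"]).total_seconds()) <= window_seconds:
                    hits.append((src, f["detail"], i["detail"]))
    return hits
```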
Since implementing NetForensics and revamping its security operations, USAID has gone to the front of the class, judging from the results of security audits in recent years. The agency scored an A+ on the Federal Computer Security Report Card in 2004. A report from the USAID inspector general released last week also gave USAID high marks on FISMA compliance for 2005.
Still, there's no going back to life without security information management technology, Heneghan said.
“Infosec [information security] is in the Wild West stage,” Heneghan said. “The more you know, the more scared you should be.” SIM technology just gives USAID the “eyes” to be able to see and understand the threat, Heneghan said.