Agency activates security response center

WASHINGTON, D.C. - The Department of Veterans Affairs says it has started building a $100 million security incident response center to get a centralized overview of computer security vulnerabilities that may affect the 1,200 VA offices, 172 VA hospitals and the 240,000 employees working for the VA.

The goal of the center is to assist the VA's 600 local security managers in coping with computer viruses and hackers, and make sure the security managers are taking care of routine tasks such as software patching to eliminate vulnerabilities.

"The big difference over what we've done in the past is that now we will be more proactive about security," says Rob Pate, the VA's team leader for the Computer Incident Response Center (CIRC). He says that until now the VA's approach has been to blitz the hundreds of security managers with e-mail about every newly discovered vulnerability and security threat. "They said, 'We're just deleting and deleting this because it was so much mail.'"

With the new CIRC, the VA will transmit warnings only about network systems and applications for which the local security manager is in charge and follow up to see that they were able to cope successfully or handle tasks.

The VA's CIRC is the first of its kind for a civilian federal agency (the Air Force has a CIRC in San Antonio). Under a contract awarded this month, the VA CIRC is to be managed by a joint venture named VA Security Team (VAST), headed by the firm SecureInfo.

Within the $103 million contract - which can run for 11 years with options - VAST already has begun installing monitoring equipment, including the netForensics ActiveEnvoy security information management appliances across the backbone network of the VA and in its sites. The equipment will monitor VA firewalls and intrusion-detection systems to get a bird's-eye view of security incidents on the VA network.

ActiveEnvoy management consoles can receive output from 18 makes of firewalls, 20 network- and host-based intrusion-detection systems, five databases and three antivirus packages to present an enterprise overview.

Up to 50 employees from the contractor and the VA will be in charge of coordinating security response with hundreds of security information officers at the VA. The CIRC employees will be authorized to fly to any site that needs help in resolving security problems.

In addition, the VA is putting in a separate security operations center (SOC) in Martinsburg, W.Va. The SOC's primary purpose will be to analyze real-time data coming from firewalls, intrusion-detection systems and antivirus response software systems installed at the VA offices, data centers and hospitals in the U.S. and around the world. Connected by high-speed private lines to the CIRC in suburban Washington, the SOC will act as a back-up site if the CIRC suffers a failure. A third backup is envisioned.

The VA, which has 160,000 seats of McAfee antivirus in use, will take advantage of McAfee's ePolicy Orchestrator management console to centralize virus reporting and distribution of alerts and virus updates, Pate says.

The goal is not to take responsibilities away from the 600 information security officers in the VA offices and hospitals but to give them additional help, Pate says.

Under the security response program directed by VA CIO John Gauss, local security managers will be held more responsible for tasks such as applying software patches to applications and operating systems when necessary.

The VA CIRC and SOC will use Remedy's workflow tracking to ensure patching is accomplished.

As to whether software patching can be automated, John Linton, CEO of SecureInfo, says his experience has convinced him that for now "the idea of automating patching in security is a myth. There has to be validation of a patch done, and you just can't automate it."

The CIRC and SOC operations should be ramping up within the next few weeks. The long-term goal is to assist the VA in standardizing more on security products rather than buying a little of everything to make management easier.

The VA's security plans might eventually have some effect on universities because each VA hospital is collocated with a university. The VA's Palo Alto Hospital shares some communications and software infrastructure with Stanford University because doctors at Stanford work at the VA.

RELATED LINKS