RSA Archer Automates Drudge Work, Adds Context (Sponsored Content)
The major challenges faced by federal agencies and DoD components in managing their cybersecurity and other risks include personnel shortages, daunting compliance requirements and the need for consistent data reporting and management across multiple elements of a diverse and geographically dispersed enterprise.
The RSA Archer Suite helps by automating the drudge work, providing context for incident reports, and other data flows and ensuring a common taxonomy, workflow and metrics across the enterprise. RSA Archer leaves human security personnel free to look at the bigger picture—and make decisions based on real-time, accurate information, intuitively displayed.
Not surprisingly, it’s ubiquitous among large enterprises in both the public and private sectors, according to RSA Archer Public Sector Director Dan Carayiannis.
“Any large bank, retailer or telco that you can think of” is likely among the 1500-strong RSA Archer global customer base, which includes more than 175 technology companies, 50 members of the Forbes 100 and around 150 government agencies, he told SIGNAL Magazine.
The RSA Archer Suite for integrated risk management provides a single, configurable, integrated platform for managing multiple dimensions of risk, and has been named a leader in Gartner’s integrated risk management (IRM) market category. Carayiannis said RSA Archer “embraces that change as an evolution … [that] helps broaden the view of risk within an organization.” RSA sees the organizations evolving their thinking to one where digital risk management is top of mind and encompasses understanding risk
across the entire enterprise.
Either way, it’s probably easier to think of RSA Archer as a web-based management suite that can help automate processes through workflow and reporting and sitting atop the user’s security and other tools, displaying data intuitively, incorporating context and automating routine tasks.
RSA has been part of the cybersecurity landscape since the three scientists whose name it bears—Ron Rivest, Adi Shamir, and Leonard Adleman—first described a new kind of encryption in 1977. Since its founding as RSA Data Security in 1982, the company has grown into a security behemoth.
RSA Archer was added to RSA’s product portfolio when Archer Technologies was acquired in 2010. Since 2016, the venerable security company has been part of the Dell Technologies family of companies.
Carayiannis noted that Dell—a huge global enterprise—uses RSA Archer for much of its own risk and compliance management. “We drink our own champagne,” he joked, riffing off the old IT industry adage about eating your own dog food. “RSA Archer does a terrific job helping organizations understand risk,” by providing context and enabling prioritization, for instance among multiple IT security or vulnerability alerts. “If I have a 1000 things going wrong at this moment from a cyber perspective what are the things that I need to work on first? How do I prioritize them from a risk perspective? … How can I most effectively reduce my risk profile?”
RSA Archer offers a range of different ways to quantify risk, including a simple color coding (green/yellow/red) and numerical risk scoring values based on a variety of formulas. “We try to be as open as possible—supporting multiple types of risk management methodologies such as NIST 800-53, ISO 31000 and NIST RMF,” he said.
A desired end state, he added, was risk quantification, the ability “to calculate the cost of the risk, not just the severity of the risk, but how much it is worth to me to fix something … This allows an organization to start thinking about risk from a budgetary perspective.”
But for many RSA Archer users, this is an evolutionary direction, he acknowledged. It requires a mature risk management culture to make it work. “It’s something that many organizations want to get to, but it’s down the road. … There’s a lot you have to do to get the foundation right,” he said.
In the event of an IT security incident, “RSA Archer will take that event and add context around it ... answering key questions such as what are the other assets within that [affected] system domain, what are the user organizations or missions or programs that need to use that domain to stay functional, what network is it operating on, who’s responsible for those applications and those systems; if those systems were to be taken offline … what would the implications be if I shut it down for mitigation?”
Providing such context, he continued, helps the staff of an agency’s Security Operations Center or SOC to understand an incident “holistically” in a way that will produce better decisions about how to respond.
RSA Archer also provides a centralized portal for SOC staff, meaning incident investigations can be tracked and managed with full visibility and reporting; and allowing management to monitor key performance indicators.
In addition to its use in the SOC, RSA Archer facilitates “continuous monitoring of an [IT] environment, bringing data in from various tools and being able to provide an aggregate view,” Carayiannis said.
Indeed, the Department of Homeland Security chose RSA Archer to provide the dashboard for its governmentwide cybersecurity program—Continuous Diagnostics and Monitoring, or CDM, which feeds near real-time information about the state of government networks to agency leaders along with meaningful reports and dashboards populated with key risk metrics.
During the various phases of CDM to date, the government has deployed a wide range of tools to map and manage their networks: Vulnerability and configuration management tools, asset management tools and others. “RSA Archer operates as a hub, drawing data from many types of scanner and sensors, allowing the organization to build an aggregate risk view at any level of the enterprise.
“Data is rolled up into an RSA Archer agency-level dashboard—scored from a risk perspective, populated in a range of reports—and then rolled up into a federal enterprise dashboard,” said Carayiannis.
“I believe the CDM program is the largest program of its kind, not just in the U.S. government, but, from what I’ve been able to see, in the commercial space as well.” He said it exemplified the cybersecurity state of affairs that mature enterprises ought to be able to achieve—real time visibility of enterprise risk.
IT and security risk management is only one of seven “domains” in which the RSA Archer suite operates. The other six run the gamut from business resiliency and continuity of operations planning through audit management and supply chain governance all the way to regulatory compliance and operational risk—and includes a solution purpose-built for the federal government.
In each case, “RSA Archer increases efficiency because we help our customers automate and streamline processes,” said Carayiannis.
The RSA Archer Suite—which can run on-prem or in the cloud—allows the automation of business processes, sucking up data inputs from tools and other sources all throughout the enterprise. “We are technology agnostic. We can integrate with many types of technologies,” he said.
RSA Archer can be programmed to automatically gather data and populate reports. “I might have 20 or 30 organizational elements in my organization submitting reports via spreadsheet and someone is sitting in the bowels of the building cutting and pasting them all” into an enterprise-level report, he said. “From a compliance reporting and risk management perspective, we make that easy.”
“Most important, when it comes to visibility at the management level, we allow them to see data across the enterprise in a consistent way,” by ensuring common processes for measuring and reporting across departments.
RSA Archer “helps agency leaders understand and manage risk across their enterprise. Not just cyber and IT risks but other kinds of risks—environmental, manpower or financial risks that might impact the mission and its chance of success,” Carayiannis said.
“Are you able to, in a common and consistent way across the enterprise, get people to document risk and express it in a consistent way?” In too many federal agencies and DoD elements, he argued, the answer was no.
One helpful tool, he said, was the Risk Register that was a part of the RSA Archer suite. The register helps management “define the risks, document them in a consistent way across the enterprise—and enforce a consistent terminology and methodology.”
But that’s just the first step. RSA Archer can help management map appropriate policies and controls to those risks.
“That also provides a way to ensure and document compliance,” Carayiannis said—one example of how RSA Archer’s users can deploy multiple capabilities together.
“We pride ourselves on the fact that RSA Archer is highly configurable and customizable,” he added. “Our customers can use RSA Archer out of the box. … But other customers may have very specific and defined processes, some of which might be quite unique, and they can configure our capabilities to match or align with what they’re doing,” explained Carayiannis.
One out-of-the-box capability RSA Archer offers the public sector aims to streamline the Authority to Operate, or ATO, process. “We use the NIST RMF best practices on defining a system and managing the accreditation process,” said Carayiannis.
RSA Archer’s assessment and authorization capability gives an agency’s authorization team the tools and capabilities to define boundaries, allocate and assess controls, determine whether each information system stays within acceptable risk parameters and assemble ATO packages in a highly efficient and automated manner.
Again, leveraging multiple RSA Archer capabilities is a force multiplier. “The results of vulnerability scans can be mapped to the ATO’d system ... I can now use RSA Archer to make contextual decisions about how to respond to a newly emerging vulnerability and its possible risk to a production system,” outlined Carayiannis.
Ease of integration is another RSA Archer value-add, he said. In its business resilience and continuity of operations planning domain, “RSA Archer can be tied to alerting tools, so warnings can be sent out in the event of a [real-world] incident.”
Currently RSA Archer provides human decision makers with information, but doesn’t offer any automated decision-making capability itself. In the case of the real-world security incident, for instance, a manager would have to take action to send the alert out.
However, automated decision making is something that might be coming in the future, Carayiannis said.
“We have been doing some work in the area of artificial intelligence, so that is something that could come out in the future in terms of the way we interact with tools,” he explained. “Right now we are reporting data … We won’t apply the patch, for instance.” Instead the system will send an alert to security managers, who will need to apply the patch themselves.
Future iterations of the suite might cut out the human middleman in some cases. “We are exploring ways of doing things in an automated fashion where we might cause the tool itself to react,” Carayiannis concluded.