Page 6 - FCW, May 15, 2016

SECURITY MANDATE
SPONSORED REPORT

EVOLVING RESPONSE TO EVOLVING THREATS
Government agencies take steps to combat a pernicious new category of cyberthreats

AFTER SEVERAL YEARS of well-publicized and damaging data breaches at major agencies, there's no question the federal government faces a massive cybersecurity challenge. The traditional methods of securing agency networks and systems often prove ineffective against the newest, rapidly evolving generation of cyberthreats.

Gaining visibility into unknown or lesser-known threats is also a major issue. After all, you can't defend against that which you can't see. While the nature and scope of the problem is broadly understood, the best way to tackle it is not so clear. Government agencies are struggling to build out their security infrastructures. They remain hampered by ongoing budget constraints. The gap between understanding and effective answers is still significant. It's a frightening and frustrating situation.

"Organizations have to assume they will be breached at some point, so it's a question of how well they are set up to detect early, contain, mitigate and recover," says Dennis Reilly, vice president of federal sales at Gigamon, Inc. "You need new technologies to give you the pervasive visibility into networks and systems that will enable you to react and respond to those threats in an automated fashion." There are too many false positives for security operations center personnel to investigate. A risk-based approach, aided by automation that supports the investigation and forensic processes, is a must.

The Obama Administration has recognized the severity of the cybersecurity situation facing government agencies. In June 2015, after revelations of a particularly damaging attack on Office of Personnel Management systems that compromised more than 20 million federal employee records, it ordered a 30-day "Cybersecurity Sprint" to force improvements in agency security protections. As a part of that sprint, the Federal Chief Information Officer directed agencies to take four "high-priority" actions:

• Immediately deploy indicators provided by DHS on priority threat-actor tactics, techniques and procedures to improve cybersecurity posture
• Patch critical vulnerabilities without delay
• Tighten policies and practices for privileged users
• Dramatically accelerate implementing multi-factor authentication, especially for privileged users

The Cybersecurity Sprint had an immediate effect. The number of known active critical vulnerabilities in federal systems dropped from 363 before the month-long sprint to three by December. Agencies also made major strides in various areas, such as identifying high-value assets, increasing use of strong authentication by 30 percent, and boosting employee use of Personal Identity Verification (PIV) cards.
Information gathered during the sprint helped identify some of the more critical cybersecurity gaps agencies face. It also helped clarify emerging priorities and the actions needed to address them. All of that resulted in an October 2015 memo from the Office of Management and Budget: the Cybersecurity Strategy and Implementation Plan (CSIP) for the Federal Government. The CSIP established agency objectives to improve cyberthreat detection, response and recovery. It specifically includes "efficient and effective acquisition and deployment of existing and emerging technology."

"A statement like that demonstrates recognition of what government faces with modern threats," says Reilly. "Government agency bureaucracy and procurement processes are too cumbersome and will always lag behind what's needed for modern threats, which are increasingly well-funded and nimble. Compliance requirements and regulations alone will never be able to keep up."
PERCEPTION AND REALITY
Whether and when the solutions will catch up to that perception is still an open question. In a 2015 study,1 the SANS Institute found that a majority of the IT professionals it surveyed assumed some compromise would occur in their organizations. Despite that, it states, few seemed able to achieve a proactive threat response. That response includes implementing such basic measures as establishing a baseline of normal endpoint activity so that anomalies can be detected through monitoring. The overarching goal is to gain visibility into the nature of these new threats where there was no visibility before. That is the critical first step.
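What "a baseline of normal endpoint activity" looks like in practice, as an added example that is not part of the original report and not Gigamon's or SANS's code: a training window of process-creation events is turned into a per-host set of normal parent-child pairs, a fleet-wide set of pairs that are normal on several hosts, and a later monitoring window is checked against both. The log line format, host names, user names and threshold parameters (min_count, min_hosts) are assumptions constructed for the example; the events are invented.

```python
"""Baseline normal endpoint process activity, then flag deviations.

Added example (not the report's or any vendor's code). Assumed log
format, one constructed process-creation event per line:
    <timestamp> <host> <user> <parent-image> <child-image>
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed training data: two ordinary days on two workstations.
# Note the single winword.exe -> cmd.exe event on ws01: one sighting in
# the training window must not make that chain "normal".
BASELINE_LOG = """\
2016-05-01T09:00:01 ws01 alice explorer.exe outlook.exe
2016-05-01T09:00:05 ws01 alice outlook.exe winword.exe
2016-05-01T09:02:10 ws01 alice explorer.exe chrome.exe
2016-05-02T09:01:00 ws01 alice explorer.exe outlook.exe
2016-05-02T09:03:15 ws01 alice outlook.exe winword.exe
2016-05-02T10:30:00 ws01 alice explorer.exe chrome.exe
2016-05-02T11:00:00 ws01 alice winword.exe cmd.exe
2016-05-01T09:00:02 ws02 bob explorer.exe outlook.exe
2016-05-01T09:10:00 ws02 bob explorer.exe excel.exe
2016-05-02T09:00:30 ws02 bob explorer.exe outlook.exe
2016-05-02T09:12:00 ws02 bob explorer.exe excel.exe
"""

# Constructed monitoring data, including a host (ws03) with no baseline.
MONITOR_LOG = """\
2016-05-15T09:00:01 ws01 alice explorer.exe outlook.exe
2016-05-15T09:00:07 ws01 alice outlook.exe winword.exe
2016-05-15T09:00:09 ws01 alice winword.exe powershell.exe
2016-05-15T09:00:10 ws01 alice winword.exe cmd.exe
2016-05-15T09:05:00 ws02 bob explorer.exe outlook.exe
2016-05-15T09:05:03 ws02 bob outlook.exe excel.exe
2016-05-15T09:30:00 ws03 carol explorer.exe outlook.exe
2016-05-15T09:31:00 ws03 carol explorer.exe notepad.exe
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    child: str

    @property
    def pair(self):
        return (self.parent, self.child)


def parse(log):
    """Parse the assumed five-field format; reject malformed lines loudly."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError("malformed event: %r" % line)
        events.append(Event(*parts))
    return events


@dataclass
class Baseline:
    counts: dict = field(default_factory=dict)        # host -> Counter of pairs
    host_normal: dict = field(default_factory=dict)   # host -> set of pairs
    fleet_normal: set = field(default_factory=set)    # pairs normal on >= min_hosts


def build_baseline(events, min_count=2, min_hosts=2):
    """A pair is normal on a host only if seen min_count times in training;
    a pair normal on min_hosts hosts is treated as fleet-wide normal."""
    counts = defaultdict(Counter)
    for e in events:
        counts[e.host][e.pair] += 1
    host_normal = {h: {p for p, n in c.items() if n >= min_count}
                   for h, c in counts.items()}
    fleet = Counter(p for pairs in host_normal.values() for p in pairs)
    fleet_normal = {p for p, n in fleet.items() if n >= min_hosts}
    return Baseline(dict(counts), host_normal, fleet_normal)


def detect(events, baseline):
    """Return every monitoring event whose parent-child pair is neither
    host-normal nor fleet-normal, with how often training saw it."""
    findings = []
    for e in events:
        if e.pair in baseline.host_normal.get(e.host, set()) or e.pair in baseline.fleet_normal:
            continue
        seen = baseline.counts.get(e.host, Counter())[e.pair]
        reason = ("no baseline for host" if e.host not in baseline.counts
                  else "seen %dx in training, below threshold" % seen)
        findings.append({"ts": e.ts, "host": e.host, "user": e.user, "parent": e.parent,
                         "child": e.child, "training_count": seen, "reason": reason})
    return findings


def run_example():
    return detect(parse(MONITOR_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for f in run_example():
        print("%s %s %s: %s -> %s (%s)" % (f["ts"], f["host"], f["user"],
                                          f["parent"], f["child"], f["reason"]))
```

Run stand-alone, the example flags winword.exe launching powershell.exe and cmd.exe on ws01 (the latter despite one sighting in training), outlook.exe launching excel.exe on ws02, and notepad.exe on the never-baselined ws03, while ws03's explorer.exe to outlook.exe chain is suppressed because it is normal across the fleet. The two thresholds are the important design choice: min_count keeps a single anomalous event in the training window from whitelisting itself, and the fleet baseline keeps a freshly enrolled host from generating alerts for every ordinary program it runs. The baseline is only as trustworthy as the training window, so it should be drawn from a period believed clean and rebuilt after major software changes.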
The SANS survey results also show that incident response (IR) automation is not increasing, even though it is critical for knowing which endpoint assets and data would be targeted as well
1 https://www.sans.org/reading-room/whitepapers/analyst/case-visibility-2nd-annual-survey-state-endpoint-risk-security-35927